Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the claims filed 2/04/2020.  Claims 1-20 are pending.  Claims 1 (a method), 13 (a machine), and 17 (a non-signal bearing CRM, App. Spec. ¶ 49) are independent.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 2, 5-13, 16, 17, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al., US 2017/0221064 (filed 2017-04), in view of Pritchett et al., US 2010/0191661 (filed 2009-11).
As to claims 1, 13, and 17, Turgeman discloses a method comprising:
(Regarding the processor/memory and CRM of claims 13 and 17, see Turgeman ¶ 76)
tracking, by a usage manager, usage of a device, wherein the usage includes activity by a user interacting with the device; (“The system may capture the user's usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47)
identifying, based on the usage, a usage pattern, wherein the usage pattern is based on usage data; (“The system may capture the user's application usage behavior, by monitoring and tracking the user page-specific intra-page behavior, such as, order of navigation between fields (text input, buttons, select-boxes, or the like), angle and/or velocity of entering and exiting each field, average or typical time spent in each field, location of mouse clicks within each field (e.g., right-side, center, left-side), or the like.” Turgeman ¶ 47)
generating, based on the usage pattern, a heatmap (“FIG. 3, which is a schematic illustration of a map 300 demonstrating utilization of user-specific usage stream model” Turgeman ¶ 48), wherein the heatmap represents a relative probability of the user interacting with a portion of the device, and the heatmap is based on the usage data; (“Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability.” Turgeman ¶ 48)
predicting future usage of the device by the user, wherein the predicting includes generating a Markov chain of the predicted future usage; (“The system may model the behavior as a hierarchical fully observed continuous-time Markov chain” Turgeman ¶ 49. “When a new session is observed, the system may compare the observed Markov chain with the empirical expected model by a statistical test;” Turgeman ¶ 51)

calculating, in response to determining the actual usage is different than the predicted future usage, a difference …; (“server 555 may determine that in the currently-monitored interaction session, the current user moves between fields by using mouse clicks; whereas, in all or in 90 percent (or another threshold percentage) of past interactions that correspond to the currently logged-in user, movement between fields was performed with the Tab key on the keyboard; and thus, server 555 may send back a response indicating “possibly fraudulent interaction”” Turgeman ¶ 64. See also Turgman ¶ 35)
determining the difference … is above a difference threshold; and (“in all or in 90 percent (or another threshold percentage) of past interactions that correspond to the currently logged-in user,” Turgeman ¶ 64)
activating, in response to determining the difference … is above the difference threshold, an alert. (“server 555 may send back a response indicating “possibly fraudulent interaction”” Turgeman ¶ 64. “if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

Turgeman does not disclose a “score”

Pritchett discloses a score (“Each identity may be associated with scoring information 270. The scoring information 270 may include a probability score information 276, rank score information 278, and raw data information 272. The probability score information 276 may include an identity identifier and a probability score between 0 and 1. For example, the probability score may be a measure of likelihood that the identity has performed a fraudulent activity.” Pritchett ¶ 62)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Turgeman with Pritchett by utilizing a probability score to rank the relative probability of fraudulent activity.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to utilize the probability score of Prtichett in the system of Turgeman in order to allow the mitigating actions to be conditioned thresholds that are not specific to a particular step in the Markov model (e.g. the particular probability transition of Turgeman ¶ 64).  


As to claim 2, Turgeman in view of Pritchett discloses a method of claim 1 and further discloses:  wherein tracking the usage comprises: 
capturing a series of snapshots, wherein each snapshot (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47) includes data corresponding to at least one of a running application (the application of Turgeman), a location, a time of day, and a set of inputs (a user-interface (UI) element). (“Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability. Moreover, each state, whether external or internal, is also characterized by the time duration.” Turgeman ¶ 48)

As to claims 5, 16, and 20, Turgeman in view of Pritchett discloses a method of claim 1 and further discloses:  wherein the heatmap is a first heatmap and the first heatmap is correlated to a first application, the method further comprising: generating a second heatmap, wherein the second heatmap is correlated to a second application. Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like).” Turgeman ¶ 48. “Application Usage Stream or interaction stream. The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence), as well as navigation order and time span between the user-interface elements within each screen or web-page (intra-page sequence).” Turgeman ¶ 47)

As to claim 6, Turgeman in view of Pritchett discloses the method of claim 1 and further discloses: wherein the user is an authorized user and the difference score represents a likelihood a current user is an unauthorized user of the device. (“Each identity may be associated with scoring information 270. The scoring information 270 may include a probability score information 276, rank score information 278, and raw data information 272. The probability score information 276 may include an identity identifier and a probability score between 0 and 1. For example, the probability score may be a measure of likelihood that the identity has performed a fraudulent activity.” Pritchett ¶ 62)

As to claim 7, Turgeman in view of Pritchett discloses a method of claim 1 and further discloses: wherein the usage manager includes a policy, the policy including a set of policy attributes. (“if the currently-captured motor behavior does not correspond to 

As to claim 8, Turgeman in view of Pritchett discloses a method of claim 7 and further discloses: wherein a first policy attribute of the set of policy attributes includes a set of contacts to alert. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 9, Turgeman in view of Pritchett discloses a method of claim 1 and further discloses: wherein the activating the alert includes sending a message to a set of contacts. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 10, Turgeman in view of Pritchett discloses a method of claim 1 and further discloses: wherein activating the alert includes requesting verification from a current user. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 11, Turgeman discloses a method of claim 1 and further discloses: wherein the device is a mobile device, and the mobile device includes a touch screen.
(“The term “pointing device” as used herein may include, for example, a mouse, a trackball, a pointing stick, a stylus, a joystick, a motion-sensing input device, a touch screen” Turgeman ¶ 114)

As to claim 12, Turgeman in view of Pritchett discloses claim 1 and further discloses:


Turgeman in view of Pritchett does not disclose:
determining the difference score is above a second difference threshold; and activating, in response to determining the difference score is above the second difference threshold, a second alert.

Pritchett further discloses: determining the difference score is above a second difference threshold; and activating, in response to determining the difference score is above the second difference threshold, a second alert.
 (“has increased over a first alert threshold or dropped below a second alert threshold….. the fraud detection system 16 may respond to the score crossing the threshold by communicating the alert to the appropriate monitoring machines 26. For example, the alert may be communicated as an interface that includes an identity identifier, a score, and a warning that the probability score has exceeded or dropped below alert threshold.” Pritchett ¶ 23)

.


Claim 3, 4, 14, 15, 18, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al., US 2017/0221064 (filed 2017-04), in view of Pritchett et al., US 2010/0191661 (filed 2009-11), and Grajek et al., US 2018/0069867 (filed 2017-09).
As to claims 3, 14, and 18, Turgeman in view of Pritchett discloses the method of claim 1 and further discloses: wherein tracking the usage comprises: capturing a series of snapshots, (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47) wherein each snapshot includes data corresponding to a running application, …, and a set of inputs. (“Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is 

Turgeman in view of Pritchett does not disclose:
a location, a time of day

Grajek discloses: 
a location, a time of day (“the user conduct evaluation 120 may determine, among other things, that the user is attempting to access the system 100 from a GPS location that the user has previously never used at a time when the user has never requested to access the system 100, and may generate a score of “10” out of a possible value of “50”. In some variations, the ID confidence score is determined via a real time engine that collects the results of the biometric and conduct models.” Grajek ¶ 33)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Turgeman in view of Pritchett with Grajek by incorporating the behavior comparison of Turgeman in view of Pritchett into a confidence level based on GPS location and time.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Turgeman in view of Pritchett with Grajek in order to provide provide additional user use context into the model to better distinguish a legitimate user from a fraudulent user, e.g. Grajek ¶ 24.

As to claims 4, 15, and 19, Turgeman in view of Pritchett, and Grajek discloses the method of claim 3 and further discloses:
wherein identifying the usage pattern includes analysing the series (“Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability.” Turgeman ¶ 48) of snapshots. (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly.
Mital et al., US 2020/0092314, discloses establishing a behavioral baseline for detection of compromised users.
Argoeti et al., US 2020/0274894, discloses scoring anomalies based on  deviation from a trained model. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492