DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendments filed on December 23, 2021 have been entered. 
Claims 1, 4, 16, 19, 24, and 27 have been amended. 
Claims 2, 5, 10, 17, and 25 have been canceled. 
Claims 28-33 have been added.
 
Response to Arguments
Applicant’s arguments filed on December 23, 2021 have been considered but are moot in view of the new grounds of rejection. 

Claim Objections
Claims 28, 30, and 32 are objected to because of the following informality:

	Claim 28 	“the distance between the first physical endpoint and the second physical endpoint is calculated” should read (ONLY Examiners’ suggestion) “the distance between the first physical location of the endpoint and the second physical location of the endpoint is calculated.” 

	Same applies to claims 30 and 32.

Appropriate correction is required.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 6-8, 11-16, and 20-24 are rejected under 35 U.S.C. 103 as being unpatentable over Most et al. (Pub. No. US 2017/0155652), hereinafter Most, in view of Jakobsson (Pub. No. US 2018/0152471). 
           
            Claim 1. 	Most discloses a method for regulating access to respective network-based resources by a computing device, the computing device configured to receive information representing access to and/or access requests to resources on at least one network (Parag. [0027]; (The art teaches a managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts)), the method comprising: 
             detecting, by the computing device, access to a first network-based resource at a first time by a first entity (i.e., user), wherein the first network-based resource, the first entity, and a first physical location of an endpoint of the first entity are represented directly or indirectly by information received by the computing device (Parag. [0027], Parag. [0044], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a first access attempt is identified. The identification includes determining the location (i.e., first location) and time (i.e., first time) of the access attempt. Each access attempt may be detected based on information regarding log-ins and attempted access received or retrieved from a SSO server. The location of an access attempt may be determined based on, e.g., a source internet protocol (IP) address of the device requesting the log-in. The time of the first access attempt may be determined and recorded at the time of the first access attempt. Also, see Parag. [0013-0014])); 
             detecting, by the computing device, a request for access to, access to, or both the request for access and access to a second network-based resource at a second time by the first entity (i.e., user), wherein the second network-based resource, the first entity, and a second physical location of the endpoint of the first entity are represented directly or indirectly by information received by the computing device (Parag. [0027], Parag. [0045], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a second access attempt is identified. The identification includes determining a time (i.e., second time) and location (i.e., second location) of the second access attempt. The second access attempt may be for the same application as the first attempt, or for a cross-application (i.e., the second network-based resource) log-in. Also, see Parag. [0013-0014])); 
             calculating, by the computing device, a period of elapsed time between the first time and the second time (Parag. [0045]; (The art teaches that a difference in time between the time of the first access event and the time of the second access event is determined)); 
             calculating, by the computing device, a distance between the first physical location and the second physical location (Parag. [0045]; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined)); 
             processing, by the computing device, the period of elapsed time and the distance between the first physical location and the second physical location to determine a score of the first entity accessing or requesting access to the second network-based resource from the second physical location within the period of elapsed time (Parag. [0045-0048] and Fig. 2; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined. Additionally, a difference in time between the time of the first access event and the time of the second access event is determined. The required velocity is determined to be equal to the quotient of the determined distance by the determined time difference. Upon determining that the required velocity exceeds the threshold velocity, a velocity event is identified and it is checked whether the velocity event represents a fraudulent attempt to access the cloud application. To determine whether the access attempt is fraudulent, a risk score may be computed using a decision tree. The risk score may be used to determine whether the velocity event is a false positive. A false positive occurs when the second access attempt was not fraudulent despite the detection of the velocity event. As a non-limiting example, an access attempt via a virtual private network (VPN) connection may not be fraudulent despite triggering a velocity event. The computation of risk scores may be based on information related to previous access attempts as maintained in the user profile));  
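             comparing, by the computing device, the determined score to a predetermined threshold value to identify, by the computing device, a security threat (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application)); and 
{00501/008072-USO/02908616.1 } Docket No.: 00501/008072-USO SA4268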
             precluding, in response to the identified security threat, by the computing device, the first entity's access to at least one network-based resource (Parag. [0028], Parag. [0038-0039], and Fig. 2; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application. Further, the art teaches that the access attempt is blocked (i.e., precluding) when it is identified as fraudulent; Fig. 2 (S270))).
              Most doesn’t explicitly disclose that the score is a probability score.
              However, Jakobsson discloses comparing the determined probability to a predetermined threshold value to identify a security threat (Parag. [0052]; (The art teaches that a risk is identified by determining the conditional probability, comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches)).
		It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the risk score taught by Most to identify the probability score taught by Jakobsson. This would be convenient for performing a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score); and performing authenticity analysis may include determining a measure of confidence that a sender identified in the message (e.g., domain of sender) is the actual sender of the message (Parag. [0033-0034]).
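
The velocity-event check that the rejection of claim 1 attributes to Most (distance divided by elapsed time, compared with a threshold velocity, then a risk score and a policy action), as an added example that is not part of this Office action or of either cited reference. The threshold values, the hand-written decision tree, the `via_known_vpn` flag and the sample log-ins are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Assumed tuning values, constructed for this example (not from the cited art).
THRESHOLD_KMH = 900.0    # threshold velocity, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0   # smaller distances are treated as IP-geolocation noise
BLOCK_AT = 0.7           # risk score at or above this: block the attempt
LIMIT_AT = 0.3           # risk score at or above this: grant limited access


@dataclass(frozen=True)
class AccessAttempt:
    user: str
    app: str
    when: datetime               # timezone-aware time of the log-in
    lat: float                   # location resolved from the source IP address
    lon: float
    via_known_vpn: bool = False  # hypothetical flag kept in the user profile


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_velocity_kmh(first, second):
    """Return (distance_km, velocity_kmh) needed to travel between the attempts."""
    dist = haversine_km(first.lat, first.lon, second.lat, second.lon)
    if dist < MIN_DISTANCE_KM:
        return dist, 0.0                      # same place within geolocation error
    hours = abs((second.when - first.when).total_seconds()) / 3600.0
    if hours == 0:
        return dist, math.inf                 # simultaneous log-ins far apart
    return dist, dist / hours                 # quotient of distance by time


def risk_score(second, velocity_event, known_locations):
    """Tiny hand-written decision tree standing in for a profile-based score."""
    if not velocity_event:
        return 0.0
    if second.via_known_vpn:
        return 0.2                            # likely false positive
    for lat, lon in known_locations:
        if haversine_km(second.lat, second.lon, lat, lon) < MIN_DISTANCE_KM:
            return 0.4                        # user has logged in from here before
    return 0.9


def evaluate(first, second, known_locations=()):
    """Detect a velocity event between two attempts and choose a policy action."""
    if first.user != second.user:
        raise ValueError("both attempts must belong to the same user")
    dist, velocity = required_velocity_kmh(first, second)
    event = velocity > THRESHOLD_KMH
    risk = risk_score(second, event, known_locations)
    if risk >= BLOCK_AT:
        action = "block"
    elif risk >= LIMIT_AT:
        action = "limit"
    elif event:
        action = "ignore"                     # event seen, judged a false positive
    else:
        action = "allow"
    return {"distance_km": dist, "velocity_kmh": velocity,
            "velocity_event": event, "risk": risk, "action": action}


# Constructed sample log-ins: New York, then Moscow one hour later.
SAMPLE_FIRST = AccessAttempt(
    "alice", "crm", datetime(2021, 12, 23, 12, 0, tzinfo=timezone.utc),
    40.7128, -74.0060)
SAMPLE_SECOND = AccessAttempt(
    "alice", "mail", datetime(2021, 12, 23, 13, 0, tzinfo=timezone.utc),
    55.7558, 37.6173)

if __name__ == "__main__":
    print(evaluate(SAMPLE_FIRST, SAMPLE_SECOND))
```
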
              
Claim 6. 	Most in view of Jakobsson discloses the method of claim 1,  
Most further discloses the method further comprising: providing to an information security dashboard, by the computing device, information representing the regulation of the first entity's access to at least one network-based resource (Parag. [0024] and Parag. [0028]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The SSO server allows the user of the client devices to log in once and gain access to systems/applications of the enterprises without being prompted to log in again at each of them)).  

Claim 7. 	Most in view of Jakobsson discloses the method of claim 6, 
Most further discloses wherein the information security dashboard includes a graphical user interface having at least one graphical control that, when selected, causes the computing device to regulate the first entity's access to at least one network-based resource (Parag. [0024] and Parag. [0028]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The SSO server allows the user of the client devices to log in once and gain access to systems/applications of the enterprises without being prompted to log in again at each of them)).    

Claim 8. 	Most in view of Jakobsson discloses the method of claim 1,  
Most further discloses wherein the first network-based resource and the second network-based resource are respectively located on at least one physical and/or virtual network (Parag. [0013]; (The art teaches identifying a first access attempt to a cloud application at a first time and from a first location; identifying a second access attempt to a cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location)).
 
Claim 11. 	Most in view of Jakobsson discloses the method of claim 1,   
Most further discloses wherein regulating the first entity's access comprises not impeding the first entity's access to at least one network-based resource (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application)).
  
Claim 12. 	Most in view of Jakobsson discloses the method of claim 1,  
Most further discloses wherein at least one network-based resource is the second network-based resource (Parag. [0013]; (The art teaches identifying a first access attempt to a cloud application at a first time and from a first location; identifying a second access attempt to a cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location)).   

Claim 13. 	Most in view of Jakobsson discloses the method of claim 1,   
Most further discloses wherein the first network-based resource and the second network-based resource are separated by a distance (Parag. [0045]; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined)).   

Claim 14. 	Most in view of Jakobsson discloses the method of claim 1,  
Most further discloses wherein regulating the first entity's access to at least one network-based resource includes downgrading access privileges (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application)).    
 
Claim 15. 	Most in view of Jakobsson discloses the method of claim 1,  
Most further discloses wherein the access to first network-based resource or second network-based resource occurs via at least one respective endpoint (Parag. [0027]; (The art teaches a managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts)).  

Claim 16. 	Most discloses a system for regulating access to respective network-based resources, the system comprising: a computing device having access to instructions on non-transitory processor readable media that, when executed by the computing device, configure the computing device to: receive information representing access to and/or access requests to resources on at least one network (Parag. [0027]; (The art teaches a managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts));  
detect access to a first network-based resource at a first time by a first entity (i.e., user), wherein the first network-based resource, the first entity, and a first physical location of an endpoint of the first entity are represented directly or indirectly by information received by the computing device (Parag. [0027], Parag. [0044], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a first access attempt is identified. The identification includes determining the location (i.e., first location) and time (i.e., first time) of the access attempt. Each access attempt may be detected based on information regarding log-ins and attempted access received or retrieved from a SSO server. The location of an access attempt may be determined based on, e.g., a source internet protocol (IP) address of the device requesting the log-in. The time of the first access attempt may be determined and recorded at the time of the first access attempt. Also, see Parag. [0013-0014])); 
detect a request for access to, access to, or both the request for access and access to a second network-based resource at a second time by the first entity, wherein the second network-based resource, the first entity, and a second physical location of the endpoint of the first entity are represented directly or indirectly by information received by the computing device (Parag. [0027], Parag. [0045], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a second access attempt is identified. The identification includes determining a time (i.e., second time) and location (i.e., second location) of the second access attempt. The second access attempt may be for the same application as the first attempt, or for a cross-application (i.e., the second network-based resource) log-in. Also, see Parag. [0013-0014]));  
calculate a period of elapsed time between the first time and the second time (Parag. [0045]; (The art teaches that a difference in time between the time of the first access event and the time of the second access event is determined));  
calculate a distance between the first physical location and the second physical location (Parag. [0045]; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined));   
process the period of elapsed time and the distance between the first physical location and the second physical location to determine a score of the first entity accessing or requesting access to the second network-based resource from the second physical location within the period of elapsed time (Parag. [0045-0048] and Fig. 2; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined. Additionally, a difference in time between the time of the first access event and the time of the second access event is determined. The required velocity is determined to be equal to the quotient of the determined distance by the determined time difference. Upon determining that the required velocity exceeds the threshold velocity, a velocity event is identified and it is checked whether the velocity event represents a fraudulent attempt to access the cloud application. To determine whether the access attempt is fraudulent, a risk score may be computed using a decision tree. The risk score may be used to determine whether the velocity event is a false positive. A false positive occurs when the second access attempt was not fraudulent despite the detection of the velocity event. As a non-limiting example, an access attempt via a virtual private network (VPN) connection may not be fraudulent despite triggering a velocity event. The computation of risk scores may be based on information related to previous access attempts as maintained in the user profile)); 
compare the determined score to a predetermined threshold value to identify a security threat (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application)); and  
preclude, in response to the identified security threat, the first entity's access to at least one network-based resource (Parag. [0028], Parag. [0038-0039], and Fig. 2; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application. Further, the art teaches that the access attempt is blocked (i.e., precluding) when it is identified as fraudulent; Fig. 2 (S270))). 
            Most doesn’t explicitly disclose that the score is a probability score.
            However, Jakobsson discloses comparing the determined probability to a predetermined threshold value to identify a security threat (Parag. [0052]; (The art teaches that a risk is identified by determining the conditional probability, comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches)). 
It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the risk score taught by Most to identify the probability score taught by Jakobsson. This would be convenient for performing a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score); and performing authenticity analysis may include determining a measure of confidence that a sender identified in the message (e.g., domain of sender) is the actual sender of the message (Parag. [0033-0034]).  
                               
Claim 20. 	Most in view of Jakobsson discloses the system of claim 16, 
Most further discloses wherein regulating the first entity's access to the at least one network-based resource is based on a change in the first entity's position over time (Parag. [0013]; (The art teaches identifying a first access attempt to a cloud application at a first time and from a first location; identifying a second access attempt to a cloud application at a second time and from a second location; computing a velocity between the first access attempt and the second access attempt based on the first time, the second time, the first location, and the second location)).  

Claim 21 is taught by Most in view of Jakobsson as described for claim 6.   

Claim 22 is taught by Most in view of Jakobsson as described for claim 7.  

Claim 23. 	Most in view of Jakobsson discloses the system of claim 16,  
Most further discloses wherein regulating the first entity's access to at least one network-based resource comprises permitting the first entity's access to at least one resource when the determined score is inside the predetermined threshold and restricting the first entity's access to at least one resource when the determined score is outside the predetermined threshold (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score is computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall thread (i.e., security threat) for the cloud application)). 
Most doesn’t explicitly disclose that the score is a probability score.
            However, Jakobsson discloses comparing the determined probability to a predetermined threshold value to identify a security threat (Parag. [0052]; (The art teaches that a risk is identified by determining the conditional probability, comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches)). 
It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the risk score taught by Most to identify the probability score taught by Jakobsson. This would be convenient for performing a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score); and performing authenticity analysis may include determining a measure of confidence that a sender identified in the message (e.g., domain of sender) is the actual sender of the message (Parag. [0033-0034]).  

Claim 24. 	Most discloses a method for regulating access to respective network-based resources by at least one computing device, each such computing device configured to receive information representing access to and/or access requests to resources on at least one network (Parag. [0027]; (The art teaches a managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts)), the method comprising:  
detecting electronic access to a first network-based resource at a first time by a first entity (i.e., user), wherein the first network-based resource, the first entity, and a first physical location of an endpoint of the first entity are represented directly or indirectly by information received by the computing device (Parag. [0027], Parag. [0044], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a first access attempt is identified. The identification includes determining the location (i.e., first location) and time (i.e., first time) of the access attempt. Each access attempt may be detected based on information regarding log-ins and attempted access received or retrieved from a SSO server. The location of an access attempt may be determined based on, e.g., a source internet protocol (IP) address of the device requesting the log-in. The time of the first access attempt may be determined and recorded at the time of the first access attempt. Also, see Parag. [0013-0014])); 
detecting a request for access to, access to, or both the request for access and access to a second network-based resource at a second time by the first entity, wherein the second network-based resource, the first entity, and a second physical location of the endpoint of the first entity are represented directly or indirectly by information received by at least one computing device (Parag. [0027], Parag. [0045], and Fig. 2; (The art teaches the managed proxy 120 that is configured to determine whether or not to grant a client device 130-1 or 130-2 access to the cloud application based on identification of a velocity event. A velocity event is defined as two subsequent or access attempts by a user to the same application or different applications during a time interval that is not sufficiently long given the difference in distance between the access attempts. The art teaches that a second access attempt is identified. The identification includes determining a time (i.e., second time) and location (i.e., second location) of the second access attempt. The second access attempt may be for the same application as the first attempt, or for a cross-application (i.e., the second network-based resource) log-in. Also, see Parag. [0013-0014]));     
calculating, at any of the computing device(s), a period of elapsed time between the first time and the second time (Parag. [0045]; (The art teaches that a difference in time between the time of the first access event and the time of the second access event is determined));  
calculating, at any of the computing device(s), a distance between the first physical location and the second physical location (Parag. [0045]; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined));   
processing, at any of the computing device(s), the period of elapsed time and the distance between the first physical location and the second physical location to determine a score of the first entity accessing or requesting access to the second network-based resource from the second physical location within the period of elapsed time (Parag. [0045-0048] and Fig. 2; (The art teaches that a distance between the location of the first access attempt and the location of the second access attempt is determined. Additionally, a difference in time between the time of the first access event and the time of the second access event is determined. The required velocity is determined to be equal to the quotient of the determined distance by the determined time difference. Upon determining that the required velocity exceeds the threshold velocity, a velocity event is identified and it is checked whether the velocity event represents a fraudulent attempt to access the cloud application. To determine whether the access attempt is fraudulent, a risk score may be computed using a decision tree. The risk score may be used to determine whether the velocity event is a false positive. A false positive occurs when the second access attempt was not fraudulent despite the detection of the velocity event. As a non-limiting example, an access attempt via a virtual private network (VPN) connection may not be fraudulent despite triggering a velocity event. The computation of risk scores may be based on information related to previous access attempts as maintained in the user profile));   
comparing, at any of the computing device(s), the determined score to a predetermined threshold value to identify a security threat (Parag. [0028] and Parag. [0038-0039]; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected ; and 
precluding, in response to the identified security threat, the first entity's access to at least one network-based resource (Parag. [0028], Parag. [0038-0039], and Fig. 2; (The art teaches that the managed proxy is configured to detect velocity events and to take protective action based on a security policy defined for the cloud application or the cloud platform. The policy may block access to the cloud application, raise a security alert, ignore a velocity event, grant only limited access to the cloud application, and so on. Each velocity event represents a potentially unauthorized access. In an embodiment, a velocity event may be detected by the managed proxy based in part on information regarding access attempts received or retrieved from the SSO server. The art teaches that the risk score computed for a velocity attempt may be compared to a certain threshold. The threshold may be different for users and/or for different applications. The risk scores’ respective computed velocity events may be considered by the managed proxy to determine an overall threat (i.e., security threat) for the cloud application. Further, the art teaches that the access attempt is blocked (i.e., precluding) when it is identified as fraudulent; Fig. 2 (S270))).
            Most doesn’t explicitly disclose that the score is a probability score.
            However, Jakobsson discloses comparing the determined probability to a predetermined threshold value to identify a security threat (Parag. [0052]; (The art teaches that a risk is identified by determining the conditional probability, comparing the probability to at least one threshold and assigning an associated risk score, by algebraically converting the probability to a risk score, or a combination of these approaches)).
It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the risk score taught by Most to identify the probability score taught by Jakobsson. This would be convenient for performing a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score); and performing authenticity analysis may .  

Claims 4, 19, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Most et al. (Pub. No. US 2017/0155652), hereinafter Most, in view of Jakobsson (Pub. No. US 2018/0152471), and in view of Demsey et al. (Pub. No. US 2018/0247339), hereinafter Demsey. 

Claim 4. 	Most in view of Jakobsson discloses the method of claim 1, 
The combination doesn’t explicitly disclose the method further comprising: defining, by the computing device, a plurality of geographic zones, each geographic zone comprising a respective radius which represents a calculated distance from the first physical location based on a predetermined travel speed of the first entity, wherein processing, by the computing device, the distance between the first physical location and the second physical location is further based on at least one of the respective geographic zones. 
            However, Demsey discloses defining, by the computing device, a plurality of geographic zones, each geographic zone comprising a respective radius which represents a calculated distance from the first physical location based on a predetermined travel speed of the first entity, wherein processing, by the computing device, the distance between the first physical location and the second physical location is further based on at least one of the respective geographic zones (Parag. [0005] and Parag. [0025]; (The art teaches identifying a first geographical zone associated with the fixed location; identifying a second geographical zone associated with the fixed location; generating a plurality of directional vectors for quantifying the displacement of any one of the plurality of electronic devices traveling between the first geographical zone and the second geographical zone. Both the inner and outer boundaries may be defined by radii or other lengths or shapes relative to fixed location. Alternatively, both the inner and outer boundaries may be defined by travel times and/or distances relative to fixed location. Alternatively, the inner boundary may be defined by a radius or distance from fixed location, whereas the outer boundary may be defined by a travel time and/or distance relative to fixed location. Alternatively, the inner boundary may be defined by a travel time and/or distance relative to fixed location, whereas the outer boundary may be defined by a radius or distance from fixed location)).
             It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the combination to incorporate the teachings of Demsey. This would be convenient for modeling predictive analytics for electronic devices traveling between a first geographical zone and a second geographical zone (Parag. [0001]).

Claim 19 is taught by Most in view of Jakobsson and Demsey as described for claim 4.  

Claim 27 is taught by Most in view of Jakobsson and Demsey as described for claim 4.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Most et al. (Pub. No. US 2017/0155652), hereinafter Most, in view of Jakobsson (Pub. No. US 2018/0152471), and in view of Moonen (Pub. No. US 2018/0338243). 

Claim 9. 	Most in view of Jakobsson discloses the method of claim 1, 
Most further discloses wherein accessing or requesting access to the second network-based resource by the first entity occurs by logging into a computing device physically located away from the first network-based resource (Parag. [0044-0045]; (The art teaches that each access attempt may be detected based on information regarding log-ins and attempted access received or retrieved from a SSO server. The location of an access attempt may be determined based on, e.g., a source internet protocol (IP) address of the device requesting the log-in)).    
The combination doesn’t explicitly disclose wherein accessing the first network-based resource by the first entity physically occurs by scanning an identification card.
However, Moonen discloses wherein accessing the first network-based resource by the first entity physically occurs by scanning an identification card (Parag. [0023]; (The art teaches an authentication procedure performed by a user on a portable device to verify that an authorized user of a scanned smart card requests access to the server (i.e., resource) via said portable device (i.e., the user accesses a resource by scanning a smart card for authentication, as consistent with the applicant’s definition))).
It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify the combination to incorporate the teaching of  for authenticating the user in requesting access to the server (Parag. [0023]).

Claims 28, 30, and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Most et al. (Pub. No. US 2017/0155652), hereinafter Most, in view of Jakobsson (Pub. No. US 2018/0152471), and in view of Hua et al. (Pub. No. US 2020/0396356), hereinafter Hua.

Claim 28. 	Most in view of Jakobsson discloses the method of claim 1, 
Most discloses that the distance between the first physical endpoint and the second physical endpoint is calculated. 
Most doesn’t explicitly disclose that the distance is calculated using the equation: 

    [Equation image: media_image1.png]
 
However, Hua discloses that the distance is calculated using the above equation (Parag. [0050]; (The art teaches that the radial distance, or radius, may be calculated by implementing equation 1 using one or more digital logic components/devices: $\text{Radius} = \sqrt{(x_{\mathrm{pixel}} - X_{\mathrm{image\_center}})^2 + (y_{\mathrm{pixel}} - Y_{\mathrm{image\_center}})^2}$, i.e., this equation is well known in mathematics for calculating the distance between two points with x and y coordinates)).
   It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify Most to incorporate the teachings of Hua. This would be convenient for providing an accurate equation to calculate the distance between two locations.
Claim 30 is taught by Most in view of Jakobsson and Hua as described for claim 28.

Claim 32 is taught by Most in view of Jakobsson and Hua as described for claim 28.

Claims 29, 31, and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Most et al. (Pub. No. US 2017/0155652), hereinafter Most, in view of Jakobsson (Pub. No. US 2018/0152471), and in view of Kufluk et al. (Pub. No. US 2014/0164761), hereinafter Kufluk.
Claim 29. 	Most in view of Jakobsson discloses the method of claim 1,  
Most doesn’t explicitly disclose wherein the distance between the first physical endpoint and the second physical endpoint is calculated using two points on a sphere given respective latitude and longitude values of each of the first physical endpoint and the second physical endpoint.  
However, Kufluk discloses wherein the distance between the first physical endpoint and the second physical endpoint is calculated using two points on a sphere given respective latitude and longitude values of each of the first physical endpoint and the second physical endpoint (Parag. [0031] and Parag. [0034]; (The art teaches Client computers 120, 130, and 140 include locations 126, 136, and 146, respectively. Locations 126, 136, and 146 represent the physical location of the respective client computers, as determined by the respective location devices 115, 117, and 119. Locations 126, 136, and 146 may be represented as coordinates, such as latitude and longitude, or may be represented by a distance and direction from a designated reference point, or may be represented in some other manner of distinct location. Locations 126, 136, and 146 may be determined by a first location device and verified by a second location device. The location information of a client computer, derived, for example, from location 126, 136 or 146, may be scaled to represent an area of a designated size, which can be set as a larger or smaller area to match a predetermined proximity condition or proximity condition for an authorization policy. Location proximity may refer to geographical location, relative location (within defined areas), or may refer to a computing device connection to a particular physical network node, subnet, wireless network node, router, cell-phone tower, or other connection point that can be identified and referred to as a location. Similarly, distances between locations may be determined as a straight line or Euclidean calculations, or distances between locations may be determined as two points on the surface of a sphere when great circle distances are used for calculations)).
It would be obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention to modify Most to incorporate the teachings of Kufluk. This would be convenient for managing authorization requests for a resource based on the distance calculated (i.e., using locations coordinates) (Parag. [0005]).

Claim 31 is taught by Most in view of Jakobsson and Kufluk as described for claim 29.  

            Claim 33 is taught by Most in view of Jakobsson and Kufluk as described for claim 29.
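
The velocity check described above for Most (required velocity as the quotient of distance by time difference, compared to a threshold velocity), computed with the great-circle distance described for Kufluk, is shown here as an added Python illustration; it is not code from this Office action or from the cited references. The 900 km/h threshold, the record layout and the sample log-ins are assumptions.

```python
"""Velocity-event ("impossible travel") check over log-in records.
Added illustration: names, threshold and sample records are assumptions."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0088   # mean Earth radius
THRESHOLD_KMH = 900.0         # assumed threshold velocity (about airliner cruise speed)


@dataclass(frozen=True)
class Access:
    user: str
    resource: str
    when: datetime
    lat: float   # degrees, e.g. geolocated from the source IP address
    lon: float


def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance between two latitude/longitude points on a sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(min(1.0, math.sqrt(a)))


def required_velocity_kmh(first, second):
    """Distance / elapsed time; infinite if the location changed in zero time."""
    dist = great_circle_km(first.lat, first.lon, second.lat, second.lon)
    hours = abs((second.when - first.when).total_seconds()) / 3600.0
    if hours == 0:
        return 0.0 if dist == 0 else math.inf
    return dist / hours


def velocity_events(accesses, threshold_kmh=THRESHOLD_KMH):
    """Return (previous, current, km/h) for consecutive accesses by the same
    user, to the same or a different resource, that exceed the threshold."""
    events, last = [], {}
    for acc in sorted(accesses, key=lambda a: a.when):   # tolerate unordered logs
        prev = last.get(acc.user)
        if prev is not None:
            v = required_velocity_kmh(prev, acc)
            if v > threshold_kmh:
                events.append((prev, acc, v))
        last[acc.user] = acc
    return events


def _t(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample records (not real log data).
SAMPLE = [
    Access("alice", "crm", _t("2022-01-10T08:00:00"), 40.7128, -74.0060),  # New York
    Access("alice", "mail", _t("2022-01-10T09:00:00"), 51.5074, -0.1278),  # London, 1 h later
    Access("bob", "crm", _t("2022-01-10T08:00:00"), 48.8566, 2.3522),      # Paris
    Access("bob", "crm", _t("2022-01-10T12:00:00"), 52.5200, 13.4050),     # Berlin, 4 h later
]

if __name__ == "__main__":
    for prev, cur, v in velocity_events(SAMPLE):
        print(f"{cur.user}: {prev.resource} -> {cur.resource} requires {v:.0f} km/h")
```

A flagged pair is only a candidate: as the passage on Most notes, a log-in over a VPN can trigger a velocity event without being fraudulent, which is why the event feeds a risk score instead of blocking outright.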

Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ojha et al. (US 2020/0092298) – Related art in the area of Authorized Data Source validation of evidence tool (Parag. [0081], receiving, at a first time, a first resource access request from a first computing device that is situated at a first location; receiving, at a second time, a second resource access request from a second computing device that is situated at a second location, wherein the second computing device is different from the first computing device; determining, based on comparisons between the first time, the second time, the first location, and the second location, whether or not travel between the first location and the second location can be done by the potentially unauthorized user within a given time period; identifying a potentially unauthorized access when a determined time period of travel between the first location and the second location is outside the given time period; and determining that the potentially unauthorized access is deemed as an authorized access by using configuration and activity information that corresponds to the potentially unauthorized user).   
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Examiner, Art Unit 2442                                                                                                                                                                                                       
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442