Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the instant Application 16/904,443 filed on 6/17/2020. Claims 1-15 are pending. This Office Action is Non-Final.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 6-10 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
	Regarding claim 6; claim 6 is rejected under 35 U.S.C. 101 because the claims is directed to non-statutory subject matter.  Claim 6 recites “computer program product”.  Under a recent precedential opinion, the scope of the recited ““computer program product” encompasses transitory media such as signals or carrier waves, where, as here the Specification does not limit the computer readable storage medium to non-transitory forms.  See Ex parte Mewherter, 107 USPQ2d 1857, 1862 (PTAB 2013) (precedential) (holding recited machine-readable storage medium ineligible under § 35 U.S.C. 101 since it encompassed transitory media).  The Examiner respectfully suggests that the claim be amended to either “A non-transitory computer program product” or “computer program product storage device” to make the claim statutory under 35 USC 101; (emphasis added).
	Regarding claims 7-10; claims 7-10 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 6, 8, 11 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bott (US 2016/0072834) in view of Krishnamoorthy et al. (US 2020/0042723).

	As per claim 1, Bott teaches a method for determining a risk score of a communication network, the method comprising: receiving network traffic metadata from user interactions on a user device, the network traffic metadata associated with user logins to an entity via the communication network; constructing a plurality of digital signatures of the network traffic metadata associated with the user device, wherein the plurality of digital signatures are adjusted using a signature calculation process (Bott, Paragraph 0034 recites “Monitoring module 206 is configured to monitor data traffic 212 associated with a computing device. As described herein, in contrast to conventional configurations which use code signatures for identifying and protecting against malware, the present disclosure uses data traffic signature. Monitoring module 206 can include data collection software installed on the computing device 200. Device activity data normally recorded by the device can also be collected by monitoring module 206. Device activity data can be stored in counters, logs, or system files (not shown) and device activity information may be copied, extracted, parsed, or otherwise obtained from these sources by monitoring module 206 for creating a traffic signature for the device 200.”). 
	But fails to teach determining a first reference model for the network traffic metadata, wherein a first subset of the user logins to the entity via the communication network are associated with multi-factor authentication; determining a second reference 
	However, in an analogous art Krishnamoorthy teaches  determining a first reference model for the network traffic metadata, wherein a first subset of the user logins to the entity via the communication network are associated with multi-factor authentication; determining a second reference model for the network traffic metadata, wherein a second subset of the user logins to the entity via the communication network are associated with non-multi-factor authentication; and calculating a risk score based on a comparison of the first subset of the user logins to the entity network and the second subset of the user logins to the entity via the communication network found in the network data (Krishnamoorthy, Paragraph 0018 recites “Subsequent to collection of the attributes/information associated with a user 105 engaging in the static, dynamic authentication, and/or multi-factor authentication, the authentication server 120 passes the collected attributes (identified with a "2" within a circle) to a risk score engine 125 of risk assessment platform 100. Risk score engine 125 uses a process for determining a risk score, that identifies a level of risk of identity fraud, associated with user 105 attempting to access protected digital resources, based on the collected attributes. The risk score, therefore, represents a score that serves as a proxy for identifying whether or not the user 105 is likely to be the user/person/entity that user 105 is claiming to be when attempting to access digital resources. The risk score determination process, in one implementation, may calculate a weighted sum associated with the collected attributes to determine a risk score associated with user 105, as described in further detail below. Risk score engine 125 may, in one implementation, include a machine learning system that uses a Bayesian computation set for determining the risk score for each user 105. Upon determination of the current risk score for user 105, risk score engine 125 passes the risk score (identified with a "3" within a circle) to authentication server(s) 120 which, in turn, passes the risk score (identified with a "4" within a circle) to policy manager 130.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Krishnamoorthy’s identity fraud risk engine platform with Bott’s device activity and data traffic signature-based detection of mobile device health because the use of having different attributes when calculating a risk score will result in a more accurate score for determining risk.  

	As per claim 3, Bott in combination with Krishnamoorthy teaches the method of claim 1, Krishnamoorthy further teaches wherein a subset of the plurality of digital signatures are associated with an unclassified authentication process (Krishnamoorthy, Paragraph 0018 recites “Subsequent to collection of the attributes/information associated with a user 105 engaging in the static, dynamic authentication, and/or multi-factor authentication, the authentication server 120 passes the collected attributes (identified with a "2" within a circle) to a risk score engine 125 of risk assessment platform 100. Risk score engine 125 uses a process for determining a risk score, that identifies a level of risk of identity fraud, associated with user 105 attempting to access protected digital resources, based on the collected attributes. The risk score, therefore, represents a score that serves as a proxy for identifying whether or not the user 105 is likely to be the user/person/entity that user 105 is claiming to be when attempting to access digital resources. The risk score determination process, in one implementation, may calculate a weighted sum associated with the collected attributes to determine a risk score associated with user 105, as described in further detail below. Risk score engine 125 may, in one implementation, include a machine learning system that uses a Bayesian computation set for determining the risk score for each user 105. Upon determination of the current risk score for user 105, risk score engine 125 passes the risk score (identified with a "3" within a circle) to authentication server(s) 120 which, in turn, passes the risk score (identified with a "4" within a circle) to policy manager 130.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Krishnamoorthy’s identity fraud risk engine platform with Bott’s device activity and data traffic signature-based detection of mobile device health because the use of having different attributes when calculating a risk score will result in a more accurate score for determining risk.  

Regarding claims 6 and 11, claims 6 and 11 are directed to a computer program product and system associated with the method of claim 1. Claims 6 and 11 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claims 8 and 13, claims 8 and 13 are directed to a computer program product and system associated with the method of claim 3. Claims 8 and 13 are of similar scope to claim 3, and are therefore rejected under similar rationale.

Claims 2, 7 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bott (US 2016/0072834) and Krishnamoorthy et al. (US 2020/0042723) and in further view of Jain et al. (US 2016/0036838).

	As per claim 2, Bott in combination with Krishnamoorthy teaches the method of claim 1, but fails to teach wherein the signature calculation process is a dynamic time warping process.
	However, in an analogous art Jain teaches wherein the signature calculation process is a dynamic time warping process (Jain, Paragraph 0048 recites “Finally, the traffic analyzer component 404 can use a variety of change detection algorithms (e.g., dynamic time warping, ARMA, EWMA) on the traffic state, for instance, to detect traffic spikes over a period of time. Output of these algorithms is stored in a traffic change estimation table, which can be used to identify anomalous network flows attacking the data center network and/or its hosted tenants.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Jain’s data center architecture that supports attack detection and mitigation with Bott’s device activity and data traffic signature-based detection of mobile device health because the use of dynamic time warping has the advantage to help better analyze network traffic.

Regarding claims 7 and 12, claims 7 and 12 are directed to a computer program product and system associated with the method of claim 2. Claims 7 and 12 are of similar scope to claim 2, and are therefore rejected under similar rationale.




Claims 4, 5, 9, 10, 14 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bott (US 2016/0072834) and Krishnamoorthy et al. (US 2020/0042723) and in further view of Llanos Alonso et al. (US 2018/0338010).

	As per claim 4, Bott in combination with Krishnamoorthy teaches the method of claim 3, but fails to teach wherein the subset of the plurality of digital signatures that are associated with the unclassified authentication process are compared with the first reference model and the second reference model using a cosine similarity process.
(Llanos Alonso, Paragraph 0044 recites “Stage 6, Apply the similarity (6) on each interval and signatures: traffic vectors are here compared against app signatures via the known cosine similarity method (described, for example, by Li, B. et al. in "Distance weighted cosine similarity measure for text classification", Intelligent Data Engineering and Automated Learning--IDEAL, volume 8206 of Lecture Notes in Computer Science, Springer, pp. 611-618, 2013). The maximum value for an app signature results in the definition of a tern user-app-value for that block. A list of terns is generated for the traffic.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Llanos Alonso’s method for detecting applications of mobile user terminals with Bott’s device activity and data traffic signature-based detection of mobile device health because the use of cosine similarity is a less complex way to perform similarity analysis.

	As per claim 5, Bott in combination with Krishnamoorthy teaches the method of claim 3, but fails to teach wherein the subset of the plurality of digital signatures that are associated with the unclassified authentication process are classified as multi-factor authentication or non-multi-factor authentication based on greater similarity to the first reference model or the second reference model, respectively, or based on an absolute values of cosine calculations.
(Llanos Alonso, Paragraph 0044 recites “Stage 6, Apply the similarity (6) on each interval and signatures: traffic vectors are here compared against app signatures via the known cosine similarity method (described, for example, by Li, B. et al. in "Distance weighted cosine similarity measure for text classification", Intelligent Data Engineering and Automated Learning--IDEAL, volume 8206 of Lecture Notes in Computer Science, Springer, pp. 611-618, 2013). The maximum value for an app signature results in the definition of a tern user-app-value for that block. A list of terns is generated for the traffic.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Llanos Alonso’s method for detecting applications of mobile user terminals with Bott’s device activity and data traffic signature-based detection of mobile device health because the use of cosine similarity is a less complex way to perform similarity analysis.

Regarding claims 9 and 14, claims 9 and 14 are directed to a computer program product and system associated with the method of claim 4. Claims 9 and 14 are of similar scope to claim 4, and are therefore rejected under similar rationale.

Regarding claims 10 and 15, claims 10 and 15 are directed to a computer program product and system associated with the method of claim 5. Claims 10 and 15 are of similar scope to claim 5, and are therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439