DETAILED ACTION
Claims 1-20 are presented on 09/10/2020 for examination on merits. Claims 1, 11, and 19 are independent base claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-6, 8-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi (US 20180288063 A1; hereinafter “Koo”) in view of Levy (US 20210326467 A1).

As per claim 1, Koo teaches a method of determining risk metrics, comprising: 
providing, by a device, a risk model for a network environment, the risk model comprising a plurality of levels (Koo, par. 0020-0021: a behavior model associated with the user to obtain a behavior-based risk; par. 0031: for preventing insider attacks from within a system, the behavior model [is used] with each of the users to obtain a behavior based risk for each of the users), the plurality of levels comprising: 
an input level configured to process first datasets each corresponding to one of a plurality of features and one of a plurality of time windows (Koo, par. 1048-1049: At step 1015, an occurrence of a security event is determined within the one or more live information; par. 0157 and 0162: a threshold level …associated with threat based on a user input), the first datasets comprising factors on access requests in the network environment (Koo, par. 0156: multiple factors such as a pattern of system usage by users or a group of users that are similar to each of the users, a pattern of resource usage by users or a group of users similar to each of the users, a percentage of time spent on each system or resource by users or a group of users similar to each of the users, and so on); 
an output level configured to generate a first aggregate risk metric of a first access request according to the datasets processed by the input level, the plurality of levels of the risk model updated using the first aggregate risk metric (Koo, par. 0162: at step 1245, output … the live information flows including the plurality of sources and the plurality of destinations … which may be displayed within the user interface; par. 0152: a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
identifying, by the device, responsive to a second access request, a second dataset corresponding to the second access request over the plurality of features and the plurality of time windows (Koo, par. 0149-0150: identifying ... data associated with an access request, which may be over a second time window; see par. 0162-0163 wherein Koo determines different time durations for analyzing different access requests; a time duration may be a predetermined period of time of at least 5 minutes, at least 10 minutes, at least 30 minutes, or at least one hour; a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
determining, by the device, a second aggregate risk metric for the second access request by applying the second dataset to the risk model (Koo, par. 0088: determining by 
However, Koo does not explicitly disclose a response being generated to the second access request in accordance with an access control policy and the second aggregate risk metric.  This aspect of the claim is identified as a difference.
In a related art, Levy teaches:
generating, by the device, a response to the second access request in accordance with an access control policy and the second aggregate risk metric (Levy, par. 0060-0061: use rule evaluation to parse network access requests and apply policies: The threat management facility 100 may control access to the enterprise facility 102 with adjusted policies and risks/a second risk score; par. 0184-0185; par. 0088: in response to a risky access request, a dynamic multifactor authenticator 600 may be used, adjusted according to the levels of privilege for a user; par. 0201-0202).
Koo and Levy are analogous art, because they are in a similar field of endeavor in improving risk assessment to facilitate user authentication process.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Koo with Levy’s teaching on using adjusted security policies to determine how to respond to an access request with multifactor authentication.  For this combination, the motivation would have been to improve the level of security with dynamically adjusted multifactor authentication according to the levels of risk.

As per claim 2, the references as combined above teach the method of claim 1, wherein the plurality of levels of the risk model further comprises an intermediate level Levy, par. 0114: identifying intermediate threats, e.g., with the integrative model. The one or more intermediate threats may include one or more computing objects with an objective score from the integrative model that are not within a predetermined confidence level of a safe score or a malicious score; par. 0118-0120: the intermediate threats).

As per claim 3, the references as combined above teach the method of claim 1, wherein the output level of the risk model further comprises a subtractor configured to determine an aggregate error metric between a result generated by a set of transformation layers of the output level and an input to the set of transformation layers (Levy, par. 0156: violation of an enterprise policy may be detected when an unauthorized user; note that the violation here is the error metric; par. 0121: the threat management facility is configured to remediate a risk to an endpoint in response to a user input received through the user interface; par. 0154-0155: evaluating a trustworthiness of one or more users).

As per claim 4, the references as combined above teach the method of claim 1, wherein providing the risk model further comprises updating, concurrent to updating the output level, the input level based at least on a comparison between (i) a result of processing a dataset of a corresponding factor of the plurality of factors and a corresponding time window of the plurality of time windows and (ii) an expected output from processing the dataset (Levy, par. 0085-0086: Real-time and retrospective threat intelligence may also be included… for Levy discloses making comparisons to new event vectors in the event stream 1604; par. 0193).

As per claim 5, the references as combined above teach the method of claim 1, wherein providing the risk model further comprises establishing the risk model using a training dataset, the training dataset comprising metrics on access requests verified as safe for the network environment (Levy, par. 0010 and par. 0125-0127: include training a machine learning algorithm to estimate the business value (i.e., the training dataset) based on a training set of files each having a known business value; a training set of known safe and known unsafe threat samples; par. 0113).

As per claim 6, the references as combined above teach the method of claim 1, wherein the second dataset comprises second factors associated with the second access request, the second factors comprising at least one of a user, a device, an application, a network address, or a location (Levy, par. 0163: a request is initiated by a user… with an event vector 1410; par. 0173-0174: unknown network address …vs. permitted network addresses; where the event stream 1414 deviates from a baseline of expected activity that is described in the entity models 1420 for one or more entities, any number of responses may be initiated by the response facility 1424 of the threat management facility 1412).

As per claim 8, the references as combined above teach the method of claim 1, further comprising determining, by the device using the risk model, for a first feature of the plurality of features and for a first time window of the plurality of time windows, a contribution metric (Koo, par. 0063: Nonetheless, as the user types in the credentials, the system may determine whether these credentials typically come from a particular server and determines that additional challenges may need to be presented to the user if there is suspicious activity. By the time the 

As per claim 9, the references as combined above teach the method of claim 1, wherein generating the response further comprises comparing the second aggregate risk metric to a threshold metric defined by the access control policy (Levy, par. 0181 and 0185: comparing risk score with a threshold; when the second risk score exceeds a second threshold, the method 1500 may include deploying a second remedial action).

As per claim 10, the references as combined above teach the method of claim 1, wherein generating the response further comprises applying at least one of an access rule or a static score to the access control policy (Koo, par. 0088 and 0096: The rules may include … a predetermined time.  Other access rules include a specification of a destination (e.g., URI, host name, destination IP address or port, etc. of a target system or resource such as an application or service), a source (e.g., a user ID, designation for a group of users, an IP address for a client device, etc.)).

As per claim 11, Koo teaches a device, comprising: 
at least one processor coupled with memory (Koo, par. 0060-0061), the at least one processor configured to: 
provide a risk model for a network environment, the risk model comprising a plurality of levels (Koo, par. 0020-0021: a behavior model associated with the user to obtain a behavior-
an input level configured to process first datasets each corresponding to one of a plurality of features and one of a plurality of time windows (Koo, par. 1048-1049: At step 1015, an occurrence of a security event is determined within the one or more live information; par. 0157 and 0162: a threshold level …associated with threat based on a user input), the first datasets comprising factors on access requests in the network environment (Koo, par. 0156: multiple factors such as a pattern of system usage by users or a group of users that are similar to each of the users, a pattern of resource usage by users); 
an output level configured to generate a first aggregate risk metric of a first access request according to the datasets processed by the input level, the plurality of levels of the risk model updated using the first aggregate risk metric (Koo, par. 0162: at step 1245, output … the live information flows including the plurality of sources and the plurality of destinations … which may be displayed within the user interface; par. 0152: a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
identify, responsive to a second access request, a second dataset corresponding to the second access request over the plurality of features and the plurality of time windows (Koo, par. 0149-0150: identifying ... data associated with an access request, which may be over a second time window; see par. 0162-0163 wherein Koo determines different time durations for analyzing different access requests; a time duration may be a predetermined period of time of at least 5 minutes, at least 10 minutes, at least 30 minutes, or at least one hour; a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
Koo, par. 0088: determining by analysis… a pattern in which a user accesses various applications …, and when network traffic or a user activity pattern corresponding to the behavior model is anomalous, a threat perception for the user is updated to reflect the anomalous activity and the enforcement action; note here that the activity pattern, threat perception, and the enforcement action collectively form the second aggregate risk metric for the second access request); and 
However, Koo does not explicitly disclose a response being generated to the second access request in accordance with an access control policy and the second aggregate risk metric.  This aspect of the claim is identified as a difference.
In a related art, Levy teaches:
generate a response to the second access request in accordance with an access control policy and the second aggregate risk metric (Levy, par. 0060-0061: use rule evaluation to parse network access requests and apply policies: The threat management facility 100 may control access to the enterprise facility 102 with adjusted policies and risks/a second risk score; par. 0184-0185; par. 0088: in response to a risky access request, a dynamic multifactor authenticator 600 may be used, adjusted according to the levels of privilege for a user; par. 0201-0202).
Koo and Levy are analogous art, because they are in a similar field of endeavor in improving risk assessment to facilitate user authentication process.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Koo with Levy’s teaching on using adjusted security policies to determine how to respond to an access request with multifactor authentication.  For this combination, the motivation would have been to improve the level of security with dynamically adjusted multifactor authentication according to the levels of risk.

As per claim 12, the references as combined above teach the device of claim 11, wherein the plurality of levels of the risk model further comprises an intermediate level configured to generate a plurality of risk metrics each generated according to the first datasets from one of the plurality of features over the plurality of time windows processed by the input level, and wherein the output level of the risk model is further configured to generate the first aggregate risk metric using the plurality of risk metrics generated by the intermediate level, the first aggregate risk metric used to update the plurality of levels of the risk model through the input level, the intermediate level, and the output level (Levy, par. 0114: identifying intermediate threats, e.g., with the integrative model. The one or more intermediate threats may include one or more computing objects with an objective score from the integrative model that are not within a predetermined confidence level of a safe score or a malicious score; par. 0118-0120: the intermediate threats).

As per claim 13, the references as combined above teach the device of claim 11, wherein the output level of the risk model further comprises a subtractor configured to determine an aggregate error metric between a result generated by a set of transformation layers of the output level and an input to the set of transformation layers (Levy, par. 0156: violation of an enterprise policy may be detected when an unauthorized user; note that the violation here is the error metric; par. 0121: the threat management facility is configured to remediate a risk to an endpoint in response to a user input received through the user interface; par. 0154-0155: evaluating a trustworthiness of one or more users).

As per claim 14, the references as combined above teach the device of claim 11, wherein the at least one processor is further configured to update, concurrent to updating the output level, the input level based at least on a comparison between (i) a result of processing a dataset of a corresponding feature of the plurality of features and a corresponding time window Levy, par. 0085-0086: Real-time and retrospective threat intelligence may also be included… for updating… dynamic policies 571 … to better fit the security profile to the environment. Levy discloses making comparisons to new event vectors in the event stream 1604; par. 0193).

As per claim 15, the references as combined above teach the device of claim 11, wherein the at least one processor is further configured to establish the risk model using a training dataset, the training dataset comprising metrics on access requests verified as safe for the network environment.

As per claim 17, the references as combined above teach the device of claim 11, wherein the at least one processor is further configured to determine, using the risk model, for a first feature of the plurality of features and for a first time window of the plurality of time windows, a contribution metric (Levy, par. 0010 and par. 0125-0127: include training a machine learning algorithm to estimate the business value (i.e., the training dataset) based on a training set of files each having a known business value; a training set of known safe and known unsafe threat samples; par. 0113).

As per claim 18, the references as combined above teach the device of claim 11, wherein the at least one processor is further configured to apply at least one of an access rule or a static score to the access control policy (Koo, par. 0088 and 0096: The rules may include … a predetermined time.  Other access rules include a specification of a destination (e.g., URI, host name, destination IP address or port, etc. of a target system or resource such as an application or service), a source (e.g., a user ID, designation for a group of users, an IP address for a client device, etc.)).


As per claim 19, Koo teaches a non-transitory computer readable medium storing instructions that when executed cause at least one processor to: 
provide a risk model for a network environment, the risk model comprising a plurality of levels (Koo, par. 0020-0021: a behavior model associated with the user to obtain a behavior-based risk; par. 0031: for preventing insider attacks from within a system, the behavior model [is used] with each of the users to obtain a behavior-based risk for each of the users), the plurality of levels comprising: 
an input level configured to process first datasets each corresponding to one of a plurality of features and one of a plurality of time windows, the first datasets comprising factors on access requests in the network environment (Koo, par. 1048-1049: At step 1015, an occurrence of a security event is determined within the one or more live information; par. 0157 and 0162: a threshold level …associated with threat based on a user input; par. 0156: multiple factors for determining the access requests); 
an output level configured to generate a first aggregate risk metric of a first access request according to the datasets processed by the input level, the plurality of levels of the risk model updated using the first aggregate risk metric (Koo, par. 0162: at step 1245, output … the live information flows including the plurality of sources and the plurality of destinations … which may be displayed within the user interface; par. 0152: a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
identify, responsive to a second access request, a second dataset corresponding to the second access request over the plurality of features and the plurality of time windows (Koo, par. 0149-0150: identifying ... data associated with an access request, which may be over a second Koo determines different time durations for analyzing different access requests; a time duration may be a predetermined period of time of at least 5 minutes, at least 10 minutes, at least 30 minutes, or at least one hour; a threat perception for the user is determined based on the rule or policy based risk for the user and the behavior based risk for the user); 
determine a second aggregate risk metric for the second access request by applying the second dataset to the risk model (Koo, par. 0088: determining by analysis… a pattern in which a user accesses various applications …, and when network traffic or a user activity pattern corresponding to the behavior model is anomalous, a threat perception for the user is updated to reflect the anomalous activity and the enforcement action; note here that the activity pattern, threat perception, and the enforcement action collectively form the second aggregate risk metric for the second access request); and 
However, Koo does not explicitly disclose a response being generated to the second access request in accordance with an access control policy and the second aggregate risk metric.  This aspect of the claim is identified as a difference.
In a related art, Levy teaches:
generate a response to the second access request in accordance with an access control policy and the second aggregate risk metric (Levy, par. 0060-0061: use rule evaluation to parse network access requests and apply policies: The threat management facility 100 may control access to the enterprise facility 102 with adjusted policies and risks/a second risk score; par. 0184-0185; par. 0088: in response to a risky access request, a dynamic multifactor authenticator 600 may be used, adjusted according to the levels of privilege for a user; par. 0201-0202).
Koo and Levy are analogous art, because they are in a similar field of endeavor in improving risk assessment to facilitate user authentication process.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and modify Koo with Levy’s teaching on using adjusted security policies to determine how to respond to an access request with multifactor authentication.  For this combination, the motivation would have been to improve the level of security with dynamically adjusted multifactor authentication according to the levels of risk.

As per claim 20, the references as combined above teach the non-transitory computer readable medium of claim 19, wherein the instructions cause the at least one processor to update, concurrent to updating the output level, the input level based at least on a comparison between (i) a result of processing a dataset of a corresponding feature of the plurality of features and a corresponding time window of the plurality of time windows and (ii) an expected output from processing the dataset (Levy, par. 0085-0086: Real-time and retrospective threat intelligence may also be included… for updating… dynamic policies 571 … to better fit the security profile to the environment. Levy discloses making comparisons to new event vectors in the event stream 1604; par. 0193).

Allowable Subject Matter
Claims 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 7 and 16 each recite a limitation of “wherein determining the second aggregate risk metric further comprises comparing a first result from the output level generated by applying the second dataset to the risk model, and a second result from the output level generated by applying the first datasets, to generate an excessiveness metric”.  The features of this limitation, in combination with the other limitations in the base claims 1 and 11, respectively, are not anticipated by, nor made obvious over the prior art of record.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
03/25/2022