Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
2.	Applicant’s drawings filed on 09/30/2019 has been inspected and it is compliance with MPEP 608.02.

Specification
3.	The specification filed on 09/30/2019 is acceptable for examination proceedings.

Internet Communications
4. 	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439,
http://www.uspto.gov/sites/defauit/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only. (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03. 

Claim Rejections – 35 USC §103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn et al. (US Pub. No. US 2015/0229664 A1, hereinafter refer as to Hawthorn) in view of Andrews et al. (2016/0292599 A1, hereinafter refer as to Andrews).

Hawthorn provide the method enables utilizing feedback and/or responses associated with presenting and/or transmitting security items and/or training items to determine a risk score for a user, so that users with low risk can be permitted to increased network and system access based on the calculated risk score. The method allows a risk assessment manager to increase the frequency of presenting security item and/or training item to the user with a higher risk score than for a user with a lower risk score, so that the user can positively interact with the security items and/or training items, thus reducing risk score and imposing less network restrictions on the user.
Andrews provides the method enables analyzing data related to operational risks to production computing systems and allowing for creation of scenarios and tolerances which trigger automated risk mitigation plans for execution directly by target production computing systems that support an organization, thus reducing potential or actual risk to operation and/or security of the production computing system. The method enables updating data to prevent unauthorized access to the production system and removal of fraudulent transactions entered into the production system, thus avoiding potentially compromised or unavailable production workflow servers.

As per claim 1, Hawthorn discloses a system comprising: at least one processor; and a memory coupled to the at least one processor (Para 0034: discloses  a system may include a security system, a user system, and a network connecting a security system and a user system, for example), wherein the memory stores: a test database including a plurality of tests and corresponding test rules (fig. 1 and furthermore para. 0007, 0041, 0043, discloses database housed on any user system 104, 106 and/or security system 102 or the network 108, may store, or may connect to external data warehouses that stores, risk score data, input data, scoring metrics, campaign data, template data, and/or other data, for example); a user information database including user data; a profile database including a profile for each user, wherein each profile includes corresponding user scores (fig. 1 and furthermore para. 0073, 0075,0078 discloses the campaign manager 204 may identify and return these templates 114 in a template list 338 with at least the titles/names of the identified templates 114 obtained from the template profile 116, for example); a threshold database including a plurality of thresholds corresponding to test scores and similarity scores; and instructions that, upon execution (para. 0040 discloses user system 104, 106 and/or security system 102 may include one or more network-enabled computers to process instructions for assessing risk associated with an end user, with a group of end users, for example), cause the at least one processor to, in response to receiving interaction parameters of an interaction performed by a user (figs. 2 and 5 and furthermore para. 0095, 0160 discloses , a sophistication score below a first weight threshold may indicate that a template 514 is of a low sophistication level, a sophistication score below a second weight threshold and equal to the first weight threshold may indicate that a template 514 is of a medium sophistication level, and a sophistication score below a third weight threshold and equal to the second weight threshold may indicate that a template 514 is of a high sophistication level, for example): identify a set of tests of the plurality of tests to perform based on the interaction parameters; for each identified test of the set of tests: obtain corresponding test rules, user data corresponding to the user (fig. 1 furthermore, para. 0053 discloses risk assessment agent 142 may monitor a user's interaction with security items 112 and/or training items 124 received from the risk assessment manager 110. Risk assessment agent 142 may identify attributes/characteristics of the user system 104, 106, such as user property data 136 and/or technical information 138, for example), and a profile of the user; calculate a score using the corresponding test rules, user data of the user, and the interaction parameters; adjust the score based on the profile of the user (fig. 1 and furthermore para. 0047 discloses the security system 102 may include hardware and/or software components to build a campaign, transmit campaign data to a user system 104, 106, receive behavioral and/or technical data associated with a campaign from a user system 104, and/or calculate a risk score for each end user, group of end users, and/or organization associated with an end user (e.g., company), for example). 

Hawthorn failed to explicitly discloses obtain a threshold corresponding to the identified test; and in response to the score exceeding the threshold, categorize the interaction within a first category; and in response to the interaction being categorized within the first category, generate and transmit an alert.

Andrews discloses obtain a threshold corresponding to the identified test; and in response to the score exceeding the threshold (para. 0041 discloses Para 41: a user access data is collected to determine where the access was associated with risk because location, distance, and time period threshold suggesting access by a single user is not permissible, for example), categorize the interaction within a first category; and in response to the interaction being categorized within the first category, generate and transmit an alert (para. 0007 discloses the computer program product includes instructions operable to cause the risk mitigation modeler to determine a risk remediation plan based upon the selected risk scenario if at least one of the identified risks meets or exceeds a risk tolerance associated with the selected risk scenario, wherein the risk remediation plan comprises instructions to change one or more data elements based upon the identified risk, and transmit the risk remediation plan to a target production computing system for execution to remediate the identified risks, for example). 

Hawthorn and Andrews are analogous art because they both are directed to computerized method for analyzing and remediating operational risks in production computing systems, and one of ordinary skill in the art would have had a reasonable expectation of success to modify Hawthorn with the specified features of Andrews because they are from the same field of endeavor.

Therefore, it would have been obvious to one ordinary skilled in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Andrews with the teaching of Andrews in order to determining a user access to network resources from different locations within a time period threshold suggests abnormal access [para. 0041 of Andrews]. 

As per claim 2 as applied above in claim1 Hawthorn as modified Andrews  discloses wherein the instructions, upon execution, cause the at least one processor to: in response to the score being within a predetermined range of the threshold, categorize the interaction within a second category (para 0007 of Hawthorn discloses calculating and displaying security score of a user i.e., an “individual user”; Para 0065 of Hawthorn discloses providing detail information of user account, user status; Para of Hawthorn 0060; 179-0180 discloses summary information of a particular user is displayed on an interactive environment as a campaign summary; and See also. fig. 18 of Hawthorn; and Para. 0188 of Hawthorn discloses selecting and presenting user in a report, for example). 

As per claim 3 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the instructions, upon execution, cause the at least one processor to: update the profile corresponding to the user to incorporate the score (para. 0188 of Hawthorn, Para 0060, 0066 of Hawthorn and fig. 3 of Hawthorn para. 0175 of Hawthorn discloses score may be updated with the new score, for example). 

As per claim 4 as applied above in claim1 Hawthorn as modified Andrews discloses wherein: the memory stores a pattern database including known patterns constructed from interaction parameters categorized within the first category; and the instructions (para 0035 of Hawthorn; and Para 151 -158 of Hawthorn: a security agents collect user interaction data i.e., “account exhibiting high risk behavior” of different types including live interaction data and previously collected information related to the user such as IP address of the device used by the user, location of the device used by the user etc.), for example), upon execution, cause the at least one processor to: match characteristics of a known pattern of the known patterns to the interaction parameters to recognize a pattern of the known patterns in the interaction parameters, calculate a similarity score for the recognized pattern based on pattern rules (para. 168-169 of Hawthorn, 173-175 of Hawthorn, selecting collected a user interaction data to calculates risk score; and Para 0176 of Hawthorn discloses, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124, for example), wherein the similarity score is based on a similarity between the interaction parameters and the recognized pattern, adjust the similarity score based on the profile of the user, obtain a similarity threshold corresponding to the recognized pattern, and in response to the similarity score exceeding the similarity threshold, categorize the interaction within the first category (para. 0035 of Hawthorn; and para. 0151 -0158 of Hawthorn: a security agents collect user interaction data i.e., “account exhibiting high risk behavior” of different types including live interaction data and previously collected information related to the user such as IP address of the device used by the user, location of the device used by the user etc.), for example). 


As per claim 5 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the instructions, upon execution, cause the at least one processor to, in response to the interaction being categorized within the first category and receiving interaction feedback indicating the interaction is fraudulent: update the known patterns based on a machine learning algorithm guided by the interaction parameters (para. 0051 of Andrews discloses for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, and/or tactile input, for example). 

As per claim 6 as applied above in claim1 Hawthorn as modified Andrews discloses wherein: the known patterns are constructed by a machine learning algorithm, and the machine learning algorithm is trained using historical user interactions that are confirmed as being categorized within the first category (para 168-169, 173-175 of Andrews discloses selecting collected a user interaction data to calculates risk score; and Para 0176, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”, for example). 
The same motivational statement applies as set forth above in claim 1. 


As per claim 7 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the instructions, upon execution, cause the at least one processor to: store the interaction and interaction parameters in a review database for manual review, and pause the interaction until manual review is complete (para 168-169, 173-175 of Andrews discloses selecting collected a user interaction data to calculates risk score; and Para 0176, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”, for example). 
The same motivational statement applies as set forth above in claim 1.

As per claim 8 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the interaction parameters include metadata that indicates a unique device that initiated a transaction and a geographical location of the unique device upon initiation of the transaction (para. 0041 of Andrews discloses , the risk scenario 108b can be defined with a risk tolerance of zero customer account access attempts from geographical locations more than a certain distance apart (e.g., 3,000 miles) with in a prescribed time period (e.g., two hours), and the data mitigation modeler 108a can determine that the received risk input data indicates five login attempts for the customer account from different locations around the world within thirty minutes of each other—suggesting an attempt to hack the customer account, for example). 
The same motivational statement applies as set forth above in claim 1.
As per claim 9 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the instructions, upon execution, cause the at least one processor to review interaction parameters for a plurality of interactions to identify one or more anomalies among the plurality of interactions (para. 0032 of Hawthorn discloses security item and/or training item may be transmitted to a user system, where the subsequent security item and/or training item is determined based on the risk score associated with a user. Interactions via a user system with subsequent security items and/or training items may result in subsequent response data that may be transmitted to security system where a user's risk score may be updated and/or recalculated based on the subsequent response data, for example). 

As per claim 10 as applied above in claim1 Hawthorn as modified Andrews discloses wherein the user scores included in each user profile are computed from corresponding historical user interactions (para. 0120 of Hawthorn of discloses a campaign may be configured to send different security items 112 and/or training items 124 to different recipients based on a performance history, role, associated group, risk score, and/or the like, for example). 

As per claim 11, Hawthorn discloses a method comprising: storing a test database including a plurality of tests and corresponding test rules (para 0007 of Hawthorn discloses accesses to databases storing detail information such as risk scoring metrics, translation data, for example; and Para 00064 of Hawthorn discloses summary of information, for example); storing a user information database including user data; storing a profile database including a profile for each user (para. 0173-0176 of Hawthorn discloses user profile generation and assessing risk score, for example), wherein each profile includes corresponding user scores; storing a threshold database including a plurality of thresholds corresponding to test scores and similarity scores (fig. 1 and furthermore para. 0073, 0075,0078 discloses the campaign manager 204 may identify and return these templates 114 in a template list 338 with at least the titles/names of the identified templates 114 obtained from the template profile 116, for example); and in response to receiving interaction parameters of an interaction performed by a user (figs. 2 and 5 and furthermore para. 0095, 0160 discloses , a sophistication score below a first weight threshold may indicate that a template 514 is of a low sophistication level, a sophistication score below a second weight threshold and equal to the first weight threshold may indicate that a template 514 is of a medium sophistication level, and a sophistication score below a third weight threshold and equal to the second weight threshold may indicate that a template 514 is of a high sophistication level, for example): identifying a set of tests of the plurality of tests to perform based on the interaction parameters; for each identified test of the set of tests: obtaining corresponding test rules, user data corresponding to the user, and a profile of the user; calculating a score using the corresponding test rules (fig. 1 furthermore, para. 0053 discloses risk assessment agent 142 may monitor a user's interaction with security items 112 and/or training items 124 received from the risk assessment manager 110. Risk assessment agent 142 may identify attributes/characteristics of the user system 104, 106, such as user property data 136 and/or technical information 138, for example), user data of the user, and the interaction parameters; adjusting the score based on the profile of the user (fig. 1 and furthermore para. 0047 discloses the security system 102 may include hardware and/or software components to build a campaign, transmit campaign data to a user system 104, 106, receive behavioral and/or technical data associated with a campaign from a user system 104, and/or calculate a risk score for each end user, group of end users, and/or organization associated with an end user (e.g., company), for example).

Hawthorn failed to explicitly discloses obtaining a threshold corresponding to the identified test; and in response to the score exceeding the threshold, categorizing the interaction within a first category; and in response to the interaction being categorized within the first category, generating and transmitting an alert.

Andrews discloses obtaining a threshold corresponding to the identified test; and in response to the score exceeding the threshold (para. 0041 discloses Para 41: a user access data is collected to determine where the access was associated with risk because location, distance, and time period threshold suggesting access by a single user is not permissible, for example), categorizing the interaction within a first category; and in response to the interaction being categorized within the first category, generating and transmitting an alert (para. 0007 discloses the computer program product includes instructions operable to cause the risk mitigation modeler to determine a risk remediation plan based upon the selected risk scenario if at least one of the identified risks meets or exceeds a risk tolerance associated with the selected risk scenario, wherein the risk remediation plan comprises instructions to change one or more data elements based upon the identified risk, and transmit the risk remediation plan to a target production computing system for execution to remediate the identified risks, for example). 

Hawthorn and Andrews are analogous art because they both are directed to computerized method for analyzing and remediating operational risks in production computing systems, and one of ordinary skill in the art would have had a reasonable expectation of success to modify Hawthorn with the specified features of Andrews because they are from the same field of endeavor.

Therefore, it would have been obvious to one ordinary skilled in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Andrews with the teaching of Andrews in order to determining a user access to network resources from different locations within a time period threshold suggests abnormal access [para. 0041 of Andrews]. 

As per claim 12 as applied above in claim11 Hawthorn as modified Andrews  discloses in response to the score being within a predetermined range of the threshold, categorizing the interaction within a second category  (para 0007 of Hawthorn calculating and displaying security score of a user i.e., an “individual user”; Para 0065 of Hawthorn discloses providing detail information of user account, user status; Para of Hawthorn 0060; 179-0180 discloses summary information of a particular user is displayed on an interactive environment as a campaign summary; and See also. fig. 18 of Hawthorn; and Para. 0188 of Hawthorn discloses selecting and presenting user in a report, for example).

As per claim 13 as applied above in claim 11 Hawthorn as modified Andrews discloses updating the profile corresponding to the user to incorporate the score (para. 0188 of Hawthorn, Para 0060, 0066 of Hawthorn and fig. 3 of Hawthorn para. 0175 of Hawthorn discloses score may be updated with the new score, for example). 


As per claim 14 as applied above in claim11 Hawthorn as modified Andrews discloses storing a pattern database including known patterns constructed from interaction parameters categorized within the first category  (para 0035 of Hawthorn; and Para 151 -158 of Hawthorn: a security agents collect user interaction data i.e., “account exhibiting high risk behavior” of different types including live interaction data and previously collected information related to the user such as IP address of the device used by the user, location of the device used by the user etc.), for example); matching characteristics of a known pattern of the known patterns to the interaction parameters to recognize a pattern of the known patterns in the interaction parameters (para. 168-169 of Hawthorn, 173-175 of Hawthorn, selecting collected a user interaction data to calculates risk score; and Para 0176 of Hawthorn discloses, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124, for example); calculating a similarity score for the recognized pattern based on pattern rules, wherein the similarity score is based on a similarity between the interaction parameters and the recognized pattern  (para 0007 of Hawthorn discloses calculating and displaying security score of a user i.e., an “individual user”; adjusting the similarity score based on the profile of the user; obtaining a similarity threshold corresponding to the recognized pattern; and in response to the similarity score exceeding the similarity threshold, categorizing the interaction within the first category  (para. 0035 of Hawthorn; and para. 151 -158 of Hawthorn: a security agents collect user interaction data i.e., “account exhibiting high risk behavior” of different types including live interaction data and previously collected information related to the user such as IP address of the device used by the user, location of the device used by the user etc.), for example).

As per claim 15 as applied above in claim11 Hawthorn as modified Andrews discloses in response to the interaction being categorized within the first category and receiving interaction feedback indicating the interaction is fraudulent, updating the known patterns based on a machine learning algorithm guided by the interaction parameters (para. 0051 of Andrews discloses for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, and/or tactile input, for example).
The same motivational statement applies as set forth above in claim 11.

As per claim 16 as applied above in claim 11 Hawthorn as modified Andrews discloses constructing the known patterns using a machine learning algorithm, wherein the machine learning algorithm is trained using historical user interactions that are confirmed as being categorized within the first category (para 168-169, 173-175 of Andrews discloses selecting collected a user interaction data to calculates risk score; and Para 0176, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”, for example). 
The same motivational statement applies as set forth above in claim 11.

As per claim 17 as applied above in claim 11 Hawthorn as modified Andrews discloses storing the interaction and interaction parameters in a review database for manual review; and pausing the interaction until manual review is complete (para 168-169, 173-175 of Andrews discloses selecting collected a user interaction data to calculates risk score; and Para 0176, the risks scores used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”, for example). 
The same motivational statement applies as set forth above in claim 11.

As per claim 18 as applied above in claim 11 Hawthorn as modified Andrews discloses wherein the interaction parameters include metadata that indicates (i) a unique device that initiated a transaction and (ii) a geographical location of the unique device upon initiation of the transaction  (para. 0041 of Andrews discloses , the risk scenario 108b can be defined with a risk tolerance of zero customer account access attempts from geographical locations more than a certain distance apart (e.g., 3,000 miles) with in a prescribed time period (e.g., two hours), and the data mitigation modeler 108a can determine that the received risk input data indicates five login attempts for the customer account from different locations around the world within thirty minutes of each other—suggesting an attempt to hack the customer account, for example).
The same motivational statement applies as set forth above in claim 11.

As per claim 19 as applied above in claim 11 Hawthorn as modified Andrews discloses reviewing interaction parameters for a plurality of interactions to identify one or more anomalies among the plurality of interactions (para. 0032 of Hawthorn discloses security item and/or training item may be transmitted to a user system, where the subsequent security item and/or training item is determined based on the risk score associated with a user. Interactions via a user system with subsequent security items and/or training items may result in subsequent response data that may be transmitted to security system where a user's risk score may be updated and/or recalculated based on the subsequent response data, for example). 


As per claim 20 as applied above in claim 11 Hawthorn as modified Andrews discloses computing the user scores included in each user profile from corresponding historical user interactions (para. 0120 of Hawthorn of discloses a campaign may be configured to send different security items 112 and/or training items 124 to different recipients based on a performance history, role, associated group, risk score, and/or the like, for example).

Pertinent Art
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  
	Higbee et al. (US 2015/0180896 A1) discloses the simulated phishing attacks are conducted on individuals and the performance is monitored, the trustworthy individuals are identified from untrustworthy individuals. The individuals whose responses are likely to be accurate or trustworthy individuals are identified from others whose responses are less likely to identify the phishing attacks accurately.

	Puri et al (US 9,367,809) discloses the master directed graph decomposition module processes the master directed graph to identify unique walks through the master directed graph, and decomposes unique walks into their probability distributions as decomposed master graph walks, thus discovers and extracts relevant insights in a rationalized and structured form and reduces the overall number of calculations required for performing a match.

	McCann et al (US 2011/0296003 A1) discloses determination is made as to whether interaction with a service provider via a user account deviates from a model. The model is based on behavior that was previously observed as corresponding to the user account. Responsive to a determination that the interaction deviates from the model, the user account is flagged as being potentially compromised by a malicious party” (Abstract).

	Warn et al. (US 2014/0082691 A1) discloses query may be transmitted to the user account responsible for a group of user accounts (see, e.g., block 512) requesting information to be detected, monitored, and/or reported” (Para 0065).

Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932. The examiner can normally be reached Mon.-Fri. 9:00 AM - 5:30 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





A.G.
April 8, 2022
/ABIY GETACHEW/          Primary Examiner, Art Unit 2434