Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/25/2022 has been entered.
Priority
This application claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 62/732,470 filed on Sep. 17, 2018 and entitled “SUPERVISED LEARNING SYSTEM FOR IDENTITY COMPROMISE RISK COMPUTATION,” which application is expressly incorporated herein by reference in its entirety.
DETAILED ACTION
This office action is in response to a request for continued examination (RCE) application filed on 01/25/2022. In the amendment, applicant has amended claims 1, 3-7 and 9-16. Claim 8 remains cancelled. Claim 2 remains original. Claims 17-22 have been added as new claims.
For this office action, claims 1-7 and 9-21 have been received for consideration and have been examined. 


Response to Arguments
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, filed 01/25/2022, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims. 
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-7 and 9-21 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention. 
Independent claims 1, 15 and 16 recite “the second set of quantified risk levels having fewer number of quantified risk levels than the first set of quantified risk levels” in the fourth limitation. In addition to checking the entire specification, the examiner also consulted paragraphs [0096-0103] of the specification, as cited in Applicant’s remarks; however, the examiner was unable to find the concept recited in the identified clause.
Dependent claims inherit this deficiency. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 9-21 are rejected under 35 U.S.C. 103 as being unpatentable over Abrams et al. (US20150339477A1) in view of Commons (US9015093B1) and further in view of Grajek et al. (US20180069867A1).
Regarding claim 1, Abrams discloses:
	A computing system comprising:
one or more processors; and one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to improve precision and recall utility for user identity risk scores that are utilized in providing computer security, including instructions that are executable to configure the computer system to:
access sign-in data (see [0020]; i.e. historical authentication data) associated with a set of sign-in events (See [0020]; i.e. log in events) corresponding to a first user (See [0030]; i.e., a given user (A)), the sign-in data being stored for a predetermined period of time (See [0023]; i.e., malicious authentication context properties containing threshold timespan of user account being used for malicious activities), the set of sign-in events comprising one or more sign-in event that each corresponds to a sign-in attempt by the first user (See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; [0021-0022] discloses for example types of log in events which will be accessed and evaluated); 
from the sign-in data, and based on risk profiles associated with the sign-in data, identify a set of sign-in detectors (i.e. identification of set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of sign-in events corresponding to the first user, the set of sign-in detectors comprising one or more sign-in detector that each identifies at least a feature or an attribute that is detected for a corresponding sign-in event (See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context properties in [0020]);  
generate a first set of quantified risk levels (See [0025] i.e., generating a risk assessment level such as user account being “compromised” or “safe” construed as first risk level) based on the set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in detector of the set of sign-in detectors ([0025] At 110, a risk assessment machine learning model may be trained (e.g., supervised, semi-supervised, or unsupervised) based upon the annotated context properties training set to generate a risk assessment model … A machine learning structure may indicate that one or more user context properties are indicative of either a malicious user account event or a safe user account event); 
generate a second set of quantified risk levels (See step 112 & 114 of FIG. 1; i.e., user account having a high likelihood of being malicious construed as second risk level) based on the first set of quantified risk levels by applying the machine learning tool to the first set of quantified risk levels that were generated by applying the first machine learning tool to the set of sign-in detectors ([0026] The risk assessment model may be utilized to identify safe or malicious user account events … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment). For example, the risk analysis metric may indicate that the current user account event may have a high likelihood of being malicious based upon the current user context property), Page 2 of 14Application No. 16/165,255 Amendment "B" Reply to Final Office Action, mailed October 26, 2021
generate a first user identity risk score (i.e. risk analysis metric indicative of a degree of maliciousness) based on the second set of quantified risk levels by applying the machine learning tool to the second set of quantified risk levels that were generated by applying the machine learning tool to the first set of quantified risk levels, the machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment); [0034] discloses applying new training data ). 
Abrams discloses generating the risk levels and risk score using a single machine learning model.
Commons reference discloses using hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted.
Therefore, Abrams explicitly fails to disclose:
	A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted; 
iteratively and dynamically update the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Commons discloses:
A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted (See FIG. 2; Col. 32, Line # 11-25; discloses concept of a stacked neural network which has three architecturally distinct ordered neural networks to process sensory data [construed as sign-in data] which is inputted into first neural network (20), the output of which is inputted into second neural network (22) and output of the second neural network is fed into third neural network (24) which produces a final output).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams reference and include hierarchical stacked neural networks to process data [sign-in data] in architecturally distinct hierarchical stacked neural networks, as disclosed by Commons.
	The motivation to process data [sign-in data] in architecturally distinct hierarchical stacked neural networks is to provide hierarchical stacked neural networks that are ordered in a non-arbitrary fashion so that actions performed by neural networks at a higher level are the product of a concatenation of actions performed by lower-level networks in the hierarchy.
The combination of Abrams and Commons fails to disclose:
	iteratively and dynamically update the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Grajek discloses:
	iteratively and dynamically update (i.e. adjusting, augmenting and updating of ID confidence score) the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool (i.e., continuous adjusting and augmenting of ID confidence score through machine learning model is interpreted as ‘continuously reapplying the machine learning tool’), the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score ([0021] & [0032] discloses generating different quantified risk scores based on confidence that user attempting to log on is who they purport to be; [0039] discloses continuous authentication to adjust and augment the ID confidence score; [0040] discloses using a machine learning model determine anomalous activity to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score; Also see FIG. 5; [0077] discloses using machine learning model for the user, user activity of the user is monitored for anomalous activity to generate first data);
detecting a user request from the first user corresponding to a new sign-in event (Abrams: [0036] for user requesting to create account/logging in; Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references and have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
The motivation to have a system which continuously updates the users’ risk analysis metric is that the score will be up-to-date and be based on all current information, and avoid the score becoming inaccurate for further user risk analysis (See Grajek: [0021]). 
With respect to “the second set of quantified risk levels having fewer number of quantified risk levels than the first set of quantified risk levels”, this is nonfunctional descriptive material, as it only describes the data that is contained in the quantified risk levels, while the data contained in the quantified risk levels is not used to perform any of the recited functions/method steps. Therefore, it has been held that nonfunctional descriptive material will not distinguish the invention from the prior art in terms of patentability (In re Gulack, 217 USPQ 401 (Fed. Cir. 1983); In re Ngai, 70 USPQ2d (Fed. Cir. 2004); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2111.05; Ex parte Nehls, 88 USPQ2d 1883 (BPAI 2008) (precedential)).
Regarding claim 2, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the second machine learning tool and the third machine learning tool are incorporated into a single machine learning algorithm (Abrams: See [0005]).
Regarding claim 3, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to generate the new first user identity risk score after generating the first user identity risk score and prior to detecting any new sign-in event associated with the first user (Grajek: [0077]; See also Fig 1, steps 160 through 190).
Regarding claim 4, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to:
detect the new sign-in event for the first user, wherein new sign-in data for the new sign-in event is added to the sign-in event data; and based on the new sign-in event, identify a new set of sign-in detectors, which is subsequently used to generate a new quantified risk level set of sign-in detectors through application of the first machine learning tool, and which is further used to generate a new quantified risk level set of sign-ins through application of the second machine learning tool, and which is even further used to generate the new first user identity risk score by applying the third machine learning tool (Abrams: FIG. 3A; [0036]-[0037]; see also Grajek [0054]-[0055] for continually updating data stored).
Regarding claim 5, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to generate a new second user identity risk score for a second user that is different than a previous second user identity risk score of the second user, the previous second user identity risk score being based on a previous application of the first machine learning tool to a set of sign-in detectors associated with sign-in events of the second user, wherein the generating of the new second user identity risk score is performed automatically in response to the application of the first machine learning tool to the set of sign-in detectors in the set of sign-in events of the first user and which resulted in a modification of the first machine learning tool and/or data utilized by the first machine learning tool when the first machine learning tool is applied (Abrams: Fig 2A and 2B and associated text provides for continually updating the machine learning models; See also Fig 3B, 334 and Fig 4B, 434; See also par [0029] for changing other user scores after updating model; Grajek: [0061] & [0067]).
Regarding claim 6, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to generate the new first user identity risk score by modifying the second set of quantified risk levels by reapplying the second machine learning tool to the first set of quantified risk levels prior to reapplying the third machine learning tool (Grajek: [0061] & [0067]).
Regarding claim 7, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to generate the new first user identity risk score by modifying the first set of quantified risk levels by reapplying the first machine learning tool to the set of sign-in detectors prior to reapplying the second machine learning tool (Grajek: [0061] & [0067]).
Regarding claim 9, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 1, wherein the computer system is further configured to determine the new first user identity risk score exceeds the predetermined threshold and wherein the remedial action comprises requesting the first user provide supplemental authentication or verification information (Abrams: See FIG. 3B, 4B; [0037], [0039]).
Regarding claim 10, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 9, wherein the computer system is further configured to determine the new first user identity risk score exceeds the predetermined threshold and wherein the remedial action comprises denying the user request (Grajek: See FIG. 5; [0059], [0077]).
Regarding claim 11, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 9, wherein computer system is further configured to determine the new first user identity risk score falls below the predetermined threshold, but wherein the first user identity risk score exceeded the predetermined threshold (Grajek: [0059]-[0062] for removing access after it was previously granted or forcing re-authentication after modifying score to drop score due to anomalous activity).
Regarding claim 12, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 9, wherein the computer system is further configured to generate the first user identity risk score by applying a third machine learning tool to the second set of quantified risk levels in combination with other third-party data to quantify a relative risk level associated with the first user (Abrams: [0026]).
Regarding claim 13, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 9, wherein the computer system is further configured to generate the first user identity risk score by applying a third machine learning tool to the second set of quantified risk levels in combination with supplemental user behavior analysis data to quantify a relative risk level associated with the first user, the supplemental user behavior analysis data being obtained by the computer system in response to determining that a quantified risk levels in the second set of quantified risk levels exceeds a predetermined threshold (Abrams: FIG. 4B; [0039]).
Regarding claim 14, the combination of Abrams, Commons and Grajek discloses:
The computer system of claim 9, wherein the computer system is further configured to generate the first user identity risk score by applying a third machine learning tool to the second set of quantified risk levels in combination with supplemental user behavior analysis data to quantify a relative risk level associated with the first user, the supplemental user behavior analysis data being obtained by the computer system in response to determining that a quantified risk level in the quantified risk levels exceeds a predetermined threshold (Abrams: FIG. 4B; [0039]).
Regarding claim 15, Abrams discloses:
A computer implemented method of improving precision and recall utility for user identity risk scores that are utilized in providing computer security, the method comprising: 
accessing sign-in data (see [0020]; i.e. historical authentication data) associated with a set of sign-in events (See [0020]; i.e. log in events) corresponding to a first user (See [0030]; i.e., a given user (A)), the sign-in data being stored for a predetermined period of time (See [0023]; i.e., malicious authentication context properties containing threshold timespan of user account being used for malicious activities), the set of sign-in events comprising one or more sign-in event that each corresponds to a sign-in attempt by the first user (See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; [0021-0022] discloses for example types of log in events which will be accessed and evaluated); 
from the sign-in data, and based on risk profiles associated with the sign-in data, identify a set of sign-in detectors (i.e. set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of sign-in events corresponding to the first user, the set of sign-in detectors comprising one or more sign-in detector that each identifies at least a feature or an attribute that is detected for a corresponding sign-in event (See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context properties in [0020]);  
generating a first set of quantified risk levels (See [0025] i.e., generating a risk assessment level such as user account being “compromised” or “safe” construed as first risk level) based on the set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in detector of the set of sign-in detectors ([0025] At 110, a risk assessment machine learning model may be trained (e.g., supervised, semi-supervised, or unsupervised) based upon the annotated context properties training set to generate a risk assessment model … A machine learning structure may indicate that one or more user context properties are indicative of either a malicious user account event or a safe user account event); 
generating a second set of quantified risk levels (See step 112 & 114 of FIG. 1; i.e., user account having a high likelihood of being malicious construed as second risk level) based on the first set of quantified risk levels by applying the machine learning tool to the first set of quantified risk levels that were generated by applying the first machine learning tool to the set of sign-in detectors ([0026] The risk assessment model may be utilized to identify safe or malicious user account events … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment). For example, the risk analysis metric may indicate that the current user account event may have a high likelihood of being malicious based upon the current user context property);
generating a first user identity risk score (i.e. risk analysis metric indicative of a degree of maliciousness) based on the second set of quantified risk levels by applying the machine learning tool to the second set of quantified risk levels that were generated by applying the machine learning tool to the first set of quantified risk levels, the machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment); [0034] discloses applying new training data ); 
Abrams discloses generating the risk levels and risk score using a single machine learning model.
Commons reference discloses using hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted.
Therefore, Abrams explicitly fails to disclose:
	A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted; 
iteratively and dynamically updating the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Commons discloses:
A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted (See FIG. 2; Col. 32, Line # 11-25; discloses concept of a stacked neural network which has three architecturally distinct ordered neural networks to process sensory data [construed as sign-in data] which is inputted into first neural network (20), the output of which is inputted into second neural network (22) and output of the second neural network is fed into third neural network (24) which produces a final output).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams reference and include hierarchical stacked neural networks to process data [sign-in data] in architecturally distinct hierarchical stacked neural networks, as disclosed by Commons.
The motivation to process data [sign-in data] in architecturally distinct hierarchical stacked neural networks is to provide hierarchical stacked neural networks that are ordered in a non-arbitrary fashion so that actions performed by neural networks at a higher level are the product of a concatenation of actions performed by lower-level networks in the hierarchy.
The combination of Abrams and Commons fails to disclose:
iteratively and dynamically updating the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Grajek discloses:
iteratively and dynamically updating (i.e. adjusting, augmenting and updating of ID confidence score) the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool (i.e., continuous adjusting and augmenting of ID confidence score through machine learning model is interpreted as ‘continuously reapplying the machine learning tool’), the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score ([0021] & [0032] discloses generating different quantified risk scores based on confidence that user attempting to log on is who they purport to be; [0039] discloses continuous authentication to adjust and augment the ID confidence score; [0040] discloses using a machine learning model determine anomalous activity to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score; Also see FIG. 5; [0077] discloses using machine learning model for the user, user activity of the user is monitored for anomalous activity to generate first data);
detecting a user request from the first user corresponding to a new sign-in event (Abrams: [0036] for user requesting to create account/logging in; Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references to have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
The motivation to have a system which continuously updates the users’ risk analysis metric is that the score will be up to date and based on all current information, which avoids the score becoming inaccurate for further user risk analysis (See Grajek: [0021]).
With respect to “the second set of quantified risk levels having fewer number of quantified risk levels than the first set of quantified risk levels”, this is nonfunctional descriptive material as it only describes the data that is contained in the quantified risk levels, while the data contained in the quantified risk levels is not used to perform any of the recited functions/method steps. Therefore, as has been held, the nonfunctional descriptive material will not distinguish the invention from the prior art in terms of patentability (In re Gulack, 217 USPQ 401 (Fed. Cir. 1983); In re Ngai, 70 USPQ2d (Fed. Cir. 2004); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2111.05; Ex parte Nehls, 88 USPQ2d 1883 (BPAI 2008) (precedential)).
Regarding claim 16, Abrams discloses:
One or more hardware storage device comprising stored computer-executable instructions that are executable by one or more processors of a computer system to cause the computer system perform:
accessing sign-in data (see [0020]; i.e. historical authentication data) associated with a set of sign-in events (See [0020]; i.e. log in events) corresponding to a first user (See [0030]; i.e., a given user (A)), the sign-in data being stored for a predetermined period of time (See [0023]; i.e., malicious authentication context properties containing threshold timespan of user account being used for malicious activities), the set of sign-in events comprising one or more sign-in event that each corresponds to a sign-in attempt by the first user (See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; [0021-0022] discloses for example types of log in events which will be accessed and evaluated); 
from the sign-in data, and based on risk profiles associated with the sign-in data, identify a set of sign-in detectors (i.e. set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of sign-in events corresponding to the first user, the set of sign-in detectors comprising one or more sign-in detector that each identifies at least a feature or an attribute that is detected for a corresponding sign-in event (See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context properties in [0020]);  
generating a first set of quantified risk levels (See [0025] i.e., generating a risk assessment level such as user account being “compromised” or “safe” construed as first risk level) based on the set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in detector of the set of sign-in detectors ([0025] At 110, a risk assessment machine learning model may be trained (e.g., supervised, semi-supervised, or unsupervised) based upon the annotated context properties training set to generate a risk assessment model … A machine learning structure may indicate that one or more user context properties are indicative of either a malicious user account event or a safe user account event); 
generating a second set of quantified risk levels (See step 112 & 114 of FIG. 1; i.e., user account having a high likelihood of being malicious construed as second risk level) based on the first set of quantified risk levels by applying the machine learning tool to the first set of quantified risk levels that were generated by applying the first machine learning tool to the set of sign-in detectors ([0026] The risk assessment model may be utilized to identify safe or malicious user account events … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment). For example, the risk analysis metric may indicate that the current user account event may have a high likelihood of being malicious based upon the current user context property);
generating a first user identity risk score (i.e. risk analysis metric indicative of a degree of maliciousness) based on the second set of quantified risk levels by applying the machine learning tool to the second set of quantified risk levels that were generated by applying the machine learning tool to the first set of quantified risk levels, the machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment); [0034] discloses applying new training data ); 
Abrams discloses generating the risk levels and risk score using a single machine learning model.
Commons reference discloses using hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted.
Therefore, Abrams explicitly fails to disclose:
A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted; 
iteratively and dynamically updating the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Commons discloses:
A hierarchical stacked neural networks to process sensory data [e.g., sign-in data associated with sign-in events] and inputting it into first neural network, the output of first neural network is inputted into second neural network and output of the second neural network is fed into third neural network which produces a final output to determine imperfections [i.e., risk level associated with sign-in data] in the information transmitted (See FIG. 2; Col. 32, Line # 11-25; discloses concept of a stacked neural network which has three architecturally distinct ordered neural networks to process sensory data [construed as sign-in data] which is inputted into first neural network (20), the output of which is inputted into second neural network (22) and output of the second neural network is fed into third neural network (24) which produces a final output).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams reference to include architecturally distinct hierarchical stacked neural networks to process data [sign-in data], as disclosed by Commons.
The motivation to process data [sign-in data] in architecturally distinct hierarchical stacked neural networks is to provide hierarchical stacked neural networks that are ordered in a non-arbitrary fashion so that actions performed by neural networks at a higher level are the product of a concatenation of actions performed by lower-level networks in the hierarchy.
The combination of Abrams and Commons fails to disclose:
iteratively and dynamically updating the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool, the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score; detecting a user request from the first user corresponding to a new sign-in event; identifying the new first user identity risk score corresponding to the first user; and  in response to determining the new first user identity risk score exceeds a predetermined threshold, trigger a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Grajek discloses:
iteratively and dynamically updating (i.e. adjusting, augmenting and updating of ID confidence score) the first user identity risk score or generate a new first user identity risk score by reapplying the first machine learning tool (i.e., continuous adjusting and augmenting of ID confidence score through machine learning model is interpreted as ‘continuously reapplying the machine learning tool’), the second machine learning tool, or the third machine learning tool to generate a new first set of quantified risk levels, a new second set of quantified risk levels, and the new first user identity risk score ([0021] & [0032] discloses generating different quantified risk scores based on confidence that user attempting to log on is who they purport to be; [0039] discloses continuous authentication to adjust and augment the ID confidence score; [0040] discloses using a machine learning model determine anomalous activity to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score; Also see FIG. 5; [0077] discloses using machine learning model for the user, user activity of the user is monitored for anomalous activity to generate first data);
detecting a user request from the first user corresponding to a new sign-in event (Abrams: [0036] for user requesting to create account/logging in; Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references to have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
The motivation to have a system which continuously updates the users’ risk analysis metric is that the score will be up to date and based on all current information, which avoids the score becoming inaccurate for further user risk analysis (See Grajek: [0021]).
With respect to “the second set of quantified risk levels having fewer number of quantified risk levels than the first set of quantified risk levels”, this is nonfunctional descriptive material as it only describes the data that is contained in the quantified risk levels, while the data contained in the quantified risk levels is not used to perform any of the recited functions/method steps. Therefore, as has been held, the nonfunctional descriptive material will not distinguish the invention from the prior art in terms of patentability (In re Gulack, 217 USPQ 401 (Fed. Cir. 1983); In re Ngai, 70 USPQ2d (Fed. Cir. 2004); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2111.05; Ex parte Nehls, 88 USPQ2d 1883 (BPAI 2008) (precedential)).
Regarding claim 17, the combination of Abrams, Commons and Grajek discloses:
The method of claim 15, wherein the second machine learning tool and the third machine learning tool are incorporated into a single machine learning algorithm (Abrams: See [0005]).
Regarding claim 18, the combination of Abrams, Commons and Grajek discloses:
The method of claim 15, wherein the method further includes generating the new first user identity risk score after generating the first user identity risk score and prior to detecting any new sign-in event associated with the first user (Grajek: [0077]; See also Fig 1, steps 160 through 190).
Regarding claim 19, the combination of Abrams, Commons and Grajek discloses:
The method of claim 15, wherein the method further includes: detecting the new sign-in event for the first user, wherein new sign-in event data for the new sign- in event is added to the sign-in event data; and based on the new sign-in event, identifying a new set of sign-in detectors, which is subsequently used to generate a new quantified risk level set of sign-in detectors through application of the first machine learning tool, and which is further used to generate a new quantified risk level set of sign-ins through application of the second machine learning tool, and which is even further used to generate the new first user identity risk score by applying the third machine learning tool (Abrams: FIG. 3A; [0036]-[0037]; see also Grajek [0054]-[0055] for continually updating data stored).
Regarding claim 20, the combination of Abrams, Commons and Grajek discloses:
The method of claim 15, wherein the method further includes generating a new second user identity risk score for a second user that is different than a previous second user identity risk score of the second user, the previous second user identity risk score being based on a previous application of the first machine learning tool to a set of sign-in detectors associated with sign-in events of the second user, wherein the generating of the new second user identity risk score is performed automatically in response to the application of the first machine learning tool to the set of sign-in detectors in the set of sign-in events of the first user and which resulted in a modification of the first machine learning tool and/or data utilized by the first machine learning tool when the first machine learning tool is applied (Abrams: Fig 2A and 2B and associated text provides for continually updating the machine learning models; See also Fig 3B, 334 and Fig 4B, 434; See also par [0029] for changing other user scores after updating model; Grajek: [0061] & [0067]).
Regarding claim 21, the combination of Abrams, Commons and Grajek discloses:
The method of claim 15, wherein the method further includes generating the new first user identity risk score by modifying the second set of quantified risk levels by reapplying the second machine learning tool to the first set of quantified risk levels prior to reapplying the third machine learning tool (Grajek: [0061] & [0067]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SYED M AHSAN/             Patent Examiner, Art Unit 2432