Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1, 3-4, 12, 14-15 and 20 have been amended. Claims 1-20 have been examined.

2.	Applicant's arguments filed 04/21/2022 have been fully considered but they are not persuasive.

3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

4.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 102
5.	Claims 1-2, 9, 12-13 and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Piel (U.S. Patent Application Publication 2020/0007536).
	For claims 1, 12 and 20, Piel teaches a system, method and computer program product to use security event correlation to describe an authentication process, the system comprising:
	memory (note paragraph [0109], memory); and
	one or more processors coupled to the memory (note paragraph [0104], processor executing instructions stored in memory), the one or more processors configured to:
	correlate one or more first security events that include one or more respective first descriptions that describe one or more respective attempts to authenticate a user, which are initiated by one or more respective authentication requests regarding the user (note paragraphs [0015], [0027] and [0077], attempt to authenticate user, i.e. security events, are initiated by user authentication request which may be website login or payment transaction), using an authentication protocol and one or more respective second security events that include one or more respective second descriptions that further describe the one or more respective attempts to authenticate the user, which are initiated by one or more respective authentication requests regarding the user (note paragraphs [0015], [0027] and [0077], attempt to authenticate user, i.e. security events, are initiated by user authentication request which may be website login or payment transaction), using the authentication protocol to identify one or more respective correlated event pairs based at least in part on a portion of the first description in the first security event in each correlated event pair and a portion of the second description in the second security event in the respective correlated event pair being same to define a respective common portion (note paragraphs [0020] and [0023], authentication correlation (AC) system correlates authentication requests include a common user identifier and are within a short time span);
	aggregate the one or more first security events and the one or more respective second security events to provide one or more respective first aggregated events based at least in part on the one or more first security events and the one or more respective second security events being correlated, each first aggregated event including a first aggregated description that includes an aggregation of the first and second descriptions that are included in the respective first and second security events that are aggregated to provide the respective first aggregated event (note paragraphs [0040], [0045] and [0078]-[0079], AC aggregates authentication factors including in the authentication requests that have been correlated by the account identifier or device-level fingerprint);
	correlate at least one of the one or more first aggregated events that include one or more respective first aggregated descriptions that describe the one or more respective attempts to authenticate the user (note paragraphs [0078] and [0084], aggregated factor data, i.e. aggregated description, includes data parsed from previous authentication requests including account identifier and timestamp), which are initiated by the one or more respective authentication requests regarding the user (note paragraphs [0015], [0027] and [0077], attempt to authenticate user, i.e. security events, are initiated by user authentication request which may be website login or payment transaction), and at least one respective third security event that includes at least one respective third description that describes at least one of the one or more attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user (note paragraphs [0015], [0027] and [0077], attempt to authenticate user, i.e. security events, are initiated by user authentication request which may be website login or payment transaction), using the authentication protocol to identify at least one respective associated event pair based at least in part on a portion of the common portion in the first aggregated description in the first aggregated event in each associated event pair and a portion of the third description in the third security event in the respective associated event pair being same (note paragraphs [0047], [0075] and [0088]-[0089], AC correlates receives authentication requests to the stored aggregated data that is associated by having the same user and/or account);
	aggregate the at least one of the one or more first aggregated events and the at least one respective third security event to provide at least one respective second aggregated event based at least in part on the at least one of the one or more first aggregated events and the at least one respective third security event being correlated, each second aggregated event including a second aggregated description that includes an aggregation of the first aggregated description and the third description that are included in the first aggregated event and the third security event, respectively, that are aggregated to provide the respective second aggregated event (note paragraphs [0040], [0045] and [0078]-[0079], for each successive authentication request, i.e. third security event, AC aggregates authentication factors including in the authentication requests that have been correlated by the account identifier or device-level fingerprint; note paragraph [0052] gives an example of three authentications within the past day); and
	generate an authentication report that includes the second aggregated description of each second aggregated event to describe the authentication process (note paragraphs [0077]-[0078], AC system stores aggregated data in identity database; paragraph [0091], AC system approves/declines authentication request based on aggregated authentication factors).


	For claims 2 and 13, Piel  teaches claims 1 and 12, wherein the one or more processors are configured to: generate the authentication report that further includes the first aggregated description of each first aggregated event that is not correlated with a third security event, to further describe the authentication process (note paragraphs [0079]-[0081], AC system stores different authentication factors, e.g. device identifiers, passwords, pin codes, biometric identifiers, device signatures, OTP values, and the like, from different authentication requests, i.e. descriptions not correlated with a third authentication request, in the identity database).

	For claim 9, Piel teaches claim 1, wherein the one or more processors are configured to:
	perform a hash operation on the portion of the common portion in the first aggregated description in each first aggregated event to provide a respective first hash (note paragraphs [0046] and [0085], aggregated factor data is hashed and stored in hashed format); and
	correlate the at least one of the one or more first aggregated events and the at least one respective third security event based at least in part on the first hash for the first aggregated event in each associated event pair and a hash of a portion of the third description in the third security event in the respective associated event pair being same (note paragraphs [0047], [0075] and [0088]-[0089], AC correlates receives authentication requests to the stored aggregated data that is stored in hashed format).


Claim Rejections - 35 USC § 103
6.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Piel as applied to claim 1 above, and further in view of Njemanze et al. (U.S. Patent 7,219,239; hereafter “Njemanze”).
	For claim 10, Piel differs from the claimed invention in that they fail to teach:
	wherein the one or more processors are configured to: generate one or more objects to represent the one or more respective first aggregated events; and store the one or more objects in memory without writing the one or more objects to disk.

	Njemanze teaches:
	wherein the one or more processors are configured to: generate one or more objects to represent the one or more respective first aggregated events; and store the one or more objects in memory without writing the one or more objects to disk (note column 16, lines 23-28 and 49-66, events are represented with a label stored in a buffer until a counter expires).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the security event correlation and aggregation of Piel and the aggregation of events using a buffer of Njemanze. One of ordinary skill would have been motivated to combine Piel and Njemanze because a buffer would allow for a determined prioritization of security events for a period of time (note column 2, lines 19-27 of Njemanze).


7.	Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Piel as applied to claims 1 and 12 above, and further in view of Reybok, JR. et al. (U.S. Patent Application Publication 2017/0171231; hereafter “Reybok”).
	For claims 11 and 19, Piel differs from the claimed invention in that they fail to teach:
	wherein the one or more processors are configured to: assign a threshold value to each first security event, each second security event, and each third security event; assign a number that is greater than the threshold value to each first aggregated event; sum the number that is assigned to each first aggregated event and the threshold value that is assigned to the third security event with which the first aggregated event is aggregated to provide a summed value that is assigned to the respective second aggregated event; and generate the authentication report to not include a description of each event that has a value that is less than or equal to the threshold value.

	Reybok teaches:
	wherein the one or more processors are configured to: assign a threshold value to each first security event, each second security event, and each third security event (note paragraph [0047], events have associated scores, i.e. a threshold value); assign a number that is greater than the threshold value to each first aggregated event (note paragraph [0098], correlated events have an aggregated score assigned); sum the number that is assigned to each first aggregated event and the threshold value that is assigned to the third security event with which the first aggregated event is aggregated to provide a summed value that is assigned to the respective second aggregated event (note paragraph [0061], scores are combined in a weighted manner); and generate the authentication report to not include a description of each event that has a value that is less than or equal to the threshold value (note paragraph [0054], specific action, i.e. event is not reported, when the threshold is not met).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the security event correlation and aggregation of Piel and the security event score aggregation and thresholds of Reybok. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of correlating and aggregated authentication security events (Piel) where each event is given a score and aggregated scores below a threshold do not result in action (Reybok).


Allowable Subject Matter
8.	Claims 3-8 and 14-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Response to Arguments
9.	For claims 1, 12 and 20, Applicant argues, “Piel does not even contemplate correlating first security event(s) that include respective first description(s) that describe respective attempt(s) to authenticate a user, which are initiated by respective authentication request(s) regarding the user, and respective second security event(s) that include respective second description(s) that further describe the respective attempt(s) to authenticate the user, which are initiated by the respective authentication request(s) regarding the user. 
	For at least these reasons, Piel does not teach ‘correlate one or more first security events that include one or more respective first descriptions that describe one or more respective attempts to authenticate a user, which are initiated by one or more respective authentication requests regarding the user, using an authentication protocol and one or more respective second security events that include one or more respective second descriptions that further describe the one or more respective attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user, using the authentication protocol to identify one or more respective correlated event pairs based at least in part on a portion of the first description in the first security event in each correlated event pair and a portion of the second description in the second security event in the respective correlated event pair being same to define a respective common portion,’ as recited by amended independent claim 1 (note Remarks, pages 15-16; emphasis added by Applicant). 

	Examiner disagrees. As noted in the rejection above, Piel discloses an authentication correlation (AC) system that correlates authentication requests, i.e. first and second security events (note paragraphs [0020] and [0023]). Thus, Piel teaches, “correlate one or more first security events… and one or more respective second security events”

	These authentication requests are initiated by an authentication request made by a user device or merchant POS to facilitate a website login or financial transaction of the user (note paragraphs [0015], [0027] and [0077]). Thus, Piel teaches, “security events…, which are initiated by one or more respective authentication requests regarding the user”.

	The authentication requests include descriptive material such as authentication factors (note paragraph [0042]), account identifier and timestamp (note paragraph [0078]) which are parsed by the AC system and used in correlating the authentication requests, e.g. the same user identifier requesting authentication from the same device within a short time span (note paragraph [0023]). Thus, Piel teaches, “first security events that include one or more respective first descriptions that describe one or more respective attempts to authenticate a user…second security events that include one or more respective second descriptions that further describe the one or more respective attempts to authenticate the user”.
	Contrary to applicant’s assertion, Piel does disclose “correlating first security event(s) that include respective first description(s) that describe respective attempt(s) to authenticate a user, which are initiated by respective authentication request(s) regarding the user, and respective second security event(s) that include respective second description(s) that further describe the respective attempt(s) to authenticate the user, which are initiated by the respective authentication request(s) regarding the user”. 
	Therefore, Piel teaches “correlate one or more first security events that include one or more respective first descriptions that describe one or more respective attempts to authenticate a user, which are initiated by one or more respective authentication requests regarding the user, using an authentication protocol and one or more respective second security events that include one or more respective second descriptions that further describe the one or more respective attempts to authenticate the user, which are initiated by one or more respective authentication requests regarding the user, using the authentication protocol to identify one or more respective correlated event pairs based at least in part on a portion of the first description in the first security event in each correlated event pair and a portion of the second description in the second security event in the respective correlated event pair being same to define a respective common portion” as required by the claims.



	Applicant further argues, “Piel does not contemplate correlating at least one of the first aggregated event(s) that include respective first aggregated description(s) that describe the respective attempt(s) to authenticate the user, which are initiated by the respective authentication request(s) regarding the user, and at least one respective third security event that includes at least one respective third description that describes at least one of the attempt(s) to authenticate the user, which are initiated by the respective authentication request(s) regarding the user. For instance, approving or denying authentication requests based on authentication factors from previous requests does not constitute correlating at least one of the first aggregated event(s) that include respective first aggregated description(s) that describe the respective attempt(s) to 
AMENDMENT AND REPLYPage 18Serial Number: 16/732,714Attorney Docket No.: 407866-US-NPFiling Date: January 2, 2020Title: USING SECURITY EVENT CORRELATION TO DESCRIBE AN AUTHENTICATION PROCESSauthenticate the user, which are initiated by the respective authentication request(s) regarding the user, and at least one respective third security event that includes at least one respective third description that describes at least one of the attempt(s) to authenticate the user, which are initiated by the respective authentication request(s) regarding the user. 
	For at least these reasons, Piel does not teach ‘correlate at least one of the one or more first aggregated events that include one or more respective first aggregated descriptions that describe the one or more respective attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user, and at least one respective third security event that includes at least one respective third description that describes at least one of the one or more attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user, using the authentication protocol to identify at least one respective associated event pair based at least in part on a portion of the common portion in the first aggregated description in the first aggregated event in each associated event pair and a portion of the third description in the third security event in the respective associated event pair being same,’ as recited by amended independent claim 1” (note Remarks, pages 16-18; emphasis added by Applicant).

	Examiner disagrees. As noted in the rejection above, Piel discloses aggregating authentication factors from user identifiers received in authentication requests (note paragraphs [0040], [0045] and [0078]-[0079]). Then when a new authentication request, i.e. third security event, is received, it is correlated with the stored aggregated factor data, i.e. one or more first aggregated events (note paragraphs [0047], [0075] and [0088]-[0089]). Thus, Piel teaches “correlate at least one of the one or more first aggregated events… and at least one respective third security event”
	The aggregated factor data includes data parsed from previous authentication requests including account identifier and timestamp (note paragraphs [0078] and [0084]). Thus, Piel teaches “first aggregated events that include one or more respective first aggregated descriptions that describe the one or more respective attempts to authenticate the user”.

	As noted in the arguments above, the authentication requests, i.e. security events, are initiated by an authentication request made by a user device or merchant POS to facilitate a website login or financial transaction of the user (note paragraphs [0015], [0027] and [0077]). Thus, Piel teaches, “aggregated events…, which are initiated by one or more respective authentication requests regarding the user”.

	As noted in the arguments above, the authentication requests include descriptive material such as authentication factors (note paragraph [0042]), account identifier and timestamp (note paragraph [0078]) which are parsed by the AC system and used in correlating the authentication requests (note paragraphs [0023], [0075]-[0078] and [0088]-[0089]). Thus, Piel teaches, “first aggregated events that include one or more respective first aggregated descriptions that describe one or more respective attempts to authenticate the user…third security events that include one or more respective third descriptions that further describe the one or more respective attempts to authenticate the user”.

	Thus, Piel teaches “correlate at least one of the one or more first aggregated events that include one or more respective first aggregated descriptions that describe the one or more respective attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user, and at least one respective third security event that includes at least one respective third description that describes at least one of the one or more attempts to authenticate the user, which are initiated by the one or more respective authentication requests regarding the user, using the authentication protocol to identify at least one respective associated event pair based at least in part on a portion of the common portion in the first aggregated description in the first aggregated event in each associated event pair and a portion of the third description in the third security event in the respective associated event pair being same” as required by the claims.


Conclusion
10.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438