DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The following is a Non-Final Office Action in response to applicant’s filing on August 18, 2020.
Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on August 18, 2020. The submission is         in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claims 6 and 17 recite the limitation “the initial data” in line 4. There is insufficient antecedent basis for this limitation in the claim, since it is unclear which data the term is referring to. For examination purposes the limitation “the initial data” will be treated as “a data”. The examiner suggests to clarify the difference between “the initial data” to rectify the issue.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 10-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Su (US 2016/0210450 A1) in view of Mahaffey et al. (US 2019/0342759 A1).

In regards to claim 1, Su discloses a computing device, comprising: 
at least one processor; 
memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing device to (Para. 0011, an apparatus may include a processor and a computer readable medium storing instructions): 
receive data indicative of usage of the computing device by a user (Su, Para. 0009, the fraud detection module may monitor usage of the mobile device for multiple parameters and record user input events pertaining to the parameters in a recordation log);
 compare the received data with other data stored on the computing device to identify instances of abnormal usage of the computing device (Su, Para. 0009, The fraud detection module may compare the current usage pattern with the historical usage pattern and may use the comparison result to compute a confidence score), the other data indicative of how an authorized user for that computing device uses the computing device (Su, Para. 0012, the apparatus may generate a first signature representative of a historical usage pattern of the apparatus by an authorized user based on a first set of parameter values); and
 prevent access to a computing environment with use of the computing device in response to detection of unauthorized use (Su, Para. 0069, Remedial actions may include preventing access (e.g., locking) one or more apps of mobile device 109 and/or locking mobile device 109 itself). 
Su fails to disclose detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold;
However, Mahaffey teaches detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028, When a measure of difference for each stored usage pattern is beyond a threshold measure, a security component may determine that the usage was not caused by one of the authorized users);
Su and Mahaffey are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su to incorporate the teachings of Mahaffey to include detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028). Doing so would aid the users of the system to be able to secure, control, and manage one or more personal devices and the administrators of the system to be able to secure, control and manage a plurality of devices of multiple device types in order to be effective in an organization that has a heterogeneous mobile device deployment (Mahaffey, Para. 0007).

In regards to claim 2, the combination of Su and Mahaffey teaches the computing device of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing device to: 
receive the other data, wherein receiving the other data comprises receiving data corresponding to one or more metrics, and wherein the one or more metrics comprise one or more of: location data or information indicating interactions of the authorized user with an application on the computing device (Su, Para. 0046, mobile device 109 may receive one or more inputs (e.g., a set of user inputs) from a user. Example inputs include opening an app, moving mobile device to another geographic location, using a feature of app).  

In regards to claim 3, the combination of Su and Mahaffey teaches the computing device of claim 2, wherein the one or more metrics are selected based on a job title of the authorized user of the computing device (Mahaffey, Para. 0010, should the device have access to privileged organizational or enterprise data or resources (as might, for example, a company-supplied device or user-supplied Bring Your Own Device (BYOD)), the user delay in initiating security measures may endanger the data or resources).  Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su to incorporate the teachings of Mahaffey to include wherein the one or more metrics are selected based on a job title of the authorized user of the computing device (Mahaffey, Para. 0010). Doing so would aid the users of the system to be able to secure, control, and manage one or more personal devices and the administrators of the system to be able to secure, control and manage a plurality of devices of multiple device types in order to be effective in an organization that has a heterogeneous mobile device deployment (Mahaffey, Para. 0007).

In regards to claim 10, the combination of Su and Mahaffey teaches the computing device of claim 1, wherein preventing access to the computing environment with the use of the computing device comprises one or more of: deleting data from the computing device, disabling an authentication token, or prompting for re- authentication (Su, Para. 0069, fraud detection module 233 may wipe (uninstall and remove) one or more apps from mobile device 109. Alternatively, fraud detection module 233 may wipe mobile device 109 entirely).  

In regards to claim 11, the combination of Su and Mahaffey teaches the computing device of claim 10, wherein preventing access to the computing environment is in response to determining that a connection between the computing device and an enterprise server is unavailable for communication (Su, Para. 0069, Remedial actions may include preventing access (e.g., locking) one or more apps of mobile device 109 and/or locking mobile device 109 itself).  

In regards to claim 12, Su discloses a method comprising: at a computing device comprising at least one processor, a communication interface, and memory (Su, Para. 0011, an apparatus may include a processor and a computer readable medium storing instructions):
 receiving data indicative of usage of the computing device by a user (Su, Para. 0009, the fraud detection module may monitor usage of the mobile device for multiple parameters and record user input events pertaining to the parameters in a recordation log);
 comparing the received data with other data stored on the computing device to identify instances of abnormal usage of the computing device (Su, Para. 0009, The fraud detection module may compare the current usage pattern with the historical usage pattern and may use the comparison result to compute a confidence score), the other data indicative of how an authorized user for that computing device uses the computing device (Su, Para. 0012, the apparatus may generate a first signature representative of a historical usage pattern of the apparatus by an authorized user based on a first set of parameter values) - 40 -B&W Ref.: 007737.01261Client Ref.: 20-0071-USO1; and
 preventing access to a computing environment with use of the computing device in response to detection of unauthorized use (Su, Para. 0069, Remedial actions may include preventing access (e.g., locking) one or more apps of mobile device 109 and/or locking mobile device 109 itself). 
Su fails to disclose detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold;
However, Mahaffey teaches detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028, When a measure of difference for each stored usage pattern is beyond a threshold measure, a security component may determine that the usage was not caused by one of the authorized users);
Su and Mahaffey are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su to incorporate the teachings of Mahaffey to include detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028). Doing so would aid the users of the system to be able to secure, control, and manage one or more personal devices and the administrators of the system to be able to secure, control and manage a plurality of devices of multiple device types in order to be effective in an organization that has a heterogeneous mobile device deployment (Mahaffey, Para. 0007).
 
In regards to claim 13, the combination of Su and Mahaffey teaches the method of claim 12, further comprising:
 receiving the other data, wherein receiving the other data comprises receiving data corresponding to one or more metrics, and wherein the one or more metrics comprise one or more of: location data or information indicating interactions of the authorized user with an application on the computing device (Su, Para. 0046, mobile device 109 may receive one or more inputs (e.g., a set of user inputs) from a user. Example inputs include opening an app, moving mobile device to another geographic location, using a feature of app).  

In regards to claim 14, the combination of Su and Mahaffey teaches the method of claim 13, wherein the one or more metrics are selected based on a job title of the authorized user of the computing device (Mahaffey, Para. 0010, should the device have access to privileged organizational or enterprise data or resources (as might, for example, a company-supplied device or user-supplied Bring Your Own Device (BYOD)), the user delay in initiating security measures may endanger the data or resources). Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su to incorporate the teachings of Mahaffey to include wherein the one or more metrics are selected based on a job title of the authorized user of the computing device (Mahaffey, Para. 0010). Doing so would aid the users of the system to be able to secure, control, and manage one or more personal devices and the administrators of the system to be able to secure, control and manage a plurality of devices of multiple device types in order to be effective in an organization that has a heterogeneous mobile device deployment (Mahaffey, Para. 0007). 

In regards to claim 20, Su discloses one or more non-transitory computer-readable media storing instructions that, when executed by a computing device comprising at least one processor, a communication interface, and memory, cause the computing device to (Su, Para. 0011, an apparatus may include a processor and a computer readable medium storing instructions): 
 receive data indicative of usage of the computing device by a user (Su, Para. 0009, the fraud detection module may monitor usage of the mobile device for multiple parameters and record user input events pertaining to the parameters in a recordation log); 
compare the received data with other data stored on the computing device to identify instances of abnormal usage of the computing device (Su, Para. 0009, The fraud detection module may compare the current usage pattern with the historical usage pattern and may use the comparison result to compute a confidence score), the other data indicative of how an authorized user for that computing device uses the computing device (Su, Para. 0012, the apparatus may generate a first signature representative of a historical usage pattern of the apparatus by an authorized user based on a first set of parameter values); and 
prevent access to a computing environment with use of the computing device in response to detection of unauthorized use (Su, Para. 0069, Remedial actions may include preventing access (e.g., locking) one or more apps of mobile device 109 and/or locking mobile device 109 itself).
Su Fails to disclose detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold;
However, Mahaffey teaches detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028, When a measure of difference for each stored usage pattern is beyond a threshold measure, a security component may determine that the usage was not caused by one of the authorized users);
Su and Mahaffey are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su to incorporate the teachings of Mahaffey to include detect unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold (Mahaffey, Para. 0028). Doing so would aid the users of the system to be able to secure, control, and manage one or more personal devices and the administrators of the system to be able to secure, control and manage a plurality of devices of multiple device types in order to be effective in an organization that has a heterogeneous mobile device deployment (Mahaffey, Para. 0007).

Claims 4- 8, 15-18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Su (US 2016/0210450 A1) in view of Mahaffey et al. (US 2019/0342759 A1), and further in view of Kirti et al. (US 2020/0153855 A1).

In regards to claim 4, Su in view of Mahaffey fails to teach the computing device of claim 2, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing device to:
train, using the other data stored on the computing device, a machine learning model, wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device.  
However, Kirti teaches train, using the other data stored on the computing device, a machine learning model (Kirti, Para. 0112, algorithms and profiles can be trained to intelligently predict whether an unusual behavior is a security risk), wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device (Kirti, Para. 0113, a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious).  
Su, Mahaffey, and Kirti are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su and Mahaffey to incorporate the teachings of Kirti to include train, using the other data stored on the computing device, a machine learning model (Kirti, Para. 0112), wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device (Kirti, Para. 0113). Doing so would aid as outlier detection establish a baseline that is useful for detecting anomalous activities. Such anomalous activities along with contextual threat intelligence can provide more accurate prediction of threats with low prediction errors (Kirti, Para. 0118).

In regards to claim 5, the combination of Su, Mahaffey, and Kirti teaches the computing device of claim 4, wherein training the machine learning model comprises: 
computing, for each of the one or more metrics, a weight value, wherein the weight values indicate how relevant each of the one or more metrics are to identifying unauthorized access to the computing device (Kirti, Para. 0181, a weight value may be determined for each feature. Based on the indicator and weight, a measure of security can be computed for each feature individually or collectively. In some embodiments, the measure of security may be computed for an application based on use by multiple users, such as a group of users as a tenant with an account for access).  

In regards to claim 6, the combination of Su, Mahaffey, and Kirti teaches the computing device of claim 5, wherein computing the weight values comprises: 
computing, for a first metric of the one or more metrics and based on a first average deviation value of the initial data corresponding to the first metric, a first weight value (Kirti, Para. 0146 and Para. 0147, a first weighted value may be computed based on multiplying a first value of a first indicator by a first weight value); and 
computing, for a second metric of the one or more metrics and based on a second average deviation value of the initial data corresponding to the second metric, a second weight value (Kirti, Para. 0146 and Para. 0147, a second weighted value may be computed based on multiplying a second value of a second indicator by a second weight value), and wherein: 
the first average deviation value is lower than the second average deviation value (Kirti, Para. 0216, a lesser value for a weight may be considered when an indicator has less importance or suggestion about a security risk of a user; note a lesser value can interpret as the first average deviation), and 
the first weight value is larger than the second weight value (Kirti, Para. 0145, A greater value for a weight may be considered when an indicator has more importance or suggestion about a security risk).  

In regards to claim 7, the combination of Su, Mahaffey, and Kirti teaches the computing device of claim 5, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, further cause the computing device to: 
compare the weight values to a predetermined metric selection threshold (Burns, Para. 0088, When the average weighted metric score does not exceed the threshold); 
determine that a subset of the weight values do not exceed the predetermined metric selection threshold (Kirti, Para. 0187, applying a security policy may include determining whether the measure of security satisfies a risk threshold for the application. The measure of security may be compared to one or more values in a policy to assess the severity of a security risk); and 
remove, from the machine learning model, initial data corresponding to metrics affiliated with the subset of the weight values (Kirti, Para. 0148, The sources, indicators, and/or weights may be added or removed from what was used to compute combined score 908).  

In regards to claim 8, the combination of Su, Mahaffey, and Kirti teaches the computing device of claim 4, wherein training the machine learning model comprises establishing, based on the other data and for the one or more metrics, one or more metric thresholds that separate other data corresponding to each of the one or more metrics into subgroups for the corresponding one or more metrics (Kirti, para. 0049, and Para. 0187, The measure of security may be compared to one or more values in a policy to assess the severity of a security risk), and wherein comparing the received data to the other data comprises: 
filtering the received data based on the one or more metric thresholds (Kirti, Para. 0228, Filtering may be performed based on one or more attributes, such as time, date, application type, action, risks, or any other type of information displayed for an application that is discovered); and 
comparing the received data for each of the one or more metric thresholds with the other data for the corresponding metric thresholds of the one or more metric thresholds (Kirti, Para. 0187, The measure of security may be compared to one or more values in a policy to assess the severity of a security risk. The values may be defined based on one or more security indicators. The values may be defined based on one or more security indicators such that the measure of security is compared to a threshold that is defined based on the security indicators used to compute the measure of security).  

In regards to claim 15, the combination of Su, Mahaffey, and Kirti teaches the method of claim 13, further comprising: training, using the other data stored on the computing device, a machine learning model, wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device.  
However, Kirti teaches training, using the other data stored on the computing device, a machine learning model (Kirti, Para. 0112, algorithms and profiles can be trained to intelligently predict whether an unusual behavior is a security risk), wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device (Kirti, Para. 0113, a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third-party feed or otherwise) as malicious). Su, Mahaffey, and Kirti are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su and Mahaffey to incorporate the teachings of Kirti to include training, using the other data stored on the computing device, a machine learning model (Kirti, Para. 0112), wherein training the machine learning model configures the machine learning model to distinguish use of the computing device by the authorized user of the computing device from use of the computing device by an unauthorized user of the computing device (Kirti, Para. 0113). Doing so would aid as outlier detection establish a baseline that is useful for detecting anomalous activities. Such anomalous activities along with contextual threat intelligence can provide more accurate prediction of threats with low prediction errors (Kirti, Para. 0118).

In regards to claim 16, the combination of Su, Mahaffey, and Kirti teaches the method of claim 15, wherein training the machine learning model comprises: computing, for each of the one or more metrics, a weight value, wherein the weight values indicate how relevant each of the one or more metrics are to identifying unauthorized access to the computing device (Kirti, Para. 0181, a weight value may be determined for each feature. Based on the indicator and weight, a measure of security can be computed for each feature individually or collectively. In some embodiments, the measure of security may be computed for an application based on use by multiple users, such as a group of users as a tenant with an account for access).  

In regards to claim 17, the combination of Su, Mahaffey, and Kirti teaches the method of claim 16, wherein computing the weight values comprises: computing, for a first metric of the one or more metrics and based on a first average deviation value of the initial data corresponding to the first metric, a first weight value (Kirti, Para. 0146 and Para. 0147, a first weighted value may be computed based on multiplying a first value of a first indicator by a first weight value); and computing, for a second metric of the one or more metrics and based on a second average deviation value of the initial data corresponding to the second metric, a second weight value (Kirti, Para. 0146 and Para. 0147, a second weighted value may be computed based on multiplying a second value of a second indicator by a second weight value), and wherein: the first average deviation value is lower than the second average deviation value (Kirti, Para. 0216, a lesser value for a weight may be considered when an indicator has less importance or suggestion about a security risk of a user; note a lesser value can interpret as the first average deviation), and the first weight value is larger than the second weight value (Kirti, Para. 0145, A greater value for a weight may be considered when an indicator has more importance or suggestion about a security risk).  

In regards to claim 18, the combination of Su, Mahaffey, and Kirti teaches the method of claim 16, further comprising: comparing the weight values to a predetermined metric selection threshold (Burns, Para. 0088, When the average weighted metric score does not exceed the threshold);
 determining that a subset of the weight values do not exceed the predetermined metric selection threshold (Kirti, Para. 0187, applying a security policy may include determining whether the measure of security satisfies a risk threshold for the application. The measure of security may be compared to one or more values in a policy to assess the severity of a security risk); and removing, from the machine learning model, initial data corresponding to metrics affiliated with the subset of the weight values (Kirti, Para. 0148, The sources, indicators, and/or weights may be added or removed from what was used to compute combined score 908).  

In regards to claim 19, the combination of Su, Mahaffey, and Kirti teaches the method of claim 15, wherein training the machine learning model comprises establishing, based on the other data and for the one or more metrics, one or more metric thresholds that separate other data corresponding to each of the one or more metrics into subgroups for the corresponding one or more metrics (Kirti, para. 0049, and Para. 0187, The measure of security may be compared to one or more values in a policy to assess the severity of a security risk), and wherein comparing the received data to the other data comprises: 
filtering the received data based on the one or more metric thresholds (Kirti, Para. 0228, Filtering may be performed based on one or more attributes, such as time, date, application type, action, risks, or any other type of information displayed for an application that is discovered); and - 42 -B&W Ref.: 007737.01261
Client Ref.: 20-0071-USO1comparing the received data for each of the one or more metric thresholds with the other data for the corresponding metric thresholds of the one or more metric thresholds (Kirti, Para. 0187, The measure of security may be compared to one or more values in a policy to assess the severity of a security risk. The values may be defined based on one or more security indicators. The values may be defined based on one or more security indicators such that the measure of security is compared to a threshold that is defined based on the security indicators used to compute the measure of security).  

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Su (US 2016/0210450 A1) in view of Mahaffey et al. (US 2019/0342759 A1), in view of Kirti et al. (US 2020/0153855 A1) and further in view of Ho et ai. US 2019/0171808 A1.

In regards to claim 9, the combination of Su, Mahaffey, and Kirti teaches the computing device of claim 2, wherein detecting the unauthorized use of the computing device comprises: 
computing, based on the comparison of the received data to the other data (Kirti, Para. 0113, algorithms can aggregate and compare data from different clouds in meaningful ways), a weighted security score, wherein computing the weighted security score comprises (Kirti, Para. 0144, a combined score 908 may be based on a combination of indicators using a weight value for each indicator. For example, a weight (“W”) (collectively referred to herein as weights “W1, W2, . . . , Wn” 904) may be selected to be applied to one or more specific indicators for computing combined score 908): 
identifying, for each metric and based on a difference between the received data and the other data, whether the received data for the corresponding metric indicates unauthorized use of the computing device (Kirti, Para. 0084, analytics can utilize information received from external third party feeds 318, 320, and 321 to augment the threat intelligence by providing external information of security threats such as, but not limited to, identification of infected node points, malicious activity from a particular source IP address, malware infected email messages, vulnerable web browser versions, and known attacks on clouds), - 39 -B&W Ref.: 007737.01261 Client Ref.: 20-0071-USO1 
computing, for metrics indicating authorized use of the computing device (Kirti, Para. 0005, The reliance on computing environments has led to widespread use of applications that are either authorized or unauthorized by an organization), a second set of weighted metric scores equal to the corresponding weighted values (Kirti, Para. 0146, The combined score 908 may be computed based on dividing the first value by the second value), and 
computing, by adding the first set of weighted metric scores and the second set of weighted metric scores, a weighted security score (Burns, Para. 0058, Averager 64 calculates an average score from the weighted scores from output of weighting modules 62. In examples that do not include weighting modules 62, averager 64 calculates an average score from the scores calculated by metric calculators 60); and 
Su in view of Mahaffey and Kirti fails to teach computing, for metrics indicating possible unauthorized use of the computing device (Ho, Para. 0066), a first set of weighted metric scores using the formula: weighted metric score = -1 x corresponding weighted value, 
in response to determining that the weighted security score is a negative value, determining that the computing device is being used in an unauthorized manner.
However, Ho teaches computing, for metrics indicating possible unauthorized use of the computing device (Ho, Para. 0066), a first set of weighted metric scores using the formula: weighted metric score = -1 x corresponding weighted value (Ho, Para. 0066, the unlock system 121 calls the invalid password database 125, adds this input password to the invalid password database 125, and sets the weight of the invalid password as a negative value (e.g. −3). At this time, the unlock system 121 does not directly call the protection system 123), 
in response to determining that the weighted security score is a negative value, determining that the computing device is being used in an unauthorized manner (Ho, Para. 0068, the protection system 123 provides a protection mechanism, for allowing the unauthorized user to enter the sandbox system 341 instead of the original operating system, which prevents the unauthorized user from accessing the original contents in the device).
Su, Mahaffey, Kirti and Ho are all considered to be analogous to the claim invention because they are in the same field of detecting unauthorized use of the computing device based on the number of instances of abnormal usage exceeding a threshold. Therefore, it would have been to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Su, Mahaffey and Kirti to incorporate the teachings of Ho to include computing, for metrics indicating possible unauthorized use of the computing device (Ho, Para. 0066), a first set of weighted metric scores using the formula: weighted metric score = -1 x corresponding weighted value (Ho, Para. 0066), 
in response to determining that the weighted security score is a negative value, determining that the computing device is being used in an unauthorized manner (Ho, Para. 0068). Doing so would aid to receive an input password by the electronic apparatus; and determine whether the input password matches a valid password; and when the input password does not match the valid password, activating a protection system, collecting a usage information via the protection system; and posting a warning message based on the usage information to a social networking site (Ho, Para, 0007).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Sharifi Mehr et al. (US 10,382,461 B1) for accurately identifying anomalous requests that may otherwise be determined as non-anomalous, while also reducing incorrect identifications of non-anomalous requests as anomalous.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/               Supervisory Patent Examiner, Art Unit 2496