DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/11/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-11 and 14-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 2018/0288063 to Koottayi et al. (hereinafter, “Koottayi”).
As per claim 1: Koottayi discloses: A computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to (“…a threat intelligence platform that can provide real-time threat detection and analytics…”; furthermore, a system is provided that includes a processor and a memory with instructions to perform the real-time threat detection [Koottayi, ¶0060]): receive, via the communication interface, from enterprise computing infrastructure, user interaction data (“…the information management system 110 is configured to collect information regarding user access to resources, generate and publish rules and policies based on the information, determine a user's behavior background based on the information, build models around the behavior background, detect anomalous access requests from users based on the rules and models in order to determine a threat perception for the end user, and ultimately authenticate/authorize the user's access into the target system 130 in real-time.” [Koottayi, ¶0084]; Fig. 1 depicts an environment connected within a network 120; network 120 can be any known network in the art [Koottayi, ¶0066-0067]); train, using a machine learning engine, one or more authentication models based on the user interaction data (“The behavior models are generated for one or more users based on analysis of information related to the user's or group of users' access request(s) (e.g., analyzing a pattern in which a user accesses various applications stored on the target system)…” [Koottayi, ¶0088]; also refer to [Koottayi, ¶0084] as cited in the previous limitations and to [Koottayi, ¶0112], wherein a behavior analytics engine 320 has machine learning component 325 for generating the models); receive, from a first application server associated with the enterprise computing infrastructure, a request to authenticate a first user to a first user account in a first usage session hosted by the first application server (one or more access managers 155 forwards a user to a login service of an identity access manager [Koottayi, ¶0078]); in response to receiving the request to authenticate the first user to the first user account, identify whether session-specific interaction data for the first usage session is valid based on the one or more authentication models (“…upon determining that no session has been established for the user, the information management system 110 is configured to analyze information associated with request against enforcement policies and a behavior model generated for the user to determine if the user's access request is anomalous…” [Koottayi, ¶0079]); and based on identifying that the session-specific interaction data for the first usage session is valid based on the one or more authentication models: generate one or more commands directing the first application server to allow the first user to access the first user account in the first usage session hosted by the first application server (“Based on determining that the user is authentic, the one or more access managers 155 may forward the user back to the one or more agents 145, one or more proxies 150, and/or one or more Webgates 160. Thereafter, the one or more agents 145, one or more proxies 150, and/or the one or more Webgates 160 establish a first session for the user.” [Koottayi, ¶0080]; the agents, proxies, and/or Webgates control access to resource 125, wherein a valid established session is checked before granting access [Koottayi, ¶0078; Fig. 1]); and send, to the first application server, the one or more commands directing the first application server to allow the first user to access the first user account in the first usage session hosted by the first application server, wherein sending the one or more commands directing the first application server to allow the first user to access the first user account in the first usage session hosted by the first application server causes the first application server to allow the first user to access the first user account in the first usage session hosted by the first application server (access to the resources 125 are controlled by using various types of accounts, such as user accounts [Koottayi, ¶0071]; “The one or more access managers 155 responds to the one or more agents 145, one or more proxies 150, and/or one or more Webgates 160 with an allow or deny message based on the enforcement policies and the behavior analysis.” [Koottayi, ¶0081]).

As per claim 2: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein receiving the user interaction data from the enterprise computing infrastructure comprises receiving unused customer data (one example of information used in generating the behavior model for a user is based on time parameters of the user’s access requests [Koottayi, ¶0112]).

As per claim 3: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein training the one or more authentication models based on the user interaction data comprises training at least one population level model based on the user interaction data (“The behavior models are generated for one or more users based on analysis of information related to the user's or group of users' access request(s)…” [Koottayi, ¶0088]; Note: “population level” is understood as a non-user-specific model that is applicable to a group of users as described in [0035] of the filed specifications).

As per claim 4: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein training the one or more authentication models based on the user interaction data comprises training at least one user-specific model for the first user (“The behavior models are generated for one or more users based on analysis of information related to the user's or group of users' access request(s)…” [Koottayi, ¶0088]).

As per claim 5: Koottayi discloses all limitations of claim 4. Furthermore, Koottayi discloses: wherein training the at least one user-specific model for the first user comprises training a first user-specific model comprising one or more of: a first parameter indicative of how often the first user accesses one or more specific enterprise systems (generating one or more models by analyzing historical data regarding access requests received from the user [Koottayi, ¶0112]); a second parameter indicative of how the first user interacts with the one or more specific enterprise systems (“…the subset of parameters to be monitored may be identified/defined by a resource (e.g., a target application) on the target system that the user generally accesses” [Koottayi, ¶0102]); a third parameter indicative of how the first user authenticates with the one or more specific enterprise systems (tracking a user’s time of access [Koottayi, ¶0102]); a fourth parameter indicative of how much time the first user takes to make one or more selections (a duration of access [Koottayi, ¶0102]); a fifth parameter indicative of one or more items actioned by the first user and one or more items not actioned by the first user (“…the user may commence activity, such as running different applications, accessing cloud storage, accessing resources, creating/editing resources, or the like” [Koottayi, ¶0082]; “…constantly learning from historical data and real-time data to create and modify the end user identity profiles or models of behavior and the polices governing the behavior.” [Koottayi, ¶0095]); or a sixth parameter indicative of how the first user responds to options presented by predictive analytics (when a user activity is determined to be suspicious or not allowed, the user may be issued one or more security challenges [Koottayi, ¶0082]; as stated earlier in [Koottayi, ¶0095], the system is constantly learning from real-time data).

As per claim 6: Koottayi discloses all limitations of claim 4. Furthermore, Koottayi discloses: wherein training the at least one user-specific model for the first user comprises training a second user-specific model based on interaction data associated with at least two different user interaction channels (“…the behavior analytics engine 320 is configured to select a user model for the user from a plurality of user models associated with the user. The selection may be based on information regarding the user, the access request received from the user, and/or the target system, application, or resource for the request, for instance, the IP address of the user, the user identifier, and/or the type of application or resource that the user is requesting to access.” [Koottayi, ¶0116]; “For example, a behavior model for a user's typical access request may comprise clusters of data points for the following parameters: user's identifier, time of access, and GPS location. Another behavior model for the same user may comprise clusters of data points for the following parameters: target system identifier, duration of access, and target resource identifier.” [Koottayi, ¶0145]).

As per claim 7: Koottayi discloses all limitations of claim 4. Furthermore, Koottayi discloses: wherein training the at least one user-specific model for the first user comprises training a third user-specific model based on non-interaction data (collecting data from incoming access requests for generating behavior models for a user, wherein the data includes GPS location, IP address, agent name, etc. [Koottayi, ¶0143]).

As per claim 8: Koottayi discloses all limitations of claim 4. Furthermore, Koottayi discloses: wherein identifying whether the session-specific interaction data for the first usage session is valid based on the one or more authentication models comprises identifying whether the session-specific interaction data for the first usage session is valid based on the at least one user-specific model for the first user (“…the information management system 110 is configured to analyze information associated with request against enforcement policies and a behavior model generated for the user to determine if the user's access request is anomalous…” [Koottayi, ¶0079]).

As per claim 9: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: based on identifying that the session-specific interaction data for the first usage session is not valid based on the one or more authentication models: flag the first usage session as a suspicious interaction; generate one or more commands directing the first application server to deny access to the first user account in the first usage session hosted by the first application server; and send, to the first application server, the one or more commands directing the first application server to deny access to the first user account in the first usage session hosted by the first application server, wherein sending the one or more commands directing the first application server to deny access to the first user account in the first usage session hosted by the first application server causes the first application server to deny access to the first user account in the first usage session hosted by the first application server (these limitations largely repeat the language of claim 1 but is directed to determining an invalid authentication/access attempt and is denied; [Koottayi, ¶0079, 0081, 0082, 0091] discloses denying requests that are deemed suspicious/not allowed based on policies and behavior models).

As per claim 10: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi, discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: after identifying whether the session-specific interaction data for the first usage session is valid based on the one or more authentication models, execute one or more continuous learning functions to update the one or more authentication models (“…constantly learning from historical data and real-time data to create and modify the end user identity profiles or models of behavior and the polices governing the behavior.” [Koottayi, ¶0095]).

As per claim 11: Koottayi discloses all limitations of claim 1.  Furthermore, Koottayi discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, via the communication interface, from the enterprise computing infrastructure, updated user interaction data; and re-train, using the machine learning engine, the one or more authentication models based on the updated user interaction data (“…the model is generated based on historical data and updated using real time data and can constantly learn from this information and determine whether an anomaly should be triggered intelligently. Instead of updating the model every week or every other week, the model can be updated in real time such that an anomalous access can be detected based on all the historical data (including the most recent access by the user)” [Koottayi, ¶0117]).

As per claim 14: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: receive, from a second application server associated with the enterprise computing infrastructure, a request to authenticate a second user to a second user account in a second usage session hosted by the second application server; in response to receiving the request to authenticate the second user to the second user account, identify whether session-specific interaction data for the second usage session is valid based on the one or more authentication models; and based on identifying that the session-specific interaction data for the second usage session is valid based on the one or more authentication models: generate one or more commands directing the second application server to allow the second user to access the second user account in the second usage session hosted by the second application server; and send, to the second application server, the one or more commands directing the second application server to allow the second user to access the second user account in the second usage session hosted by the second application server, wherein sending the one or more commands directing the second application server to allow the second user to access the second user account in the second usage session hosted by the second application server causes the second application server to allow the second user to access the second user account in the second usage session hosted by the second application server (these limitations repeat the language of claim 1 with the exception of replacing the term “first” with “second” and is directed to a second instance of allowing/validating a “second user”; multiple behavior models are generated and selected for users according to [Koottayi, ¶0112, 0117], therefore Koottayi is applicable to detecting anomalous access attempts of multiple, different users (e.g. a “second” user, third, fourth, etc.).

As per claim 15: Claim 15 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 15 is directed to a method with steps corresponding to the functions of the computing platform of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 15.

As per claims 16-19: Claims 16-19 incorporate all limitations of claim 15 and are directed to methods with steps corresponding to the functions of the computing platform of claims 2-5, respectively. Therefore, the arguments set forth above with respect to claims 2-5 and 15 are equally applicable to claims 16-19 and rejected for the same reasons.

As per claim 20: Claim 20 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 20 is directed to one or more non-transitory computer-readable media storing instructions when executed by a processor to cause a computing platform to perform steps corresponding to the steps of the computing platform of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 20.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Koottayi in view of US 2018/0322417 to Bendre et al. (hereinafter, “Bendre”).
As per claim 12: Koottayi discloses all limitations of claim 11. Koottayi does not disclose discarding the information associated with the access requests after using it to update the models. However, Bendre is directed to analogous art of generating machine learning models for enterprise networks [Bendre, ¶0004]. Bendre discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: after re-training the one or more authentication models based on the updated user interaction data, discard the updated user interaction data (after a machine learning trainer device (e.g. the behavior analytics engine in Koottayi) generates a model using training data, the training data may also be deleted at the machine learning trainer device [Bendre, ¶0008]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to add an option to discard training data in Koottayi, such as suggested in Bendre. The option to delete all or some training data would have secured the enterprise’s data against unauthorized access [Bendre, ¶0008]. For example, the data used for training in Koottayi may contain sensitive information of a user. Therefore, it would have been advantageous to a system with the option to delete training data after using it to create a machine learning model to protect the user’s privacy.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Koottayi in view of US 2020/0045049 to Apostolopoulos et al. (hereinafter, “Apostolopoulos”).
As per claim 13: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses adjusting a policy by an administrator to responds to specific detected patterns [Koottayi, ¶0094]. Koottayi does not disclose adjusting the behavior models, such as presented in the features of claim 13. However, Apostolopoulos discloses: wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: after identifying whether the session-specific interaction data for the first usage session is valid based on the one or more authentication models, receive, via the communication interface, from an enterprise user computing device, one or more dynamic adjustment commands (receiving user feedback, such as through a graphical interface, to adjust or modify access scores generated using access rules [Apostolopoulos, ¶0258]); and in response to receiving the one or more dynamic adjustment commands from the enterprise user computing device, adjust one or more parameters of the one or more authentication models based on the one or more dynamic adjustment commands received from the enterprise user computing device (the feedback confirms or refutes a prediction by a machine learned model and is stored and accessed to update an access score graph, wherein the model learns from the provided user feedback [Apostolopoulos, ¶0257-0259]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement a feedback system in Koottayi, such that the accuracy of predictions by the user behavior models are improved. The number of false positives would have been reduced by having a human aspect in the prediction processes to verify the results and adjust the model to compensate for any errors.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2020/0280573: Discloses active mitigation of security risks in enterprise systems. A system builds a user behavior model and a system access model to determine patterns of access and analyze access records and characteristics to determine anomalous access attempts. See ¶0009-0011 & 0014.
US 2016/0112397: Discloses anomalous access requests using machine learning techniques on contextual information related to the access requests. Deviations from a baseline may enforce additional multi-factor authentication. See ¶0021-0022 & 0026.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        7-08-2022