DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 2, 6, 16, 18 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 recites the limitation "each type of user action".  There is insufficient antecedent basis for this limitation in the claim.  Claim 6 recites the limitation “each user action type”.  There is insufficient antecedent basis for this limitation in the claim.
Claims 1, 18 and 19 recite the limitation “determine a subsequent session security level in response to an adjustment of a session security level by a security value of the requested user action”.  The meaning of this recitation is unclear.  Is the security value making the adjustment?  Is the security value the amount of adjustment?  Is it the session security level of the user action?
Claim 16 recites the limitation “the security value being neutral”.  The meaning of this recitation is unclear.  What is meant by ‘neutral’?

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mathew et al. (US Pub. 20170118223 A1) and further in view of Choyi et al. (US Pub. 20180013782 A1).

Regarding claim 1, Mathew discloses a non-transitory machine readable medium having tangibly stored thereon executable instructions for execution by a processor of a computing device, wherein the executable instructions, when executed by the processor, cause the computing device to: 
detect a request to perform a user action (para. 22- The authentication level of the session may be the first authentication level that enables the user at the computing device to access the resource provided by the resource computer system.; para. 78- Starting at step 202, a user 102 operates device 104 to request a resource (“requested resource”) for which access is managed by an access management system, e.g., access management system 140.); 
determine a subsequent session security level in response to an adjustment of a session security level by a security value of the requested user action (para. 80- Authorization engine 144 may determine whether authentication is necessary to access a resource, and if so, what credential information is needed based on an authentication level to access a resource. Resources may be associated with one or more authentication levels, each having different access requirements); 
permit the requested user action and adjust the session security level based on the security value of the requested user action in response to a determination that the subsequent session security level is greater than or equal to a threshold session security level (para. 80-83- Web Gate 106 may determine whether a session is active to access a requested resource (e.g., check if there is a valid authentication session). For example, Web Gate 106 may determine that a session is active to provide access to resources including the requested resource. In some embodiments, Web Gate 106 may determine whether a requested resource is protected, such that authentication is required to access the resource and that minimum level of authentication is needed to access the resource.); 
cause a user authentication challenge in response to a determination that the session security level is less than the threshold session security level (para. 89- access management system 140 may perform a process 222 (“Step-up”) to adjust (e.g., “step-up”) the authentication level of a session such that additional authentication is performed before access is permitted to one or more resources. For example, at step 230, user 102 may operate device 104 to request access to a resource that is accessible based on authentication at an authentication level that higher, or elevated compared to the authentication level at which user 102 authenticated in the previous steps. At step 232, Web Gate 106 may intercept the request to access the resource at the higher authentication level. At step 234, Web Gate 106 may request access from session engine 142, which may include determining authorization to access the resource based on previous authentication of user 102. As such, authorization engine 144 may be requested to determine authorization to access the resource based on the authentication level for which user 102 is authenticated. Upon determining that the authentication level does not enable access to the resource, at step 240, session engine 142 may send a request to device 104 for additional credential information from user 102 as part of step-up authentication to access a resource at a higher authentication level. At step 242, user 102 may be requested by device 104 for input of additional credential information (“additional credentials”) to device 104. At step 244, device 104 may send the input (e.g., additional credential information) to session engine 142 to perform authentication of user 102 for the higher authentication level. At step 246, session engine 142 may determine authentication of user 102 (e.g., validate additional credentials) at the higher authentication level based on the additional credential information.); 
permit the requested user action and adjust the session security level based on one or both of the security value of the requested user action and a security value of a successful user authentication challenge in response to a successful user authentication challenge (para. 89- The authentication level of the session may be modified to the higher authentication level at step 248. Session engine 142 may inform device 104 directly or indirectly through Web Gate 106 that access to the requested resource at step 230 is permitted based on authentication at a higher authentication level. At step 250, access to the requested resource may be allowed at device 104 through application 108 for the higher authentication level.); and 
reject the user action in response to an unsuccessful user authentication challenge. (para. 6- The user may continue to access protected resources so long as the user successfully responds to the challenge, thereby maintaining a valid session for an SSO system.)
Mathew does not specifically teach determining whether the subsequent security level is greater than a threshold. However, this concept is known and used in the art as evidenced by Choyi (see para. 28-29) and therefore, one skilled in the art would have found it obvious to utilize it in Mathew as a simple known alternative to determining when a user can be provided access to resources. 
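The session-security-level flow recited in claim 1 (with the positive/negative/neutral security values of claim 16 and the inactivity decay of claims 4-5) modelled as a small state machine. This is an added illustration, not code from the application under examination or from the Mathew or Choyi references; the action types, security values, threshold, linear decay rate and the choice to compare the subsequent level against the threshold before challenging are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed per-action-type security values (claim 16: a positive value
# raises the session security level, a negative one lowers it, neutral
# leaves it unchanged). The action names follow claims 7 and 12.
ACTION_SECURITY_VALUES = {
    "reauthenticate": 3,    # explicit security action
    "document_read": 0,     # neutral non-security action
    "document_write": -1,
    "document_delete": -2,
}
CHALLENGE_SECURITY_VALUE = 2   # assumed value credited for a successful challenge
THRESHOLD = 2                  # assumed threshold session security level
DECAY_PER_MINUTE = 1           # assumed linear decay with idle time (claims 4-5)


@dataclass
class Session:
    level: int
    last_action_minute: float   # time of the last permitted action (minutes)

    def apply_inactivity(self, now: float) -> int:
        """Claims 4-5: lower the level by the idle time since the last action."""
        idle = max(0.0, now - self.last_action_minute)
        self.level = max(0, self.level - int(idle * DECAY_PER_MINUTE))
        return self.level


def handle_action(session: Session, action: str, now: float,
                  challenge: Callable[[], bool]) -> dict:
    """Claim 1 flow: detect the action, compute the subsequent level,
    permit or step up, and adjust the session level accordingly.
    `challenge` is a constructed stand-in for the user authentication challenge."""
    value = ACTION_SECURITY_VALUES[action]
    current = session.apply_inactivity(now)
    subsequent = current + value
    result = {"action": action, "challenged": False, "permitted": False}
    if subsequent >= THRESHOLD:
        # Permit and adjust the level by the action's security value.
        session.level = subsequent
        session.last_action_minute = now
        result["permitted"] = True
    else:
        # Below threshold: issue a challenge (step-up).
        result["challenged"] = True
        if challenge():
            # Adjust by both the action value and the challenge value.
            session.level = subsequent + CHALLENGE_SECURITY_VALUE
            session.last_action_minute = now
            result["permitted"] = True
        # Unsuccessful challenge: action rejected, level left unchanged.
    result["level"] = session.level
    return result


def demo() -> list:
    """Constructed sequence of actions against one session."""
    s = Session(level=3, last_action_minute=0.0)
    events = [
        ("document_read", 0.0, lambda: True),     # 3 >= 2: permitted, no challenge
        ("document_delete", 0.0, lambda: True),   # 1 < 2: step-up succeeds, level 3
        ("document_delete", 0.0, lambda: False),  # 1 < 2: step-up fails, rejected
        ("document_read", 5.0, lambda: True),     # idle decay 3 -> 0, challenge, level 2
    ]
    return [handle_action(s, a, t, c) for a, t, c in events]
```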

Regarding claim 2, the combination of Mathew and Choyi discloses the non-transitory machine readable medium of claim 1, wherein each type of user action has a security value, wherein the security value of each type of user action is based on a time of inactivity measured from a last user action of the respective type. (Mathew- para. 80- Resources may be associated with one or more authentication levels, each having different access requirements. A resource accessible at a lower authentication level may be accessible by any higher, or elevated, authentication level that demands additional credential information. Authentication for a higher authentication level may include step-up authentication whereby a user must provide additional credential information to gain access to resources at the higher authentication level.; Choyi- para. 28)

Regarding claim 3, Mathew discloses in the non-transitory machine readable medium of claim 2, wherein the security value is gradually increased based on the time of inactivity measured from the last user action of the respective type. (para. 8- When a user accesses a protected resource defined by a higher authentication level, the access management system may challenge the user for extra credentials determined by the authentication scheme(s) defined for the higher authentication level. Upon validation of the user for a higher authentication level, the authentication session of the user may be increased (e.g., “stepped up”) to gain access to the protected resourced at the higher authentication level. One or more other protected resources may be accessible at the higher authentication level. As such, the user can access the other protected resources at the higher level for the authentication session or any level lower than the higher authentication level.)

Regarding claim 4, Choyi discloses in the non-transitory machine readable medium of claim 1, wherein the session security level is based on a time of inactivity measured from a last user action. (para. 28)

Regarding claim 5, Mathew discloses in the non-transitory machine readable medium of claim 4, wherein the session security level is gradually decreased based on the time of inactivity measured from the last user action. (para. 17- In some embodiments, a session may be configured to reduce (e.g., step-down) a current authentication level based on satisfaction of one or more conditions. The condition(s) to reduce an authentication level may be configurable by a user. The conditions may be specific based on a variety of criteria, including a types of resource, the user accessing a resource, time, or other events in an enterprise system.)

Regarding claim 6, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein each user action type is an explicit security action, an implicit security action, or a non-security action. (para. 91- Events may include a request for a user, satisfaction of one or more criteria for step-down authentication, or a combination thereof. Criteria may include a time period, a request for accessing a resource that is accessible at a lower authentication level, or other conditions related to authentication)

Regarding claim 7, Mathew discloses in the non-transitory machine readable medium of claim 6, wherein an explicit security action comprises a re-authentication action, an implicit security action comprises a non-resource specific user action, and a non-security action comprises a resource specific user action. (para. 14- By reducing the authentication level to a lower authentication level, a user may be prompted to provide credentials for authentication according to the authentication schemes defined for higher authentication levels. These techniques can reduce, if not prevent, unauthorized access to protected resources by challenging a user for credentials to authenticate to higher authentication levels. In the context of a session providing single sign-on (SSO) functionality, the ability to control the authentication level enables the user to prevent unauthorized access to multiple protected resources accessible at a higher authentication level.; para. 19- an access management system may involuntarily (e.g., automatically) request a step-down of a current authentication level of a session. The access management system may be configured based on one or more conditions to step-down an authentication level, if a lower authentication level exists, for a session. The conditions may be defined based on resources and/or other events related to the access management system. The conditions may be configured based on input from a user. For example, a user may indicate to step-down an authentication level upon completion of authentication to establish a session.; para. 45- Resources may include, without restriction, a file, a web page, electronic content, a document, web content, a computing resource, or an application. For example, system 100 may include resources such as applications 120 and/or content accessible through those applications 120. A resource may be requested and accessed using an application. 
For example, an application may request access to a web page from a resource server based on a URL identifying a requested resource.)

Regarding claim 8, Mathew discloses in the non-transitory machine readable medium of claim 7, wherein an implicit security action comprises any one or more of session information or biometric information. (para. 17- a session may be configured to reduce (e.g., step-down) a current authentication level based on satisfaction of one or more conditions. The condition(s) to reduce an authentication level may be configurable by a user. The conditions may be specific based on a variety of criteria, including a types of resource, the user accessing a resource, time, or other events in an enterprise system. The access management system may store data with session information for a session. The data may be stored to indicate the conditions for reducing an authentication level, to indicate when an authentication level has been reduced, to indicate a current authentication level after reduction from a higher authentication level, or a combination thereof.)

Regarding claim 9, Choyi discloses in the non-transitory machine readable medium of claim 8, wherein the biometric information comprises any one or more of a typing speed, a typing cadence, a clicking speed, a clicking cadence, gait, finger print or eye scan. (para. 30- For example, active data sessions may provide indications related to an AAL. In some cases, re-authentication is performed that intrudes the user and disrupts service minimally. Continuous authentication implementations described herein may utilize behavioral aspects of a user. Example behavioral aspects include a user's commonly used vocabulary or speech patterns when talking or when sending an email/SMS, a user's frequently visited websites, a user's typing speed or pattern, a user's frequent physical location (e.g., city, country, work, home, etc.), or the like. Continuous authentication implementations described herein may utilize biometrics associated with a user. For example, a camera on a device may be used to detect or identify (e.g., via an iris scan) a user. Continuous authentication may also rely on detecting a heartbeat, detecting heat, detecting movement, detecting a person's gait, or the like)

Regarding claim 10, Mathew discloses in the non-transitory machine readable medium of claim 8, wherein the session information comprises any one or more of an idle time duration, a user activity rate, or a session duration. (para. 108- the event is an expiration of a time period during which the session is active at the authentication level. The event may be configured by a user, such that upon detection, the authentication level of the session may be modified to prevent access to one or more resources.)

Regarding claim 11, Mathew discloses in the non-transitory machine readable medium of claim 7, wherein the non-security actions comprises any one of a document access or idle time duration. (para. 45- Resources may include, without restriction, a file, a web page, electronic content, a document, web content, a computing resource, or an application. For example, system 100 may include resources such as applications 120 and/or content accessible through those applications 120. A resource may be requested and accessed using an application. For example, an application may request access to a web page from a resource server based on a URL identifying a requested resource.)

Regarding claim 12, Mathew discloses in the non-transitory machine readable medium of claim 11, wherein the document access comprises any one or more of a document read, a document write, a document copy, a document delete, a document move, or a document profile change. (para. 45- Resources may include, without restriction, a file, a web page, electronic content, a document, web content, a computing resource, or an application. For example, system 100 may include resources such as applications 120 and/or content accessible through those applications 120. A resource may be requested and accessed using an application. For example, an application may request access to a web page from a resource server based on a URL identifying a requested resource.)

Regarding claim 13, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein the security value is based at least in part on a resource associated with the user action. (para. 10-A user may desire new and alternative mechanisms to adjust an authentication level for access to limit the number of resources accessible to a user during an active, valid session. For example, a user may desire to step-down (e.g., reduce or lower) an authentication level (e.g., an elevated authentication level) to a lower authentication level to limit access to resources accessible to the lower authentication level.)

Regarding claim 14, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein the session security level is associated with a user account of the session. (para. 54- In attempting to access an application, user 102 may operate an application (e.g., application 108) that manages access to a user's account via access management system 140. For example, application 108 is an access management application that may present GUIs. Using application 108, user 102 may request access to one or more resources, engage in authentication, and request modification of an authentication level.)

Regarding claim 15, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein the security value is dynamically determined based on the user actions within the session. (para. 10-A user may desire new and alternative mechanisms to adjust an authentication level for access to limit the number of resources accessible to a user during an active, valid session. For example, a user may desire to step-down (e.g., reduce or lower) an authentication level (e.g., an elevated authentication level) to a lower authentication level to limit access to resources accessible to the lower authentication level.)

Regarding claim 16, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein the session security level is increased in response to the security value being positive (para. 8- When a user accesses a protected resource defined by a higher authentication level, the access management system may challenge the user for extra credentials determined by the authentication scheme(s) defined for the higher authentication level. Upon validation of the user for a higher authentication level, the authentication session of the user may be increased (e.g., “stepped up”) to gain access to the protected resourced at the higher authentication level. One or more other protected resources may be accessible at the higher authentication level. As such, the user can access the other protected resources at the higher level for the authentication session or any level lower than the higher authentication level.), wherein the session security level is decreased in response to the security value being negative (para. 17- In some embodiments, a session may be configured to reduce (e.g., step-down) a current authentication level based on satisfaction of one or more conditions. The condition(s) to reduce an authentication level may be configurable by a user. The conditions may be specific based on a variety of criteria, including a types of resource, the user accessing a resource, time, or other events in an enterprise system.), and wherein the session security level is unchanged in response to the security value being neutral. (para. 11- An access management system can voluntarily or involuntarily (e.g., by user action) adjust an authentication level of a session such that access to resources can be limited to those currently being accessed or desired for access by a user. By enabling a user to specify a lower level of authentication, security of an enterprise system and it resources may be protected from unauthorized users.)

Regarding claim 17, Mathew discloses in the non-transitory machine readable medium of claim 1, wherein the session security level is adjusted in response to each permitted user action. (para. 89- The authentication level of the session may be modified to the higher authentication level at step 248. Session engine 142 may inform device 104 directly or indirectly through Web Gate 106 that access to the requested resource at step 230 is permitted based on authentication at a higher authentication level. At step 250, access to the requested resource may be allowed at device 104 through application 108 for the higher authentication level.)

Regarding claim 18, it is rejected as applied to claim 1 because a corresponding system would have been necessitated to carry out the steps of claim 1. The applied prior art also discloses the corresponding architecture.

Regarding claim 19, the subject matter claimed pertains to method steps that correspond to the steps of the program of claim 1 and is thus rejected under the same analysis.

Regarding claim 20, the subject matter claimed is included in claim 1 and is thus rejected for the same rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM A CORUM JR whose telephone number is (303)297-4234. The examiner can normally be reached Mon. - Fri. 8 AM - 5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM A CORUM JR/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433