Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the claims filed 2/04/2020.  Claims 1-20 are pending.  Claims 1 (a method), 13 (a machine), and 17 (a non-signal bearing CRM, App. Spec. ¶ 49) are independent.  Claims 1, 13, and 17 are amended.

Response to Arguments
Applicant’s arguments, see page 9, filed 6/09/2022, with respect to the rejection(s) of claim(s) 1, 13, and 17 under Turgeman (US 2017/0221064) in view of Pritchett (US 2010/0191661) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  Turgeman discloses determining a usage pattern and probability of interaction with various User Interface elements, but does not disclose locations on a screen. In other words, Turgeman discloses determining a probability of interaction with user interface elements but does not appear to care about the location of said user interface elements. However, upon further consideration, a new ground(s) of rejection is made in view of Turgeman in view of Agrawal “Masquerade detection on GUI-based Windows systems”, see below for details.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 2, 5-11, 13, 16, 17, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al., US 2017/0221064 (filed 2017-04), in view of Agrawal et al., “Masquerade detection on GUI-based Windows systems” (published 2015).
As to claims 1, 13, and 17, Turgeman discloses a method comprising:
(Regarding the processor/memory and CRM of claims 13 and 17, see Turgeman ¶ 76)
tracking, by a usage manager, usage of a device, wherein the usage includes activity by a user interacting with the device; (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47)
identifying, based on the usage, a usage pattern, wherein the usage pattern is based on usage data; (“The system may capture the user's application usage behavior, by monitoring and tracking the user page-specific intra-page behavior, such as, order of navigation between fields (text input, buttons, select-boxes, or the like), angle and/or velocity of entering and exiting each field, average or typical time spent in each field, location of mouse clicks within each field (e.g., right-side, center, left-side), or the like.” Turgeman ¶ 47)
generating, based on the usage pattern, a heatmap (“FIG. 3, which is a schematic illustration of a map 300 demonstrating utilization of user-specific usage stream model” Turgeman ¶ 48), wherein the heatmap represents a relative probability of the user interacting with a …  of the device, and the heatmap is based on the usage data; (“Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability.” Turgeman ¶ 48)
predicting future usage of the device by the user, wherein the predicting includes generating a Markov chain of the predicted future usage; (“The system may model the behavior as a hierarchical fully observed continuous-time Markov chain” Turgeman ¶ 49. “When a new session is observed, the system may compare the observed Markov chain with the empirical expected model by a statistical test;” Turgeman ¶ 51)
determining actual usage is different than the predicted future usage;  (“a user identity detection module 743 to determine, based on the comparison results, whether or not the current user is the same as a previous user (or is the genuine user);” Turgeman ¶ 75) (“Some embodiments of the present invention may be utilized in order to differentiate or distinguish between: an authorized user versus an unauthorized user; a genuine user versus an imposter or fraudster or hacker; a human user versus an automatic script or malware or “bot”” Turgeman ¶ 112)
calculating, in response to determining the actual usage is different than the predicted future usage, a difference …; (“server 555 may determine that in the currently-monitored interaction session, the current user moves between fields by using mouse clicks; whereas, in all or in 90 percent (or another threshold percentage) of past interactions that correspond to the currently logged-in user, movement between fields was performed with the Tab key on the keyboard; and thus, server 555 may send back a response indicating “possibly fraudulent interaction”” Turgeman ¶ 64. See also Turgman ¶ 35)
determining the difference … is above a difference threshold; and (“in all or in 90 percent (or another threshold percentage) of past interactions that correspond to the currently logged-in user,” Turgeman ¶ 64)
activating, in response to determining the difference … is above the difference threshold, an alert. (“server 555 may send back a response indicating “possibly fraudulent interaction”” Turgeman ¶ 64. “if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

Turgeman does not disclose: 
A location on a screen … relative to other locations on the screen 
… score …

Agrawal discloses a similar system directed to malicious user detection using a hidden markov model (Agrawal § 2.2).  Specifically, Agarwal discloses:
A location on a screen (“We log mouse clicks, distinguishing between left and right clicks. At each mouse click we also record the mouse coordinates, a timestamp, and the application on which the event occurred.” Agrawal § 3.1) … relative to other locations on the screen (“For the purposes of our HMM, the observation sequence consists of the type of click and the mouse position…. The score results for user 1 are given in Figures 5 and 6, for N = 2 and N = 3 hidden states, respectively. The corresponding ROC curves are given in Figures 7 and 8, respectively. TheAUC values for these curves appear in Table 5.” Agrawal § 4.1)
… score … (“Given the model λ = (A, B, π) and an observation sequence O, determine P(O | λ). That is, we can score a sequence to see how well it fits a given model” Agarrawal § 2.2. “use GUI-based data to train HMMs for a user (Problem 3). Then we score user data and attack data (Problem 1) to determine the effectiveness of our models” Agarwal § 2.2. see Agrawal Figures 3, 5 and 6)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified Turgeman with Agrawal by utilizing the GUI-based mouse click data and thresholds of Agrawal to generate a model of expected user behavior for detecting malicious users.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Turgeman with Agarwal in order to improve the GUI-based masquerade detection by utilizing a plurality of models (“a combined score involving both mouse and keyboard activity can yield an improvement over models based on mouse activity alone.” Agrawal § 5)


As to claim 2, Turgeman in view of Agrawal discloses a method of claim 1 and further discloses:  wherein tracking the usage comprises: 
capturing a series of snapshots, wherein each snapshot (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47) includes data corresponding to at least one of a running application (the application of Turgeman), a location, a time of day, and a set of inputs (a user-interface (UI) element). (“Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability. Moreover, each state, whether external or internal, is also characterized by the time duration.” Turgeman ¶ 48)

As to claims 5, 16, and 20, Turgeman in view of Agrawal discloses a method/machine/CRM of claims 1, 13, and 17 and further discloses:  wherein the heatmap is a first heatmap and the first heatmap is correlated to a first application, the method further comprising: generating a second heatmap, wherein the second heatmap is correlated to a second application. (“Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like).” Turgeman ¶ 48. “Application Usage Stream or interaction stream. The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence), as well as navigation order and time span between the user-interface elements within each screen or web-page (intra-page sequence).” Turgeman ¶ 47)

As to claim 6, Turgeman in view of Agrawal discloses the method of claim 1 and further discloses: wherein the user is an authorized user (“the system and method may differentiate between: (i) a “legitimate” user, which may be the authorized user, the user who owns an online account” Turgeman ¶ 228) and the difference score represents a likelihood a current user is an unauthorized user of the device. (“model can be used to score a sequence and thereby determine its similarity to the training sequence” Agrawal § 2.2)

As to claim 7, Turgeman in view of Agrawal discloses a method of claim 1 and further discloses: wherein the usage manager includes a policy, the policy including a set of policy attributes. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35. Whatever action the system takes being the policy.)

As to claim 8, Turgeman in view of Agrawal discloses a method of claim 7 and further discloses: wherein a first policy attribute of the set of policy attributes includes a set of contacts to alert. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 9, Turgeman in view of Agrawal discloses a method of claim 1 and further discloses: wherein the activating the alert includes sending a message to a set of contacts. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 10, Turgeman in view of Agrawal discloses a method of claim 1 and further discloses: wherein activating the alert includes requesting verification from a current user. (“if the currently-captured motor behavior does not correspond to the pre-calculated user-specific model, then the system may determine or may estimate that the current user is not the genuine user, and may generate an alert or alarm, may send notification(s) to relevant personnel or administrators, and/or may require the user to perform additional security tasks (e.g., to contact a customer service or fraud department by phone, to utilize two-factor authentication, to answer one or more pre-defined security questions, or the like).” Turgeman ¶ 35)

As to claim 11, Turgeman in view of Agrawal discloses a method of claim 1 and further discloses: wherein the device is a mobile device, and the mobile device includes a touch screen.
(“The term “pointing device” as used herein may include, for example, a mouse, a trackball, a pointing stick, a stylus, a joystick, a motion-sensing input device, a touch screen” Turgeman ¶ 114)

Claim 3, 4, 14, 15, 18, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al., US 2017/0221064 (filed 2017-04), in view of Agrawal et al., “Masquerade detection on GUI-based Windows systems” (published 2015), and Grajek et al., US 2018/0069867 (filed 2017-09).
As to claims 3, 14, and 18, Turgeman in view of Agrawal discloses the method of claim 1 and further discloses: wherein tracking the usage comprises: capturing a series of snapshots, (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47) wherein each snapshot includes data corresponding to a running application, …, and a set of inputs. (“Each one of the external circles 301-304 represents an application or a website (or, a specific page in an application or website). Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability. Moreover, each state, whether external or internal, is also characterized by the time duration.” Turgeman ¶ 48).

Turgeman in view of Agrawal does not disclose:
a location, a time of day

Grajek discloses: 
a location, a time of day (“the user conduct evaluation 120 may determine, among other things, that the user is attempting to access the system 100 from a GPS location that the user has previously never used at a time when the user has never requested to access the system 100, and may generate a score of “10” out of a possible value of “50”. In some variations, the ID confidence score is determined via a real time engine that collects the results of the biometric and conduct models.” Grajek ¶ 33)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Turgeman in view of Agrawal with Grajek by incorporating the behavior comparison of Turgeman in view of Agrawal into a confidence level based on GPS location and time.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Turgeman in view of Agrawal with Grajek in order to provide provide additional user use context into the model to better distinguish a legitimate user from a fraudulent user, e.g. Grajek ¶ 24.

As to claims 4, 15, and 19, Turgeman in view of Agrawal, and Grajek discloses the method/machine/CRM of claim 3, 14, and 18 and further discloses:
wherein identifying the usage pattern includes analysing the series (“Each one of the inner circles 311-314 represents a user-interface (UI) element (e.g., a dialog box, a drop-down menu, a radio button, a checkbox, a field in a form, a “submit” button, a button, or the like). Each transition is characterized by an associated transition probability.” Turgeman ¶ 48) of snapshots. (“The system may capture the user's application usage behavior, by monitoring and tracking the sequence and time span of each application screen or web-page (inter-page sequence)” Turgeman ¶ 47).

Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al., US 2017/0221064 (filed 2017-04), in view of Agrawal et al., “Masquerade detection on GUI-based Windows systems” (published 2015), and Pritchett et al., US 2010/0191661 (filed 2009-11).
As to claim 12, Turgeman in view of Agrawal discloses claim 1 and further discloses:
wherein the alert is a first alert and the difference threshold is a first difference threshold, the method further comprising:  (“server 555 may determine that in the currently-monitored interaction session, the current user moves between fields by using mouse clicks; whereas, in all or in 90 percent (or another threshold percentage) of past interactions that correspond to the currently logged-in user, movement between fields was performed with the Tab key on the keyboard; and thus, server 555 may send back a response indicating “possibly fraudulent interaction”” Turgeman ¶ 64)

Turgeman in view of Agrawal does not disclose:
determining the difference score is above a second difference threshold; and activating, in response to determining the difference score is above the second difference threshold, a second alert.

Pritchett discloses: determining the difference score is above a second difference threshold; and activating, in response to determining the difference score is above the second difference threshold, a second alert.
 (“has increased over a first alert threshold or dropped below a second alert threshold….. the fraud detection system 16 may respond to the score crossing the threshold by communicating the alert to the appropriate monitoring machines 26. For example, the alert may be communicated as an interface that includes an identity identifier, a score, and a warning that the probability score has exceeded or dropped below alert threshold.” Pritchett ¶ 23)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Turgeman in view of Agrawal with Pritchett by providing a plurality of configurable thresholds for different mitigating actions (Turgeman ¶¶ 35, 64, Pritchett ¶ 23) and triggering the action upon reaching each respective threshold.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Turgeman in view of Agrawal with Pritchett in order to allow configuration of the plurality of mitigating actions discussed in Turgeman in view of Agrawal and Pritchett and to allow different alarms to be triggered based on the severity of the suspected fraud.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly.
Colby et al., US 2016/0171734, discloses a user interface interaction probability display for software designers.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492