Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Office Action is in response to reply filed by Applicant on 7/7/2022. Claims 1-20 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on the same exact combination of art applied in the prior rejection of record for the newly amended teaching or matter specifically challenged in the argument.
 	
	B) Applicant argues that Grajek fails to disclose, teach or even suggest “wherein: the first user is a client of the one or more organizations, wherein the monitored user behavior information associated with the first user comprises behaviors of the first user while the first user has been accessing a particular account of the first user associated with each organization from among the one or more organizations,” regarding claim 1.  Examiner respectfully disagrees.  
	Examiner submits that Grajek teaches wherein: the first user is a client of the one [[or more organizations]] wherein the monitored user behavior information associated with the first user comprises behaviors of the first user while the first user has been accessing a particular account of the first user associated with each organization from among the one [[or more organizations]].  Grajek, Paragraph 0051 recites “For example, for web and or solution as a service (SaaS) applications, the asserted identity can be in the context of a formatted web assertion (e.g., in the form of a SAML, WS-Fed, OpenID, OpenIDConnect, and/or the like). In some aspects, the logon can be in the format of an established exchange of logon data (e.g., an identity that follows the OAuth protocol).”
	Applicant argues that despite listing, protocols used to login, that this doesn’t necessarily mean that the user is a client of.  Examiner felt that by using one of these techniques it is implied that an organization will use them to authenticate that a user is a client of an organization.  Grajek explicitly shows the use of these authentication methods in Paragraph 0077 which recites “Authentication for a user is initiated, at 510, based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored, at 520, for anomalous activity to generate first data. Differences between the first data and historical utilization data for the user are determined based on the monitoring, at 530, to determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.” Which demonstrates a user being authenticated using one of the listed authentication protocols, and if authenticated the user will have proved to be a client of the organization.  Rejection will now reflect this for clarification purposes.  As a result, Grajek teaches the limitation argued above.

	C) Applicant argues that Grajek fails to disclose, teach or even suggest “wherein: the software application uses an open authentication to allow the first user to log in to the account of the first user on the software application by authenticating another account of the first user associated with a different organization and the one [[or more organizations]] are associated with the software application,” regarding claim 1.  Examiner respectfully disagrees.
	Examiner submits that Grajek teaches “wherein: the software application uses an open authentication to allow the first user to log in to the account of the first user on the software application by authenticating another account of the first user associated with a different organization and the one [[or more organizations]] are associated with the software application.”  Grajek, Paragraph 0051 recites “For example, for web and or solution as a service (SaaS) applications, the asserted identity can be in the context of a formatted web assertion (e.g., in the form of a SAML, WS-Fed, OpenID, OpenIDConnect, and/or the like). In some aspects, the logon can be in the format of an established exchange of logon data (e.g., an identity that follows the OAuth protocol).” And Paragraph 0021 recites “The system 100 can be utilized when a user requests access to and/or initiates a procedure to obtain access to an IT resource.” 
	Applicant argues that Grajek does not teach an open authentication, however, Grajek explicitly recites that the use of OAuth is an authentication protocol to be used for logon.  OAuth is an Open authentication protocol.  And that the user is not logging into a different account in order to gain authentication with the application.  Again Grajek uses OAuth, where a user is associated with another organization such as Amazon, Google, Facebook, Microsoft, and Twitter to permit the users to share information about their accounts with third-party applications or websites.  Therefore a user would have to logon and be authenticated with one of the above companies, prior to being given access to an additional website or application.  As a result Grajek teaches the limitations argued above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	
Claims 1-6, 8-13 and 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grajek et al. (US 2018/0069867) in view of Khalil et al. (US 2017/0034164) and Buda et al. (US 2019/0362245).

	As per claim 1, Grajek teaches a system for implementing continuous authentication for a software application, the system comprising: a memory operable to store monitored user behavior information associated with a first user received from one [[or more organizations]] (Grajek, Paragraph 0029 recites “In some variations, the behavioral biometrics information can be stored in the user-related information 195, and may be correlated per user and per device. This information can help the system detect anomalies in logon behavior and/or help identify users who are utilizing another user's credentials.”), 
	wherein: the first user is a client of the one [[or more organizations]] (Grajek, Paragraph 0051 recites “For example, for web and or solution as a service (SaaS) applications, the asserted identity can be in the context of a formatted web assertion (e.g., in the form of a SAML, WS-Fed, OpenID, OpenIDConnect, and/or the like). In some aspects, the logon can be in the format of an established exchange of logon data (e.g., an identity that follows the OAuth protocol).” The use of any of these open standard access systems would read on using one of these authentications for one or more organizations. And Paragraph 0077 recites “Authentication for a user is initiated, at 510, based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored, at 520, for anomalous activity to generate first data. Differences between the first data and historical utilization data for the user are determined based on the monitoring, at 530, to determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.”),
	wherein the monitored user behavior information associated with the first user comprises behaviors of the first user while the first user has been accessing a particular account of the first user associated with each organization from among the one [[or more organizations]]; and the monitored user behavior information comprises one or more of an average typing speed in a particular period, an average typing error in the particular period, and mouse movement patterns associated with the first user (Grajek, Paragraph 0028 recites “As illustrated, the pre-authentication procedure 105 can additionally or alternatively include behavioral biometrics evaluation 130. “Behavioral biometrics” can refer to the manner in which the user logs in. For example, these biometrics can include human-to-device input vectors such as a user's speed of typing; intervals between the user's character typing (e.g., time between typing different portions of text); the firmness with which the user presses a keypad or other user interface; the location in and/or the force with which the user presses to provide input to a keyboard, screen, or other user interface; and/or other input vectors. In some aspects, the behavioral biometrics related to a user and/or device can be captured during a logon event. The behavioral biometrics can also evaluated during continuous authentication 160 (e.g., during evaluate behavioral biometrics 164).”);
	and a processor, associated with a server, operably coupled to the memory, configured to: receive a request from the first user to access an account of the first user on a software application (Grajek, Paragraph 0077, recites “FIG. 5 illustrates an example process flow diagram 500 for continuous authentication for one or more information technology resource. Authentication for a user is initiated, at 510, based on an identification confidence score of the user.”);
	wherein: the software application uses an open authentication to allow the first user to log in to the account of the first user on the software application by authenticating another account of the first user associated with a different organization and the one [[or more organizations]] are associated with the software application (Grajek, Paragraph 0051 recites “For example, for web and or solution as a service (SaaS) applications, the asserted identity can be in the context of a formatted web assertion (e.g., in the form of a SAML, WS-Fed, OpenID, OpenIDConnect, and/or the like). In some aspects, the logon can be in the format of an established exchange of logon data (e.g., an identity that follows the OAuth protocol).” And Paragraph 0021 recites “The system 100 can be utilized when a user requests access to and/or initiates a procedure to obtain access to an IT resource.” An IT resource would read on a software application);
	activate a continuous authentication of the first user based at least in part upon a plurality of monitored user behavior information received from the one [[or more organizations]], wherein, in continuous authentication, the processor uses the plurality of monitored user behavior information associated with the first user to determine whether the first user is accessing the account of the first user on the software application; monitor accessing the account of the first user by monitoring behaviors of a person who is accessing the account of the first user on the software application; determine whether the behaviors of the person who is accessing the account of the first user correspond to the plurality of monitored user behavior information associated with the first user; and in response to a determination that the behaviors of the person accessing the account of the first user correspond to the plurality of monitored user behavior information associated with the first user: determine that the person accessing the account of the first user is the same as the first user; and grant the first user access to the account of the first user (Grajek, Paragraph 0077 recites “FIG. 5 illustrates an example process flow diagram 500 for continuous authentication for one or more information technology resource. Authentication for a user is initiated, at 510, based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored, at 520, for anomalous activity to generate first data. Differences between the first data and historical utilization data for the user are determined based on the monitoring, at 530, to determine whether the user's utilization of the one or more resources is anomalous. 
When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.”).
	Grajek is not explicit that a user is associated with one or more organizations.  However, in an analogous art Khalil teaches a user is associated with one or more organizations (Khalil, Paragraph 0032 recites “The OpenID protocols enable a user to log on to many different web sites with a single digital identity known as an OpenID Identifier. An OpenID Service enables the user to create an account, establishes a web identity (e.g., the OpenID Identifier), and registers the web identity with different services to receive various credentials. During the sign-in process, the user may be authenticated for different services using an associated OpenID Identifier (i.e., the universal ID) and related credentials.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Khalil’s multifactor authentication for mail server access with Grajek’s Computer User Authentication Using Machine Learning because Khalil’s explicit use of an OpenID across different services would help with seamless signing on for different organizations.  
	But fails to teach determine that a first monitored user behavior information from among the plurality of monitored user behavior information is an outlier user behavior information, wherein determining that the first monitored user behavior information is the outlier user behavior information comprises: comparing the first monitored user behavior information with at least a portion of the rest of the plurality of monitored user behavior information; and determining that the first monitored user behavior leads to a largest prediction error, from among a plurality of prediction errors determined for the rest of the plurality of monitored user behavior information, in conjunction with verifying the identity of the first user; exclude the outlier user behavior information from consideration in the continuous authentication of the first user.
	However, in an analogous art Buda teaches determine that a first monitored user behavior information from among the plurality of monitored user behavior information is an outlier user behavior information, wherein determining that the first monitored user behavior information is the outlier user behavior information comprises (Buda, Paragraph 0033 recites “Following step 33, the method 30 proceeds to step 34. Step 34 comprises determining whether the data element (under investigation) is an outlier based on the threshold value, the predicted value and the (actual) value of the data element. Thus, it can be determined whether a data element is an outlier based, for example, on at least a comparison between the predicted value and the (actual) value of that data element with reference to the threshold value.”): 
	comparing the first monitored user behavior information with at least a portion of the rest of the plurality of monitored user behavior information; and determining that the first monitored user behavior leads to a largest prediction error, from among a plurality of prediction errors determined for the rest of the plurality of monitored user behavior information, in conjunction with verifying the identity of the first user; exclude the outlier user behavior information from consideration in the continuous authentication of the first user (Buda, Paragraph 0094 recites “In particular, step 34 may comprise calculating an error value using the predicted value and the (actual) value of the data element under investigation. This error value may be compared to the threshold value to determine whether the data element is an outlier (e.g., anomalous) or not. For example, if the error value of the data element under investigation is above the threshold value, it may be determined that the data element is an outlier. Similarly, if the error value of the data element under investigation is below the threshold value, it may be determined that the data element is not an outlier.” Buda is not relied upon to teach continuous authentication, Buda is used in combination with Grajek which teaches continuous authentication.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Buda’s anomaly detection with Grajek’s Computer User Authentication Using Machine Learning because Buda’s prediction error helps to prevent false positives. 

	As per claim 2, Grajek in combination with Khalil and Buda teaches the system of claim 1, Grajek further teaches wherein the processor is further configured to: in response to a determination that the behaviors of the person accessing the account of the first user do not correspond to the plurality of monitored user behavior information associated with the first user: determine that the person accessing the account of the first user is not the same as the first user; and log out that person from the account of the first user (Grajek, Paragraph 0044 recites “When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.”).

	As per claim 3, Grajek in combination with Khalil and Buda teaches the system of claim 1, Khalil further teaches wherein the one or more organizations are associated with the software application by the first user registering the account of the first user in the software application with one or more accounts of the first user in the one or more organizations (Khalil, Paragraph 0032 recites “The OpenID protocols enable a user to log on to many different web sites with a single digital identity known as an OpenID Identifier. An OpenID Service enables the user to create an account, establishes a web identity (e.g., the OpenID Identifier), and registers the web identity with different services to receive various credentials. During the sign-in process, the user may be authenticated for different services using an associated OpenID Identifier (i.e., the universal ID) and related credentials.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Khalil’s multifactor authentication for mail server access with Grajek’s  Computer User Authentication Using Machine Learning because Khalil’s explicit use of an OpenID across different services would help with seamless signing on for different organizations.  

	As per claim 4, Grajek in combination with Khalil and Buda teaches the system of claim 1, Grajek further teaches wherein monitoring behaviors of the person accessing the account of the first user on the software application comprises: determining an average typing speed of that person in the particular period; determining an average typing error of that person in the particular period; and determining mouse movement patterns associated with that person in the particular period (Grajek, Paragraph 0028 recites “As illustrated, the pre-authentication procedure 105 can additionally or alternatively include behavioral biometrics evaluation 130. “Behavioral biometrics” can refer to the manner in which the user logs in. For example, these biometrics can include human-to-device input vectors such as a user's speed of typing; intervals between the user's character typing (e.g., time between typing different portions of text); the firmness with which the user presses a keypad or other user interface; the location in and/or the force with which the user presses to provide input to a keyboard, screen, or other user interface; and/or other input vectors. In some aspects, the behavioral biometrics related to a user and/or device can be captured during a logon event. The behavioral biometrics can also evaluated during continuous authentication 160 (e.g., during evaluate behavioral biometrics 164).”).

	As per claim 5, Grajek in combination with Khalil and Buda teaches the system of claim 1, Grajek further teaches wherein determining whether the behaviors of the person accessing the account of the first user correspond to the plurality of monitored user behavior information associated with the first user received from the one or more organizations comprises: for each feature from among the plurality of monitored user behavior information associated with the first user received from the one or more organizations: determining a first value of the feature in the particular period; determining a second value of a corresponding feature from among the behaviors of the person accessing the account of the first user in the particular period; determining whether the first value of the feature is within a particular threshold value from the second value of the corresponding feature; determining whether a majority of features from among the plurality of monitored user behavior information associated with the first user is within their corresponding particular threshold values from their corresponding feature from among the behaviors of the person accessing the account of the first user in the particular period; and in response to determining that the majority of features from among the plurality of monitored user behavior information associated with the first user is within their corresponding particular threshold values from their corresponding feature from among the behaviors of the person accessing the account of the first user, determine that the behaviors of that person correspond to the plurality of monitored user behavior information associated with the first user (Grajek, Paragraph 0077 recites “FIG. 5 illustrates an example process flow diagram 500 for continuous authentication for one or more information technology resource. Authentication for a user is initiated, at 510, based on an identification confidence score of the user. 
The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored, at 520, for anomalous activity to generate first data. Differences between the first data and historical utilization data for the user are determined based on the monitoring, at 530, to determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.”).

	As per claim 6, Grajek in combination with Khalil and Buda teaches the system of claim 5, Grajek further teaches wherein: in response to determining that the majority of features from among the plurality of monitored user behavior information associated with the first user is not within their corresponding particular threshold values from their corresponding feature from among the behaviors of the person accessing the account of the first user, determine that the behaviors of that person do not correspond to the plurality of monitored user behavior information associated with the first user (Grajek, Paragraph 0077 recites “FIG. 5 illustrates an example process flow diagram 500 for continuous authentication for one or more information technology resource. Authentication for a user is initiated, at 510, based on an identification confidence score of the user. The identification confidence score is based on one or more characteristics of the user. Using a machine learning model for the user, user activity of the user is monitored, at 520, for anomalous activity to generate first data. Differences between the first data and historical utilization data for the user are determined based on the monitoring, at 530, to determine whether the user's utilization of the one or more resources is anomalous. When the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource is removed, at 540.”).
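The decision logic recited across claims 1, 2, 5 and 6 above, written out as an added example (it is not code from the application, Grajek or Buda). The leave-one-out mean predictor, the feature names, the thresholds, the single number standing in for "mouse movement patterns" and all sample values are constructed assumptions, since the Office Action gives none.

```python
"""Outlier exclusion (claim 1) followed by the majority-of-features
threshold test (claims 5 and 6). Added illustration; all values constructed."""
from statistics import mean

# Per-feature tolerance for the "within a particular threshold value" test.
# Assumed values; the page does not state any.
THRESHOLDS = {
    "typing_speed_cpm": 40.0,    # average typing speed, characters/minute
    "typing_error_rate": 0.03,   # average typing error, fraction of keystrokes
    "mouse_speed_px_s": 120.0,   # assumed scalar summary of mouse movement
}

def prediction_errors(profiles):
    """Leave-one-out error per organization: distance of each profile from
    the mean of the remaining profiles, expressed in threshold units."""
    errors = {}
    for org, profile in profiles.items():
        rest = [p for o, p in profiles.items() if o != org]
        per_feature = [
            abs(profile[f] - mean(p[f] for p in rest)) / tol
            for f, tol in THRESHOLDS.items()
        ]
        errors[org] = mean(per_feature)
    return errors

def exclude_outlier(profiles, error_threshold=1.0):
    """Drop the profile with the largest prediction error, but only when that
    error also exceeds the threshold. With fewer than three profiles the
    leave-one-out errors are symmetric, so nothing is excluded."""
    if len(profiles) < 3:
        return dict(profiles), None
    errors = prediction_errors(profiles)
    worst = max(errors, key=errors.get)
    if errors[worst] <= error_threshold:
        return dict(profiles), None
    return {o: p for o, p in profiles.items() if o != worst}, worst

def baseline(profiles):
    """First value of each feature: mean over the retained profiles."""
    return {f: mean(p[f] for p in profiles.values()) for f in THRESHOLDS}

def matched_features(base, session):
    """Features whose observed (second) value is within threshold of the
    baseline. A feature missing from the session never matches (fail closed)."""
    return [
        f for f, tol in THRESHOLDS.items()
        if f in session and abs(base[f] - session[f]) <= tol
    ]

def continuous_auth_decision(profiles, session, exclude=True):
    """Grant when a strict majority of features match, otherwise log out."""
    kept, excluded = exclude_outlier(profiles) if exclude else (dict(profiles), None)
    matched = matched_features(baseline(kept), session)
    majority = 2 * len(matched) > len(THRESHOLDS)
    return {
        "excluded": excluded,
        "matched": matched,
        "action": "grant" if majority else "logout",
    }

# Constructed sample data: behavior profiles for one user from four organizations.
PROFILES = {
    "org_a": {"typing_speed_cpm": 210, "typing_error_rate": 0.040, "mouse_speed_px_s": 480},
    "org_b": {"typing_speed_cpm": 205, "typing_error_rate": 0.050, "mouse_speed_px_s": 500},
    "org_c": {"typing_speed_cpm": 215, "typing_error_rate": 0.045, "mouse_speed_px_s": 470},
    # Profile that disagrees with the others (e.g. recorded on a shared device).
    "org_d": {"typing_speed_cpm": 90, "typing_error_rate": 0.150, "mouse_speed_px_s": 900},
}
# Constructed live sessions observed on the software application.
OWNER_SESSION = {"typing_speed_cpm": 235, "typing_error_rate": 0.040, "mouse_speed_px_s": 470}
OTHER_SESSION = {"typing_speed_cpm": 120, "typing_error_rate": 0.120, "mouse_speed_px_s": 510}

if __name__ == "__main__":
    for label, session in (("owner", OWNER_SESSION), ("other", OTHER_SESSION)):
        print(label, continuous_auth_decision(PROFILES, session))
    # Same owner session with the outlier left in the baseline.
    print("owner, no exclusion",
          continuous_auth_decision(PROFILES, OWNER_SESSION, exclude=False))
```

With the constructed data, leaving `org_d` in the baseline shifts every feature enough that the legitimate owner session fails two of three features and is logged out, which is the false rejection the outlier exclusion step avoids.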

Regarding claims 8 and 15, claims 8 and 15 are directed to a method and a non-transitory readable medium associated with the system of claim 1. Claims 8 and 15 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claims 9 and 16, claims 9 and 16 are directed to a method and a non-transitory readable medium associated with the system of claim 2. Claims 9 and 16 are of similar scope to claim 2, and are therefore rejected under similar rationale.

Regarding claims 10 and 17, claims 10 and 17 are directed to a method and a non-transitory readable medium associated with the system of claim 3. Claims 10 and 17 are of similar scope to claim 3, and are therefore rejected under similar rationale.

Regarding claims 11 and 18, claims 11 and 18 are directed to a method and a non-transitory readable medium associated with the system of claim 4. Claims 11 and 18 are of similar scope to claim 4, and are therefore rejected under similar rationale.

Regarding claims 12 and 19, claims 12 and 19 are directed to a method and a non-transitory readable medium associated with the system of claim 5. Claims 12 and 19 are of similar scope to claim 5, and are therefore rejected under similar rationale.

Regarding claims 13 and 20, claims 13 and 20 are directed to a method and a non-transitory readable medium associated with the system of claim 6. Claims 13 and 20 are of similar scope to claim 6, and are therefore rejected under similar rationale.

Claims 7 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grajek et al. (US 2018/0069867), Khalil et al. (US 2017/0034164) and Buda et al. (US 2019/0362245) and in further view of Wang et al. (US  2021/0227000).

	As per claim 7, Grajek in combination with Khalil and Buda teaches the system of claim 1, but fails to teach wherein the processor is further configured to: send a security code to a phone number of the first user associated with the software application; request the first user to confirm the security code by entering the security code in the software application; determine whether the security code received from the first user matches the security code sent to the phone number of the first user; in response to a determination that the security code received from the first user matches the security code sent to the phone number of the first user, continue granting the first user access to the account of the first user; and in response to a determination that the security code received from the first user does not match the security code sent to the phone number of the first user; revoke access to the account of the first user on the software application.
	However, in an analogous art Wang teaches wherein the processor is further configured to: send a security code to a phone number of the first user associated with the software application; request the first user to confirm the security code by entering the security code in the software application; determine whether the security code received from the first user matches the security code sent to the phone number of the first user; in response to a determination that the security code received from the first user matches the security code sent to the phone number of the first user, continue granting the first user access to the account of the first user; and in response to a determination that the security code received from the first user does not match the security code sent to the phone number of the first user; revoke access to the account of the first user on the software application (Wang, Paragraph 0036 recites “A user of the connected device may have an account in a cloud computing system and an account with a voice call carrier. A user may link their account in the cloud computing system to their account with the voice call carrier. For example, the user may use credentials, such as a username and password, for their cloud computing account to login to the system of the voice call carrier. The credentials may be sent directly to the cloud computing system, which may verify the credentials before allowing the user to login to the system of the voice call carrier by sending a token, such as OAuth token, that allows access to specific parts of the user's account on the cloud computing system to the system of the voice call carrier. After the user is logged in to the voice call carrier using credentials for the user's account on the cloud computing system, the user may enter their phone number into the system of the voice call carrier. 
The system of the voice call carrier may verify that the phone number is associated with an account on the system of the voice call carrier If the phone number is determined to be associated with an account on the system of the voice call carrier, the system of the voice call carrier may send a verification code to the phone number, for example, via text messaging protocol such as SMS, or via voice message. The user may receive the verification code on a device associated with their phone number, such as a smartphone or land-line phone, and enter the verification code into the system of the voice call carrier. The system of the voice call carrier may verify that the code entered by the user to determine whether the correct verification code was entered. When the user enters the correct verification code, the system of the voice call carrier may generate a private token, such as, for example, a private OAuth2 token.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Wang’s voice calling with a connected device with Grajek’s Computer User Authentication Using Machine Learning because Khalil’s explicit use of a 2 factor authentication is an additional layer of security to keep user data safe.  

Regarding claim 14, claim 14 is directed to a method associated with the system of claim 7. Claim 14 is of similar scope to claim 7, and is therefore rejected under similar rationale.






Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439