Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 7/08/2022 has been placed of record in the file.
Claims 1 and 11 have been amended.
Claims 1-20 are pending.
The applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the following new grounds of rejection. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 7/08/2022 has been entered.

Response to Arguments
On Pages 7-10 of remarks by applicant, the applicant argues that the cited references do not appear to teach or suggest the claim element “the amount of deviation of the observed behavior from the normal behavior pattern to derive a risk level score value for a user account to which the computing device is associated", as in independent claims 1 and 11 and the claims that depend thereon.
Applicant’s arguments with respect to claim(s) 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5 and 11-15 are rejected under 35 U.S.C. 103 as being unpatentable over Diamanti et al. (US 10,142,794 B1) in view of PAESCHKE et al. (US 2020/0089849 A1).

In regards to claim 1, Diamanti discloses a method for authenticating a user through behavioral analysis, comprising:
collecting, by a computing device, observation data specifying an observed behavior of the user while interacting with the computing device (Diamanti, Col. 9, lines 10-17, the security controller may transmit the video and audio and geolocation tracking data to cognitive security service 120 for aggregation with video and audio and geolocation data captured from other mobile devices and for analysis, to learn the types of behavior);
using, by the computing device, the observation data to obtain a degree to which the observed behavior matches a known behavior pattern of an authorized user (Diamanti, Col. 12, lines 25-31, periodically or continuously, normal cycle 322 may trigger location manager 132 to update the modeling, ranges of locations, and predicted mapping and routines with locations and other data collected from current user behavior that does not trigger verification requirements);
obtaining, by the computing device, an amount of deviation of the observed behavior from a normal behavior pattern (Diamanti, Col. 17, lines 50-59, location manager 132 may detect the amount of deviation of the current location from the baseline model for the highest probability location);
using at least the value which was selected and the amount of deviation of the observed behavior from the normal behavior pattern to derive a risk level score value for a user account to which the computing device is associated (Diamanti, Col. 24, lines 31-40, a determination whether the deviation from the forecast location exceeds a threshold for a risk level set by the user for the current location);
comparing, by the computing device, the risk level score value to a threshold value (Diamanti, Col. 6, lines 51-57, if a mobile device location is outside the radius surrounding a forecasted location or the risk level for the forecasted location is higher than the threshold); and
performing, by the computing device, at least one action to protect user account security when the risk level score value is equal to or greater than the threshold value (Diamanti, Col. 24, lines 34-44, if the deviation from the forecast location does exceed a threshold for a risk level set by the user for the current location, then the process passes to block 1314. Block 1314 illustrates triggering a verification cycle for a selection of one or more mobile devices for the user that are currently at the location that deviates from the forecast location beyond the threshold, and the process ends).
Diamanti fails to disclose obtaining, by the computing device, a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device, where the confidence value is determined based on the degree to which the observed behavior matches known behavior pattern of the authorized user;
selecting, by the computing device, a value from a plurality of values based on the confidence value and a reference confidence value;
However, PAESCHKE teaches obtaining, by the computing device, a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device (PAESCHKE, Para. 0090, a resultant confidence value and the use of the resultant confidence value for behaviour-based authentication of the user to the mobile, portable communication system, only a single numerical value advantageously is necessary for the authentication, in order to authenticate the user), where the confidence value is determined based on the degree to which the observed behavior matches known behavior pattern of the authorized user (PAESCHKE, Para. 0089, The forming of the resultant confidence value makes it possible to specify the likelihood with which the current user is the user registered in the mobile, portable communication system);
selecting, by the computing device, a value from a plurality of values based on the confidence value and a reference confidence value (PAESCHKE, Para. 0094, By specifying the weighting factors by the checking criterion, different confidence values advantageously can be weighted individually in dependence on the security level of the checking criterion);
Diamanti and PAESCHKE are both considered to be analogous to the claimed invention because they are in the same field of authorizing or unauthorizing a user by collecting observation data specifying an observed behavior of the user while interacting with a computing device. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti to incorporate the teachings of PAESCHKE to include obtaining, by the computing device, a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device (PAESCHKE, Para. 0090), where the confidence value is determined based on the degree to which the observed behavior matches known behavior pattern of the authorized user (PAESCHKE, Para. 0089);
selecting, by the computing device, a value from a plurality of values based on the confidence value and a reference confidence value (PAESCHKE, Para. 0094). Doing so would help a behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication (PAESCHKE, Para. 0031).

In regards to claim 2, the combination of Diamanti and PAESCHKE teaches the method according to claim 1, further comprising collecting, by the computing device, training data specifying (1) a device type of the computing device (PAESCHKE, Para. 0006, portable communication systems, such as smartphones, are nowadays equipped anyway with sensors, which can capture the position of the device in space), (2) a screen size of the computing device (PAESCHKE, Para. 0060, maintain contact with the screen surface), (3) an operating system of the computing device (PAESCHKE, Para. 0126, the operating system), (4) an orientation of the computing device (PAESCHKE, Para. 0006, the spatial orientation of the device), (5) computing device capabilities (PAESCHKE, Para. 0101, capable of authenticating the user applications), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035, user uses his mobile, portable communication system and/or wishes to authenticate himself, it can be assumed, depending on the executed application). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti to incorporate the teachings of PAESCHKE to include collecting, by the computing device, training data specifying (1) a device type of the computing device (PAESCHKE, Para. 0006), (2) a screen size of the computing device (PAESCHKE, Para. 0060), (3) an operating system of the computing device (PAESCHKE, Para. 0126), (4) an orientation of the computing device (PAESCHKE, Para. 0006), (5) computing device capabilities (PAESCHKE, Para. 0101), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035).
Doing so would help a behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication (PAESCHKE, Para. 0031).

In regards to claim 3, the combination of Diamanti and PAESCHKE teaches the method according to claim 2, further comprising using the training data to train the machine learning module with the known behavior pattern of the authorized user (Diamanti, during training cycle 320, server manager 122 may ingest location related data for a user from multiple sources, evaluate the location related data, learn user location and movement patterns, and forecast future location patterns).

In regards to claim 4, the combination of Diamanti and PAESCHKE teaches the method according to claim 3, wherein the training data is collected during a first time period when the user first logs into the user account, during a second time period when the software application is being used by the user for a first time, or during a third time period immediately after a successful authentication of the user (Diamanti, when server manager 122 initiates training cycle 320, location manager 132 may initially ingest and analyze user routines and usage patterns and location manager 132 may infer or predict behavior, such as the forecasted locations of a user).

In regards to claim 5, the combination of Diamanti and PAESCHKE teaches the method according to claim 1, wherein the observation data specifies (1) a device type of the computing device (PAESCHKE, Para. 0006, portable communication systems, such as smartphones, are nowadays equipped anyway with sensors, which can capture the position of the device in space), (2) a screen size of the computing device (PAESCHKE, Para. 0060, maintain contact with the screen surface), (3) an operating system of the computing device (PAESCHKE, Para. 0126, the operating system), (4) an orientation of the computing device (PAESCHKE, Para. 0006, the spatial orientation of the device), (5) computing device capabilities (PAESCHKE, Para. 0101, capable of authenticating the user applications), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035, user uses his mobile, portable communication system and/or wishes to authenticate himself, it can be assumed, depending on the executed application). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti to incorporate the teachings of PAESCHKE to include collecting, by the computing device, training data specifying (1) a device type of the computing device (PAESCHKE, Para. 0006), (2) a screen size of the computing device (PAESCHKE, Para. 0060), (3) an operating system of the computing device (PAESCHKE, Para. 0126), (4) an orientation of the computing device (PAESCHKE, Para. 0006), (5) computing device capabilities (PAESCHKE, Para. 0101), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035).
Doing so would help a behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication (PAESCHKE, Para. 0031).

In regards to claim 11, Diamanti discloses a system, comprising: a processor; and a non-transitory computer-readable storage medium comprising programming instructions that are configured to cause the processor to implement a method for authenticating a user through behavioral analysis, wherein the programming instructions comprise instructions to: 
collect observation data specifying an observed behavior of the user while interacting with a computing device (Diamanti, Col. 9, lines 10-17, the security controller may transmit the video and audio and geolocation tracking data to cognitive security service 120 for aggregation with video and audio and geolocation data captured from other mobile devices and for analysis, to learn the types of behavior);
use the observation data to obtain a degree to which the observed behavior matches a known behavior pattern of an authorized user (Diamanti, Col. 12, lines 25-31, periodically or continuously, normal cycle 322 may trigger location manager 132 to update the modeling, ranges of locations, and predicted mapping and routines with locations and other data collected from current user behavior that does not trigger verification requirements);
obtain an amount of deviation of the observed behavior from a normal behavior pattern (Diamanti, Col. 17, lines 50-59, location manager 132 may detect the amount of deviation of the current location from the baseline model for the highest probability location); 
using at least the value which was selected and the amount of deviation of the observed behavior from the normal behavior pattern to derive a risk level score value for a user account to which the computing device is associated (Diamanti, Col. 24, lines 31-40, a determination whether the deviation from the forecast location exceeds a threshold for a risk level set by the user for the current location); 
comparing the risk level score value to a threshold value (Diamanti, Col. 6, lines 51-57, if a mobile device location is outside the radius surrounding a forecasted location or the risk level for the forecasted location is higher than the threshold); and 
causing at least one action to protect user account security to be performed by the computing device when the risk level score value is equal to or greater than the threshold value (Diamanti, Col. 24, lines 34-44, if the deviation from the forecast location does exceed a threshold for a risk level set by the user for the current location, then the process passes to block 1314. Block 1314 illustrates triggering a verification cycle for a selection of one or more mobile devices for the user that are currently at the location that deviates from the forecast location beyond the threshold, and the process ends).
Diamanti fails to disclose obtaining a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device, where the confidence value is determined based on the degree to which the observation data matches the known behavior pattern of the authorized user; select a value from a plurality of values based on the confidence value and a reference confidence value; 
However, PAESCHKE teaches obtaining a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device (PAESCHKE, Para. 0090, a resultant confidence value and the use of the resultant confidence value for behaviour-based authentication of the user to the mobile, portable communication system, only a single numerical value advantageously is necessary for the authentication, in order to authenticate the user), where the confidence value is determined based on the degree to which the observation data matches the known behavior pattern of the authorized user (PAESCHKE, Para. 0089, The forming of the resultant confidence value makes it possible to specify the likelihood with which the current user is the user registered in the mobile, portable communication system); select a value from a plurality of values based on the confidence value and a reference confidence value (PAESCHKE, Para. 0094, By specifying the weighting factors by the checking criterion, different confidence values advantageously can be weighted individually in dependence on the security level of the checking criterion);
Diamanti and PAESCHKE are both considered to be analogous to the claimed invention because they are in the same field of authorizing or unauthorizing a user by collecting observation data specifying an observed behavior of the user while interacting with a computing device. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti to incorporate the teachings of PAESCHKE to include obtaining a confidence value reflecting a degree of confidence that the user is the authorized user of the computing device or an unauthorized user of the computing device (PAESCHKE, Para. 0090), where the confidence value is determined based on the degree to which the observation data matches the known behavior pattern of the authorized user (PAESCHKE, Para. 0089); select a value from a plurality of values based on the confidence value and a reference confidence value (PAESCHKE, Para. 0094). Doing so would help a behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication (PAESCHKE, Para. 0031).

In regards to claim 12, the combination of Diamanti and PAESCHKE teaches the system according to claim 11, wherein the programming instructions further comprise instructions to collect training data specifying (1) a device type of the computing device (PAESCHKE, Para. 0006, portable communication systems, such as smartphones, are nowadays equipped anyway with sensors, which can capture the position of the device in space), (2) a screen size of the computing device (PAESCHKE, Para. 0060, maintain contact with the screen surface), (3) an operating system of the computing device (PAESCHKE, Para. 0126, the operating system), (4) an orientation of the computing device (PAESCHKE, Para. 0006, the spatial orientation of the device), (5) computing device capabilities (PAESCHKE, Para. 0101, capable of authenticating the user applications), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035, user uses his mobile, portable communication system and/or wishes to authenticate himself, it can be assumed, depending on the executed application). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti to incorporate the teachings of PAESCHKE to include collecting, by the computing device, training data specifying (1) a device type of the computing device (PAESCHKE, Para. 0006), (2) a screen size of the computing device (PAESCHKE, Para. 0060), (3) an operating system of the computing device (PAESCHKE, Para. 0126), (4) an orientation of the computing device (PAESCHKE, Para. 0006), (5) computing device capabilities (PAESCHKE, Para. 0101), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035).
Doing so would help a behaviour-based authentication of the user to the mobile, portable communication system, a regular position of the user (for example at home, at work or at other locations regularly frequented by the user) is advantageously captured. An unauthorised user, in particular a thief, who is using the mobile, portable communication system will not generally reside at the locations regularly frequented by the registered user. The mobile, portable communication system is thus able to recognise whether the user is the registered user. The position data can thus contribute to improving the behaviour-based authentication (PAESCHKE, Para. 0031).

In regards to claim 13, the combination of Diamanti and PAESCHKE teaches the system according to claim 12, wherein the programming instructions further comprise instructions to use the training data to train the machine learning module with the known behavior pattern of the authorized user (Diamanti, during training cycle 320, server manager 122 may ingest location related data for a user from multiple sources, evaluate the location related data, learn user location and movement patterns, and forecast future location patterns).

In regards to claim 14, the combination of Diamanti and PAESCHKE teaches the system according to claim 13, wherein the training data is collected during a first time period when the user first logs into the user account, during a second time period when the software application is being used by the user for a first time, or during a third time period immediately after a successful authentication of the user (Diamanti, when server manager 122 initiates training cycle 320, location manager 132 may initially ingest and analyze user routines and usage patterns and location manager 132 may infer or predict behavior, such as the forecasted locations of a user).

In regards to claim 15, the combination of Diamanti and PAESCHKE teaches the system according to claim 11, wherein the observation data specifies (1) a device type of the computing device (PAESCHKE, Para. 0006, portable communication systems, such as smartphones, are nowadays equipped anyway with sensors, which can capture the position of the device in space), (2) a screen size of the computing device (PAESCHKE, Para. 0060, maintain contact with the screen surface), (3) an operating system of the computing device (PAESCHKE, Para. 0126, the operating system), (4) an orientation of the computing device (PAESCHKE, Para. 0006, the spatial orientation of the device), (5) computing device capabilities (PAESCHKE, Para. 0101, capable of authenticating the user applications), and (6) a manner in which the user interacted with the computing device while using a software application (PAESCHKE, Para. 0035, user uses his mobile, portable communication system and/or wishes to authenticate himself, it can be assumed, depending on the executed application).

Claims 6-10 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Diamanti et al. (US 10,142,794 B1) in view of PAESCHKE et al. (US 2020/0089849 A1), and further in view of Miltonberger (US 2015/0186901 A1).

In regards to claim 6, Diamanti in view of PAESCHKE fail to teach the method according to claim 1, wherein the risk level score value is defined by the following Mathematical Equation
$S_{\text{useraccount}} = f(S_{\text{previous}}, W_{\text{model}}, D_{\text{normal}}, A_{\text{status}}, F_{\text{attempts}}, C, X)$
where $S_{\text{useraccount}}$ represents the risk level score value for the user account, $W_{\text{model}}$ represents a weight value given to the device type of the computing device, $D_{\text{normal}}$ represents the amount of deviation of the observed behavior from the normal behavior pattern, $A_{\text{status}}$ represents a current authorization status, $F_{\text{attempts}}$ represents a number of recently failed authorization attempts, $S_{\text{previous}}$ represents a previous risk level score value determined for the user account, $C$ represents a number determined based on the confidence value, $X$ represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria, $f$ represents a function over all aforementioned parameters.
However, Miltonberger teaches wherein the risk level score value is defined by the following Mathematical Equation: $S_{\text{useraccount}} = f(S_{\text{previous}}, W_{\text{model}}, D_{\text{normal}}, A_{\text{status}}, F_{\text{attempts}}, C, X)$
where $S_{\text{useraccount}}$ represents the risk level score value for the user account (Miltonberger, Abstract, lines 1-2, Systems and methods generate a risk score for an account event), $W_{\text{model}}$ represents a weight value given to the computing device's device type (Miltonberger, Paragraph [0043], lines 6-7, Operations begin by dynamically generating 302 a causal model corresponding to a user), $D_{\text{normal}}$ represents the observed behavior's amount of deviation from the normal behavior pattern (Paragraph [0043], lines 7-11, using event parameters of a first set of events undertaken by the user in an account of the user. Expected behavior of the user is predicted 306 during a second set of events using the causal model), $A_{\text{status}}$ represents a current authorization status (Miltonberger, Paragraph [0042], lines 1-4, The user or “consumer” 220 in this example logs in to the online banking system 210), $F_{\text{attempts}}$ represents a number of recently failed authorization attempts (Miltonberger, Paragraph [104], lines 2-5, a sequence of four login attempts (probably failed logins) from what appears to be the real account holder), $S_{\text{previous}}$ represents a previous risk level score value determined for the user account (Fig. 4 and Paragraph [0486], lines 10-17, the AUI displaying for any event in the account at least one of the risk score and event parameters of any event in the account), $C$ represents a number determined based on the confidence value (Miltonberger, Paragraph [0187], by limiting the amount of confidence that observing one expected parameter has on the overall risk score), $X$ represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria (Miltonberger, Paragraph [0043], lines 6-11, Operations begin by dynamically generating 302 a causal model corresponding to a user. Components of the causal model are estimated 304 using event parameters of a first set of events undertaken by the user in an account of the user), $f$ represents a function over all aforementioned parameters (Miltonberger, Paragraph [0308], lines 1-3, The plurality of components of an embodiment includes a plurality of probability distribution functions that represent the event parameters).
Diamanti, PAESCHKE and Miltonberger are all considered to be analogous to the claimed invention because they are in the same field of authenticating a user based on the behavioral analysis. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include where $S_{\text{useraccount}}$ represents the risk level score value for the user account (Miltonberger, Abstract, lines 1-2), $W_{\text{model}}$ represents a weight value given to the computing device's device type (Miltonberger, Paragraph [0043]), $D_{\text{normal}}$ represents the observed behavior's amount of deviation from the normal behavior pattern (Paragraph [0043]), $A_{\text{status}}$ represents a current authorization status (Miltonberger, Paragraph [0042]), $F_{\text{attempts}}$ represents a number of recently failed authorization attempts (Miltonberger, Paragraph [104]), $S_{\text{previous}}$ represents a previous risk level score value determined for the user account (Fig. 4 and Paragraph [0486]), $C$ represents a number determined based on the confidence value (Miltonberger, Paragraph [0187]), $X$ represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria (Miltonberger, Paragraph [0043]), $f$ represents a function over all aforementioned parameters (Miltonberger, Paragraph [0308]). Doing so would aid in detecting new types of fraud even though this new fraud may not have been seen before because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 7, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the method according to claim 6, wherein the predefined criteria comprises at least one of a time since a low confidence level was obtained, a time since $D_{\text{normal}}$ exceeded a threshold value (Miltonberger, Paragraph [0118], lines 1-6, λ(E) can be used as part of a binary decision process by introducing a threshold: Decide Fraud if λ(E)>τ), and a type of authentication method last used to authenticate the user’s identity (Miltonberger, Paragraph [0118], lines 1-6, Decide User if λ(E)≦τ). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein the predefined criteria comprises at least one of a time since a low confidence level was obtained, a time since $D_{\text{normal}}$ exceeded a threshold value (Miltonberger, Paragraph [0118]), and a type of authentication method last used to authenticate the user’s identity (Miltonberger, Paragraph [0118]). Doing so would aid in detecting new types of fraud even though this new fraud may not have been seen before because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 8, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the method according to claim 6, where the value of C is determined based on the difference between the confidence value and a reference confidence value (Miltonberger, Paragraph [0085], lines 4-9, The FPS models behavior, as described above, based on the fact that as more data is received tying a particular user to a particular parameter value (e.g., 98% of logins by Jane Doe are in US), it determines a probability that this particular parameter will be different for the particular user (e.g., what is the probability that Jane Doe logs in from Mexico)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include where the value of C is determined based on the difference between the confidence value and a reference confidence value (Miltonberger, Paragraph [0085]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 9, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the method according to claim 6, wherein f describes a linear or non-linear relation between S_previous, W_model, D_normal, A_status, F_attempts, C, and X, and is statically defined or periodically re-determined in response to trigger events (Miltonberger, Paragraph [0127], lines 7-9, Similar models can be developed for other parameter types (for example, continuous parameters)).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein f describes a linear or non-linear relation between S_previous, W_model, D_normal, A_status, F_attempts, C, and X, and is statically defined or periodically re-determined in response to trigger events (Miltonberger, Paragraph [0127], lines 7-9). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 10, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the method according to claim 9, wherein the trigger events comprise at least one of a false conclusion that the user is the authorized or unauthorized user (Miltonberger, Paragraph [0042], lines 15-19, The risk application 204 also provides alerts and allows authorized personnel to perform correlations, reporting, and investigations using the event data), expiration of a defined period of time (Miltonberger, Paragraph [0207], lines 8-9, it could be a timeout by the Online Banking), a location of the computing device, an operational characteristic of the computing device (Miltonberger, Paragraph [0281], lines 1-4, The derived fraud parameters of an embodiment include one or more of a location of the device), an identity of the user, and an identity of an enterprise associated with the user account (Miltonberger, Paragraph [0281], lines 1-4, electronic service provider of the device). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein the trigger events comprise at least one of a false conclusion that the user is the authorized or unauthorized user (Miltonberger, Paragraph [0042], lines 15-19), expiration of a defined period of time (Miltonberger, Paragraph [0207], lines 8-9), a location of the computing device, an operational characteristic of the computing device (Miltonberger, Paragraph [0281], lines 1-4), an identity of the user, and an identity of an enterprise associated with the user account (Miltonberger, Paragraph [0281]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 16, Diamanti in view of PAESCHKE fails to teach the system according to claim 11, wherein the risk level score value is defined by the following Mathematical Equation:
S_useraccount = f(S_previous, W_model, D_normal, A_status, F_attempts, C, X)
where S_useraccount represents the risk level score value for the user account, W_model represents a weight value given to the device type of the computing device, D_normal represents the amount of deviation of the observed behavior from the normal behavior pattern, A_status represents a current authorization status, F_attempts represents a number of recently failed authorization attempts, S_previous represents a previous risk level score value determined for the user account, C represents a number determined based on the confidence value, X represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria, f represents a function over all aforementioned parameters.
However, Miltonberger teaches wherein the risk level score value is defined by the following Mathematical Equation:
S_useraccount = f(S_previous, W_model, D_normal, A_status, F_attempts, C, X)
where S_useraccount represents the risk level score value for the user account (Miltonberger, Abstract, lines 1-2, Systems and methods generate a risk score for an account event), W_model represents a weight value given to the computing device's device type (Miltonberger, Paragraph [0043], lines 6-7, Operations begin by dynamically generating 302 a causal model corresponding to a user), D_normal represents the observed behavior's amount of deviation from the normal behavior pattern (Paragraph [0043], lines 7-11, using event parameters of a first set of events undertaken by the user in an account of the user. Expected behavior of the user is predicted 306 during a second set of events using the causal model), A_status represents a current authorization status (Miltonberger, Paragraph [0042], lines 1-4, The user or “consumer” 220 in this example logs in to the online banking system 210), F_attempts represents a number of recently failed authorization attempts (Miltonberger, Paragraph [104], lines 2-5, a sequence of four login attempts (probably failed logins) from what appears to be the real account holder), S_previous represents a previous risk level score value determined for the user account (Fig.4 and Paragraph [0486], lines 10-17, the AUI displaying for any event in the account at least one of the risk score and event parameters of any event in the account), C represents a number determined based on the confidence value (Miltonberger, Paragraph [0187], by limiting the amount of confidence that observing one expected parameter has on the overall risk score), X represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria (Miltonberger, Paragraph [0043], lines 6-11, Operations begin by dynamically generating 302 a causal model corresponding to a user. Components of the causal model are estimated 304 using event parameters of a first set of events undertaken by the user in an account of the user), f represents a function over all aforementioned parameters (Miltonberger, Paragraph [0308], lines 1-3, The plurality of components of an embodiment includes a plurality of probability distribution functions that represent the event parameters).
Diamanti, PAESCHKE and Miltonberger are all considered to be analogous to the claimed invention because they are in the same field of authenticating a user based on behavioral analysis. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include where S_useraccount represents the risk level score value for the user account (Miltonberger, Abstract, lines 1-2), W_model represents a weight value given to the computing device's device type (Miltonberger, Paragraph [0043]), D_normal represents the observed behavior's amount of deviation from the normal behavior pattern (Paragraph [0043]), A_status represents a current authorization status (Miltonberger, Paragraph [0042]), F_attempts represents a number of recently failed authorization attempts (Miltonberger, Paragraph [104]), S_previous represents a previous risk level score value determined for the user account (Fig.4 and Paragraph [0486]), C represents a number determined based on the confidence value (Miltonberger, Paragraph [0187]), X represents a number dynamically selected from a set of pre-defined numbers based on a pre-defined criteria (Miltonberger, Paragraph [0043]), f represents a function over all aforementioned parameters (Miltonberger, Paragraph [0308]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 17, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the system according to claim 16, wherein the predefined criteria comprises at least one of a time since a low confidence level was obtained, a time since D_normal exceeded a threshold value (Miltonberger, Paragraph [0118], lines 1-6, λ(E) can be used as part of a binary decision process by introducing a threshold: Decide Fraud if λ(E)>τ), and a type of authentication method last used to authenticate the user’s identity (Miltonberger, Paragraph [0118], lines 1-6, Decide User if λ(E)≦τ). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein the predefined criteria comprises at least one of a time since a low confidence level was obtained, a time since D_normal exceeded a threshold value (Miltonberger, Paragraph [0118]), and a type of authentication method last used to authenticate the user’s identity (Miltonberger, Paragraph [0118]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 18, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the system according to claim 16, (Miltonberger, Paragraph [0085], lines 4-9, The FPS models behavior, as described above, based on the fact that as more data is received tying a particular user to a particular parameter value (e.g., 98% of logins by Jane Doe are in US), it determines a probability that this particular parameter will be different for the particular user (e.g., what is the probability that Jane Doe logs in from Mexico)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include where the value of C is determined based on the difference between the confidence value and a reference confidence value (Miltonberger, Paragraph [0085]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 19, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the system according to claim 16, wherein f describes a linear or non-linear relation between S_previous, W_model, D_normal, A_status, F_attempts, C, and X, and is statically defined or periodically re-determined in response to trigger events (Miltonberger, Paragraph [0127], lines 7-9, Similar models can be developed for other parameter types (for example, continuous parameters)).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein f describes a linear or non-linear relation between S_previous, W_model, D_normal, A_status, F_attempts, C, and X, and is statically defined or periodically re-determined in response to trigger events (Miltonberger, Paragraph [0127], lines 7-9). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

In regards to claim 20, the combination of Diamanti and PAESCHKE in view of Miltonberger teaches the system according to claim 19, wherein the trigger events comprise at least one of a false conclusion that the user is the authorized or unauthorized user (Miltonberger, Paragraph [0042], lines 15-19, The risk application 204 also provides alerts and allows authorized personnel to perform correlations, reporting, and investigations using the event data), expiration of a defined period of time (Miltonberger, Paragraph [0207], lines 8-9, it could be a timeout by the Online Banking), a location of the computing device, an operational characteristic of the computing device (Miltonberger, Paragraph [0281], lines 1-4, The derived fraud parameters of an embodiment include one or more of a location of the device), an identity of the user, and an identity of an enterprise associated with the user account (Miltonberger, Paragraph [0281], lines 1-4, electronic service provider of the device). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Diamanti and PAESCHKE to incorporate the teachings of Miltonberger to include wherein the trigger events comprise at least one of a false conclusion that the user is the authorized or unauthorized user (Miltonberger, Paragraph [0042], lines 15-19), expiration of a defined period of time (Miltonberger, Paragraph [0207], lines 8-9), a location of the computing device, an operational characteristic of the computing device (Miltonberger, Paragraph [0281], lines 1-4), an identity of the user, and an identity of an enterprise associated with the user account (Miltonberger, Paragraph [0281]). Doing so would help detect new types of fraud, even though this new fraud may not have been seen before, because it is based on the user's online behavior. This results in high detection rates and low false alarm rates (Miltonberger, Para. 0055).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Sahar et al. (US 10,354,252 B1) teaches a user authentication based on behavior patterns.
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496