DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the amendment filed on 4/25/2022. Claims 1-20 have been examined by the Applicant. This office action is Final.

Response to Amendment
Applicant's arguments filed 4/25/2022 have been fully considered but they are not persuasive. 
On page 9 of the Applicant’s argument, with regard to independent claims 1, 10 and 19, the Applicant argues that the prior art of Abdelaziz fails to disclose the newly added limitations “the one or more stress triggers being designed to cause a reaction from the user entity, the reaction from the user entity generating an additional action of the user entity, the additional action being analyzed by the security analytics environment to develop the context of the first plurality of electronically-observable actions of the user entity”.
Zavesky discloses a stress trigger, because Zavesky discloses a trigger that causes a reaction. The Examiner asserts that the request for the user to provide the sign-in information causes a reaction, which the Examiner asserts is the user signing in (Zavesky: 0013, 0040, stress trigger is the request for the user to provide the sign-in information, and to cause a reaction, which the Examiner asserts is the user signing in). The reaction from the user entity generating an additional action of the user entity is the additional authentication provided by the user, which is the additional user/sign data (Zavesky: para. 0051, and 0123-0124, additional authentication by providing additional user/sign-in data (i.e. additional action)).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zavesky et al (2020/0279455) in view of Abdelaziz (2020/0089848).
As per claim 1, Zavesky discloses a computer-implemented method for developing context of risk-associated behavior in a security analytics environment, the method comprising:
monitoring a first plurality of electronically-observable actions of a user entity operating within the security analytics environment, wherein the first plurality of electronically-observable actions of the user entity correspond to a respective plurality of events enacted by the user entity (Zavesky: para. 0015, and 0069, monitoring a first plurality of electronically-observable actions (i.e. monitoring an execution of a game, game is online and thus monitoring the execution of the game, the “execution” are electronically-observable actions of a user correspond to a respective plurality of events (i.e. suspicious activities) enacted by the user));
converting the first plurality of electronically-observable actions of the user entity to electronic information representing the plurality of events enacted by the user entity (Zavesky: para. 0015, and 0033-0034, converting “execution”, plurality of electronically-observable actions of the user to electronic information (i.e. determination a user is impersonating a second user based on teleoperations, representing the plurality of events (i.e. suspicious activities))).
Zavesky does not explicitly disclose generating a risk adaptive score based on the electronic information representing the plurality of events enacted by the user entity; and
generating one or more stress triggers at an endpoint device in the security analytics environment accessed by the user entity if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of electronically-observable actions of the user entity.
However, the analogous art of Abdelaziz discloses generating a risk adaptive score based on the electronic information representing the plurality of events enacted by the user entity (Abdelaziz: para. 0032, and 0123-0124, generating a risk score (i.e. risk score that can be modified) based on the electronic information (i.e. sign-in event data user behavior), representing the plurality of events enacted by the user); and generating one or more stress triggers at an endpoint device in the security analytics environment accessed by the user entity if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of electronically-observable actions of the user entity (Abdelaziz: para. 0123-0124, generating one or more stress triggers (i.e. request the user to sign-in) if the risk score exceeds threshold);
the one or more stress triggers being designed to cause a reaction from the user entity (Zavesky: para. 0013, 0040 stress trigger is the request for the user to provide the sign-in information, and to cause a reaction, which the Examiner asserts is the user signing in), the reaction from the user entity generating an additional action of the user entity (Zavesky: para. 0051, 0123-0124, additional authentication by providing additional user/sign-in data (i.e. additional action)), the additional action being analyzed by the security analytics environment to develop the context of the first plurality of electronically-observable actions of the user entity (Zavesky: para. 0123-0124, the additional user/sign-in data being analyzed by the machine learning tools (i.e. security analytics) to develop the context of the first electronically-observable actions (i.e. sign-in event data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include generating a risk adaptive score based on the electronic information representing the plurality of events enacted by the user entity; and generating one or more stress triggers at an endpoint device in the security analytics environment accessed by the user entity if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of electronically-observable actions of the user entity of Abdelaziz with Zavesky; the motivation is to improve computer security systems in a manner in which computer systems are able to control access to their restricted computer resources (Abdelaziz: para. 0009).
As per claim 2, Zavesky and Abdelaziz disclose the method of Claim 1.
The combination of Zavesky and Abdelaziz further discloses subsequent to said generating the one or more stress triggers (Abdelaziz: para. 0123-0124, generating one or more stress triggers (i.e. triggers remedial action, requesting supplemental authentication or verification information if the risk score exceeds the threshold)):
monitoring a second plurality of electronically-observable actions of the user entity, wherein the second plurality of electronically-observable actions of the user entity correspond to a respective second plurality of events enacted by the user entity and the second plurality of events (Zavesky: para. 0015, 0028-0029, 0034, and 0069, monitoring a second plurality of electronically-observable actions (i.e. monitoring an execution of a game, game is online and thus monitoring the execution of the game, the “execution” are electronically-observable actions of a user correspond to a respective plurality of events (i.e. suspicious activities) enacted by the user)) are in response to one or more of the stress triggers (Abdelaziz: para. 0123-0124, stress triggers (i.e. triggers remedial action, requesting supplemental authentication or verification));
converting the second plurality of electronically-observable actions of the user entity to second electronic information representing the second plurality of actions by the user entity (Zavesky: para. 0015, and 0033-0034, converting “execution”, plurality of electronically-observable actions of the user to electronic information, representing the plurality of events (i.e. suspicious activities));
modifying the risk adaptive score in response to the second plurality of electronically-observable actions (Abdelaziz: para. 0031-0032, modifying the risk score in response to the second plurality of electronically observable actions (i.e. sign-in data/actions)); and
responding to the first and second plurality of electronically-observable actions of the user entity (Zavesky: para. 0015, 0028-0029, 0034, and 0069, responding to the first and second plurality of electronically-observable actions (i.e. “execution of an online game”)) if the modified risk adaptive score exceeds a second predetermined threshold (Abdelaziz: para. 0057, and 0123-0124, modifying the score exceeds a threshold, responding is supplemental authentication or verification information).
Same motivation as claim 1 above.
As per claim 3, Zavesky and Abdelaziz disclose the method of Claim 2.
The combination of Zavesky and Abdelaziz further discloses wherein said responding to the first and second plurality of electronically-observable actions (Zavesky: para. 0015, 0028-0029, 0034, and 0069, responding to the first and second plurality of electronically-observable actions (i.e. “execution of an online game”)) comprises reducing a risk (Abdelaziz: para. 0031-0032, 0123-0124, reducing risk (i.e. modifying risk)) presented by the first plurality of electronically-observable actions of the user entity to a system encompassed within the security analytics environment (Zavesky: para. 0015, 0028-0030, and 0069, a first plurality of electronically-observable actions (i.e. monitoring an execution of a game, game is online and thus monitoring the execution of the game, the “execution” of the user to a system encompassed within the security analytics environment (i.e. security analytics environment because stimuli is introduced during the “execution” of the online game))).
Same motivation as claim 1 above.
As per claim 4, Zavesky and Abdelaziz disclose the method of Claim 2.
Zavesky further discloses wherein said responding to the first and second plurality of electronically-observable actions comprises one or more of (Zavesky: para. 0015, 0028-0029, 0034, and 0069, responding to the first and second plurality of electronically-observable actions (i.e. “execution of an online game”)) logging the user entity off the endpoint device, shutting down the endpoint device, cancelling a process executed by the user entity, signaling a security administrator, and signaling the user entity (Zavesky: para. 0045, only one of the above needs to be disclosed because of the “one or more” limitation, discloses signaling the user entity, by providing a notification).
As per claim 5, Zavesky and Abdelaziz disclose the method of Claim 2.
Zavesky further discloses wherein the second plurality of electronically-observable actions of the user entity comprise physical behavior interactions with the endpoint device comprising one or more of key stroke impact, key stroke speed, misspelling words, facial expressions, and movement of a gesture input device (Zavesky: para. 0033-0034, second plurality of electronically-observable actions (i.e. execution of the online game, which includes several electronically observable actions of a user, the physical behavior interactions with the game console includes key stroke speed (i.e. abnormal rates of speed of keystrokes))).



As per claim 6, Zavesky and Abdelaziz disclose the method of Claim 2.
Zavesky further discloses wherein the second plurality of electronically-observable actions of the user entity comprise cyber behavior interactions with the endpoint device comprising one or more of discontinuing file access, disconnecting a storage device from the endpoint device, closing a display window on a display coupled to the endpoint device, changing an operational state of the endpoint device, and closing a lid of the endpoint device (Zavesky: para. 0034, second plurality of electronically-observable actions (i.e. execution of an online game), of the user comprising cyber behavior includes changing an operation state (i.e. hacking code) of the endpoint device (gaming console)).
As per claim 7, Zavesky and Abdelaziz disclose the method of Claim 1.   
The combination of Zavesky and Abdelaziz further disclose wherein the one or more stress triggers comprise one or more of (Abdelaziz: para. 0123-0124, one or more stress triggers (i.e. triggers remedial action, requesting supplemental authentication or verification information)): modifying brightness of a screen coupled to the endpoint device; modifying display speed of a gesture input device coupled to the endpoint device; modifying responsiveness of a gesture input device coupled to the endpoint device; temporarily swapping one or more key associations of a keyboard coupled to the endpoint device; generating a sound on a speaker coupled to the endpoint device; displaying a popup window on the screen coupled to the endpoint device; and sending an electronic mail message to the user entity (Zavesky: para. 0045, only one needs to be disclosed because of the limitation “one or more of”; Zavesky discloses sending an e-mail to the user).
Same motivation as claim 1 above.

As per claim 8, Zavesky and Abdelaziz disclose the method of Claim 1.
The combination of Zavesky and Abdelaziz further disclose performing said generating the one or more stress triggers (Abdelaziz: para. 0123-0124, performing said generating one or more stress triggers (i.e. triggers remedial action, requesting supplemental authentication or verification information)) if the first plurality of electronically-observable actions is identified as risk-associated behavior (Zavesky: para. 0015, 0028-0029, 0034, and 0069, a first plurality of electronically-observable actions (i.e. monitoring an execution of a game, game is online and thus monitoring the execution of the game, the “execution” are electronically-observable actions are identified as risk-associated behavior based on suspicious activities)).
Same motivation as claim 1 above.
As per claim 9, Zavesky and Abdelaziz disclose the method of Claim 8.
Zavesky further discloses wherein a risk-associated behavior comprises one or more of accessing data labeled as critical, accessing customer data, copying significant quantities of data to a removable memory device, copying significant quantities of data across a network external to the security analytics environment (Zavesky: para. 0034, only one needs to be disclosed because of “one or more of”; Zavesky discloses accessing data labeled as critical (changes/alterations to a game code or rules)).
As per claim 10, Zavesky discloses a security analytics system comprising:
a processor (Zavesky: para. 0083, and 0136, processor);
a network interface, coupled to the processor and communicatively coupled to a remote network node via a network (Zavesky: para. 0085, and 0104, network interface, coupled to the processor and communicatively), and configured to receive electronic information representing a first plurality of events enacted by a user entity accessing the remote network node (Zavesky: para. 0015, and 0069, receive electronic information representing a first plurality of events (i.e. suspicious activities) enacted by the user).
Zavesky does not explicitly disclose a nontransitory, computer-readable storage medium, coupled to the processor, and storing instructions executable by the processor and configured to generate a risk adaptive score based on the electronic information representing the first plurality of events enacted by the user entity, and transmit a signal to the remote network node to generate one or more stress triggers at the remote network node if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of events enacted by the user entity; the one or more stress triggers being designed to cause a reaction from the user entity, the reaction from the user entity generating an additional action of the user entity, the additional action being analyzed by the security analytics environment to develop the context of the first plurality of electronically-observable actions of the user entity.
However, the analogous art of Abdelaziz discloses a nontransitory, computer-readable storage medium, coupled to the processor, and storing instructions executable by the processor and configured to generate a risk adaptive score based on the electronic information representing the first plurality of events enacted by the user entity (Abdelaziz: para. 0032, and 0123-0124, generating a risk score (i.e. risk score that can be modified) based on the electronic information (i.e. sign-in event data user behavior), representing the plurality of events enacted by the user), and transmit a signal to the remote network node to generate one or more stress triggers at the remote network node if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of events enacted by the user entity (Abdelaziz: para. 0123-0124, generating one or more stress triggers (i.e. request the user to sign-in) if the risk score exceeds threshold); and the one or more stress triggers being designed to cause a reaction from the user entity (Zavesky: para. 0013, 0040 stress trigger is the request for the user to provide the sign-in information, and to cause a reaction, which the Examiner asserts is the user signing in), the reaction from the user entity generating an additional action of the user entity (Zavesky: para. 0051, and 0123-0124, additional authentication by providing additional user/sign-in data (i.e. additional action)), the additional action being analyzed by the security analytics environment to develop the context of the first plurality of electronically-observable actions of the user entity (Zavesky: para. 0123-0124, the additional user/sign-in data being analyzed by the machine learning tools (i.e. security analytics) to develop the context of the first electronically-observable actions (i.e. sign-in event data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a nontransitory, computer-readable storage medium, coupled to the processor, and storing instructions executable by the processor and configured to generate a risk adaptive score based on the electronic information representing the first plurality of events enacted by the user entity, and transmit a signal to the remote network node to generate one or more stress triggers at the remote network node if the risk adaptive score exceeds a predetermined threshold in order to develop a context of the first plurality of events enacted by the user entity; and the one or more stress triggers being designed to cause a reaction from the user entity, the reaction from the user entity generating an additional action of the user entity, the additional action being analyzed by the security analytics environment to develop the context of the first plurality of electronically-observable actions of the user entity of Abdelaziz with Zavesky; the motivation is to improve computer security systems in a manner in which computer systems are able to control access to their restricted computer resources (Abdelaziz: para. 0009).
As per claim 11, Zavesky and Abdelaziz disclose the system of Claim 10. The combination of Zavesky and Abdelaziz further discloses wherein the network interface is configured to receive second electronic information representing a second plurality of events enacted by a user entity accessing the remote network node events (Zavesky: para. 0015, 0028-0029, 0034, and 0069, to receive second electronic information representing a second plurality of events (i.e. suspicious activities) enacted by the user); and the non-transitory, computer-readable storage medium stores further instructions executable by the processor configured to modify the risk adaptive score in response to the electronic information representing the second plurality of events (Abdelaziz: para. 0031-0032, modifying the risk score in response to the second plurality of electronically observable actions (i.e. sign-in data/actions)), and respond to the first and second plurality of events if the modified risk adaptive score exceeds a second predetermined threshold (Abdelaziz: para. 0057, and 0123-0124, modifying the score exceeds a threshold, responding is supplemental authentication or verification information).
Same motivation as claim 1 above.
As per claim 12, Zavesky and Abdelaziz disclose the system of claim 11. The combination of Zavesky and Abdelaziz further discloses wherein responding to the first and second plurality of events (Zavesky: para. 0015, 0028-0029, 0034, and 0069, responding to the first and second plurality of electronically-observable actions (i.e. “execution of an online game”)) comprises reducing a risk presented by the first plurality of events to an environment secured by the security analytics system (Abdelaziz: para. 0031-0032, 0123-0124, reducing risk (i.e. modifying risk)).
Same motivation as claim 10 above.
As per claim 13, Zavesky and Abdelaziz disclose the system of claim 11.
Zavesky further discloses wherein responding to the first and second plurality of events (Zavesky: para. 0015, 0028-0029, 0034, and 0069, responding (i.e. countermeasure) to the first and second plurality of electronically-observable actions (i.e. “execution of an online game”)) comprises one or more of transmitting a signal to the remote network node to log the user entity off the remote network node; transmitting a signal to the remote network node to shut down the remote network node; transmitting a signal to the remote network node to cancel a process executed by the user entity; transmitting a signal to a security administrator of the security analytics system; and transmitting a signal to the user entity (Zavesky: para. 0045, only one of the above needs to be disclosed because of the “one or more” limitation, discloses signaling the user entity, by providing a notification).
As per claims 14-18, further disclose a remote device (Zavesky: para. 0015) (i.e. gaming console). Claims 14-18 are rejected under the same rationale as claims 5-9 respectively.
As per claims 19-20, rejected under the same rationale as claims 1-2 respectively.


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



8/22/2022
/J.E.J/Examiner, Art Unit 2439



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439