DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/20/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2-6, 9-13, and 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 2, 9, and 16 recite: “determining that the exposure level is greater than a predetermined threshold”. However, in their respective parent claims 1, 8, and 15, the same step is performed. It is unclear if the “determining” steps in claims 2, 9, and 16 were intended to further define the previous “determining” steps in their respective parent claims, or directed to a distinct determining step (e.g. a different exposure level and predetermined threshold).
Claims 3, 10, and 17 recite: “electronically receive, from the computing device of the user, a request to access the resource allocation portfolio of the customer”. However, in their respective parent claims 1, 8, and 15, the same step is performed. It is unclear if the “electronically receive” steps in claims 3, 10, and 17 are directed to further defining the previous “electronically receive” steps in their respective parent claims, or directed to a subsequent, different receiving step (e.g. “a request to access…” raises the presumption that the limitation may be directed to a different request). Claims 4, 11, and 18 are dependent on claims 3, 10, and 17, respectively, and are similarly rejected.
Claims 5, 12, and 19 recite: “the resource allocation portfolio of the user”. It is unclear if this limitation was intended to be directed to “the resource allocation portfolio of the customer”, or that of the user. If the latter, then there is a lack of proper antecedent basis.
Claims 6, 13, and 20 recite: “determining that the geographic information of the user does not match the geographic information of the customer” and “determining that the geographic information of the user matches the geographic location of the customer.” However, these steps contradict each other. If the geographic information does not match after the initial determining step, how does the same geographic information match in a subsequent determining step? No prior art rejection is asserted for these claims as it is unclear what these claims are attempting to convey.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8-12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0026026 to Calman et al. (hereinafter, “Calman”) in view of US 2010/0121929 to Lin (hereinafter, “Lin”).
As per claim 1: Calman discloses: A system for intrusion detection using resource activity analysis, the system comprising (a system and associated method for restricting access to a customer’s online banking account [Calman, Abstract]; the system comprises a mobile device 400 associated with an online banking customer and a computing device 500, both in communication with an online banking system 600 [Calman, ¶0062; Fig. 3]): at least one non-transitory storage device; and at least one processing device coupled to the at least one non-transitory storage device, wherein the at least one processing device is configured to (the online banking system 600 includes a processing device 620 and memory device 650 [Calman, ¶0082; Fig. 6]): electronically receive, from a computing device of a user, an indication that the user has accessed a resource allocation portfolio of a customer (the computing device initiates an online banking transaction associated with a customer’s online banking account [Calman, ¶0046; Fig. 2B(255)]); determine a geographic information of the user based on at least receiving the indication that the user has accessed the resource allocation portfolio of the customer; retrieve a geographic information of the customer (determining the geographic location information of the computing device and/or the mobile device [Calman, ¶0051]); determine that the geographic information of the user does not match the geographic information of the customer (determining whether the geographic location information associated with the computing device is geographically proximate to a predefined location, and/or whether the geographic location information associated with the computing device is geographically proximate to the geographic location information associated with the mobile device [Calman, ¶0052; Fig. 2B(275)]); .
Furthermore, Calman discloses denying the online banking transaction by the online banking system when the geographic information is not proximate (“does not match”). Calman does not disclose the above strikethrough features. However, Lin is directed to analogous art of calculating a total risk of an information access request in a system [Lin, ¶0008]. Therefore, Lin discloses: determine an exposure level associated with the user access of the resource allocation portfolio of the customer based on at least determining that the geographic information of the user does not match the geographic information of the customer (a risk level is assigned for each information access [Lin, ¶0026]; wherein the risk level is based on user policies defined for accessed location [Lin, ¶0032]); determine that the exposure level is greater than a predetermined threshold; and automatically trigger a transmission of a notification to a computing device of an administrator indicating that the exposure level associated with the user access of the resource allocation portfolio of the customer is greater than the predetermined threshold (if an information access is classified as high risk, as assigned based on a threshold value being reached, the system may issue an alert; wherein the alert is sent to a system administrator to take some action [Lin, ¶0032, 0026]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement a risk scoring method, such as disclosed in Lin, to supplement the access control techniques in Calman. The usage of risk scores would have identified unauthorized accesses of significant impact (e.g. high risk) and enable a flag for human review or action.

As per claim 2: Calman in view of Lin disclose all limitations of claim 1. The motivation for incorporating Lin with Calman in claim 1 is also applicable to claim 2. Therefore, Calman in view of Lin disclose: wherein the at least one processing device is further configured to: determine that the exposure level is greater than the predetermined threshold (assigning a risk level if the threshold value is reached [Lin, ¶0026]); and transmit control signals configured to cause the computing device of the user to restrict access to the resource allocation portfolio of the customer (denying the online banking transaction [Calman, ¶0060]; access failures contribute to the risk level according to [Lin, ¶0033]).

As per claim 3: Calman in view of Lin disclose all limitations of claim 1. Furthermore, Calman discloses: wherein the at least one processing device is further configured to: electronically receive, from the computing device of the user, a request to access the resource allocation portfolio of the customer (the computing device initiates an online banking transaction associated with a customer’s online banking account [Calman, ¶0046; Fig. 2B(255)]); initiate, via the computing device of the user, an authentication request in response to receiving the request to access the resource allocation portfolio of the customer; electronically receive, from the computing device of the user, one or more authentication credentials in response to the authentication request; validate the one or more authentication credentials to verify an identity of the user; and authorize the user to access the resource allocation portfolio of the customer based on at least verifying the identity of the user (the online banking system 600 authenticates the customer in order to access the customer’s account, which requires receiving the customer’s credentials [Calman, ¶0064]).

As per claim 4: Calman in view of Lin disclose all limitations of claim 3. Furthermore, Calman discloses: wherein the at least one processing device is further configured to: determine an authorization level of the user based on at least the one or more authentication credentials (restricted transaction definition defines one or more restricted transactions associated with the customer's online banking account [Calman, ¶0033]; allowing and completing a restricted transaction if the computing device provides predefined authentication information [Calman, ¶0041]); determine an authorization requirement associated with the resource allocation portfolio of the customer (searching a database of records to determine if the online banking transaction is within a restricted transaction definition [Calman, ¶0038]); determine that the authorization level of the user meets the authorization requirement of the resource allocation portfolio of the user (allowing and completing a restricted transaction if the computing device provides predefined authentication information [Calman, ¶0041]); and authorize the user to access the resource allocation portfolio based on at least determining that the authorization level of the user meets the authorization requirement of the resource allocation portfolio of the user (if the online banking transaction is not within a restricted transaction definition, then the online banking system will complete the online banking transaction [Calman, ¶0040]).

As per claim 5: Calman in view of Lin disclose all limitations of claim 1. The motivation for incorporating Lin with Calman in claim 1 is also applicable to claim 5. Therefore, Calman in view of Lin disclose: wherein the at least one processing device is further configured to: determine a number of instances the resource allocation portfolio of the user has been accessed by the user within a predetermined period of time (the system may detect an abnormal access rate to a particular database (when in view of Calman, this would be the access rate to the online banking account), e.g., the number of accesses exceeds a predefined threshold number [Lin, ¶0033]); determine an exposure level associated with the user access of the resource allocation portfolio of the customer based on at least the number of instances the resource allocation portfolio of the user has been accessed by the user within the predetermined period of time (the risk level is assigned according to user policies defined for the accessed object, accessed method, accessed time, or accessed location [Lin, ¶0032]).

As per claim 8: Claim 8 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 8 is directed to a computer program product corresponding to the system of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 8.

As per claim 9: Claim 9 incorporates all limitations of claim 8 and is a computer program product corresponding to the system of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 8 are equally applicable to claim 9 and rejected for the same reasons.

As per claim 10: Claim 10 incorporates all limitations of claim 8 and is a computer program product corresponding to the system of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 8 are equally applicable to claim 10 and rejected for the same reasons.

As per claim 11: Claim 11 incorporates all limitations of claim 10 and is a computer program product corresponding to the system of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 10 are equally applicable to claim 11 and rejected for the same reasons.

As per claim 12: Claim 12 incorporates all limitations of claim 8 and is a computer program product corresponding to the system of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 8 are equally applicable to claim 12 and rejected for the same reasons.

As per claim 15: Claim 15 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 15 is directed to a method corresponding to the system of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 15.

As per claim 16: Claim 16 incorporates all limitations of claim 15 and is a method corresponding to the system of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 15 are equally applicable to claim 16 and rejected for the same reasons.

As per claim 17: Claim 17 incorporates all limitations of claim 15 and is a method corresponding to the system of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 15 are equally applicable to claim 17 and rejected for the same reasons.

As per claim 18: Claim 18 incorporates all limitations of claim 17 and is a method corresponding to the system of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 17 are equally applicable to claim 18 and rejected for the same reasons.

As per claim 19: Claim 19 incorporates all limitations of claim 17 and is a method corresponding to the system of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 17 are equally applicable to claim 19 and rejected for the same reasons.

Allowable Subject Matter
Claims 7 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2016/0275285: Authentication to access striped data includes determining the proximity of client devices belonging to the account of a user [0059].
US 2013/0262303: The physical location of a mobile device is compared to the location of an ATM to determine if they match prior to granting access [0044].
US 2013/0167203: Authorizing a request for remote access to customer account information based on matching a requesting location to device fingerprints authorized to access the customer account information [Abstract, 0036].
US 2007/0055672: The location of a request to access financial information is compared with a physical location of an account owner carrying a mobile device [0096].

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
9-08-2022