DETAILED ACTION
1. 	This is in response to the application No. 16/783,351 field on December 21, 2020. Claims 1-19 are submitted for examination. Thus, claims 1-19 are pending and considered for examination. Claims 1, 9 and 16 are independent.  
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority

	3.	This application filed on 12/21/2020 is a continuation of application NO. 15598207, filed on 05/17/2017, now U.S. Patent #10885165
				Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 12/21/2020 has been considered. The submission is in-compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Drawings
5.	The drawings filed on December 21, 2020 are accepted. 
Specification
6.	The specification filed on December 21, 2020 is also accepted.

Double Patenting
		
              7.	The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


8.	Claims 1-19 are rejected under judicially created doctrine of obviousness-type double patenting on the ground of non-statutory double patenting as being unpatentable over claims 1-19 of Patent No. 10885165 B2 (herein after referred as ‘165 patent) 
	
	Although the claims at issue are not identical, they are not patentably distinct from each other because they recite the same limitations and only differ by statutory category of invention. It would have been obvious to a person having ordinary skill in the art at the time the invention was made to have implemented the invention as any of a method, system or computer program product.

The following is referring to the independent claims 1, 9, 16


[Symbol font/0xB7]  Independent claim 1 of the instant application and independent claim 1, of the ‘165 patent recite similar limitation. The above claims, namely 1 of the instant/present application would have been obvious over claim 1, of the ‘165 patent, because every element of the above independent claim 1 of the present application is anticipated by the corresponding claim 1 of the ‘165 patent

[Symbol font/0xB7]  Independent claim 9 of the instant application and independent claim 9, of the ‘165 patent recite similar limitation. The above claims, namely 9 of the instant/present application would have been obvious over claim 9, of the ‘165 patent, because every element of the above independent claim 9 of the present application is anticipated by the corresponding claim 9 of the ‘165 patent.

[Symbol font/0xB7]  Independent claim 16 of the instant application and independent claim 16, of the ‘165 patent recite similar limitation. The above claims, namely 16 of the instant/present application would have been obvious over claim 16, of the ‘165 patent, because every element of the above independent claim 16 of the present application is anticipated by the corresponding claim 16 of the ‘165 patent


[Symbol font/0xB7]  Independent claim 14 of the instant application and independent claim 1, of the ‘530 patent recite similar limitation. The above claims, namely 14 of the instant/present application would have been obvious over claim 1 of the ‘165 patent, because every element of the above independent claim 14 of the present application is anticipated by the corresponding claim 1 of the ‘530 patent




The following is referring to the dependent claims 2-8, 10-15 and 17-19

[Symbol font/0xB7]  Dependent claim 2 of the instant application and dependent claim 2, of the ‘165 patent recite similar limitation. The above claim, namely claim 2 of the instant/present application would have been obvious over claim 2 of the ‘165 patent, because every element of the above dependent claim 2 of the present application is anticipated by the corresponding dependent claim 2 of the ‘165 patent

[Symbol font/0xB7]  Dependent claim 3 of the instant application and dependent claim 3, of the ‘165 patent recite similar limitation. The above claim, namely claim 3 of the instant/present application would have been obvious over claim 3 of the ‘165 patent, because every element of the above dependent claim 3 of the present application is anticipated by the corresponding dependent claim 3 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 4 of the instant application and dependent claim 4, of the ‘165 patent recite similar limitation. The above claim, namely claim 4 of the instant/present application would have been obvious over claim 4 of the ‘165 patent, because every element of the above dependent claim 4 of the present application is anticipated by the corresponding dependent claim 4 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 5 of the instant application and dependent claim 5, of the ‘165 patent recite similar limitation. The above claim, namely claim 5 of the instant/present application would have been obvious over claim 5 of the ‘165 patent, because every element of the above dependent claim 5 of the present application is anticipated by the corresponding dependent claim 5 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 6 of the instant application and dependent claim 6, of the ‘165 patent recite similar limitation. The above claim, namely claim 6 of the instant/present application would have been obvious over claim 6 of the ‘165 patent, because every element of the above dependent claim 6 of the present application is anticipated by the corresponding dependent claim 6 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 7 of the instant application and dependent claim 7, of the ‘165 patent recite similar limitation. The above claim, namely claim 7 of the instant/present application would have been obvious over claim 7 of the ‘165 patent, because every element of the above dependent claim 7 of the present application is anticipated by the corresponding dependent claim 7 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 8 of the instant application and dependent claim 8, of the ‘165 patent recite similar limitation. The above claim, namely claim 8 of the instant/present application would have been obvious over claim 8 of the ‘165 patent, because every element of the above dependent claim 8 of the present application is anticipated by the corresponding dependent claim 8 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 10 of the instant application and dependent claim 10, of the ‘165 patent recite similar limitation. The above claim, namely claim 10 of the instant/present application would have been obvious over claim 10 of the ‘165 patent, because every element of the above dependent claim 10 of the present application is anticipated by the corresponding dependent claim 10 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 11 of the instant application and dependent claim 11, of the ‘165 patent recite similar limitation. The above claim, namely claim 11 of the instant/present application would have been obvious over claim 11 of the ‘165 patent, because every element of the above dependent claim 11 of the present application is anticipated by the corresponding dependent claim 11 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 12 of the instant application and dependent claim 12, of the ‘165 patent recite similar limitation. The above claim, namely claim 12 of the instant/present application would have been obvious over claim 12 of the ‘165 patent, because every element of the above dependent claim 12 of the present application is anticipated by the corresponding dependent claim 12 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 13 of the instant application and dependent claim 13, of the ‘165 patent recite similar limitation. The above claim, namely claim 13 of the instant/present application would have been obvious over claim 13 of the ‘165 patent, because every element of the above dependent claim 13 of the present application is anticipated by the corresponding dependent claim 13 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 14 of the instant application and dependent claim 14, of the ‘165 patent recite similar limitation. The above claim, namely claim 14 of the instant/present application would have been obvious over claim 14 of the ‘165 patent, because every element of the above dependent claim 14 of the present application is anticipated by the corresponding dependent claim 14 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 15 of the instant application and dependent claim 15, of the ‘165 patent recite similar limitation. The above claim, namely claim 15 of the instant/present application would have been obvious over claim 15 of the ‘165 patent, because every element of the above dependent claim 15 of the present application is anticipated by the corresponding dependent claim 15 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 17 of the instant application and dependent claim 17, of the ‘165 patent recite similar limitation. The above claim, namely claim 17 of the instant/present application would have been obvious over claim 17 of the ‘165 patent, because every element of the above dependent claim 17 of the present application is anticipated by the corresponding dependent claim 17 of the ‘165 patent
[Symbol font/0xB7]  Dependent claim 18 of the instant application and dependent claim 18, of the ‘165 patent recite similar limitation. The above claim, namely claim 18 of the instant/present application would have been obvious over claim 18 of the ‘165 patent, because every element of the above dependent claim 18 of the present application is anticipated by the corresponding dependent claim 18 of the ‘165 patent

[Symbol font/0xB7]  Dependent claim 19 of the instant application and dependent claim 19, of the ‘165 patent recite similar limitation. The above claim, namely claim 19 of the instant/present application would have been obvious over claim 19 of the ‘165 patent, because every element of the above dependent claim 19 of the present application is anticipated by the corresponding dependent claim 19 of the ‘165 patent

	Examiner Note: The following table maps at least each independent claim of the instant application with the corresponding claims of the ‘165 patent.



Instant application: application No. 17/129,454
US Patent No. ‘165 Patent.
1. A method comprising:



accessing the data structure for information associated with a login request of an account, wherein the login request is associated with a physical location, and wherein the information associated with the login request comprises a login duration;







, comparing a portion of the information associated with the login request with information associated with a previous login request;
determining a score associated with the login request;
accessing a threshold;
determining, by a processing device, whether to initiate a security action based on the score associated with the login request and the threshold; and
storing the information associated with the login request.
1. A method comprising:
generating a data structure comprising physical location and login information for a plurality of accounts;
accessing the data structure for information associated with a login request of an account, wherein the login request is associated with a physical location, and wherein the information associated with the login request comprises a login duration;
determining whether an initial phase of monitoring the account of the plurality of accounts associated with the login request is in progress;
in response to the initial phase being determined to be in progress,
 comparing a portion of the information associated with the login request with information associated with a previous login request;
determining a score associated with the login request;
accessing a threshold;
determining, by a processing device, whether to initiate a security action based on the score associated with the login request and the threshold; and
storing the information associated with the login request.

2. The method of claim 1, wherein the physical location associated with the login request comprises at least one of a department or a sub department and the physical location is associated with a device that sent the login request.
2. The method of claim 1, wherein the physical location associated with the login request comprises at least one of a department or a sub department and the physical location is associated with a device that sent the login request.
3. The method of claim 1, wherein the information associated with the login request comprises a timestamp associated with the login request.
3. The method of claim 1, wherein the information associated with the login request comprises a timestamp associated with the login request.
4. The method of claim 1, wherein the information associated with the previous login request comprises one or more resources accessed.
4. The method of claim 1, wherein the information associated with the previous login request comprises one or more resources accessed.
5. The method of claim 1, wherein the determining of whether to initiate the security action is performed is based on further information received after the information associated with the login request.
5. The method of claim 1, wherein the determining of whether to initiate the security action is performed is based on further information received after the information associated with the login request.
6. The method of claim 1, wherein the security action comprises sending a notification comprising an account name associated with the login request.
6. The method of claim 1, wherein the security action comprises sending a notification comprising an account name associated with the login request.
7. The method of claim 1, wherein the security action comprises initiating a network access change of a device that sent the login request, and wherein the security action is based on a policy.
7. The method of claim 1, wherein the security action comprises initiating a network access change of a device that sent the login request, and wherein the security action is based on a policy.
8. The method of claim 1, wherein the information associated with the login request is stored with the information associated with the previous login request and the information associated with the login request is operable to be used with subsequently received information to determine whether to initiate the security action.
8. The method of claim 1, wherein the information associated with the login request is stored with the information associated with the previous login request and the information associated with the login request is operable to be used with subsequently received information to determine whether to initiate the security action.
9. A system comprising:
a memory; and
a processing device, operatively coupled to the memory, to:



access the data structure for information associated with a login request of an account, wherein information associated with the login request comprises a physical location, and wherein the information associated with the login request comprises a login duration;







compare a portion of the information associated with the login request with information associated with a previous login request, wherein the information associated with the previous login request comprises a one or more security properties of a device associated with the login request;
determine a score associated with the login request based on the information associated with the previous login request;
access a threshold;
determine whether to initiate an action based on the score associated with the login request and the threshold; and
store the information associated with the login request.
9. A system comprising:
a memory; and
a processing device, operatively coupled to the memory, to:
generate a data structure comprising physical location and login information for a plurality of accounts;
access the data structure for information associated with a login request of an account, wherein information associated with the login request comprises a physical location, and wherein the information associated with the login request comprises a login duration;
determine whether an initial phase of monitoring the account of the plurality of accounts associated with the login request is in progress;
in response to the initial phase being determined to be in progress, 
compare a portion of the information associated with the login request with information associated with a previous login request, wherein the information associated with the previous login request comprises a one or more security properties of a device associated with the login request;
determine a score associated with the login request based on the information associated with the previous login request;
access a threshold;
determine whether to initiate an action based on the score associated with the login request and the threshold; and
store the information associated with the login request.
10. The system of claim 9, wherein the physical location associated with the login request comprises at least one of a department, a sub department, or a room name.
10. The system of claim 9, wherein the physical location associated with the login request comprises at least one of a department, a sub department, or a room name.
11. The system of claim 9, wherein the information associated with the login request comprises a timestamp associated with the login request.
11. The system of claim 9, wherein the information associated with the login request comprises a timestamp associated with the login request.
12. The system of claim 9, wherein the information associated with the login request comprises one or more resources accessed by the account of the login request.
12. The system of claim 9, wherein the information associated with the login request comprises one or more resources accessed by the account of the login request.
13. The system of claim 9, wherein the determining of whether to initiate the security action is performed is based on further information received after the information associated with the login request.
13. The system of claim 9, wherein the determining of whether to initiate the security action is performed is based on further information received after the information associated with the login request.
14. The system of claim 9, wherein the score is an alert score and the action comprises sending an alert comprising an account name associated with the login request.
14. The system of claim 9, wherein the score is an alert score and the action comprises sending an alert comprising an account name associated with the login request.
15. The system of claim 9, wherein the score is a security score and the action is a security action comprising initiating a network access change of a device that sent the login request and initiating an update service on the device.
15. The system of claim 9, wherein the score is a security score and the action is a security action comprising initiating a network access change of a device that sent the login request and initiating an update service on the device.
16. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to:



access the data structure for information associated with a login request of an account, wherein information associated with the login request comprises a physical location, and wherein the information associated with the login request comprises a login duration;






compare a portion of the information associated with the login request with information associated with a previous login request, wherein the information associated with the login request comprises a login information entry time;
determine a score associated with the login request based on the information associated with the previous login request;
access a threshold;
determine whether to initiate a security action based on the score associated with the login request and the threshold; and
store the information associated with the login request.
16. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to:
generate a data structure comprising physical location and login information for a plurality of accounts;
access the data structure for information associated with a login request of an account, wherein information associated with the login request comprises a physical location, and wherein the information associated with the login request comprises a login duration;
determine whether an initial phase of monitoring the account of the plurality of accounts associated with the login request is in progress;
in response to the initial phase being determined to be in progress, 
compare a portion of the information associated with the login request with information associated with a previous login request, wherein the information associated with the login request comprises a login information entry time;
determine a score associated with the login request based on the information associated with the previous login request;
access a threshold;
determine whether to initiate a security action based on the score associated with the login request and the threshold; and
store the information associated with the login request.
17. The non-transitory computer readable medium of claim 16, wherein the processing device further to determine whether a device or a human entered login information based on the login information entry time.
17. The non-transitory computer readable medium of claim 16, wherein the processing device further to determine whether a device or a human entered login information based on the login information entry time.
18. The non-transitory computer readable medium of claim 16, wherein the information associated with the previous login request comprises an indicator of compromise (IOC).
18. The non-transitory computer readable medium of claim 16, wherein the information associated with the previous login request comprises an indicator of compromise (IOC).
19. The non-transitory computer readable medium of claim 16, wherein the information associated with the previous login request comprises an indicator of a login failure.
19. The non-transitory computer readable medium of claim 16, wherein the information associated with the previous login request comprises an indicator of a login failure.




Claim Rejections - 35 USC § 103
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Examiner’s note: text in bold corresponds to the claimed limitations; text in italics underlined or not underlined correspond to the cited prior art reference (i.e., verbatim, and/or examiner’s clarification. Meaning, text after a limitation in brackets [ ] corresponds to examiner’s mapping (including further explanation and/or comments) and/or prior art reference citations. Furthermore text in brackets [ ] points out explanation how the claim limitation is taught or explicitly taught by the reference being cited for that particular limitation or part of the limitation]



12.	Claims 1-5, 8-13 and 15-19 are rejected under AIA  35 U.S.C. 103 as being unpatentable over Bjorn Markus Jakobsson (herein after referred as Jakobsson) (US Publication No. 2013/0340052 A1) (Publication Date: Dec 19, 2013) in view of Maurice Samuels (herein after referred as Samuels) (US Pub. No. 2008/0162338 A1) (July 3, 2008)


13.	As per dependent claim 1 Jakobsson discloses a method comprising:
accessing information associated with a login request, wherein the login request is associated with a physical location [See at least figures 3-4 and paragraph 0040 and 0037, on paragraph 0040 see “As shown in FIG. 4, the method begins by receiving a request for authentication (402). Consistent with some embodiments, the request for authentication may be transmitted by a device such as client mobile device 102 or client computing device 104, each of which may correspond to computing system 200or device 300. The request for authentication may be transmitted to network 108 and received by payment service provider server 106. Consistent with some embodiments, the request for authentication may correspond to at least one data packet 312 sent by device 300 that includes user and device information that may include at least a username 306 and user credentials such as a PIN 308 as well as additional information” and on paragraph 0037 and figure 3, see, “The additional information may also include low-quality or low-entropy information such as an IP address of device 300, a device identification (ID) of device 300, or a location of device 300. The “request for authentication” meets or corresponds to the limitation, “login request” and “user and device information” meets or corresponds to the limitation, “information associated with a login request” and “a location of device 300” meets or corresponds to the limitation. “a physical location”];

comparing a portion of the information associated with the login request with information associated with a previous login request [See paragraph 0041 and 0042, on paragraph 0041, the following has been disclosed. “For example, if at least one data packet 312 includes a cookie indicating that user 116 and device 300 have previously been authenticated by payment service provider server 106, the cookie may be assigned a relatively high score. Similarly, if at least one data packet 312 includes a local object such as a FlashObject previously assigned by payment service provider server 106 upon a successful authentication, the local object may also be assigned a relatively high score” and see paragraph 0042, “Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location” A cookie or a local object or a previous successful authentication or previous location meets or corresponds to “ a portion of information associated with a previous login request” and consulted or comparison meets or corresponds to the claim limitation “comparing”]

determining a score associated with the login request;[See at least figure 4 and paragraph 0041, “After analyzing the received user and device information, a score is computed based on the received user and device information (406)”] Computing the score meets or corresponds to the limitation “determining a score”] accessing a threshold [See paragraph 0042, After the score has been computed, a threshold is determined (408). Consistent with some embodiments, the threshold is dependent on user 116. For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126, may be consulted in order to determine the threshold. If user 116 has previously had fraudulent activity on their account, the threshold may be higher than that for a user having no fraudulent activity. Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location, recent successful or failed interactions with the payment service provider” determining the threshold meets or corresponds to the limitation “ accessing a threshold”]

determining, by a processing device, whether to initiate a security action based on the score associated with the login request and the threshold [See at least paragraph 0043, “After the threshold is determined, the computed score is compared with the determined threshold (410). If the computed score is determined to be less than the threshold, payment service provider server 106 may request additional low-quality or low-entropy information (412)” Note “comparing the threshold and the computed score”
meets or corresponds to the limitation, “determining based on the score and the threshold” and request additional low-quality or low-entropy information 412 meets or corresponds to the claim limitation, “initiate a security action”]and 

storing the information associated with the login request [See at least paragraph 0042, “For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126”. Note: the past interactions stored in the account meets or corresponds to the claim limitation, “storing the information associated with the login request”]

Jakobsson substantially discloses all the limitation recited in the claim.
Jakobsson does not disclose the following limitations: 
“the information associated with the login request comprises a login duration”

However Samuels on at least paragraph 0029 discloses the following that meets the above limitation:

“An embodiment uses session statistics as authentication attributes to compare attributes of a login by a particular user ID with previous logins by the same user ID. The session_statistics table contains pre-login statistics including, preferably, login_time (date and time of login), browser_id (browser footprint with a hash of User-Agent string), and IP address (the IP address from which the customer accesses the Internet banking system, which includes information about the network and subnetwork containing the IP address), the presence of a persistent cookie (i.e., a cookie that remains on the end user's computer from session to session) or other device ID, and a referrer ID (the Internet address of a referring site) and also, preferably, post-login statistics including last_time (date/time of logout or last click, which can be used to determine the duration of a session), and clicks (number of clicks by the end-user within a session)”
Furthermore Samuels discloses:

accessing information associated with a login request, wherein the login request is associated with [See at least abstract and claim 1, “A method and system are provided for mitigating the risk of fraud in Internet banking. In an embodiment comprising an end user seeking access to the Internet banking site of a financial institution, the end user having already satisfied a first authentication requirement (such as providing a valid user id and password)”], and wherein the information associated, with the login request comprises a login duration [See at least paragraph 0029, “and also, preferably, post-login statistics including last_time (date/time of logout or last click, which can be used to determine the duration of a session),];

comparing a portion of the information associated with the login request with information associated with a previous login request [See at least abstract and claim 1, receiving from a remote site a request for access to a financial institution's Internet banking site, said request having satisfied a first authentication requirement associated with a customer of the financial institution and said request having two or more attribute. OR See abstract, [See at least abstract and claim 1, “A method and system are provided for mitigating the risk of fraud in Internet banking. In an embodiment comprising an end user seeking access to the Internet banking site of a financial institution, the end user having already satisfied a first authentication requirement (such as providing a valid user id and password)”], ];;

determining a score associated with the login request [See at least claim 1 and paragraph 0008, calculating a score corresponding to a measure of improbability of the occurrence of at least two of the attributes];

accessing a threshold [See at least claim 1, if the score exceeds a configurable threshold]

determining, by a processing device, whether to initiate a security action based on the score associated with the login request and the threshold;  [See at least claim 1 and abstract, the end user is required to satisfy a second authentication test when a measure of improbability associated with the login exceeds a threshold. Satisfying a second authentication meets the limitation recited as initiate a security action. See also paragraphs 0008, 0022]


Jakobsson and Samuels are considered to be analogous art as they both pertain to provide security and protection or mitigating risk of fraud of the system using authentication. 
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to implement in the system of Jackobsson a mechanism to use the feature such as “the information associated with the login request comprises a login duration” as taught by Samuels because this would enhance the security of the system by providing protection of the system from unauthorized intruder by comparing extra features/attributes such as user’s or device’s login duration information.[See at least Samuels at least paragraph 0029, 0008 and 0022]

	As per independent claim 9, Independent claim 9 is rejected for the same reason as that of the above independent claim 1.

	As per independent claim 16, Independent claim 16 is rejected for the same reason as that of the above independent claim 1.


	As per dependent claim 2,  the combination of Jakobsson and Samuels, discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the physical location associated with the login request comprises at least one of a department or a sub department and the physical location is associated with a device that sent the login request [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]


	As per dependent claim 3, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the information associated with the login request comprises a timestamp associated with the login request. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]

 	As per dependent claim 4, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the information associated with the previous login request comprises one or more resources accessed. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]


 	As per dependent claim 5, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the determining of whether to initiate the security action is performed is based on further information received after the information associated with the login request. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]


	As per dependent claim 8, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the information associated with the login request is stored with the information associated with the previous login request and the information associated with the login request is operable to be used with subsequently received information to determine whether to initiate the security action. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]

	As per dependent claim 10 dependent claim 10 is rejected for the same reason as that of the above dependent claim 2.

	As per dependent claim 11, dependent claim 11 is rejected for the same reason as that of the above dependent claim 3.

	As per dependent claim 12, dependent claim 12 is rejected for the same reason as that of the above dependent claim 4.

	As per dependent claim 13, dependent claim 13 is rejected for the same reason as that of the above dependent claim 5.


 	As per dependent claim 15, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the score is a security score and the action is a security action comprising initiating a network access change of a device that sent the login request and initiating an update service on the device. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]

	As per dependent claim 17, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Samuels discloses the method, wherein the processing device further to determine whether a device or a human entered login information based on the login information entry time [See at least abstract and paragraph 0029, An embodiment uses session statistics as authentication attributes to compare attributes of a login by a particular user ID with previous logins by the same user ID. The session_statistics table contains pre-login statistics including, preferably, login_time (date and time of login), browser_id (browser footprint with a hash of User-Agent string), and IP address (the IP address from which the customer accesses the Internet banking system, which includes information about the network and subnetwork containing the IP address), the presence of a persistent cookie (i.e., a cookie that remains on the end user's computer from session to session) or other device ID, and a referrer ID (the Internet address of a referring site) and also, preferably, post-login statistics including last_time (date/time of logout or last click, which can be used to determine the duration of a session), and clicks (number of clicks by the end-user within a session)”



	As per dependent claim 18, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore Jakobsson discloses the method, wherein the information associated with the previous login request comprises an indicator of compromise (IOC). [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]

	As per dependent claim 19, the combination of Jakobsson and Samuels discloses a method/system as applied to claims above. Furthermore, Jakobsson discloses the method, wherein the information associated with the previous login request comprises an indicator of a login failure. [See at least paragraphs 0041-0045 and 0038-0040 and figure 3-4]


14.	Claims 6-7 and 14 are rejected under AIA  35 U.S.C. 103(a) as being unpatentable over Bjorn Markus Jakobsson (herein after referred as Jakobsson) (US Publication No. 2013/0340052 A1) (Publication Date: Dec 19, 2013) in view of Maurice Samuels (herein after referred as Samuels) (US Pub. No. 2008/0162338 A1) (July 3, 2008) and in further view of Jinlin Yang (herein after referred as Yang) (US Patent No. 9,148,424 B1) (Sep. 29,2015)

	As per dependent claim 6 the combination of Jakobsson and Samuels discloses a method as applied to claims above. Furthermore Jackobsson discloses the method comprising:
accessing information associated with a login request, wherein the login request is associated with a physical location [See at least figures 3-4 and paragraph 0040 and 0037, on paragraph 0040 see “As shown in FIG. 4, the method begins by receiving a request for authentication (402). Consistent with some embodiments, the request for authentication may be transmitted by a device such as client mobile device 102 or client computing device 104, each of which may correspond to computing system 200or device 300. The request for authentication may be transmitted to network 108 and received by payment service provider server 106. Consistent with some embodiments, the request for authentication may correspond to at least one data packet 312 sent by device 300 that includes user and device information that may include at least a username 306 and user credentials such as a PIN 308 as well as additional information” and on paragraph 0037 and figure 3, see, “The additional information may also include low-quality or low-entropy information such as an IP address of device 300, a device identification (ID) of device 300, or a location of device 300. The “request for authentication” meets or corresponds to the limitation, “login request” and “user and device information” meets or corresponds to the limitation, “information associated with a login request” and “a location of device 300” meets or corresponds to the limitation. “a physical location”];

comparing a portion of the information associated with the login request with information associated with a previous login request [See paragraph 0041 and 0042, on paragraph 0041, the following has been disclosed. “For example, if at least one data packet 312 includes a cookie indicating that user 116 and device 300 have previously been authenticated by payment service provider server 106, the cookie may be assigned a relatively high score. Similarly, if at least one data packet 312 includes a local object such as a FlashObject previously assigned by payment service provider server 106 upon a successful authentication, the local object may also be assigned a relatively high score” and see paragraph 0042, “Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location” A cookie or a local object or a previous successful authentication or previous location meets or corresponds to “ a portion of information associated with a previous login request” and consulted or comparison meets or corresponds to the claim limitation “comparing”]

determining a score associated with the login request;[See at least figure 4 and paragraph 0041, “After analyzing the received user and device information, a score is computed based on the received user and device information (406)”] Computing the score meets or corresponds to the limitation “determining a score”] accessing a threshold [See paragraph 0042, After the score has been computed, a threshold is determined (408). Consistent with some embodiments, the threshold is dependent on user 116. For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126, may be consulted in order to determine the threshold. If user 116 has previously had fraudulent activity on their account, the threshold may be higher than that for a user having no fraudulent activity. Other factors that may be used in order to determine the user-dependent threshold include credit scores, current location of user in comparison to known home location or previous location, recent successful or failed interactions with the payment service provider” determining the threshold meets or corresponds to the limitation “ accessing a threshold”]

determining, by a processing device, whether to initiate a security action based on the score associated with the login request and the threshold [See at least paragraph 0043, “After the threshold is determined, the computed score is compared with the determined threshold (410). If the computed score is determined to be less than the threshold, payment service provider server 106 may request additional low-quality or low-entropy information (412)” Note “comparing the threshold and the computed score”
meets or corresponds to the limitation, “determining based on the score and the threshold” and request additional low-quality or low-entropy information 412 meets or corresponds to the claim limitation, “initiate a security action”]and 

storing the information associated with the login request [See at least paragraph 0042, “For example, if user 116 has interacted with the payment service provider that maintains server 106 in the past, these past interactions, stored in account information 126”. Note: the past interactions stored in the account meets or corresponds to the claim limitation, “storing the information associated with the login request”]

The combination of Jakobsson and Samuels substantially discloses all the limitation recited in the claim.
the combination of Jakobsson and Samuels does not disclose the following limitations: 
“ the security action comprises sending a notification comprising an account name associated with the login request” recited in claim 6 and “security action comprises initiating a network access change of a device that sent the login request, and wherein the security action is based on a policy” recited in claim 7.

However Yang on column 3, lines 16-33 discloses the following that meets the above limitation:
“In the above example embodiment, if these three threshold tests related to: (1) a total number of login requests; (2) an login success ratio; and (3) a number of usernames are each met, then the security system automatically initiates a security action. Such security actions may include blocking access to all accounts associated with a username and password login attempted during the time period, forcing a password reset via an e-mail for each such account, sending a notice of suspected intrusion, or other such security actions. As described above, certain embodiments operate in environments where multiple successful intrusion account operations occur prior to the system recognizing an intrusion. Thus, an analysis identifying an intrusion following a certain login request may initiate security actions for multiple different accounts, particularly different accounts accessed from a single IP address within a threshold time period, including, e.g., accounts utilized prior to the determination of an intrusion” [See at least column 3, lines 16-33]


Jakobsson, Samuels and Yang are considered to be analogous art as they all pertain to provide security and protection of an account by analyzing login request. 
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to implement in the system of the combination of Jakobsson and Samuels a mechanism to use the feature such as “the security action comprises sending a notification comprising an account name associated with the login request and security action comprises initiating a network access change of a device that sent the login request, and wherein the security action is based on a policy” as taught by Yang because this would enhance the security of the system by automatically initiating a security action and providing intrusion detection. [See at least Yang at least column 3, lines 16-33]


	As per dependent claim 7, dependent claim 7 is rejected for the same reason as that of the above dependent claim 6.

	As per dependent claim 14, dependent claim 14 is rejected for the same reason as that of the above dependent claim 6.
Conclusion
15.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A. 	 US Publication No. 20160210450 A1 to Su discloses a method providing a mobile device with the ability to locally detect fraudulent activity by an unauthorized user. A mobile device may include a fraud detection module that may build a historical usage pattern of a user of the mobile device. The fraud detection module may monitor usage of the mobile device for multiple parameters and record events pertaining to the parameters. Periodically or in response to each event, the fraud detection module may compute a current usage pattern using each of the current parameter values. The fraud detection module may compare the current usage pattern with the historical usage pattern and may use the comparison result to compute a confidence score. The fraud detection module may then compare the confidence score with a preset confidence score to determine whether fraudulent activity is occurring at the mobile device.
B. 	US Publication No. 20040054929 A1 to Serpa discloses a method for enhancing passwords, access codes, and personal identification numbers by making them pace, rhythm, or tempo sensitive. The sequence of characters comprising the password/access code/personal identification number has an associated timing element. To access a restricted device or function a user must enter the correct character sequence according to the correct pace, rhythm, or tempo. The entered sequence and timing element are compared with stored values and access is granted only if the entered and stored values match. In an alternative embodiment the stored timing element is set, and periodically altered, by a computer or program without consent from the user and visual, auditory, and/or tactile prompts indicate the correct timing element to the user during the authentication process.

C. 	US Publication No. 20100263055A1 to Habif discloses a system and method for controlling the use of an electronic device by at least one user, comprising means for verifying if at least one restriction condition related to the use of the electronic device is satisfied; means for applying a restriction action to the electronic device for constraining its use; means for variably determining at least one non-agreed request to the user; means for doing the determined non-agreed request accessible to the user; means for receiving a non-agreed input from the user in response to the request; means for verifying if the received non-agreed input from the user corresponds to the expected input; and means for cancelling the restriction action applied to the electronic device.
D. 	See the other cited references.

16.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMSON B LEMMA whose telephone number is 571-272-3806.  The examiner can normally be reached on M-F 8am-10pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shaw Yin Chen can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.	
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAMSON B LEMMA/
Primary Examiner, Art Unit 2498