DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Claims 1-16 were previously pending and subject to a non-final action on 02/18/2022. In the response filed on 04/21/2022, claims 1-4, 6-9, and 12-15 were amended. Therefore, claims 1-16 are currently pending and subject to the final action below.

Response to Arguments
Applicant’s arguments filed 04/21/2022, with respects to claims 1-16 under 35 U.S.C. 103 have been fully considered but are moot because the arguments do not apply to the new combination of references being used in the current rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 12 recites the limitation "obtaining a min subsequence length to divide each one of the plurality of sets into the subsequences so as to define, within a given one of the plurality of sets, for a given subsequence length from the minimum subsequence to the maximum subsequence length, a respective plurality of subsequences;".  There is insufficient antecedent basis for the terms the minimum subsequence to the maximum subsequence length, in this limitation of the claim.
Dependent claims 2-11 and 13-16 are rejected in view of their dependency on independent claims 1 and 12

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-8, 10, and 12, 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al. (US PGPUB: 20160306974, Filed Date: Jun. 30, 2016, hereinafter “Turgeman-6974”) in view of Zhao (US PGPUB: 20180322287 A1, Filed Date: May 05, 2017, hereinafter “Zhao”).
Regarding independent claim 1, Turgeman-6974 teaches: A method for training a Machine Learning Algorithm (MLA), the MLA executed by a server, the MLA for classifying a user action sequence that is performed by a user with an electronic service using a computer device, the method executable by the server, the method comprising: (Turgeman-6974 − [0016] The present invention comprises systems, devices, and methods to enable detection (or determination, or estimation) of a “bot” or malicious automatic script or malware or a cyber-attack module or unit or computerized module, which is produces or generates or imitates human-like user-interaction data that resembles (or is posing as) human utilization of mouse, keyboard, touch-screen, touch-pad, or other input units of an electronic device or computing device or computer. [0045] a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
receiving an indication of interface elements of the electronic service and events associated with the interface elements to be monitored; (Turgeman-6974 − [0026] The Applicants have realized that the interactions of a user with a computerized service (e.g., a website or an online service), may be monitored, logged and tracked in order to detect user-specific characteristics that may enable the system to differentiate among users, or that may enable the system to differentiate between a legitimate user (e.g., a genuine user who is the account-owner, an authorized user) and an attacker (or impersonator or “fraudster” or imposter or impostor or other illegitimate user). [0029] Accordingly, the present invention may perform automatic scanning and mapping of the website (or webpage, or application, or service) that is being protected or being monitored or that is expected or intended to be monitored for fraudulent activity. The mapping process may identify UI elements or GUI elements (e.g., buttons, drop-down menus, selection boxes, data fields) and other elements (e.g., entire page or web-page; a tab or area in a website; a tab or area in a webpage; a tab or area in an application; an entire form; a sequence of operations or forms or pages), and may further classify or categorize or map such elements based on their context, based on their associated risk potential, or based on the level of damage that may occur if such element is fraudulently utilized, or based on the level of sufficiency of possible-fraud that would be required in order to trigger a fraud notification. TABLE 1 Risk Relatedness or UI Element Fraud Relatedness “Contact Us” button or link 4 “Branch Locator” button or link 2 “F.A.Q.” button or link 1 “Show Account Balance” button or link 49 “Show Monthly Statement” button or link 47 “Perform Payment to Payee” button or link 51 “Define New Payee” button or link 90 “Perform Money Transfer” button or link 89 “Beneficiary Name” field 92 “Beneficiary Account Number” field 87 “Amount to Wire” field 85 “Send Email Confirmation” yes/no selector 88 “Submit Payment Now” button 96 “Wire the Funds Now” button 98 [0064] In accordance with the present invention, a UI-Element-Based Fraud Estimator 168 may operate, in real-time as a user engages with the web-page or with UI elements, and/or in retrospect or retroactively (e.g., by reviewing and analyzing a log of previously-recorded user interactions), in order to estimate whether a particular user operation, or a set of operations, is estimated to be fraudulent, or is estimated to be associated with fraudulent behavior, or is estimated to be associated with a fraudulent user. Events being UI elements reference in Table 1.)
receiving a plurality of indications of a given training user action sequence of a plurality of training user sequences, the given training user action sequence including occurrence of at least one of: (i) the events associated with the interface elements and (ii) user interactions with the interface elements; and associated timestamps, the plurality of indications being of at least two different types of classes, for which the MLA is to be trained for classifying user actions into; (Turgeman-6974 − [0031] The contextual mapping information of such elements may be stored in a lookup table or database or other data-structure, or as a fraud risk-level parameter associated with each element; and may subsequently be utilized as a factor or a parameter in the process of determining whether or not an operation or a transaction (or a set of operations) is fraudulent or legitimate, or in the process of assigning or generating a total fraud-possibility score for a transaction or for on operation or set of operations. Table 1. [0064] In accordance with the present invention, a UI-Element-Based Fraud Estimator 168 may operate, in real-time as a user engages with the web-page or with UI elements, and/or in retrospect or retroactively (e.g., by reviewing and analyzing a log of previously-recorded user interactions), in order to estimate whether a particular user operation, or a set of operations, is estimated to be fraudulent, or is estimated to be associated with fraudulent behavior, or is estimated to be associated with a fraudulent user. [0065] In a demonstrative example, the UI-Element-Based Fraud Estimator 168 may detect that a highly-suspicious behavior has been identified in conjunction with engaging with the “Branch Locator” button; such as, that the on-screen mouse-pointer, when moving towards the “Branch Locator” button, appears to “jump” (e.g., indicating a possible Remote Access user, rather than a direct user that sits in front of a computing device), or that the mouse-pointer moves in an entirely perfect straight line (e.g., typically associated with an automatic script that moves the mouse-pointer, and not with a human user that rarely performs perfectly-linear moves).)
generating a training set comprising a plurality of training objects, given training object of the plurality of training objects being generated based on a respective training user action sequence of the plurality of training user actions sequences, (Turgeman-6974 − [0045] Optionally a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction); optionally, without necessarily using any specific pre-define features or characteristics or features, and optionally using a heuristic approach or holistic approach or “fuzzy logic” algorithm that attempts to find a unique identifier or a unique digital footprint without necessarily being tied to a specific biometric parameter or to a set of pre-defined biometric parameters. [0089] It is noted that in accordance with the present invention, monitoring and/or analyzing of “user interactions” and/or “user gestures”, may further comprise the monitoring and/or analyzing of interactions, gestures, and/or sensed data that is collected shortly before or immediately before the actual interaction, and/or interactions, gestures, and/or sensed data that is collected shortly after or immediately after the actual interaction; in addition to the data collected or sensed or monitored during the interaction itself. [0096] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns. The two different type of classes referring to fraudulent user and legitimate user)
determining a respective frequency value of each subsequence appearing in each of the plurality of training user action sequences belonging to a given one of the at least two different types of classes; (Turgeman-6974 – [0045] The user-specific features, whose values may be compared or matched across usage-sessions, may include, for example, rate or frequency of mouse clicks; [0070] Optionally, the Bot/Malware/Script determination module 174 may comprise, or may utilize or may be associated with, a Statistical Analysis Unit which may perform statistical analysis of data of input-unit(s) interactions; for example, calculating average, mean, standard deviation, variance, distribution, distribution pattern(s), and/or other statistical properties of the registered or reported input-unit(s) events or gestures or data; and then, comparing them or matching them to general-population statistical properties of human-users utilization of such input-units, in order to find a mismatch or a significant deviation from human-characterizing statistical properties of human behavior. For example, determining that the keyboard exhibited an average (or median) typing speed of 650 words-per-minute, within one usage session or over multiple usage-sessions of the same user, indicates that this is non-human characteristic (e.g., as human can type at a speed of up to around 200 words-per-minute), thereby indicating that a computerized script more-probably than a human-user was responsible for entering such keyboard data. Similarly, statistical distribution of input-unit data or metadata (e.g., time-gaps between key-down/key-up events, time-gaps between typed characters, time-gaps between mouse-clicks or on-screen taps, or the like) may similarly be used for detecting non-human behavior of an automated, impostor, script or “bot”.)
and selecting, from the subsequences associated with the respective training user action sequence, based on respective frequency values thereof, a number of most informative subsequences indicative of a probability of the respective training user action sequence belonging to the given one of the at least two different types of classes; (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II). In still other embodiments, the fraud estimation module 160 may generate as output a fraud-probability score, indicating the estimated probability (e.g., on a scale of 0 to 100, or other suitable range of values) that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is fraudulent (or, is associated with a fraudulent transaction, or with fraudulent purposes, or with a fraudulent user). Other types of outputs or determinations or scores may be generated by the systems and methods of the present invention. Generate a probability for determining a particular engagement is either a legitimate, or fraudulent activity.)
and using the training set to train the MLA to classify an in-use user action sequence into one of the at least two types of classes. (Turgeman-6974 − [0096] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns. This may be used for detection of “friendly fraud” incidents, or identification of users for accountability purposes, or identification of the user that utilized a particular function in an Administrator account (e.g., optionally used in conjunction with a requirement that certain users, or users with certain privileges, may not share their password or credentials with any other person); or identification of a licensee in order to detect or prevent software piracy or unauthorized usage by non-licensee user(s), for software or products that are sold or licensed on a per-user basis or a per-seat basis.)
Turgeman-6974 does not explicitly teach: generating the given training object including: subdividing the respective training user action sequence into subsequences, by obtaining a max subsequence length to divide the respective training user action into a plurality of sets of the max subsequence length each; and obtaining a min subsequence length to divide each one of the plurality of sets into the subsequences so as to define, within a given one of the plurality of sets, for a given subsequence length from the minimum subsequence to the maximum subsequence length, a respective plurality of subsequences;
However, Zhao teaches: generating the given training object including: subdividing the respective training user action sequence into subsequences, by obtaining a max subsequence length to divide the respective training user action into a plurality of sets of the max subsequence length each; (Zhao − [0007] Fig.2 determining a plurality of subsequences in the series of events; identifying a plurality of most frequent subsequences in the plurality of subsequences; [0032-0034] At 202, once the dataset is received by the processing system 104, the dataset may be analyzed to determine a plurality of subsequences in the dataset. [0034] determining max number of subsequence of events when it exceeds the maximum support threshold.)
and obtaining a min subsequence length to divide each one of the plurality of sets into the subsequences so as to define, within a given one of the plurality of sets, for a given subsequence length from the minimum subsequence to the maximum subsequence length, a respective plurality of subsequences; (Zhao − [0007] Fig. 2 determining a plurality of subsequences in the series of events; identifying a plurality of most frequent subsequences in the plurality of subsequences; [0032-0034] [0033] At 208, at least one subsequence may be selected from the most frequently occurring subsequences in the plurality of subsequences. The selection of this subsequence may be based on one or more predetermined thresholds. if occurrence of a subsequence of events exceeds the minimum support threshold value, then that subsequence of events may be selected for further analysis.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974 with Zhao since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Zhao to determine a plurality of subsequences in malware attack analysis. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.
Regarding dependents claim 2, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the subdividing the respective user sequence into the subsequences is further based on a number of the most informative subsequences. (Turgeman-6974 − [0043] [0070] User-specific features extractor 115 may extract or estimate user-specific features or traits or characteristics or attributes, that characterize an interaction (or a set or batch or group or flow of interactions, or a session of interactions) of a user with the computerized service 102. Optionally, an extracted features database 116 may store data or records which reflects users and their respective values of extracted (or estimated) user-specific features.)
Regarding dependents claim 3, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the subdividing the respective training user action sequence into the subsequences further comprises: identifying, in the respective training user action sequence in the training set, searching for n most informative subsequences to generate a respective set of Boolean features, where each Boolean feature is indicative of whether a corresponding subsequence from the n most informative subsequence is present in the respective training user action sequence; and the method further comprises: using respective sets of Boolean features as part of the training set. (Turgeman-6974 − [0070] Similarly, statistical distribution of input-unit data or metadata (e.g., time-gaps between key-down/key-up events, time-gaps between typed characters, time-gaps between mouse-clicks or on-screen taps, or the like) may similarly be used for detecting non-human behavior of an automated, impostor, script or “bot”. The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like. Similarly, the Bot/Malware/Script determination module 174 may search for, and may detect, other types of abnormal behavior that does not (or cannot) characterize human utilization of an input-unit; for example, occurrence of two (or more) mouse-clicks or touchpad-taps or touch-screen taps, simultaneously or concurrently, at two (or more) different locations or on-screen locations; thereby indicating an automated “bot” or script, and not a human user.)
Regarding dependents claim 5, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the at least two types of classes comprise one of a legitimate transaction class and a fraudulent transaction class. (Turgeman-6974 − [0067] In some embodiments, the fraud estimation module 160 may generate as output a binary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent. In other embodiments, the fraud estimation module 160 may generate as output a ternary-type determination, indicating that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is either: (I) legitimate, or (ii) fraudulent, or (III) that the system does not have sufficient data in order to positively select option (I) or option (II). In still other embodiments, the fraud estimation module 160 may generate as output a fraud-probability score, indicating the estimated probability (e.g., on a scale of 0 to 100, or other suitable range of values) that a particular operation, or a particular set-of-operation, or a particular transaction, or a particular engagement with one or more UI elements, is fraudulent (or, is associated with a fraudulent transaction, or with fraudulent purposes, or with a fraudulent user). Other types of outputs or determinations or scores may be generated by the systems and methods of the present invention. Generate a probability for determining a particular engagement is either a legitimate, or fraudulent activity.)
Regarding dependents claim 6, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the number of the most informative subsequences is pre- defined. (Turgeman-6974 − [0070] The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like.)
Regarding dependents claim 7, discloses all the features with respect to claim 6 as outlined above
Turgeman-6974 teaches: wherein the method further comprises pre-defining the number of the most informative subsequences. (Turgeman-6974 − The statistical analysis may comprise, for example, comparison to threshold values; comparison to pre-defined maximum threshold value; comparison to pre-defined minimum threshold value; finding a different from threshold value(s) (e.g., determining that a statistical property that was calculated, is at least 20% less or is at least 20% more than a human-based value of such property); checking whether the calculated statistical property is within a pre-defined range of acceptable human-based values; or the like.)
Regarding dependents claim 8, discloses all the features with respect to claim 7 as outlined above
Turgeman-6974 teaches: wherein the pre-defining the number of the most informative subsequences comprises using a scoring function. (Turgeman-6974 − [0031] The contextual mapping information of such elements may be stored in a lookup table or database or other data-structure, or as a fraud risk-level parameter associated with each element; and may subsequently be utilized as a factor or a parameter in the process of determining whether or not an operation or a transaction (or a set of operations) is fraudulent or legitimate, or in the process of assigning or generating a total fraud-possibility score for a transaction or for on operation or set of operations.)
Regarding dependents claim 10, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 teaches: wherein the MLA is a classifier. (Turgeman-6974 − a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
Regarding independent claim 12, is directed to a method. Claim 12 have similar/same technical features limitation as claim 1 and the claims are rejected under the same rationale.
Regarding dependents claim 14, Turgeman-6974 teaches: wherein the method further comprises training the MLA based on a training set, the trainings set composing a plurality of training objects, each of which has been generated based on a respective training user action sequence of a plurality of training user actions sequences. (Turgeman-6974 − [0016] The present invention comprises systems, devices, and methods to enable detection (or determination, or estimation) of a “bot” or malicious automatic script or malware or a cyber-attack module or unit or computerized module, which is produces or generates or imitates human-like user-interaction data that resembles (or is posing as) human utilization of mouse, keyboard, touch-screen, touch-pad, or other input units of an electronic device or computing device or computer. [0045] a deep learning algorithm and/or a machine learning algorithm or other suitable Artificial Intelligence (A.I.) algorithm may be utilized, in order to learn and to define a user-specific profile based on the data that is monitored or produced during the interaction (and optionally, immediately prior to the interaction and/or immediately after the interaction))
Regarding dependents claim 15, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 teaches: wherein the electronic device is one of the computer device used by the user for executing the user action sequence and a server executing the electronic service. (Turgeman-6974 − [0037] System 100 may enable an end-user device 101 to interact with a computerized service 102. the end-use device 101 may be a stand-alone machine or interface; [0038] The computerized service 102 may be a local and/or a remote computerized platform or service or application or web-site or web-page. [0039] Some demonstrative and non-limiting examples, of suitable computerizes service(s) which may be used in conjunction with the present invention, may include: banking service,)
Regarding dependents claim 16, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 teaches: wherein the electronic service is an on-line banking application and wherein the method is executable while the user is performing user interactions with the on-line banking application. (Turgeman-6974 − [0037] System 100 may enable an end-user device 101 to interact with a computerized service 102. the end-use device 101 may be a stand-alone machine or interface; [0038] The computerized service 102 may be a local and/or a remote computerized platform or service or application or web-site or web-page. [0039] Some demonstrative and non-limiting examples, of suitable computerizes service(s) which may be used in conjunction with the present invention, may include: banking service,)

Claim(s) 4, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman-6974 and Zhao as applied to claims 1-3, 5-8, 10, and 12, 14-16  above, and further in view of Turgeman (US PGPUB: 20150310196, Filed Date: Jun. 11, 2015, hereinafter “Turgeman-0196”).
Regarding dependents claim 4, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 does not explicitly teach: wherein the given training user action sequence comprises a given one of a plurality past user actions that have been marked as belonging to at least two types of classes.
However, Turgeman-0196 teaches: wherein the given training user action sequence comprises a given one of a plurality past user actions that have been marked as belonging to at least two types of classes. (Turgeman-0196 − [0083] In another example, different keyboard layouts may dictate, or may be indicative of, different speed or rate of typing (in general, or of various words or syllables or sequences); and these parameters may be monitored and evaluated by the keyboard identification module 250, and may allow to distinguish or differentiate among users based on the estimated type of keyboard layout that is being utilized in a current session, compared to historical or past keyboard layout(s) that were observed in prior usage sessions.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974, Zhao and Turgeman-0196  since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.
Regarding dependents claim 11, discloses all the features with respect to claim 1 as outlined above
Turgeman-6974 does not explicitly teach: wherein the classifier is based on a decision tree model.
However, Turgeman-0196 teaches: wherein the classifier is based on a decision tree model. (Turgeman-0196 − [0048] The user-specific signal characteristics may be stored in the database 203, and may be used subsequently by comparator/matching module 204 in order to compare or match between current-characteristics and previously-estimated characteristics, thereby enabling a decision whether or not the current user is genuine or fraudulent. [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974, Zhao and Turgeman-0196  since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.
Regarding dependents claim 13, discloses all the features with respect to claim 12 as outlined above
Turgeman-6974 does not explicitly teach: wherein in response to the predicted class being same as the default class, receiving a next user action sequence for determining a respective predicted class thereof
However, Turgeman-0196 teaches: wherein in response to the predicted class being same as the default class, receiving a next user action sequence for determining a respective predicted class thereof. (Turgeman-0196 − [0102] In some embodiments, the system may detect scenarios of two users using one computing device, in the training phase and/or testing phase. If a user's account is suspected to have multiple users, the system may use unsupervised clustering for separating between users. Afterwards, the system may use separate individual model for each cluster (e.g., each estimated user). This may allow the system to build a combined model, consisted of the individual users' models. This solution may outperform building one model for all users, even though it may require more data as the number of training sessions per user may be decreased. [0103] Some embodiments may identify multiple (different) users that utilize the same device, or the same account, before or after a typical user profile is built, or even during a training period in which the system learns the behavioral patterns.)
Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combined Turgeman-6974, Zhao and Turgeman-0196  since each invention is in the same field of endeavor of detecting a possible cyber-attack. Adding the teaching of Turgeman-0196 to include typing fluency score estimator for detecting a possible cyber-attack. One of ordinary skill in the art would have been motivated to make such modification for detecting legitimate user from fraudulent attacks.

Allowable Subject Matter
Claim 9 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARL E BARNES JR whose telephone number is (571)270-3395. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cesar Paula can be reached on 571-272-4128. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/CARL E BARNES JR/Examiner, Art Unit 2177       

/CESAR B PAULA/Supervisory Patent Examiner, Art Unit 2177