DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 12/02/2021 has been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-25 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-8, 10-21, and 23-25 of USPN 11,301,550 (Appl. No: 15/696057). Although the claims at issue are not identical, they are not patentably distinct from each other. (see Claim-Comparison Table below for independent claim 1 of the instant application against Claim 1 of 11,301,550).
Claim-Comparison Table

Application # 17/541110, Claim 1:

A system comprising:

at least one data processor;
memory storing instructions, which when executed by at least one data processor, result in operations comprising:

initiating authentication for a user based on an identification confidence score of the user, the identification confidence score based on one or more characteristics of the user;

continuously monitoring, using a machine learning model for the user, both of user conduct and behavioral biometrics in connection with the utilization of one or more resources by the user to generate first data;

determining, based on the monitoring, differences between the first data and historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous; and

removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource.

USPN # 11,301,550, Claim 1:

A system comprising:

at least one data processor;
memory storing instructions, which when executed by at least one data processor, result in operations comprising:

generating, prior to authentication using a behavioral model, an identification confidence score of a user of a plurality of users based on one or more characteristics of the user, wherein the identification confidence score is a numerical value indicating a level of trust that defines whether the user is self-authenticated or requires further authentication, wherein the behavioral model is an individual machine learning model created for each individual user that identifies anomalous behavior based on past behavioral patterns of the user, the behavioral model being trained using the one or more characteristics of the user including mouse movement and keyboard dynamics;

initiating authentication for the user based on the identification confidence score;

monitoring, using the behavioral model, user activity of the user for anomalous activity to generate first data;

generating, at predetermined intervals after the authentication, snapshot data of the user activity, the snapshot data comprising both of: (i) current bandwidth usage and (ii) a number of open ports;

determining, using the behavioral model based on the monitoring, differences between (a) the first data and historical utilization data for the user and (b) the snapshot data and at least one of (1) the first data, (2) the historical utilization data, (3) known anomalous activity associated with malicious actors, or (4) known anomalous activity associate with other users to determine whether the user's utilization of the one or more resources is anomalous;

removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource; and

modifying, when the user's utilization of the one or more resource is anomalous, the identification confidence score by lowering the score when the user's utilization of the one or more resource is anomalous.


Claims 2-25 of the instant application are equivalent in scope with Claims 2-8, 10-21 and 23-25 of USPN 11,301,550.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-6, 9-10, 13-14, 17-19, 22-23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson et al. USPN 9,485,237, hereinafter referred to as Johansson, in view of Gibson et al. US 2016/0162683, hereinafter referred to as Gibson.
As per claim 1, Johansson teaches a system comprising: at least one data processor; memory storing instructions, which when executed by at least one data processor, result in operations comprising: initiating authentication for a user based on an identification confidence score of the user, the identification confidence score based on one or more characteristics of the user (Johansson col 7 lines 1-10, col 7 lines 20-40, col 8 lines 25-40, col 9 lines 30-45, generate confidence score for a user based on user characteristics and require further authentication to achieve a higher confidence score).
Johansson does not explicitly disclose continuously monitoring, using a machine learning model for user, both of user conduct and behavioral biometrics in connection with utilization of one or more resources by the user to generate first data; 
determining, based on the monitoring, differences between the first data and historical utilization data for the user to determine whether the user's utilization of one or more resources is anomalous; and 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource.  
Gibson teaches continuously monitoring, using a machine learning model for user, both of user conduct and behavioral biometrics in connection with utilization of one or more resources by the user to generate first data (Gibson paragraph [0009], [0021]-[0023], [0048]-[0049], [0056], continuously monitor, collect and process user data/activities using a machine learning model); 
determining, based on the monitoring, differences between the first data and historical utilization data for the user to determine whether the user's utilization of one or more resources is anomalous (Gibson paragraph [0026], [0049], [0051], [0056], compare current user data with baseline profile data to determine confidence score); and 
removing, when the user's utilization of the one or more resource is anomalous, the user's access to the one or more resource (Gibson paragraph [0031]-[0032], [0058], revoke user access to resource).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson with the teachings of Gibson to include monitoring user information and passively authenticating the user based on the monitored information in order to provide continuous authentication of the user to ensure that the user accessing the secured resources is the same user that was initially authenticated.

As per claim 4, Johansson in view of Gibson teaches the system of claim 1, wherein the one or more characteristics of the user after the authentication includes at least one of a device in use by the user, a geographical location of the device, an authentication history of the user, a manner in which the user uses the device, and a reputation of the internet protocol address used by the device (Johansson col 3 lines 35-45, col 4 lines 40-50, col 8 line 60 – col 9 line 5, client characteristics and user behavior; Gibson paragraph [0008], [0021]-[0023], [0031], [0056], device location and user behavior).  

As per claim 5, Johansson in view of Gibson teaches the system of claim 4, wherein the manner in which the user uses the device comprises one or more of the user's speed of typing, intervals between the user typing characters, a firmness of the user pressing a user interface, and a location of the user's input on the user interface (Johansson col 4 lines 44-50; Gibson paragraph [0022]-[0023]).  

As per claim 6, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data; and comparing the snapshot data against historical utilization data for the user to determine whether the user's utilization of the one or more resources is anomalous (Gibson paragraph [0008], [0022]-[0023], [0026], [0031], [0048]-[0049], [0051], [0056], [0058], continuously monitor, collect and process user data/activities.  compare current user data with baseline profile data to determine anomaly).  

As per claim 9, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: modifying, after the removing, the identification confidence score based on the one or more characteristics of the user (Gibson paragraph [0031]-[0032], [0058], revoke user access to resource; paragraph [0008]-[0009], [0022], [0026]-[0027], [0050]-[0052], [0056], [0058], modifying the confidence score of the user via continuous authentication of the user).  

As per claim 10, Johansson in view of Gibson teaches the system of claim 1, wherein the anomalous activity includes one or more observed user behavior that is not consistent with previously observed actions of the user (Gibson paragraph [0026], [0049], [0051], [0056], compare current user data with baseline profile data to determine anomaly).  

As per claim 13, Johansson in view of Gibson teaches the system of claim 1, wherein the authentication comprises requesting user biometrics (Johansson col 7 lines 1-10, col 9 lines 20-45; Gibson paragraph [0030]).  

As per claims 14, 17-19, 22-23 and 26, the claims claim a method essentially corresponding to the system claims 1, 4-6, 9-10 and 13 above, and they are rejected, at least for the same reasons.

Claims 2-3, 7, 15-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson, and further in view of Nguyen et al. USPN 10,237,298, hereinafter referred to as Nguyen.
As per claim 2, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: suspending, in response to anomalous activity by the user, processes associated with the user (Gibson paragraph [0031], [0033], [0058], revoke user access/logout user).  
Johansson in view of Gibson does not explicitly disclose suspending all processes associated with user.
Nguyen teaches suspending all processes associated with user (Nguyen col 8 lines 25-40, terminate session processes of a user in response to anomalous activity of the user).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson of revoking user access/logging out a user in response to anomalous activity with the teachings of Nguyen to include terminating all session processes for a user in response to anomalous activity in order to prevent any/all active activities of the anomalous user.

As per claim 3, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: terminating, in response to anomalous activity by the user, processes associated with the user (Gibson paragraph [0031], [0033], [0058], revoke user access/logout user).
Johansson in view of Gibson does not explicitly disclose terminating all processes associated with user.
Nguyen teaches terminating all processes associated with user (Nguyen col 8 lines 25-40, terminate session processes of a user in response to anomalous activity of the user).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson of revoking user access/logging out a user in response to anomalous activity with the teachings of Nguyen to include terminating all session processes for a user in response to anomalous activity in order to prevent any/all active activities of the anomalous user.

As per claim 7, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data (Gibson paragraph [0008], [0021]-[0023], [0048]-[0049], [0056], continuously monitor, collect and process user data/activities).
Johansson in view of Gibson does not explicitly disclose comparing snapshot data against known actions of an attacker to determine whether user's utilization of one or more resources is anomalous.  
Nguyen teaches comparing snapshot data against known actions of an attacker to determine whether user's utilization of one or more resources is anomalous (Nguyen col 1 lines 60 – col 2 line 5, col 7 lines 25-65, col 11 lines 25-35, col 12 lines 20 – col 13 line 30, col 21 lines 30-42, comparing current user data with known malicious behavior).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson of determining anomalous activities with the teachings of Nguyen to include determining anomalous activities based on a comparison of current user data with known malicious actions because the results would have been predictable and resulted in determining anomalous activities based on known malicious actions.

As per claims 15-16 and 20, the claims claim a method essentially corresponding to the system claims 2-3 and 7 above, and they are rejected, at least for the same reasons.

Claims 8 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson, and further in view of Jones et al. USPN 9,537,880, hereinafter referred to as Jones.
As per claim 8, Johansson in view of Gibson teaches the system of claim 1, wherein the operations further comprise: monitoring the user's utilization of the one or more resources to generate snapshot data (Gibson paragraph [0008], [0021]-[0023], [0048]-[0049], [0056], continuously monitor, collect and process user data/activities).
Johansson in view of Gibson does not explicitly disclose comparing snapshot data against historical utilization data for a group of users similar to user to determine whether the user's utilization of one or more resources is anomalous.  
Jones teaches comparing snapshot data against historical utilization data for a group of users similar to user to determine whether the user's utilization of one or more resources is anomalous (Jones col 4 lines 35-60, col 8 lines 40-55, col 9 lines 50-65, col 15 lines 40-50, col 15 lines 65-67, comparing user behavior data to behavior data of similar users).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson of determining anomalous activities with the teachings of Jones to include determining anomalous activities based on a comparison of current user data with historical data of similar users because the results would have been predictable and resulted in determining anomalous activities based on historical data of similar users. It would have also been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson of determining anomalous activities with the teachings of Jones to include determining anomalous activities based on a comparison of current user data with historical data of similar users in order to provide a more comprehensive behavioral baseline for authenticating the user.

As per claim 21, the claim claims a method essentially corresponding to the system claim 8 above, and is rejected, at least for the same reasons.

Claims 11 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson, and further in view of Sng US2015/0180868.
As per claim 11, Johansson in view of Gibson teaches the system of claim 1, wherein the one or more resource comprises software applications, application proxies, network services, mobile device managers, desktop access, and server access (Johansson col 3 lines 55-67, col 6 lines 30-35, secure resources; Gibson paragraph [0032], [0051], [0058], resources). 
Johansson in view of Gibson does not explicitly disclose wherein operations further comprise: providing, one or more resources, an identity token for user related to authentication of the user.
Sng teaches wherein operations further comprise: providing, one or more resources, an identity token for user related to authentication of the user (Sng paragraph [0028], providing token).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson with the teachings of Sng to include issuing and providing a security token in order to provide single sign-on solution and identity management via the issued token.

As per claim 24, the claim claims a method essentially corresponding to the system claim 11 above, and is rejected, at least for the same reasons.

Claims 12 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Johansson in view of Gibson and Sng, and further in view of Chia et al. US2008/0072301 hereinafter referred to as Chia.
As per claim 12, Johansson in view of Gibson and Sng teaches the system of claim 11, wherein the removing the user's access to the one or more resources comprises informing the one or more resources of the anomalous activity (Gibson paragraph [0031], [0058]).
Johansson in view of Gibson and Sng does not explicitly disclose removing user's access to one or more resources based on identity token. 
Chia teaches removing user's access to one or more resources based on identity token (Chia paragraph [0083], log out user and revoke token).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Johansson in view of Gibson and Sng with the teachings of Chia to include revoking a user token when terminating the user’s session in order to prevent further use of the user token when the user is determined to be anomalous.

As per claim 25, the claim claims a method essentially corresponding to the system claim 12 above, and is rejected, at least for the same reasons.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/Primary Examiner, Art Unit 2495