Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This communication is in response to Applicant's Amendment filed 11/03/2022.  Applicant has amended claims 1 and 10 and cancelled claims 8 and 17.  Currently, claims 1-7, 9-16, and 18-20 are pending in the application.

Response to Arguments
Applicant’s arguments filed in the amendment filed 11/03/2022, have been fully considered but are moot in view of new grounds of rejection.  The new grounds are explained below, in the rejection section of this office action.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-7, 9-16, 18-20 rejected under 35 U.S.C. 103 as being unpatentable over Turgeman et al. (WO 2022/130374 A1, hereinafter “Turgeman”) in view of Griffin et al. (US 2012/0144492 A1, hereinafter “Griffin”).

Regarding claim 1, Turgeman teaches:
1. A method, comprising: 
collecting (par 132; i.e. game-like operations and user reactions or behaviors are used for identification and fraud-detection purposes) telemetry data (par 132; i.e. gamification features) related to an interaction between a user and a device (par 132: “game-like operations (e.g., move or drag items, handle items relative to a virtual on-screen “magnet” in a particular location on the screen, complete an on-screen puzzle, rotate a spindle or on-screen wheels or handles of a virtual vault)”); 
evaluating the collected telemetry data based on a standard dataset associated with a previous interaction between the user and the device (par 134: “If the way in which the user drags-and-drops the digits onto the slots, matches previously-recorded information that indicates how the user typically performs such GUI operation”); 
determining whether the user is genuine or suspicious based on the evaluation (par 138: “ if the current manner of GUI utilization does not match the previously-determined user-specific profile of GUI utilization, then the system may declare that the user failed to authenticate, or that a possible fraud exists”); and 
Turgeman teaches in another embodiment:
enforcing a first authentication when the user is deemed genuine (par 139: “ In some embodiments, the present invention may be used to facilitate a process of PIN-reset or password-reset. For example, a PIN-reset process may require the user to enter his current PIN, both by entering the correct PIN value as well as (without the user necessarily knowing) in the particular GUI-utilization manner that matches his userspecific profile. If both factors are met…”; Examiner notes that this portion shows that a first authentication (i.e. two way authentication) is used for a user that is deemed genuine) and enforcing a second authentication when the user is deemed suspicious (par 139: “If both factors are met, then PIN-reset may be enabled, without the need to utilize a complex process in which the user is also contacted by phone or by email.”; Examiner notes that this portion implies that when the factors are not met (i.e. user is deemed suspicious), then a complex process of contacting the user by phone or email (i.e. a second form of authentication) is used).
Although Tugeman teaches that additional telemetry is collected for a PIN-reset process, and if all authentication matches, then the PIN-reset is enabled (i.e. authentication level has changed) without then need for other complex process from user (see par 138-139), however, Griffin more explicitly suggests:
collecting additional telemetry data (par 27; i.e. obtaining telemetry data); and
changing an authentication level on the fly when (par 7; i.e. protection level is dynamically variable) determining, from the additional telemetry data (par 19; i.e. user is profiled based on telemetry data), that the user is suspicious (par 7; i.e. protection level is dynamically variable based on what the user is attempting to do and the current threat conditions).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have implemented an on the fly authentication mechanism based on telemetry data collected in which a user is deemed a threat, as taught by Griffin, to Turgeman’s invention.  The motivation to do so would have been in order to mitigate threat by increasing protection on a host or decreasing access for the user (Griffin: par 38).
	
Regarding claim 2, the combination of Turgeman and Griffin teach:
2. The method of claim 1, further comprising registering the user by collecting telemetry data for generating the standard dataset (Turgeman: par 134, 138; i.e. previously recorded information or previously determined user specific information).

Regarding claim 3, the combination of Turgeman and Griffin teach:
3. The method of claim 1, wherein registering the user includes receiving an image from the user, generating a puzzle from the image and presenting the puzzle to the user (Turgeman: par 132, 137, see also par. 304).  
Regarding claim 4, the combination of Turgeman and Griffin teach:
4. The method of claim 3, wherein the telemetry data for the standard dataset includes interactions between the user and the device as the user solves the puzzle (Turgeman: par 132, 137).  

Regarding claim 5, the combination of Turgeman and Griffin teach:
5. The method of claim 4, wherein the interactions include one or more of: 
which part of the puzzle was selected first (Turgeman: par 154; i.e. drags a right side into the left); 
which part of the puzzle was selected N-th; 
which area of the puzzle is the user clicking; 
is the user solving the puzzle from the middle or the corners; 
time taken on moving one piece to a correct location; and 
information related to scroll, drag and drop, and mouse click movements (par 154; i.e. drag and drop pieces, solving the puzzle in particular direction…).  

Regarding claim 6, the combination of Turgeman and Griffin teach:
6. The method of claim 1, further comprising determining that the user is suspicious when less than a threshold percentage of parameters from the collected telemetry data match the standard dataset (Turgeman: par 37: “latency in user reaction; a greater latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a remote attacker or a RAT-based attacker; while a shorter latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a local (genuine) user and not a remote attacker”).

Regarding claim 7, the combination of Turgeman and Griffin teach:
7. The method of claim 1, further comprising, based on how the collected telemetry data matches the standard dataset, imposing a single layer authentication, a dual layer authentication, or a multi-factor authentication.  (Turgeman: par 29, 138)  
Claim 8 (Cancelled)  

Regarding claim 9, the combination of Turgeman and Griffin teach:
9. The method of claim 1, further comprising performing machine learning on all collected telemetry data to predict to generate a machine model configured to predict whether the user is genuine or suspicious (par 131: “the system “learns” the habits or the repeated habits of particular subscribers. ”, see also par 132: “utilize visible changes of the UI or GUI or the on-screen experience… in order to identify user(s) or detect possible fraud”).  

Regarding claim 10, all claims are set forth and rejected as previously discussed in claim 1.

Regarding claim 11, all claims are set forth and rejected as previously discussed in claim 2.

Regarding claim 12, all claims are set forth and rejected as previously discussed in claims 3.

Regarding claim 13, all claims are set forth and rejected as previously discussed in claim 4.

Regarding claim 14, all claims are set forth and rejected as previously discussed in claim 5.

Regarding claim 15, all claims are set forth and rejected as previously discussed in claim 6.

Regarding claim 16, all claims are set forth and rejected as previously discussed in claim 7.
Claim 17 (Cancelled)

Regarding claim 18, all claims are set forth and rejected as previously discussed in claim 9.

Regarding claim 19, Turgeman teaches:
19. A method, comprising: 
collecting (par 132; i.e. game-like operations and user reactions or behaviors are used for identification and fraud-detection purposes) telemetry data (par 132; i.e. gamification features) while registering a user to (par 132, 137, see also par. 304, i.e. login process is subject to utilizing gamification features) generate a standard dataset (par 134: “If the way in which the user drags-and-drops the digits onto the slots, matches previously-recorded information that indicates how the user typically performs such GUI operation”), the telemetry data related to input of a user while solving a puzzle based on an image provided by the user (par 132, 137, see also par. 304);
pre-authenticating the user based on new telemetry data and the standard dataset (par 138: “ if the current manner of GUI utilization does not match the previously-determined user-specific profile of GUI utilization, then the system may declare that the user failed to authenticate, or that a possible fraud exists”); 
Turgeman teaches in another embodiment:
authenticating the user, wherein a level of authentication is based on how the new telemetry data matches the standard dataset (par 138: “ if the current manner of GUI utilization does not match the previously-determined user-specific profile of GUI utilization, then the system may declare that the user failed to authenticate, or that a possible fraud exists” and par 139: “ In some embodiments, the present invention may be used to facilitate a process of PIN-reset or password-reset. For example, a PIN-reset process may require the user to enter his current PIN, both by entering the correct PIN value as well as (without the user necessarily knowing) in the particular GUI-utilization manner that matches his userspecific profile. If both factors are met…”; Examiner notes that this portion shows that authentication is used based on how the “factors are met”).
Although Tugeman teaches that additional telemetry is collected for a PIN-reset process, and if all authentication matches, then the PIN-reset is enabled (i.e. authentication level has changed) without then need for other complex process from user (see par 138-139), however, Griffin more explicitly suggests:
collecting additional telemetry data (par 27; i.e. obtaining telemetry data); and
changing an authentication level on the fly when (par 7; i.e. protection level is dynamically variable) determining, from the additional telemetry data (par 19; i.e. user is profiled based on telemetry data), that the user is suspicious (par 7; i.e. protection level is dynamically variable based on what the user is attempting to do and the current threat conditions).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have implemented an on the fly authentication mechanism based on telemetry data collected in which a user is deemed a threat, as taught by Griffin, to Turgeman’s invention.  The motivation to do so would have been in order to mitigate threat by increasing protection on a host or decreasing access for the user (Griffin: par 38).
Regarding claim 20,   the combination of Turgeman and Griffin teach:
20. The method of claim 19, further comprising setting a low authentication level when the new telemetry data meets or exceeds a threshold and setting a higher authentication level when the new telemetry data is below the threshold (Turgeman: par 37: “latency in user reaction; a greater latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a remote attacker or a RAT-based attacker; while a shorter latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a local (genuine) user and not a remote attacker”), wherein the threshold defines how the new telemetry data is supported by the standard dataset (Turgeman: par 37: “latency in user reaction; a greater latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a remote attacker or a RAT-based attacker; while a shorter latency (e.g., relative to previous measurements, or relative to a threshold value) may indicate that the user is a local (genuine) user and not a remote attacker”).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is 571-272-37391787.  The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-37393739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LIZBETH TORRES-DIAZ/           Primary Examiner, Art Unit 2495                                                                                                                                                                                                        
December 3, 2022