Prosecution Insights
Last updated: April 19, 2026
Application No. 17/933,985

USE-BASED SECURITY CHALLENGE AUTHENTICATION

Non-Final OA §103
Filed: Sep 21, 2022
Examiner: ALVARADO DAVID, DORIANNE
Art Unit: 2499
Tech Center: 2400 — Computer Networks
Assignee: International Business Machines Corporation
OA Round: 1 (Non-Final)
Grant Probability: 70% (Favorable)
OA Rounds: 1-2
To Grant: 3y 5m
With Interview: 89%

Examiner Intelligence

Grants 70% — above average
Career Allow Rate: 70% (31 granted / 44 resolved, +12.5% vs TC avg)
Strong +18% interview lift
Interview Lift: +18.2% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 5m
15 currently pending
Career history
Total Applications: 59 across all art units

Statute-Specific Performance

§101: 15.6% (-24.4% vs TC avg)
§103: 44.4% (+4.4% vs TC avg)
§102: 16.7% (-23.3% vs TC avg)
§112: 19.5% (-20.5% vs TC avg)
Based on career data from 44 resolved cases

Office Action

§103
DETAILED ACTION

The present Office Action is in response to an application filed on 09/21/2022 wherein claims 1-20 are pending and ready for examination.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 09/21/2021 is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-7, 9, 11, 15, 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Marien (US 20160191498 A1) in view of Zhai (US 20160042163 A1).

Regarding claim 1, Marien discloses a system comprising:

one or more processors (one or more server computers may comprise a data processor component such as a microprocessor – see [0063]); and

one or more computer-readable storage media collectively storing program instructions which, when executed by the one or more processors, are configured to cause the one or more processors to perform a method (a data storage component such as a RAM memory and/or a hard disk for storing data and computer code for carrying out one or more tasks and/or method steps – see [0063]) comprising:

collecting usage frequency metrics for features of an electronic device over time (the step of obtaining (personal historical application) data related to historical interactions of the user with the plurality of computer based applications may comprise obtaining some or all of this data from the plurality of computer based applications – see [0014]; see also [0021-23]; the SSO system may be adapted to generate or compose a series of questions to be submitted to the user […] related to the dynamic personal application information of the user and may be designed to probe the knowledge of the person claiming to be the user about that dynamic personal application information of the user – see [0030]; see also step 220, [0067], FIG. 2; examiner’s note: questions may involve parameters such as usage frequency, for example: “which email application have you been using most frequently in the last month?”, as discussed in [0030]);

determining a set of critical features of the features (not all information obtained in this way may have the same significance […] – see [0032]; the SSO system may therefore be adapted to judiciously select the information about which to ask the user questions […] for example, the SSO system may be adapted to preferably select information that is difficult to guess by other persons than the legitimate user – see [0033]);

determining whether a condition is met for use-based authentication (the SSO system may use the dynamic personal application data questions authentication mechanism as an alternative or back-up to a traditional authentication mechanism to authenticate the user, for example in case that the traditional authentication mechanism has been compromised or is no longer useable or accessible to the user – see [0051]; see also [0045] and [0053]);

generating, in response to determining that the condition is met for use-based authentication, a use-based security challenge using a critical feature of the set of critical features, the use-based security challenge based on use frequency of the critical feature (the SSO system may be adapted to generate or compose a series of questions to be submitted to the user; these questions may be related to the dynamic personal application information of the user and may be designed to probe the knowledge of the person claiming to be the user about that dynamic personal application information of the user – see [0030]; the SSO system may use the dynamic personal application data questions authentication mechanism as a back-up authentication mechanism to authenticate the user and for example to issue the user new credentials for the traditional authentication mechanism (such as resetting a password and issuing the new value of the password to the user) – see [0051-53]; examiner’s note: questions may involve parameters such as usage frequency, for example: “which email application have you been using most frequently in the last month?”, as discussed in [0030]);

presenting the generated use-based security challenge to a user (the person claiming to be a particular user may be presented with a series of questions relating to the historical interactions of the user with the plurality of computer based applications – see [0019]; the SSO system may comprise […] a question presentation component (330) adapted to submit a series of questions to a person claiming to be the user, the questions relating to the historical interactions of the user with the plurality of computer based applications – see [0091], FIG. 3; see also step 230, [0068], FIG. 2);

receiving a response to the use-based security challenge from the user (see also step 240: the step of receiving (240) from the person claiming to be the user answers to the series of questions, [0068], FIG. 2; see also [0011-13]);

determining a sufficiency of the response to the use-based security challenge (the SSO system may be adapted to compare the application information related to the user that has been obtained by the SSO on the one hand to the answers provided by the person claiming to be the user to these questions on the other hand – see [0030]; the SSO system may obtain some measure of the degree the user answered the questions overall correctly and may use that measure as an indication of the probability the person who claims to be a particular user is effectively the legitimate user – see [0039]; see also [0038-42]; see also step 250/255, [0070], FIG. 2); and

authorizing access to the electronic device based on the sufficiency of the response to the security challenge (SSO server (130) for authenticating the user and for providing the user access to the various computer based applications – see [0060]; the step of using (260) the outcome of the evaluation of the answers in for example deciding on whether or not to authenticate the person claiming to be the user, e.g., to a computer system, network, and/or application - see [0071] and step 260, FIG. 2; see also [0050]).

Marien discloses the selection of “critical features” in terms of significance and difficulty (see [0032-33]), freshness (using more recent data – see [0034]), heterogeneity (see [0035-36]), etcetera. Marien also discloses collecting “usage frequency metrics” as one of the security challenge questions that may be presented to the user relates to which email application the user has been using most frequently in the last month, for instance (see [0030]). Nevertheless, Marien does not disclose [determining a set of critical features of the features] based on the collected usage frequency metrics, wherein each critical feature of the set of critical features has a usage frequency exceeding a usage frequency threshold.

Note: limitations in brackets are added for context but are taught by the primary reference.

However, in the same field of endeavor, Zhai discloses a system and method for user authentication using first and second-type authentication information, including specific interaction behavior and occurrence frequency, and presenting an authentication challenge set to the user (see abstract) wherein the system and method include [determining a set of critical features of the features] based on the collected usage frequency metrics, wherein each critical feature of the set of critical features has a usage frequency exceeding a usage frequency threshold (the specific interaction behavior of the terminal may include a behavior that the terminal accesses an application in the terminal, and the first-type authentication information and the second-type authentication information are specific attribute information of the application – see [0061]; the first-type authentication information includes the specific attribute information that is in the specific attribute information of the interaction object corresponding to the specific interaction behavior of the terminal and whose occurrence frequency within the preset time falls in the preset range, where the occurrence frequency falls in the preset range, and this range may be an absolute frequency range, or may be a relative frequency range [[i.e., threshold]] – see [0063]; determining a first-type authentication information includes configuring a parameter which may include a valid time requirement T on use of an application (e.g. specific number of days or hours, etc.) and an occurrence frequency requirement X on use of the application (e.g., preset quantity of times, ranking, percentage, etc.); with this information a set L of first-type APP information is determined – see [0226], [0232-0238] and FIG. 6; see also [0071] and FIG. 1; examiner’s note: as explained with different examples of “critical features” (i.e., contact information in FIG. 2, played music in FIG. 3, accessed website in FIG. 4, read ebook in FIG. 5 and used application in FIG. 6) the first-type authentication information is based on specific attributes of the “critical features” and these features are chosen based on “usage frequency metrics” T and X, and included in a set L, for instance, in order to generate a challenge set to authenticate the user as discussed in [0239-0247]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien to include [determining a set of critical features of the features] based on the collected usage frequency metrics, wherein each critical feature of the set of critical features has a usage frequency exceeding a usage frequency threshold, as taught by Zhai. One would have been motivated to make such a combination because information about a recently most frequently used specific interaction object belongs to information within a memory period of the user, a memory price of the user can be reduced, and meanwhile, authentication information that appears each time is not fixed, which can also avoid the authentication information from being stolen due to a peep, resulted from incaution, at the authentication information; thus, reducing the memory price of memorizing the authentication information by the user, and also providing certain anti-peeping capability at the same time, as recognized by Zhai (see [0071]).

Regarding claim 3, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above.
Furthermore, Marien discloses the system, wherein the condition includes determining that a currently set authentication mechanism has been failed (the SSO system may use the dynamic personal application data questions authentication mechanism in addition ([0045]) or as an alternative or back-up to a traditional authentication mechanism in case that the traditional authentication mechanism has been compromised or is no longer useable or accessible to the user, for example if the static password has been compromised or has been blocked due to too many wrong attempts or forgotten by the user – see [0045] and [0051]; examiner’s note: too many wrong attempts or forgotten password is being considered as an authentication failure).

Regarding claim 4, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Furthermore, Marien discloses the system, wherein the usage frequency metrics include a number of usage interactions for the features (the personal historical application data may comprise data related to the time and/or date of the user accessing one or more of the computer based applications; the personal historical application data may comprise data related to the time and/or date of the user doing certain interactions with one or more of the computer based applications – see [0021]; the SSO system may be adapted to generate or compose a series of questions to be submitted to the user asking, for instance, “which email application have you been using most frequently in the last month?” – see [0030]; the system could ask a series of multiple choice questions; for example the first question could be “please indicate all of the following applications (if any) that you have accessed in the last month: app X, app Y, app Z, none of the above ?”; if the user responded “app X and app Z” the next question could be “when did you last access app X: today, yesterday, last week, longer ago than last week, I don't remember ?” – see [0047] examiner’s note: there is an inherent usage frequency metric that includes a number of usage interactions with the feature (i.e., email application) as, by definition, frequency is number of times an event occurs; there is also a usage interaction metric as the system knows if/when the user accessed (i.e., launched) certain application(s)).

Moreover, Zhai also discloses the system, wherein the usage frequency metrics include a number of usage interactions for the features (a parameter of a first-type APP information selection method, which may include a valid time requirement (denoted as T, for example, three days, five days, or 10 hours) on use of an APP, and an occurrence frequency requirement (denoted as X, representing a preset quantity of times, for example, five times, or representing preset ranking, for example, the top three, or representing a preset percentage, for example, 3%) on use of the APP; first-type APP information determined based on T and X may be denoted as L – see [0226]; examiner’s note: occurrence frequency (e.g., quantity of times on use of the APP) is being considered as a usage frequency metric including number of usage interactions).

Note: In this particular instance, Marien is considered to be teaching all the limitations of claim 4 and Zhai is included to show that it also teaches these limitations. Thus, no motivation to combine is required.

Regarding claim 5, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Marien discloses determining “critical features” in terms of significance and difficulty (see [0032-33]), freshness (using more recent data – see [0034]), heterogeneity (see [0035-36]), etcetera.
Marien also discloses collecting “usage interaction metrics” as one of the security challenge questions that may be presented to the user relates to which email application the user has been using most frequently in the last month, for instance (see [0030]), and/or “please indicate all of the following applications (if any) that you have accessed in the last month: app X, app Y, app Z, none of the above ?”; if the user responded “app X and app Z” the next question could be “when did you last access app X: today, yesterday, last week, longer ago than last week, I don't remember ?” (see [0047]). Nevertheless, Marien does not disclose the system, wherein the critical feature is determined to be critical based on a usage interaction metric for the critical feature exceeding a usage interaction threshold.

However, in the same field of endeavor, Zhai discloses the system, wherein the critical feature is determined to be critical based on a usage interaction metric for the critical feature exceeding a usage interaction threshold (the specific interaction behavior of the terminal may include a behavior that the terminal accesses an application in the terminal, and the first-type authentication information and the second-type authentication information are specific attribute information of the application – see [0061]; the first-type authentication information includes the specific attribute information that is in the specific attribute information of the interaction object corresponding to the specific interaction behavior of the terminal and whose occurrence frequency within the preset time falls in the preset range, where the occurrence frequency falls in the preset range, and this range may be an absolute frequency range, or may be a relative frequency range [[i.e., threshold]] – see [0063]; determining a first-type authentication information includes configuring a parameter which may include a valid time requirement T on use of an application (e.g. specific number of days or hours, etc.) and an occurrence frequency requirement X on use of the application (e.g., preset quantity of times, ranking, percentage, etc.); with this information a set L of first-type APP information is determined – see [0226], [0232-0238] and FIG. 6; see also [0071] and FIG. 1; examiner’s note: as explained with different examples of “critical features” (i.e., contact information in FIG. 2, played music in FIG. 3, accessed website in FIG. 4, read ebook in FIG. 5 and used application in FIG. 6) the first-type authentication information is based on specific attributes of the “critical features” and these features are chosen based on “usage frequency metrics” T and X, and included in a set L, for instance, in order to generate a challenge set to authenticate the user as discussed in [0239-0247]; X includes usage interaction metrics as it takes into consideration the quantity of times an APP is used (e.g., launched/accessed/opened)).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien to include the system, wherein the critical feature is determined to be critical based on a usage interaction metric for the critical feature exceeding a usage interaction threshold, as taught by Zhai.
One would have been motivated to make such a combination because information about a recently most frequently used specific interaction object belongs to information within a memory period of the user, a memory price of the user can be reduced, and meanwhile, authentication information that appears each time is not fixed, which can also avoid the authentication information from being stolen due to a peep, resulted from incaution, at the authentication information; thus, reducing the memory price of memorizing the authentication information by the user, and also providing certain anti-peeping capability at the same time, as recognized by Zhai (see [0071]).

Regarding claim 6, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Marien does not disclose the system, wherein the usage frequency metrics include a viewing time for the features.

However, Zhai discloses the system, wherein the usage frequency metrics include a viewing time for the features (a parameter of a first-type APP information selection method, which may include a valid time requirement (denoted as T, for example, three days, five days, or 10 hours) on a record of accessing a contact – see [0086]; on playback of a musical work – see [0125]; on website information – see [0161]; on reading of an ebook – see [0194]; on use of an APP – see [0226]; examiner’s note: there is a metric of the time spent using (i.e., actually interacting; e.g., reading, playing back music) an application).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien to include the system, wherein the usage frequency metrics include a viewing time for the features, as taught by Zhai.
One would have been motivated to make such a combination because information about a recently most frequently used specific interaction object belongs to information within a memory period of the user, a memory price of the user can be reduced, and meanwhile, authentication information that appears each time is not fixed, which can also avoid the authentication information from being stolen due to a peep, resulted from incaution, at the authentication information; thus, reducing the memory price of memorizing the authentication information by the user, and also providing certain anti-peeping capability at the same time, as recognized by Zhai (see [0071]).

Regarding claim 7, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Marien does not disclose the system, wherein the critical feature is determined to be critical based on a viewing time metric for the critical feature exceeding a viewing time threshold.

However, Zhai discloses the system, wherein the critical feature is determined to be critical based on a viewing time metric for the critical feature exceeding a viewing time threshold (a parameter of a first-type APP information selection method, which may include a valid time requirement (denoted as T, for example, three days, five days, or 10 hours) on a record of accessing a contact – see [0086]; on playback of a musical work – see [0125]; on website information – see [0161]; on reading of an ebook – see [0194]; on use of an APP – see [0226]; examiner’s note: there is a metric of the time spent using (i.e., actually interacting; e.g., reading, playing back music) an application; the time requirement T is configured as a threshold (e.g., 3 days, 5 days, 10 hrs.)).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien to include the system, wherein the critical feature is determined to be critical based on a viewing time metric for the critical feature exceeding a viewing time threshold, as taught by Zhai. One would have been motivated to make such a combination because information about a recently most frequently used specific interaction object belongs to information within a memory period of the user, a memory price of the user can be reduced, and meanwhile, authentication information that appears each time is not fixed, which can also avoid the authentication information from being stolen due to a peep, resulted from incaution, at the authentication information; thus, reducing the memory price of memorizing the authentication information by the user, and also providing certain anti-peeping capability at the same time, as recognized by Zhai (see [0071]).

Regarding claim 9, all limitations correspond to the method performed by the system of claim 1. Therefore, claim 9 is being rejected on the same basis as claim 1.

Regarding claim 11, all limitations correspond to the method performed by the system of claim 3. Therefore, claim 11 is being rejected on the same basis as claim 3.

Regarding claim 15, Marien discloses a computer program product comprising one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising instructions configured to cause one or more processors to perform the method of claim 9 in the system of claim 1 (a data storage component such as a RAM memory and/or a hard disk for storing data and computer code for carrying out one or more tasks and/or method steps – see [0063]). The remaining limitations of claim 15 are similar in scope to those of claims 1 and 9.
Therefore, claim 15 is rejected for the same reasons as set forth in the rejection of claim 1 above.

Regarding claim 17, all limitations correspond to the method performed by the system of claim 3. Therefore, claim 17 is being rejected on the same basis as claim 3.

Regarding claim 18, Marien and Zhai disclose all the claimed subject matter recited in claim 15 above. Marien does not disclose the computer program product, wherein the usage frequency metrics include a viewing time for each of the features.

However, Zhai discloses the computer program product, wherein the usage frequency metrics include a viewing time for each of the features (a parameter of a first-type APP information selection method, which may include a valid time requirement (denoted as T, for example, three days, five days, or 10 hours) on a record of accessing a contact – see [0086]; on playback of a musical work – see [0125]; on website information – see [0161]; on reading of an ebook – see [0194]; on use of an APP – see [0226]; examiner’s note: there is a metric of the time spent using (i.e., actually interacting; e.g., reading, playing back music) an application; there is a parameter T for each of the features (e.g., music playback, ebook reading, APPs)).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien to include the computer program product, wherein the usage frequency metrics include a viewing time for each of the features, as taught by Zhai.
One would have been motivated to make such a combination because information about a recently most frequently used specific interaction object belongs to information within a memory period of the user, a memory price of the user can be reduced, and meanwhile, authentication information that appears each time is not fixed, which can also avoid the authentication information from being stolen due to a peep, resulted from incaution, at the authentication information; thus, reducing the memory price of memorizing the authentication information by the user, and also providing certain anti-peeping capability at the same time, as recognized by Zhai (see [0071]).

Regarding claim 19, all limitations correspond to the method performed by the system of claim 7. Therefore, claim 19 is being rejected on the same basis as claim 7.

Claims 2, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Marien (US 20160191498 A1) and Zhai (US 20160042163 A1), as applied to claims 1, 9 and 15, and in further view of Crawford et al. (US 20120214442 A1), hereinafter Crawford.

Regarding claim 2, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Furthermore, Marien discloses the SSO system may use the dynamic personal application data questions authentication mechanism in addition or as an alternative or back-up to a traditional authentication mechanism in case that the traditional authentication mechanism has been compromised or is no longer useable or accessible to the user, among other scenarios – see [0045] and [0051]. Marien and Zhai do not disclose the system, wherein the condition includes determining whether a threshold period of inactivity on the device has lapsed.

However, in the same field of endeavor, Crawford discloses a system and method for controlling access to a computing device by generating an authentication challenge based on information about an activity or interaction of a user with the device (see abstract, [0021]) including the system, wherein the condition includes determining whether a threshold period of inactivity on the device has lapsed (FIG. 1A illustrates an example interface 106 by which an individual attempting to gain access to smart phone 100 may receive and respond to an authentication challenge; as indicated by notification 104, the smart phone 100 has gone into an inactive state (e.g., after a predetermined period of time has passed without receiving any user input) and the example touchscreen display 102 of the phone has been "locked" (e.g., access to applications and non-emergency phone functionality is prohibited); example elements of interface 106 include an authentication challenge message 108 and input elements 110, 112 and 114 for responding to the authentication challenge; the individual is required to confirm, or not, that the named individual was called at the indicated telephone number within the indicated time period (e.g., the last seven days); if the individual answers the question correctly, the smart phone 100 is unlocked (e.g., access is granted); if the individual cancels or answers incorrectly, the display 102 remains locked – see [0039]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien and Zhai to include the system, wherein the condition includes determining whether a threshold period of inactivity on the device has lapsed, as taught by Crawford. One would have been motivated to make such a combination to provide a desired level of security while improving the usability of a computing device for the user, as recognized by Crawford (see [0011] and [0037]).

Regarding claim 10, all limitations correspond to the method performed by the system of claim 2. Therefore, claim 10 is being rejected on the same basis as claim 2.

Regarding claim 16, all limitations correspond to the method performed by the system of claim 2. Therefore, claim 16 is being rejected on the same basis as claim 2.

Claims 8, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Marien (US 20160191498 A1) and Zhai (US 20160042163 A1), as applied to claims 1, 9 and 15, and in further view of Bar et al. (US 20170289168 A1), hereinafter Bar.

Regarding claim 8, Marien and Zhai disclose all the claimed subject matter recited in claim 1 above. Furthermore, Marien discloses the system, wherein the use-based security challenge is generated using a machine learning algorithm using the content of user interactions]] as an input (the SSO system may submit questions regarding the content of the interaction of the user with a certain application; the SSO system may use artificial intelligence and/or expert systems and/or systems for interpreting human language to interpret the application content for formulating meaningful questions and/or to interpret the user's answers and to compare the answers to the information collected from the application in order to judge the degree of correctness of the answers – see [0044]).
Marien discloses that the SSO system may be adapted to generate or compose a series of questions to be submitted to the user asking, for instance, “which email application have you been using most frequently in the last month?” – see [0030]; and, that the system could ask a series of multiple choice questions; for example the first question could be “please indicate all of the following applications (if any) that you have accessed in the last month: app X, app Y, app Z, none of the above ?”; if the user responded “app X and app Z” the next question could be “when did you last access app X: today, yesterday, last week, longer ago than last week, I don't remember ?” – see [0047]. Thus, Marien discloses generating challenge questions based on usage frequency metrics. Marien does not explicitly user-related activity information includes application usage history _ see [0139] - disclose using usage frequency metrics as inputs to the machine learning algorithm. Zhai does not disclose using usage frequency metrics as inputs to the machine learning algorithm.
However, Bar discloses a system and method to provide a mechanism for controlling access to secure computing resources based on inferred user authentication, wherein access is permitted based on a determined probability that the current user is a legitimate user associated with the secure computing resource (see abstract) and includes the system, wherein the use-based security challenge is generated using a machine learning algorithm using the usage frequency metrics as an input (user-related activity of a legitimate user is monitored to determine a user persona model for the legitimate user; the user-related activity may include user interactions with one or more user devices associated with the legitimate user; user-related activity of the legitimate user also may be used for generating security challenges such as the question-answer pairs – see [0021]; user-related activity information may include, without limitation, location(s), date or time, app usage, online activity, searches, calls, usage duration, application data (e.g. emails, messages, posts, user status, notifications, etc.), audio or visual information (which may be detected by a microphone, camera, or similar sensor on or associated with a user device) or nearly any other data related to user interactions with the user device or user activity via a user device that may be detected or determined – see [0050]; the user persona models, or any activity patterns included in a persona model, may be determined using persona model logic 230; persona model logic 230 may employ machine learning mechanisms to determine feature similarity, or other statistical measures to determine the activity events belonging to a set of “example user actions” that support determining an activity pattern – see [0076]; persona model logic 230 may include logic used for generating security challenges, such as specific types or categories of questions: logic specifying the criteria of legitimate user-related information to be used (e.g. the recency, type, category, such as user interactions, recent venues visited, browsing or app history, or the like) – see [0077]; a security challenge may ask the user to name the contact that the user called the most during the last three days; a security challenge may be temporal as well as dynamic, and thus harder to compromise than traditional security measures – see [0025]; see also [0051-54]; examiner’s note: the persona model logic generates challenge questions using machine learning mechanism that determines activity patterns based on user-related activity information, including application usage duration).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien and Zhai to include the system, wherein the use-based security challenge is generated using a machine learning algorithm using the usage frequency metrics as an input, as taught by Bar.
One would have been motivated to make such a combination to provide a significant improvement over traditional password-based security and authorization mechanisms, because it is highly improbable that a hacker or unauthorized user would know or be able to determine the answers to such questions, as recognized by Bar (see [0025]).

Regarding claim 14, all limitations correspond to the method performed by the system of claim 8. Therefore, claim 14 is being rejected on the same basis as claim 8.

Regarding claim 20, all limitations correspond to the method performed by the system of claim 8. Therefore, claim 20 is being rejected on the same basis as claim 8.

Claims 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Marien (US 20160191498 A1) and Zhai (US 20160042163 A1), as applied to claims 1 and 9, and in further view of Sirisilla et al. (US 20170223171 A1), hereinafter Sirisilla.

Regarding claim 12, Marien and Zhai disclose all the claimed subject matter recited in claim 9 above. Marien and Zhai do not disclose the method, wherein the usage frequency metrics include a launch time for each of the features.
However, in the same field of endeavor, Sirisilla discloses a system and method for providing an additional authentication mechanism and layer of security to an already existing mechanism in a mobile device (see abstract) including the method, wherein the usage frequency metrics include a launch time for each of the features (the usage statistics of the plurality of mobile software applications are calculated based on the parameters, wherein the parameters are stored in the usage bracket matrix – see [0024]; at the step (306), one or more parameters are calculated for one or more mobile applications using the collected data points at a periodically at time interval of “t”; the set of parameter comprises a usage percentage (p1); the p1 is calculated as the total time spent in hours in a wave multiplied by 100 (p1=(Total Time spent on app (in hours) in a wave/w)*100) [[i.e., viewing time]]; the application launch frequency percentage (p2) is calculated by number of times the mobile software application is launched in a wave divided by total number of all applications launches in a wave multiply by 100 (p2=(Number of times the application are launched in a wave/Total number of all applications launches in a wave)*100); a longest active duration for the applications (p3) wherein p3 indicates longest duration of active applications usage in a single session [[i.e., launch time]] – see [0026]; see also FIG. 4).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system in Marien and Zhai to include the method, wherein the usage frequency metrics include a launch time for each of the features, as taught by Sirisilla.
One would have been motivated to make such a combination to provide an additional layer of security to an authentication mechanism available on a mobile device by leveraging mobile application usage patterns which are unique and only known to the user, as recognized by Sirisilla (see [0002-0006]).

Regarding claim 13, Marien and Zhai disclose all the claimed subject matter recited in claim 9 above. Marien does not disclose the method, wherein the critical feature is determined to be critical based on a launch time metric for the critical feature exceeding a launch time threshold.

However, Zhai discloses the system, wherein the critical feature is determined to be critical based on a [[viewing]] time metric for the critical feature exceeding a [[viewing]] time threshold (a parameter of a first-type APP information selection method, which may include a valid time requirement (denoted as T, for example, three days, five days, or 10 hours) on a record of accessing a contact – see [0086]; on playback of a musical work – see [0125]; on website information – see [0161]; on reading of an ebook – see [0194]; on use of an APP – see [0226]; examiner’s note: there is a metric of the time spent using (i.e., actually interacting; e.g., reading, playing back music) an application; the time requirement T is configured as a threshold (e.g., 3 days, 5 days, 10 hrs.)). Zhai does not disclose using a launch time to determine a critical feature.
However, Sirisilla discloses calculating usage frequency metrics including a launch time for each of the features (the usage statistics of the plurality of mobile software applications are calculated based on the parameters, wherein the parameters are stored in the usage bracket matrix – see [0024]; at the step (306), one or more parameters are calculated for one or more mobile applications using the collected data points at a periodically at time interval of “t”; the set of parameter comprises a usage percentage (p1); the p1 is calculated as the total time spent in hours in a wave multiplied by 100 (p1=(Total Time spent on app (in hours) in a wave/w)*100) [[i.e., viewing time]]; the application launch frequency percentage (p2) is calculated by number of times the mobile software application is launched in a wave divided by total number of all applications launches in a wave multiply by 100 (p2=(Number of times the application are launched in a wave/Total number of all applications launches in a wave)*100); a longest active duration for the applications (p3) wherein p3 indicates longest duration of active applications usage in a single session [[i.e., launch time]] – see [0026]; see also FIG. 4).

Thus, Zhai and Sirisilla each disclose tracking application usage time parameters (e.g., viewing time/launch time) in order to compute a usage pattern for a usage-based authentication method (see Zhai, [0221-0247] and Sirisilla, [0023-26]). A person of ordinary skill in the art before the effective filing date of the claimed invention would have recognized that if a launch time (i.e., p3 in Sirisilla) of a feature (e.g., application) can be calculated and used as a parameter for usage pattern, as taught by Sirisilla ([0026]), it can also be used as a threshold to determine a critical feature the same way a viewing time (i.e., T in Zhai; p1 in Sirisilla) is used as a threshold to determine a critical feature in Zhai.
Furthermore, a person of ordinary skill in the art would have been able to carry out the modification. Finally, the modification had a reasonable expectation of success due to the fact that a longest active duration for the applications (p3) wherein p3 indicates longest duration of active applications usage in a single session (i.e., launch time) can be tracked, calculated and used as a parameter for usage pattern computation (Sirisilla, [0026]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the launch time (i.e., longest active duration for the applications) of Sirisilla for the viewing time (i.e., valid time requirement T) of Zhai according to known methods to yield the predictable result of providing a usage metric to determine a usage pattern to be used in a usage-based authentication mechanism.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

US Patent Documents
Castro et al. (US 20140137219 A1) - AUTOMATICALLY GENERATING CHALLENGE QUESTIONS INFERRED FROM USER HISTORY DATA FOR USER AUTHENTICATION
Dotan-Cohen et al. (US 20200401612 A1) - COMPUTER SPEECH RECOGNITION AND SEMANTIC UNDERSTANDING FROM ACTIVITY PATTERNS
McLachlan et al. (US 20140189829 A1) - ADAPTIVE SECONDARY AUTHENTICATION CRITERIA BASED ON ACCOUNT DATA
Votaw et al. (US 20160055326 A1) - DETERMINING USER AUTHENTICATION BASED ON USER/DEVICE INTERACTION
Weber et al. (US 20170317993 A1) - USER AUTHENTICATION BASED ON TRACKED ACTIVITY

Foreign Patent Documents (original and translation provided)
Bolshakov (WO 2021118399 A1) - METHOD AND SYSTEM FOR DYNAMIC AUTHENTICATION AND RISK ASSESSMENT OF A USER

Non-Patent Literature
Ciria, et al. (2014, July). The history-based authentication pattern.
Mahbub, et al. (2019). Continuous authentication of smartphones based on application usage.
Progonov, et al. (2022). Behavior-based user authentication on mobile devices in various usage contexts.
Skračić, et al. (2017). Authentication approach using one-time challenge generation based on user behavior patterns captured in transactional data sets.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DORIANNE ALVARADO DAVID whose telephone number is (571)272-4228. The examiner can normally be reached 9:00am-5:00pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DORIANNE ALVARADO DAVID/
Examiner, Art Unit 2499

/PHILIP J CHEA/
Supervisory Patent Examiner, Art Unit 2499

Prosecution Timeline

Sep 21, 2022
Application Filed
Sep 27, 2023
Response after Non-Final Action
Oct 21, 2025
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602502
SYSTEM AND METHOD FOR PROVIDING TRUSTWORTHY ACCESS ENFORCEMENT TO MICROSERVICE CONTAINER IMAGES ON ORCHESTRATION PLATFORMS
2y 5m to grant Granted Apr 14, 2026
Patent 12591714
MITIGATING SIDE CHANNEL ATTACKS
2y 5m to grant Granted Mar 31, 2026
Patent 12579311
IDENTIFY AND OBFUSCATE SENSITIVE DATA BEFORE INGESTING TO GENERATIVE AI ENGINES
2y 5m to grant Granted Mar 17, 2026
Patent 12579845
Correlation-Based Object Anti-Spoofing for Dual-Pixel Cameras
2y 5m to grant Granted Mar 17, 2026
Patent 12513520
COMMUNICATION APPARATUS, CONTROL METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Dec 30, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
70%
Grant Probability
89%
With Interview (+18.2%)
3y 5m
Median Time to Grant
Low
PTA Risk
Based on 44 resolved cases by this examiner. Grant probability derived from career allow rate.
