Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action pertains to the U.S. patent application 18365781 filed on August 4, 2023, and is responsive to Applicant’s Amendment filed on March 10, 2026.
Claims 1, 3-8 and 10-20 were pending. Independent claims 1, 8 and 15 have been amended. New claims 21-22 have been added. As a result of the foregoing, claims 1, 3-8 and 10-22 are pending and have been examined in this application. This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on March 10, 2026, with respect to limitations listed below, have been fully considered but they are not persuasive as follows.
Applicant’s arguments: “The Examiner acknowledged that amendments according to those included herein would likely overcome the present rejection subject to further search and consideration”.
The Examiner respectfully traverses, and respectfully notes that the February 25, 2026, Interview Summary document expressly indicated that “No agreement was reached…” In any event, it has been determined that the March 10, 2026, claim amendments have not overcome the present rejection, as shown by the rejection(s) ahead.
Applicant’s arguments: “…independent claim I is amended to recite inter alia ''transmitting, in response to receiving the interaction request, a software package to the user device, the software package comprising instructions executable to generate a first similarity-preserving hash based on real-time behavior data of a target entity associated with the user device," ''receiving from the user device, the first similarity-preserving hash that comprises a first one-way encrypted feature vector based on the real-time behavior data of the target entity with respect to the interactive computing environment," and ''the first similarity-preserving hash is generated using the same instructions as the second similarity-preserving hash." Applicant respectfully submits that Mainali does not disclose or make obvious each and every feature of amended claim 1.”.
The Examiner respectfully traverses, and respectfully notes: Mainali para. [0006], “active involvement and cooperation in the authentication process of the user that is being authenticated, for example by requiring the user to provide a password or communicate a dynamic credential”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0095], “may be performed at a personal client computing device associated with said user, whereby said personal client computing device may be physically distinct from said authentication server”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device”.
Applicant’s arguments: “…neither Mainali's dynamic credential nor Mainali's contextual data are the same as the similarity-preserving hash, as in amended claim 1. For example, Mainali does not disclose or even contemplate transmitting a software package to a user device to cause the user device to provide a similarity-preserving hash. Thus, Mainali does not disclose or make obvious each and every feature of amended claim 1.”
The Examiner respectfully traverses, and respectfully notes the following: Mainali para. [0053], “the privacy preserving anonymization transformation of a contextual data element may comprise or may consist of applying a one-way function to the value of the contextual data element, wherein a one-way function is a mathematical function that is easy to compute on every input, but hard to invert given the image (i.e., the result of applying the function) of a random input. For example, in some embodiments the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”; Mainali para. [0096], “…anonymizing the collected one or more sets of contextual data are performed by a software application running on said personal client computing device”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0172], “The one or more sets of anonymized collected recent contextual data may be transmitted, for example by the user's smartphone or access device, to an authentication server, for example the ConSec-Auth application, which may match the received anonymized recent contextual data against the user authentication data models”; Mainali para. [0171], “The behavior contextual data may include for example data representing: apps used by the user, apps usage duration, phone call pattern and phone call duration.”).
Claim Interpretation - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “processing device for …causing/receiving/transmitting/providing/generating/initiating/challenging/synchronizing/revoking” recited in claims 15-2
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 3-8 and 10-22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mainali (“Mainali”; US20190260730A1).
Per claim 1: Mainali discloses a system (Mainali FIG. 1B) comprising:
a processor (Mainali para. [0143], “a microprocessor or a CPU (Central Processing Unit)”); and
a non-transitory computer-readable medium (Mainali para. [0143], “); one or more memory components, such as for example a RAM (Random Access Memory) memory or a hard disk, for storing data or instructions”) comprising instructions that are executable by the processor to cause the processor to perform operations comprising:
receiving an interaction request from a user device, the interaction request comprising a request to access an interactive computing environment (Mainali para. [0143], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”);
transmitting, in response to receiving the interaction request, (Mainali para. [0006], “active involvement and cooperation in the authentication process of the user that is being authenticated, for example by requiring the user to provide a password or communicate a dynamic credential”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0095], “may be performed at a personal client computing device associated with said user, whereby said personal client computing device may be physically distinct from said authentication server”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device”);
receiving from the user device, the first similarity-preserving hash (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) that comprises a first one-way encrypted feature vector (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) based on the real-time behavior data of the target entity with respect to the interactive computing environment (Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”);
receiving entity data relating to a known entity, the entity data comprising interaction data that indicates a manner in which the known entity historically interacted with webpages (Mainali para. [0165], “ConSec-Auth application, comprising an enrollment phase and an authentication phase. During the enrollment phase, which may for example last for about 4 weeks, the enrollment contextual data may be collected for a particular user. These enrollment contextual data may be used, e.g., by the ConSec-Auth application, to learn user authentication data models for that particular user. The learned user authentication data models may then be used, e.g., by the ConSec-Auth application, in the authentication phase to authenticate that user.”; Mainali para. [0014], “applications or websites that they have accessed”; Mainali para. [0138], “embodiments described in detail below may be applied to other embodiments”);
generating, using the instructions from the software package, a second similarity-preserving hash based on at least a portion of the entity data that relates to the known entity (Mainali para. [0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data mentioned above. The one or more sets of anonymized collected recent contextual data may be transmitted, for example by the user's smartphone or access device, to an authentication server, for example the ConSec-Auth application, which may match the received anonymized recent contextual data against the user authentication data models”; Mainali para. [0171], “The behavior contextual data may include for example data representing: apps used by the user, apps usage duration, phone call pattern and phone call duration.”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device. In some embodiments, said software application may comprise the anonymization component of the fourth set of embodiments.”) wherein the second similarity--preserving hash is a second one-way encrypted feature vector based on historical behavior data of the known entity with respect to the interactive computing environment (Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”), and wherein the first similarity -preserving hash is generated using the same (Mainali para. [0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data”; Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”);
determining, based on a comparison between the first one-way encrypted feature vector and the second one-way encrypted feature vector, a likelihood that the interaction request from the user device is legitimate (Mainali para. [0297], “a corresponding feature vector (f) may be computed and standardized, exactly as before during the learning. The feature vector may then be compared to the authentication data models which may have been obtained during the enrolment phase (and which may have been updated one or more times since then). An authentication score may be computed from the degree that the feature vector matches the authentication data models”); and
providing a responsive message based on a threshold relating to the likelihood (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”), the responsive message usable to control access to the interactive computing environment (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”).
Per claim 3: Mainali disclosed the system of claim 1. Mainali further discloses an arrangement wherein the operation of determining the likelihood that the interaction request is legitimate comprises:
determining a similarity score between the first one-way encrypted feature vector and the second one-way encrypted feature vector (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”); and
determining, by comparing the similarity score to a threshold similarity score value, the likelihood that the interaction request is legitimate (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”).
Per claim 4: Mainali disclosed the system of claim 1. Mainali further discloses an arrangement wherein the operation of determining the likelihood that the interaction request is legitimate comprises determining, based on a comparison between the first one-way encrypted feature vector and the second one-way encrypted feature vector, that the target entity is the entity (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”).
Per claim 5: Mainali disclosed the system of claim 1. Mainali further discloses an arrangement wherein:
the operation of receiving the first similarity-preserving hash comprises generating the first similarity-preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the first similarity-preserving hash is a one- way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173] “the feature vectors may be computed, …for example as part of the anonymization process.”); and
the operation of receiving the second similarity-preserving hash comprises generating the second similarity-preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the second similarity-preserving hash is a one-way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173], “the feature vectors may be computed, …for example as part of the anonymization process.”).
Per claim 6: Mainali disclosed the system of claim 1. Mainali further discloses an arrangement wherein the interaction request comprises a first type of biometric data for the target entity, wherein the entity data comprises the first type of biometric data for the entity, wherein the first type of biometric data is not unique with respect to a respective entity, and wherein the operation of determining the likelihood that the interaction request is legitimate is performed without directly analyzing the first type of biometric data (Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 7: Mainali disclosed the system of claim 1. Mainali further discloses an arrangement wherein the operation of providing the responsive message based on the comparison comprises one of:
initiating, in response to determining that the likelihood exceeds a threshold likelihood, an interaction based on the interaction request (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”); or
challenging, in response to determining that the likelihood does not exceed the threshold likelihood, the interaction request (Mainali para. [0150], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”; Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 8: Mainali discloses a method comprising:
receiving, by a computing device, an interaction request from a user device, the interaction request comprising a request to access an interactive computing environment (Mainali para. [0143], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”);
transmitting, by the computing device and in response to receiving the interaction request, (Mainali para. [0006], “active involvement and cooperation in the authentication process of the user that is being authenticated, for example by requiring the user to provide a password or communicate a dynamic credential”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0095], “may be performed at a personal client computing device associated with said user, whereby said personal client computing device may be physically distinct from said authentication server”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device”);
receiving, by the computing device (Mainali FIG. 1A) and from the user device he first similarity-preserving hash (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) that comprisesa first one-way encrypted feature vector (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) based on the real-time behavior data of the target entity with respect to the interactive computing environment (Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”);
receiving, by the computing device, entity data relating to a known entity, the entity data comprising interaction data that indicates a manner in which the known entity historically interacted with webpages (Mainali para. [0165], “ConSec-Auth application, comprising an enrollment phase and an authentication phase. During the enrollment phase, which may for example last for about 4 weeks, the enrollment contextual data may be collected for a particular user. These enrollment contextual data may be used, e.g., by the ConSec-Auth application, to learn user authentication data models for that particular user. The learned user authentication data models may then be used, e.g., by the ConSec-Auth application, in the authentication phase to authenticate that user.”; Mainali para. [0014], “applications or websites that they have accessed”; Mainali para. [0138], “embodiments described in detail below may be applied to other embodiments”);
generating, by the computing device and using the instructions from the software package, a second similarity-preserving hash based on at least a portion of the entity data that relates to the known entity (Mainali para[0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data mentioned above. The one or more sets of anonymized collected recent contextual data may be transmitted, for example by the user's smartphone or access device, to an authentication server, for example the ConSec-Auth application, which may match the received anonymized recent contextual data against the user authentication data models”; Mainali para. [0171], “The behavior contextual data may include for example data representing: apps used by the user, apps usage duration, phone call pattern and phone call duration.”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device. In some embodiments, said software application may comprise the anonymization component of the fourth set of embodiments.”) wherein the second similarity-preserving hash is a second one-way encrypted feature vector based on historical behavior data of the known entity with respect to the interactive computing environment (Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”), and wherein the first similarity-preserving hash is generated using the same (Mainali para. [0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data”; Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”);
determining, by the computing device and based on a comparison between the first one-way encrypted feature vector and the second one-way encrypted feature vector, a likelihood that the interaction request from the user device is legitimate (Mainali para. [0297], “a corresponding feature vector (f) may be computed and standardized, exactly as before during the learning. The feature vector may then be compared to the authentication data models which may have been obtained during the enrolment phase (and which may have been updated one or more times since then). An authentication score may be computed from the degree that the feature vector matches the authentication data models”); and
providing, by the computing device, a responsive message based on a threshold relating to the likelihood (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”), the responsive message used to control access to the interactive computing environment (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”).
Per claim 10: Mainali disclosed the method of clain 8, Mainali further discloses an arrangement wherein determining the likelihood that the interaction request is legitimate comprises:
determining a similarity score between the first one-way encrypted feature vector and the second one-way encrypted feature vector (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”); and
determining, by comparing the similarity score to a threshold similarity score value, the likelihood that the interaction request is legitimate (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”).
Per claim 11: Mainali disclosed the method of claim 8, Mainali further discloses an arrangement wherein determining the likelihood that the interaction request is legitimate comprises determining, based on a comparison between the first one- way encrypted feature vector and the second one-way encrypted feature vector, that the target entity is the entity (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”).
Per claim 12: Mainali disclosed the method of claim 8. Mainali further discloses an arrangement wherein:
receiving the first similarity-preserving hash comprises generating the first similarity- preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the first similarity-preserving hash is a one-way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173] “the feature vectors may be computed, …for example as part of the anonymization process.”); and
receiving the second similarity-preserving hash comprises generating the second similarity-preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the second similarity-preserving hash is a one-way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173] “the feature vectors may be computed, …for example as part of the anonymization process.”).
Per claim 13: Mainali disclosed the method of claim 8. Mainali further discloses an arrangement wherein the interaction request comprises a first type of biometric data for the target entity, wherein the entity data comprises the first type of biometric data for the entity, wherein the first type of biometric data is not unique with respect to a respective entity, and wherein determining the likelihood that the interaction request is legitimate is performed without directly analyzing the first type of biometric data (Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 14: Mainali disclosed the method of claim 8. Mainali further discloses an arrangement wherein providing the responsive message based on the comparison comprises one of:
initiating, in response to determining that the likelihood exceeds a threshold likelihood, an interaction based on the interaction request (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”); or
challenging, in response to determining that the likelihood does not exceed the threshold likelihood, the interaction request (Mainali para. [0150], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”; Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 15: Mainali discloses a non-transitory computer-readable medium (Mainali para. [0143], “); one or more memory components, such as for example a RAM (Random Access Memory) memory or a hard disk, for storing data or instructions”) comprising instructions that are executable by a processing device for causing the processing device to perform operations comprising:
receiving an interaction request from a user device, the interaction request comprising a request to access an interactive computing environment (Mainali para. [0143], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”);
transmitting, in response to receiving the interaction request, (Mainali para. [0006], “active involvement and cooperation in the authentication process of the user that is being authenticated, for example by requiring the user to provide a password or communicate a dynamic credential”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0095], “may be performed at a personal client computing device associated with said user, whereby said personal client computing device may be physically distinct from said authentication server”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device”);
receiving, from the user device, the first similarity-preserving hash (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) that comprises a first one-way encrypted feature vector (Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”) based on the real-time behavior data of the target entity with respect to the interactive computing environment vector (Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”; Mainali para. [0053], “the preserving anonymization transformation may comprise a cryptographic hashing function such as for example SHA-1. An advantage of using a privacy preserving anonymization transformation that comprises or consists of a one-way function is that it may be hard or computationally infeasible to obtain the original value of a contextual data element”);
receiving entity data relating to a known entity, the entity data comprising interaction data that indicates a manner in which the known entity historically interacted with webpages (Mainali para. [0165], “ConSec-Auth application, comprising an enrollment phase and an authentication phase. During the enrollment phase, which may for example last for about 4 weeks, the enrollment contextual data may be collected for a particular user. These enrollment contextual data may be used, e.g., by the ConSec-Auth application, to learn user authentication data models for that particular user. The learned user authentication data models may then be used, e.g., by the ConSec-Auth application, in the authentication phase to authenticate that user.”; Mainali para. [0014], “applications or websites that they have accessed”; Mainali para. [0138], “embodiments described in detail below may be applied to other embodiments”);
generating, using the instructions form the software package, a second similarity-preserving hash based on at least a portion of the entity data that relates to the known entity, (Mainali para. [0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data mentioned above. The one or more sets of anonymized collected recent contextual data may be transmitted, for example by the user's smartphone or access device, to an authentication server, for example the ConSec-Auth application, which may match the received anonymized recent contextual data against the user authentication data models”; Mainali para. [0171], “The behavior contextual data may include for example data representing: apps used by the user, apps usage duration, phone call pattern and phone call duration.”; Mainali para. [0096], “the collected one or more sets of contextual data are performed by a software application running on said personal client computing device. In some embodiments, said software application may comprise the anonymization component of the fourth set of embodiments.”), wherein the second similarity-preserving hash is a second one-way encrypted feature vector based on historical behavior data of the known entity with respect to the interactive computing environment (Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”; Mainali para. [0008], “Contextual data may include the time (for example the time of certain user actions such as the time of a login or access attempt), data about the access device itself that the user is using (which in what follows may be referred to as device data), data about the environment that the user (or, as a proxy, the user's access device) is in or has been in (which in what follows may be referred to as location data), or behavioural data about the way that the user is acting or behaving or has been acting or behaving recently (which in what follows may be referred to as behaviour data). Various contextual data may be associated with times at, close to or well before the moment of authentication.”), and wherein the first similarity-preserving hash is generated using the same (Mainali para. [0172], “anonymization of the one or more sets of collected recent contextual data may for example be done in the same way as the enrollment contextual data”; Mainali para. [0173], “To match the contextual data, feature vectors may be computed in exactly the same way as during the learning phase and the computed feature vectors may be matched with the learned user authentication data models. In some embodiments, the feature vectors may be computed, for example by the authentication server, after the transfer of the anonymized collected recent contextual data to the authentication server. In other embodiments, the feature vectors may be computed, for example on the user's smartphone or access device, before said transfer, for example as part of the anonymization process.”);
determining, based on a comparison between the first one-way encrypted feature vector and the second one-way encrypted feature vector, a likelihood that the interaction request from the user device is legitimate (Mainali para. [0297], “a corresponding feature vector (f) may be computed and standardized, exactly as before during the learning. The feature vector may then be compared to the authentication data models which may have been obtained during the enrolment phase (and which may have been updated one or more times since then). An authentication score may be computed from the degree that the feature vector matches the authentication data models”); and
providing a responsive message based on a threshold relating to the likelihood (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”), the responsive message usable to control access to the interactive computing environment (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”).
Per claim 16: Mainali disclosed the medium of claim 15. Mainali further discloses an arrangement and wherein the operation of determining the likelihood that the interaction request is legitimate comprises:
determining a similarity score between the first one-way encrypted feature vector and the second one-way encrypted feature vector (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”); and
determining, by comparing the similarity score to a threshold similarity score value, the likelihood that the interaction request is legitimate (Mainali para. [0033], “a similarity preserving anonymization transformation may only be fulfilled or guaranteed in case the difference in similarity between values being compared is larger (in an absolute sense or in a relative sense with respect to the magnitude of the values) than a certain threshold”).
Per claim 17: Mainali disclosed the medium of claim 16. Mainali further discloses an arrangement wherein the operation of determining the likelihood that the interaction request is legitimate comprises determining, based on a comparison between the first one-way encrypted feature vector and the second one-way encrypted feature vector, that the target entity is the entity (Mainali para. [0068], “step of analyzing the received anonymized contextual data sets may comprise comparing the model to one or more of the received anonymized contextual data sets, for example to estimate the likelihood that the current user for which the one or more of the received anonymized contextual data set that the model is compared to have been collected, is (still) the same user as the user for which the received anonymized contextual data sets have been collected that have been used for training and/or updating the model”).
Per claim 18: Mainali disclosed the medium of claim 15. Mainali further discloses an arrangement wherein:
the operation of receiving the first similarity-preserving hash comprises generating the first similarity-preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the first similarity-preserving hash is a one- way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173] “the feature vectors may be computed, …for example as part of the anonymization process.”); and
the operation of receiving the second similarity-preserving hash comprises generating the second similarity-preserving hash by using a randomized projections algorithm or a trend micro locality sensitive hash algorithm (Mainali para. [0267], “A similarity preserving anonymization transformation, such as the locality-sensitive-hashing (LSH) algorithm may be used to transform or hash (all or some of) the computable contextual data values”), wherein the second similarity-preserving hash is a one-way encrypted feature vector (Mainali para. [0023], “an identity preserving transformation of a contextual data element value may comprise applying a one-way function to that contextual data element value … the one-way function may comprise or may consist of a cryptographic hash function”; Mainali para. [0173] “the feature vectors may be computed, …for example as part of the anonymization process.”).
Per claim 19: Mainali disclosed the medium of claim 15. Mainali further discloses an arrangement wherein the interaction request comprises a first type of biometric data for the target entity, wherein the entity data comprises the first type of biometric data for the entity, wherein the first type of biometric data is not unique with respect to a respective entity, and wherein the operation of determining the likelihood that the interaction request is legitimate is performed without directly analyzing the first type of biometric data (Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 20: Mainali disclosed the medium of claim 15. Mainali further discloses an arrangement wherein the operation of providing the responsive message based on the comparison comprises one of:
initiating, in response to determining that the likelihood exceeds a threshold likelihood, an interaction based on the interaction request (Mainali para. [0150], “the authentication server (220) may return a signal to the remote application to indicate whether the authentication of the user was successful. If the signal indicates that the authentication was successful, the remote application may use that information to take appropriate action, for example in deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”); or
challenging, in response to determining that the likelihood does not exceed the threshold likelihood, the interaction request (Mainali para. [0150], “deciding whether or not to grant access to the user or whether or not to perform a certain operation requested by the user (such as performing a transaction submitted by the user)”; Mainali para. [0303], “In some embodiments, sets of contextual data that don't exceed said second threshold may still be used if an extra authentication factor (such as a static or dynamic password, or a biometric) has been successfully provided.”).
Per claim 21: Mainali disclosed the system of claim 1. Mainali further discloses a system wherein the operations further comprise:
generating a policy to synchronize a set of hash generation parameters (Mainali para. [0075], “In some embodiments said analysing the received anonymized contextual data for authenticating the user may comprise exploiting a similarity between various received anonymized contextual data sets that may be preserved by said similarity preserving anonymization transformation. In some embodiments said analysing the received anonymized contextual data for authenticating the user may comprise exploiting a similarity between various received values of one or more contextual data elements of one or more anonymized contextual data sets that may be preserved by said similarity preserving anonymization transformation. In some embodiments ‘exploiting the similarity’ may comprise assessing a degree of proximity or similarity between the received values and corresponding expected values or reference values or other received values in the image space of the transformation, and using that degree of similarity as an element in authenticating the user, for example, by using that degree of similarity to determine or to generate an authentication score such as a score that reflects a degree that said received anonymized contextual data match a learnt user data model. In some embodiments, the corresponding expected values or reference values may for example be earlier received values or may be calculated from earlier received values, for example as a mean of a number of earlier received values or as a representative value for a cluster of earlier received values.”); and
synchronizing, using the policy, the set of hash generation parameters between the system and the user device to facilitate (i) the user device generating the first similarity-preserving hash and (ii) the system generating the second similarity-preserving hash using the synchronized hash generation parameters (Mainali para. [0268]. “LSH algorithms can be broadly grouped into two main categories: data independent algorithms and data dependent algorithms. The LSH algorithms in the first category (data independent LSH algorithms) generate the LSH function parameters randomly and independently from the data, whereas the algorithms in the second category (data dependent LSH algorithms) learn LSH function parameters from the data. The super-bit LSH (SB-LSH) algorithm (see: J. Ji, J. Li, S. Yan, B. Zhang, and Q. Tian, “Super-bit locality-sensitive hashing,” in Advances in Neural Information Processing Systems, 2012, pp. 108-116.) from the first category may be used in some embodiments. It has the following advantages. The LSH function parameters can be generated randomly for each user and hence provide much randomness on the computed location-hash values. If the LSH function parameters are compromised for a particular user, a new set of LSH function parameters can be generated for that user and the authentication system can be re-initialized as well.”), wherein the policy is configured to be updated by the system based on a security event such that subsequent similarity-preserving hashes are configured to be generated using updated hash generation parameters distributed from the system to the user device in response to the security event (Mainali para. [0268]. “If the LSH function parameters are compromised for a particular user, a new set of LSH function parameters can be generated for that user and the authentication system can be re-initialized as well.”).
Per claim 21: Mainali disclosed the system of claim 1. Mainali further discloses a system wherein instructions included in the software package comprise instructions that cause the user device to generate the first similarity-preserving hash based on a combination of at least two different types of the real-time behavior data of a target entity associated with the user device (Mainali para. [0085], “step of learning (or training) one or more user models for said user using at least some of said anonymized collected one or more sets of contextual data”), wherein the instructions included in the software package comprise instructions that cause the system to generate the second similarity-preserving hash using the combination (Mainali para. [0085], “step of learning (or training) one or more user models for said user using at least some of said anonymized collected one or more sets of contextual data”), wherein the second similarity-preserving hash is associated with a temporal validity window, and wherein the operations further comprise revoking the second similarity-preserving hash upon expiration of the temporal validity window (Mainali para. [0093], “updating of said learnt one or more user models is performed at regular intervals”; [Note: “Regular intervals” is being interpreted as the claimed “temporal validity window”; and each “updating” of a model is being interpreted as a “revoking” of a prior model.]).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul J Skwierawski whose telephone number is (571)272-2642. The examiner can normally be reached 6:00am-3:30pm weekdays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisory primary examiner (SPE) Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Paul Skwierawski/
Patent Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439