DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Acknowledgements
This is a first office action on the merits in response to the application filed June 27, 2025.
Claims 1-20 are pending in the application.
Claims 1-20 are examined below.
Based on a comparison of the PGPub US 2025/0328895 A1 with applicant’s originally submitted specification, the PGPub appears to be a fair and accurate record of the applicant’s specification. Therefore, references to applicant’s specification will typically be made by this examiner as references to the PGPub. Unless otherwise noted, references to applicant’s specification as published via PGPub will be in the format [####], and references to applicant’s specification as filed will be in the format ¶## or by page and line number.
The notations in the immediately preceding paragraph apply to any future office actions from this examiner.
Examiner Request
Applicant is requested to indicate where in the specification there is support for amendments to claims should applicant amend. The purpose of this is to reduce potential 35 USC 112(a) or 35 USC 112, 1st paragraph issues that can arise when claims are amended without support in the specification. Examiner thanks applicant in advance. See also relevant portions of MPEP 2163.II.A:
With respect to newly added or amended claims, applicant should show support in the original disclosure for the new or amended claims. See, e.g., Hyatt v. Dudas, 492 F.3d 1365, 1370, n.4 (Fed. Cir. 2007) (citing MPEP § 2163.04 which provides that a "simple statement such as ‘applicant has not pointed out where the new (or amended) claim is supported, nor does there appear to be a written description of the claim limitation ‘___’ in the application as filed’ may be sufficient where the claim is a new or amended claim, the support for the limitation is not apparent, and applicant has not pointed out where the limitation is supported."); see also MPEP § 714.02 and § 2163.06 ("Applicant should ... specifically point out the support for any amendments made to the disclosure."); and MPEP § 2163.04 ("If applicant amends the claims and points out where and/or how the originally filed disclosure supports the amendment(s), and the examiner finds that the disclosure does not reasonably convey that the inventor had possession of the subject matter of the amendment at the time of the filing of the application, the examiner has the initial burden of presenting evidence or reasoning to explain why persons skilled in the art would not recognize in the disclosure a description of the invention defined by the claims.").
Priority
This application is a continuation application. See MPEP § 201.07. In accordance with MPEP § 609.02 A. 2 and MPEP § 2001.06(b) (last paragraph), the examiner has reviewed and considered the prior art cited in the prior-filed application(s). Also in accordance with MPEP §2001.06(b) (last paragraph), all documents cited or considered ‘of record’ in the prior-filed application(s) are now considered cited or ‘of record’ in this application. Additionally, applicant is reminded that a listing of the information cited or ‘of record’ in the prior-filed application(s) need not be resubmitted in this application unless applicant desires the information to be printed on a patent issuing from this application. See MPEP §609.02 A. 2. Finally, applicant is reminded that the prosecution history of the prior-filed application(s) is relevant in this application. See e.g., Microsoft Corp. v. Multi-Tech Sys., Inc., 357 F.3d 1340, 1350, 69 USPQ2d 1815, 1823 (Fed. Cir. 2004) (holding that statements made in prosecution of one patent are relevant to the scope of all sibling patents).
Claim Objections
Claim 10 is objected to because of the following informalities: it appears that the second to last line (beginning with “upon identifying”) should be further indented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either statute.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The following is a quotation of 35 U.S.C. 103(a) (pre-AIA ) which forms the basis for all obviousness rejections set forth in this office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Turgeman (US 2017/0054702 A1).
Turgeman discloses as follows:
Claim
Limitation
Turgeman
1,10,19
during the secure transaction, actively perturbing the network to change conditions in the network
"a remote-access burdening module 234 may be used by system 200 in order to intentionally burden or overload the victim's computer resources and/or to burden or overload the remote access protocol (for example, by requiring the victim's computer to upload and/or download large amounts of data from a server controlled by the service being protected, thereby leaving narrower bandwidth and increased latency for the attacker's remote access communication channel); and thereby increasing the effects of such noises due to overloaded communication protocol, or making such communication noise more significant and more observable, and enabling system 200 to detect the remote attacker more rapidly or in a more certain manner." [0046]
1,10,19
collecting user interaction data relating to user interactions with a user interface associated with the user computing device during the perturbing of the network
1,10,19
comparing the user interaction data collected during the perturbing of the network to reference data relating to user interactions carried out prior to the secure transaction or prior to perturbing of the network
"the comparator/matching module 204 may compare the features characterizing the current session of the current user, to features characterizing known RAT mechanisms, known malware or “bot” mechanisms, or other pre-defined data; in order to determine that, possibly or certainly, the current user is actually a non-genuine user and/or is accessing the service via a RAT mechanism." [0031]
1,10,19
based on the comparing, determining a probability that the secure transaction is carried out via a remote access tool
"The user-specific signal characteristics may be stored in the database 203, and may be used subsequently by comparator/matching module 204 in order to compare or match between current-characteristics and previously-estimated characteristics, thereby enabling a decision whether or not the current user is genuine or fraudulent." [0047] Turgeman does not explicitly disclose calculating a probability. However, Turgeman does employ thresholds to determine whether to take action against a fraudulent actor, and labeling the quantity being compared to a threshold will not distinguish the claimed invention from the prior art in terms of patentability, because this amounts to nonfunctional descriptive material.
1,10,19
upon identifying that the probability exceeds a predefined threshold, performing an action related to the secure transaction
"the output of comparator module 204 may be taken into account in combination with other information, security information, user information, meta-data, session data, risk factors, or other indicators (e.g., the IP address of the user; whether or not the user is attempting to perform a high-risk activity such as wire transfer; whether or not the user is attempting to perform a new type of activity that this user did not perform in the past at all, or did not perform in the past 1 or 3 or 6 or 12 months or other time-period; or the like). The combined factors and data may be taken into account by a user identity determination module 205, which may determine whether or not the current user is a fraudster or is possibly a fraudster. The user identity determination module 205 may trigger or activate a fraud mitigation module 206 able to perform one or more fraud mitigating steps based on that determination; for example, by requiring the current user to respond to a challenge, to answer security question(s), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like." [0032]
2,11,20
wherein the actively perturbing comprises at least one of increasing a load on the network, throttling the network, increasing a percentage of packet loss in the network, or increasing delays of communications within the network
"latency or delays or lags may be injected into the communication channel, by one or more suitable means, for example: by re-sending duplicate or erroneous packets or redundant packets; by causing the server to wait a pre-defined time period between sending of packets; by avoiding to send a packet (or several packets) for a pre-defined time-period; by sending redundant or unnecessary data together with relevant data; by sending large multimedia content (e.g., video, audio, images), larger than a pre-defined threshold size, in order to over-burden the communication channel and cause delays and latency; by causing the end-user device to respond slowly and/or to transmit packets slowly, e.g., by over-burdening the processor and/or the memory and/or the wireless transceiver of the end-user device; and/or other suitable means." [0345]. See also [0046] quoted above.
3,12,20
wherein the user interaction data comprises at least one of mouse movement data, keystroke data, or touchscreen gesture data
"such 'noises' in the remote access protocol may affect the latency (or timing) of user reaction to the injected perturbation, and/or may affect the pattern or other characteristics of the user reaction (e.g., the shape of the mouse movement itself)" [0046]
4,13
wherein determining the probability is based on timing distributions of the user interaction data
5,14
wherein determining the probability is based on a difference in data patterns between the user interaction data collected during the perturbing and the reference data
6,15
wherein the actively perturbing is performed only during periods of active user interaction with the server
This limitation is not explicitly disclosed. However, as Turgeman does not disclose perturbing while the user is *not* active, it would be obvious to restrict the perturbations to periods of user activity in order to limit the amount of unproductive network perturbation.
7,16
prior to the secure transaction, collecting additional user interaction data during standard network conditions;
"if the system determines that the current user is genuine, then, his long-term profile may be updated in view of his interactions in the current session" [0055]"the system may periodically update the user-specific GUI-utilization profile, based on the ongoing utilization by the user." [0144]
7
using the additional user interaction data as part of the reference data during the comparing
16
store the additional user interaction data as part of the reference data
8,17
identifying at least one data distribution pattern indicative of remote access tool usage
"comparator/matching module 204 may compare or match, between values of user-specific features that are extracted in a current user session (or user interaction), and values of respective previously-captured or previously-extracted user-specific features (of the current user, and/or of other users, and/or of pre-defined sets of values that correspond to known automated scripts or “bots” or RAT mechanism)." [0030]. See also [0031]
8
using the at least one data distribution pattern as part of the reference data during the comparing
17
store the at least one data distribution pattern as part of the reference data
9,18,20
wherein the action related to the secure transaction comprises at least one of terminating the secure transaction, flagging the secure transaction for further review, or requiring additional authentication
"The combined factors and data may be taken into account by a user identity determination module 205, which may determine whether or not the current user is a fraudster or is possibly a fraudster. The user identity determination module 205 may trigger or activate a fraud mitigation module 206 able to perform one or more fraud mitigating steps based on that determination; for example, by requiring the current user to respond to a challenge, to answer security question(s), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like." [0032]
Citation of Relevant Prior Art
All references listed on form PTO-892 are cited in their entirety. The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Breitling (US 20210117979 A1) discloses a method for identifying transactions where the user is being coached by a fraudster. The method uses a machine learning classification model applied to behavioral data to make this determination. Not detecting remote access tool usage.
Varghese (US 2006/0282660 A1) discloses device authentication including use of network statistics as part of device fingerprinting (see [0132] and use of neural network techniques to evaluate access requests ([0136]).
Niv (US 2022/0159025 A1) discloses a system for monitoring network behavior to detect cyberattacks.
Kaminsky (US 2015/0156214 A1) discloses a system for detecting online user interface manipulation via remote control. This includes use of network statistics and active probing.
Saadon (US 2023/0229765 A1) discloses a cybersecurity agent.
Perez (US 2015/0363785 A1) discloses a system for authenticating consumers using behavioral biometrics.
Novick (US 2020/0273040 A1) discloses a system for using behavior profiling to detect mule bank accounts, etc.
Moritz (US 9,516,035 B1) discloses a system for authentication via behavior profiling.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMIE KUCAB whose telephone number is (571)270-3025. The examiner can normally be reached Monday through Friday, 9 a.m. to 4:30 p.m. ET. The examiner’s email address is Jamie.Kucab@USPTO.gov. See MPEP 502.03 regarding email communications. Following is the sample authorization for electronic communication provided in MPEP 502.03.II: “Recognizing that Internet communications are not secure, I hereby authorize the USPTO to communicate with the undersigned and practitioners in accordance with 37 CFR 1.33 and 37 CFR 1.34 concerning any subject matter of this application by video conferencing, instant messaging, or electronic mail. I understand that a copy of these communications will be made of record in the application file.” Without such an authorization in place, an examiner is unable to respond via email.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel, can be reached at telephone number (571) 270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/JAMIE R KUCAB/Primary Examiner, Art Unit 3699