DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/17/2020 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Status of Claims
This is a final office action in response to Applicant's amendment filed on 12/3/2020. Applicant’s submission has been entered. 
Claims 1, 8, 10, 15, 22-23 are currently amended claims. Claims 2, 4, 16, 21 are previously cancelled claims. Claims 1, 3, 5-15, 17-20, and 22-24 are pending in the application. 
Response to Amendments
The objection of claims 1, 10, 22-23 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
The rejection of claim 8 under 35 USC 112(b) due to lack of antecedent basis has been withdrawn in light of applicant’s amendment to the claim.
Response to Arguments
The Applicant's Remarks and arguments filed on 12/3/2020 respect to Claims 1, 3, 5-15, 17-20, and 22-24 have been fully considered. 
Applicant’s argument, see pages 13-22 of the Remarks filed 12/3/2020 regarding rejections under the 35 USC §103, on claims 1, 3,5-7,15,19-20 and 23 over Yang in view of Kahn and Carothers have been fully considered and not persuasive due to reasons below. 
              Regarding independent claim 1 (similarly claim 15), applicant argued the combination of Yang, Kahn and Carothers does not render claim 1 unpatentable, specifically to limitations reciting “in accordance with the determining that the ratio of the number of successful login attempts to total login attempts is below a predetermined threshold, implementing, at the front-end server, addition of the IP subnet to a greylist”. In particular, applicant argued that Yang’s denial is a standard blacklist from which no login request are accepted, not a greylist that awaits a further determination (See pages 12-13 of the Remark). Applicant further argued reference Kahn does not teach that the subnet is added to a greylist, and Carothers discloses a greylist but not a greylist of IP subnets, and applicant respectfully submits further that there is no demonstrated motivation to modify Yang+ Kahn according to Carothers (See pages 13-15 of the Remarks).
	The examiner acknowledged applicant’s perspective however respectively disagrees. The examiner have shown in the previous office actions that Yang discloses the main features of the claimed invention, especially independent claims, namely determining a ratio of a number of successful login attempts to total login attempts and in accordance with the ratio being below than a predetermined threshold, implement security actions. Kahn is used in the office action to further specify the login attempts may relate to IP subnet in addition to IP address. Yang has not specifically identify the security action is blacklisting or greylisting, rather states: Such security actions may include blocking access to all accounts associated with a 
	Examiner notes that in response to applicant’s statement that “Applicant notes the Office's statement on pages 3-4 that "claim 1 specifies when the ratio is below a predetermined threshold, adding the IP subnet to greylist, suggesting adding to greylist is one of the options (i.e. greylist or blacklist)." Respectfully, Applicant requests the Office to refrain from characterizing the claim” (See pages 14-15 of the Remarks). The examiner acknowledges applicant’s perspective, however would like to point out that the examiner has no intention to characterize the claim but rather indicate how the claim may be interpreted, since it is known to ordinary skilled in the art that greylisting, blacklisting, or whitelisting is one of option (choice) in response to a determination that the determining factor (i.e. ratio) is compared to a threshold to determine whether the further login attempts are to be allowed, denied, or other options. 
	Applicant’s further argument regarding dependent claims 3, 5-7, 17-20 and 22-24 is not persuasive due to the same reason as discussed above since the independent claims are not patentable.
Applicant’s argument, see pages 17-19 of the Remarks filed 12/3/2020 regarding to rejection of independent claim 8 and the respective dependent claims has been considered and not persuasive. First, the discussion regarding the use of reference Yang above also apply to claim 8. Instead of teachings of login attempts by Yang, Newman has been used to teach segmenting collectively the plurality of login attempts into a plurality of segmentation types of login attempts, such as login attempt associated with Company/East group and East/Marketing group each having their own access right (i.e. permission). Therefore a method of login attempt control to a computer system of Yang can also apply to a plurality of segmentation types of login attempts since determining a ratio of a number of successful login attempts to total login attempts of the plurality of login attempts is for each segmentation type individually. 
Applicant’s further argument regarding dependent claims 9-10 is not persuasive since the independent claim 8 is found not patentable.
Applicant is suggested to further incorporate innovative features into the independent claims to advance the case.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 1, 3, 5-7, 15, 20, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US9148424B1-IDS provided by applicant, hereinafter, "Yang"), in view of Kahn et al (US8312540B1, hereinafter, “Kahn”), further in view of Carothers (US20130232574A1-IDS provided by applicant, hereinafter, “Carothers”).
Regarding claim 1, Yang teaches: A system, comprising: 
a front-end server (Yang, Fig. 1 System 130, more specifically combination of Interface Module 140 and Analysis Module 166); a base data loader (Yang, Fig. 1 combination of Login Module 162 and Application Logic Module 150); a base load database (Yang, Fig. 1 History Module) that stores information about login attempts to the system (Yang, Col. 5 lines 26-30, client device 110 or client application 112 interactions with application logic modules 150 may be logged and stored in a history module 164 along with any interface module 140 or any other module interactions for later use by an analysis module 166); 
at least one processor; and memory including a plurality of computer-executable components that are executable by the at least one processor to perform a plurality of actions (Yang, Col. 4 lines 8-10, each module or engine shown in FIG. 1 represents a set of executable software instructions and the corresponding hardware (e.g., memory and processor) for executing the instructions. Also see Fig. 7)), the plurality of actions comprising: 
receiving, at the front-end server a plurality of new login attempts to the system, the plurality of login attempts being originated from an Internet Protocol (IP) [subnet] (Yang, [Abstract] a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address (i.e. associated with IP network) and a first request time associated with the first login request). Examiner notes that claim recites “new login attempts” where new is a relative term without specific limitation of how long of time or how recent is new. There is no boundary between new and old. Therefore new login attempts is interpreted as login attempts; 
sending, from the front-end server to the base data loader, information about the new login attempts to the system (Yang, Col. 5 lines 9-12, On receipt of such a login request via interface 140, login module 162 may access analysis module 166 to perform IP-based intrusion detection); 
querying, at the front-end server, the base data loader for information about login attempts to the system); receiving, at the base data loader from the front-end server, the information about the new login attempts to the system (Yang, Col. 5 lines 13-14, Analysis module 166 may access (i.e. querying) history module 164 for data related to previous login requests as part of a security analysis triggered by a login); 
sending, at the base data loader to the base load database, the information about the new login attempts to the system for storage In the base load database (Yang, Col. 5 lines 26-31, client device 110 or client application 112 interactions with application logic modules 150 may be logged and stored in a history module 164 (i.e. base load database) along with any interface module 140 or any other module interactions for later use by an analysis module 166); 
querying, at the base data loader, the base load database for Information about the login attempts to the system; sending, at the base load database to the base data loader in response to the query from the base data loader, the Information about the login attempts to the system; sending, at the base data loader to the front-end server in response to the query from the front-end server, the information about the login attempts (Yang, Col. 5 lines 26-30, client device 110 or client application 112 interactions with application logic modules 150 may be logged and stored in a history module 164 along with any interface module 140 or any other module interactions for later use by an analysis module 166 or any other module of security modules 160); 
determining, at the front-end server, a ratio of a number of successful login attempts to total login attempts of the login attempts queried by the base data loader (Yang, Col. 3 lines 16-19, then the security system calculates an overall success ratio for the login requests from the first IP address during the time period and checks to see if the overall success ratio is below a threshold success ratio value. And Col. 6 lines 24-27, the analysis module 166 uses the identified time at which the login request is received to request history data from history module 164. The login request data may be used with the history data in analyzing a login history); and
in accordance with the determining that the ratio of the number of successful login attempts to total login attempts is below a predetermined threshold (Yang, Col. 3 lines 20-22, Such security actions may include blocking access to all accounts associated with a username and password login attempted during the time period). And Col. 8 lines 3-8, Operation 214 then involves, in response to determining the login success ratio is below the threshold login success ratio and determining, using analysis module 166, that the number of unique usernames is above the unique username threshold, automatically performing a security action using security event module 168), [implementing, at the front-end server, addition of the IP subnet to a greylist] (see Carothers below).   
While Yang teaches intrusion detection by analyzing the login attempts with login success ratio of IP network, but does not explicitly teach IP subnet, however in the same field of endeavor Kahn teaches: 
the plurality of login attempts being originated from an Internet Protocol (IP) subnet (Kahn, Col. 10. Lines 13-18, Login capture module 108 may generate an entry in the history of network logins 124 for all or a subset of the login attempts received by network access controller 26. And Col. 10 lines 46-51, One example of a signature-based algorithm includes determining the presence of a network password attack when a threshold number of invalid login requests occurs from a particular user, endpoint device, subnet, or other location within the network system). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kahn in the intrusion detection system of Yang by analyzing user login request from an IP subnet instead of a single IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to implement the method of analyzing the history of successful network logins to determine what ratio of login requests originate from a sub network (see Kahn, [Abstract]) in the IP network of Yang with the goal of controlling access to a network by slowing down the actions of password attack (Kahn, Col. 10 Ln. 46-50, Col. 11 Ln. 10-21) by identifying a known subnet from where a user usually accesses the network (Kahn, Col. 13 Ln. 20-23).
While the combination of Yang-Kahn teaches security action against faulty login attempt, but does not explicitly teach adding IP subnet to greylist, however in the same field of endeavor Carothers teaches: 
implementing, at the front-end server (Carothers, see Fig. 1 DNS Server 120), addition of the IP subnet to a greylist (Carothers, [Abstract] To counteract that, the disclosed systems and methods of DNS greylisting place a domain name in a grey list for a time period. And [0032] In block 370, a determination of whether the host (i.e. IP subnet in view of Kahn) is suspicious is made from the heuristics. If the host is determined to be suspicious, then, in block 380, the host (i.e. IP subnet) is added to the grey list cache).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Carothers in the intrusion detection system of Yang-Kahn by adding suspicious host to greylist for a time period in response of domain name system contact request by internet service provider. This would have been obvious because the person having ordinary skill in the art would have been motivated to include those entities with negative event as suspicious to greylist for purpose of anti-virus botnet solutions (Carothers, [Abstract], [0054]).

Regarding claim 15, Yang-Kahn-Carothers combination discloses:
A non-transitory computer-readable storage medium, bearing computer-executable instructions that, when executed upon a computing device (Yang, Col. 16 lines 55-59, FIG. 7 is a block diagram illustrating components of a machine 700, according to some embodiments, able to read instructions from a machine-readable medium (e.g., a machine-readable storage medium) and perform any one or more of the methodologies discussed herein), cause the computing device at least to: to perform the method steps substantially similar to the action steps of claim 1, therefore rejected with the same reason set forth as rejection of claim 1 above.

Regarding claim 3, Yang-Kahn-Carothers combination further teaches:
The system of claim 1, wherein the actions further comprise: randomizing, at the front-end server, an amount of time to response to the plurality of new login attempts (Yang, Col .3 lines 8-12, The security system then checks (i.e. to response) a login history for other login requests from that same first IP address that have been received within a certain time period, for example, 30 minutes, 2 hours, or another such time period). It is noted that no specific time period is specified as requirement suggesting the time period may be random value. 

Regarding claim 5, Yang-Kahn-Carothers combination further teaches:
The system of claim 1, wherein: the determining the ratio includes determining the ratio of the number of successful login attempts to total login attempts of the plurality of login attempts that have occurred over a period of time (Yang, Col. 3 lines 14-19, If the number of requests is above the threshold number of requests, then the security system calculates an overall success ratio for the login requests from the first IP address during the time period (i.e. period of time) and checks to see if the overall success ratio is below a threshold success ratio value).  

Regarding claim 6, Yang-Kahn-Carothers combination further teaches:
The system of claim 1, wherein the determining the ratio includes determining the ratio of the number of successful login attempts to total login attempts of the plurality of login attempts independent of when the successful login attempts and total login attempts occurred (Yang, Col. 7 lines 49-54, Certain embodiments may not identify a security event when similar usernames are used within a time period (i.e. independent of when), since the embodiments are weighted towards identifying intrusions based on theft of actual username-password pairs from a third party source where usernames are unlikely to be similar).  

Regarding claim 7, Yang-Kahn-Carothers combination further teaches:
The system of claim 1, wherein the actions further comprise: determining the ratio based on an amount of times that login attempts from the IP subnet have previously been denied temporarily (Yang, Col. 3 lines 4-9, If the number of requests is above the threshold number of requests, then the security system calculates an overall success ratio for the login requests from the first IP address during the time period and checks to see if the overall success ratio is below a threshold success ratio value).  
Examiner notes the ratio is calculated based on successful login attempts and failed login attempts (denied attempts). Temporarily is a relative word and is not specifically related to how the ratio is defined except it is related to a period of time.

Regarding claim 19, Yang-Kahn-Carothers combination further teaches:
The non-transitory computer-readable storage medium of claim 15, wherein the computer-executable instructions, when executed upon the computing device, cause the computing device further at least to: determine that an end user identification associated with the plurality of new login attempts corresponds to a particular end user identification (Yang, [Abstract] a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request),
wherein implementing the addition of the IP subnet to the greylist (Carothers, [Abstract] To counteract that, the disclosed systems and methods of DNS greylisting place a domain name in a grey list for a time period) is in response (Carothers, [0032] In block 370, a determination of whether the host is suspicious is made from the heuristics. If the host is determined to be suspicious, then, in block 380, the host (i.e. IP subnet) is added to the grey list cache) to the ratio being below the predetermined threshold (Yang, [Abstract] In response to determining a login success ratio is below a threshold login success ratio) and the determination that the end user identification corresponds to the particular end user identification (Yang, Col. 6 lines 29-33, The first IP address may be identified using a text parser to parse information from a transmission control protocol (TCP) IP or user datagram protocol (UDP) IP communication used to transmit the login request).  

Regarding claim 20, Yang-Kahn-Carothers combination further teaches:
The non-transitory computer-readable storage medium of claim 19, wherein the end user identification indicates a category, an operation, a status, or an account (Yang, Col. 2 lines 15-17, Login credentials for an online account may consist of a username and password, or may consist of other authenticating data for a user).

Regarding claim 23, Yang-Kahn-Carothers combination further teaches:
The system of claim 1, wherein the front-end server is configured to transmit streaming updates regarding the information about the new login attempts to the base data loader (Yang, [Claim 16] … and updating the login history with a security indicator).

Claims 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US9148424B1-IDS provided by applicant, hereinafter, "Yang"), in view of Newman et al (US20040260952A1, hereinafter, “Newman”), further in view of Poder et al (US20160234232A1, hereinafter, “Poder”).
Regarding claim 8, Yang discloses: A method, comprising: 
receiving, at a front-end server (Yang, Fig. 1 System 130, more specifically combination of Interface Module 140 and Analysis Module 166), a plurality of login attempts to a computer system (Yang, [Abstract] a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request); 
determining a ratio of a number of successful login attempts to total login attempts of the plurality of login attempts for each segmentation type individually (Yang, Col. 3 lines 16-19, then the security system calculates an overall success ratio for the login requests from the first IP address during the time period and checks to see if the overall success ratio is below a threshold success ratio value);
While Yang does not explicitly teach the following limitation(s), however in the same field of endeavor Newman teaches: 
segmenting collectively the plurality of login attempts into a plurality of segmentation types of login attempts, Including segmenting one login attempt of the plurality of login attempts into more than one segment of the plurality of segmentation types, wherein the plurality of segmentation types are associated with respective access permissions (Newman, [Abstract] A user access security subsystem of a computer information database system utilizes computer grouping criteria (i.e. segmentation type) and user type criteria to control user access to both computer profile data and system administrative features. And [0041] The East login group is designated as Company/East/ (i.e. one segmentation type), and thus, a user who has the East login group has a right to access the record. The users who have East/Marketing/ (i.e. another segmentation type) as their login group do not, however, have the right to access to the data record since the group tree Company/East/Marketing/ is not contained within the group tree specified by the GroupName string in the record); 
determining an access permission for the one login attempt, wherein the access permission determined for the one login attempt is the lowest access permission of the respective access permissions associated with the segmentation types into which the one login attempt is segmented (Newman, [Abstract] The combination of the computer grouping and the user type criteria restricts a given user to exercising the delegated administrative authority only with respect to the particular grouping of computers to which the user has been granted access through the associated login group. To maintain access security, the subsystem allows a given user to grant to another only those access rights that are equal to or more restrictive than the given users rights (i.e. lowest access permission of the respective access permissions). Thus, the given user cannot grant access to a login group that is a peer or a superior of his own login group and/or cannot assign a user type that is associated with greater access to system administrative features than his own user type); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Newman in the intrusion detection system of Yang by controlling user access to computer resources using computer grouping criteria and user type criteria. This would have been obvious because the person having ordinary skill in the art would have been motivated to managing user access in to different types of groups with corresponding access permission to maintain access security (Newman, [Abstract], [0041]).
The combination of Yang-Newman des not explicitly teach the following limitation(s), however in the same field of endeavor Poder teaches:
and implementing, at the front-end server, processing of the one login attempt according to a blacklist, whitelist, or greylist in accordance with its determined access permission (Poder, [0019] The local office 103 may also include one or more application servers 107 (i.e. front-end server). And [0042] the local office 103 might determine whenever a device communicates with other devices with permission. Also [0060] the local office 103 (or other entity) may blacklist a malicious device or a threatening device. Alternatively or additionally, if the deviation is less frequent or if the deviation is less drastic, the local office 103 may associate this device as being possibly malicious or posing a possible threat to the networks 100 or 180a or to other devices. According to some aspects, the local office 103 (or other entity) may greylist a possibly malicious or possibly threatening device. Alternatively or additionally, if the deviation is less than a threshold, the local office 103 may associate this device as being non-malicious, and may whitelist the device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Poder in the intrusion detection system of Yang-Newman by monitoring communication pattern associated with device and security measure can be applied. This would have been obvious because the person having ordinary skill in the art would have been motivated to apply security measure of blacklist, whitelist or greylist on device according to permission of device to access the network to protect network device from suspicious communications (Poder, [Abstract], [0042], [0060]).

Regarding claim 9, Yang-Newman-Poder combination further teaches:
The method of claim 8, wherein: the plurality of login attempts to the computer system are received across a plurality of front-end servers of the computer system including the front-end server (Yang, Fig. 1 System 130 specifically combination of Interface Module 140 and Analysis Module 166).29 Attorney Docket No. TMPO436US  

Regarding claim 10, Yang-Newman-Poder combination further teaches:
The method of claim 9, wherein the determining the ratio of the number of successful login attempts to total login attempts for each segmentation type individually is performed by a computing device that includes a base data loader (Yang, see Fig. 1 Application Logic Module) that is separate from the plurality of front-end servers (Yang, Col. 3 lines 55-58, the security layer 125 may be implemented as a separate device that communicates with interface layer 124 to implement all or part of login security for a system 130). Examiner notes that it is obvious to one ordinary skilled in the art that Yang’s teachings can be applied to each individual segment of login attempts. 

Claims 11, 12, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Yang-Newman-Poder as applied above to claim 8, further in view of Kunjachan et al (US20180349643A1, hereinafter, “Kunjachan”).
Regarding claim 11, Yang-Newman-Poder combination teaches:
The method of claim 8, wherein the segmentation types include a geographical location from which the one login attempt originated that corresponds to a particular geographical location (Yang, Col. 9 lines 1-5, Another independent Source of information that may be used by operation 306 IP based intrusion detection analysis includes IP-based location data 322... different blocks of IP numbers are associated with different geographic locations); and
wherein implementing, at the front-end server, processing of the one login attempt [includes adding the segmentation type having the lowest access permission to the greylist] in accordance with the determination that the geographical location corresponds to the particular geographical location (Yang, Col. 9 lines 27-31, different blocks of IP numbers are associated with different geographic locations.  Login history 308 may include an older history of timestamp 314 and IP address information 316 that is outside of the time period associated with the current login request which is being analyzed).  
While the combination of Yang-Newman-Poder does not explicitly teach includes adding the segmentation type having the lowest access permission to the greylist, however in the same field of endeavor Kunjachan teaches:
includes adding the segmentation type having the lowest access permission to the greylist (Kunjachan, [0039] the access controller (110) may reference a greylist (226) that includes a list of entities (230b-230x) who have incurred a negative event (232b-232x)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kunjachan in the intrusion detection system of Yang-Newman-Poder by implementing access control with greylist as alternative to whitelist or blacklist based on the secure identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to include those entities with negative event as suspicious identifier in greylist for purpose of access control in managing transactional data (Kunjachan, [0054]).

Regarding claim 12, Yang-Newman-Poder combination teaches:
The method of claim 8, wherein the segmentation types include a telecommunications network associated with a mobile device from which the one login attempt originated that corresponds to a particular telecommunication network (Yang, Col. 17 lines 1-5, In a networked deployment, the machine 700 may operate in the capacity of a server machine or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment); and
wherein implementing, at the front-end server, processing of the one login attempt [includes adding the segmentation type having the lowest access permission to the greylist] in accordance with the determination that the telecommunications network corresponds to the particular telecommunication network (Yang, Col. 19 lines 51-58, one or more portions of the network 780 can be an ad hoc network, an intranet, an extranet, a virtual private network (VPN), a local area network (LAN), a wireless LAN (WLAN), a wide area network (WAN), a wireless WAN (WWAN), a metropolitan area network (MAN), the Internet, a portion of the Internet, a portion of the public switched telephone network (PSTN), a telephone service network…).  
While the combination of Yang-Newman-Poder does not explicitly teach includes adding the segmentation type having the lowest access permission to the greylist, however in the same field of endeavor Kunjachan teaches:
includes adding the segmentation type having the lowest access permission to the greylist (Kunjachan, [0022] a security rule may specify that a particular access control procedure be used based on a type of a secure identifier and/or a target of a request (i.e. permission). And [0040] the access controller (110) may reference a greylist (226) that includes a list of entities (230b-230x) who have incurred a negative event (232b-232x)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kunjachan in the intrusion detection system of Yang-Newman-Poder by implementing access control with greylist as alternative to whitelist or blacklist based on the secure identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to include those entities with negative event as suspicious identifier in greylist for purpose of access control in managing transactional data (Kunjachan, [0054]).

Regarding claim 14, Yang-Newman-Poder combination teaches:
The method of claim 8, wherein the segmentation type is login attempts that are associated with a historical bad actor (Yang, Col. 2 lines 58-60, Certain embodiments described herein include security operations that function to identify an IP address that attackers use to try large numbers of stolen login credentials), and
wherein implementing, at the front-end server, processing of the one login attempt [includes adding the segmentation type having the lowest access permission to the greylist] in accordance with the determination that the login attempts are associated with a historical bad actor (Yang, Col. 3 lines 1-6, Certain embodiments described herein include security operations that function to identify an IP address that attackers use to try large numbers of stolen login credentials, and that further functions to detect compromised accounts and take security actions to prevent further malicious activities in compromised accounts).30 Attorney Docket No. TM.PO436US  
While the combination of Yang-Newman-Poder does not explicitly teach includes adding the segmentation type having the lowest access permission to the greylist, however in the same field of endeavor Kunjachan teaches:
includes adding the segmentation type having the lowest access permission to the greylist (Kunjachan, [0039] the access controller (110) may reference a greylist (226) that includes a list of entities (230b-230x) who have incurred a negative event (232b-232x)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kunjachan in the intrusion detection system of Yang-Newman-Poder by implementing access control with greylist as alternative to whitelist or blacklist based on the secure identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to include those entities with negative event as suspicious identifier in greylist for purpose of access control in managing transactional data (Kunjachan, [0054]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Yang-Newman-Poder as applied above to claim 8, further in view of Sang et al (US20160364465A1, hereinafter, “Sang”) and Kunjachan et al (US20180349643A1, hereinafter, “Kunjachan”).
Regarding claim 13, Yang-Newman-Poder combination teaches: 
The method of claim 8, 
While the combination of Yang-Newman-Poder does not explicitly teach the following limitation(s), however in the same field of endeavor Sang teaches:
wherein the segmentation types include an internet service provider (ISP) associated with an IP address from which the one login attempt originated that corresponds to a particular ISP (Sang, [0015] To track instances of data items that may be malicious or that may indicate malicious acts, a bucket scheme is used. Data items are received from one or more users within the online environments. Examples of types data items that may be tracked include, but are not limited to new user registrations, logins, failed login attempts, messages sent, invitations to connect sent, payments made, content items posted (i.e. segmentation types). For each type of data item, an identifying characteristic is further used to classify the data item such as, but not limited to, member identifier, cookie information, Internet Protocol (IP) address, Internet Service Provider ( ISP),...); 
[and wherein implementing, at the front-end server, processing of the one loin attempt includes adding the segmentation type having the lowest access permission to the greylist] in accordance with the determination that the internet service provider (ISP) corresponds to a particular ISP (Sang, [0069] For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Sang in the intrusion detection system of Yang-Newman-Poder by tracking on-line acts with bucket scheme to detect potential malicious behavior. This would have been obvious because the person having ordinary skill in the art would have been motivated to track data items such as logins, failed login attempts, content items posted etc. with classification that associated with IP address and internet service provider etc. (Sang, [0015]).
While the combination of Yang-Newman-Poder-Sang does not explicitly teach the following limitation(s), however in the same field of endeavor Kunjachan teaches: 
and wherein implementing, at the front-end server, processing of the one loin attempt includes adding the segmentation type having the lowest access permission to the greylist (Kunjachan, [0039] the access controller (110) may reference a greylist (226) that includes a list of entities (230b-230x) who have incurred a negative event (232b-232x)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kunjachan in the intrusion detection system of Yang-Newman-Poder-Sang by implementing access control with greylist as alternative to whitelist or blacklist based on the secure identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to include those entities with negative event as suspicious identifier in greylist for purpose of access control in managing transactional data (Kunjachan, [0054]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Yang-Kahn-Carothers combination as applied above to claim 15, further in view of McClure et al (US20070011319A1, hereinafter, “McClure”).
Regarding claim 17, Yang-Kahn-Carothers combination teaches: 
The non-transitory computer-readable storage medium of claim 15, 
While Yang-Kahn-Carothers combination teaches IP based intrusion detection but does not explicitly teach class D subnet, however in the similar field of endeavor McClure teaches: 
wherein the IP subnet comprises a Class D subnet (McClure, [0015] Target computers, in one embodiment, are identified by a unique or temporarily unique IP (Internet Protocol) address, typically in the form A.B.C.D, where each of A, B, C and D represent the Class A, Class B, Class C and Class D sub-networks and each has a value between 0 and 255).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of McClure in the intrusion detection system of Yang-Kahn-Carothers by performing vulnerability detection in sub-networks such as class D subnet. This would have been obvious because the person having ordinary skill in the art would have been motivated to implement the method of McClure of automated testing of vulnerabilities to intrusion on a target network such as class D subnet (McClure, [Abstract]) as the intrusion detection system of Yang-Kahn-Carothers would like to perform.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Yang-Kahn-Carothers as applied above to claim 15, further in view of Ge et al (US20140181968A1, hereinafter, “Ge”).
Regarding claim 18, Yang-Kahn-Carothers combination teaches:
The non-transitory computer-readable storage medium of claim 15, 
While Yang-Kahn-Carothers combination does not explicitly teach Class C subnet, however in the same field of endeavor Ge teaches: 
wherein the IP subnet comprises a Class C subnet (Ge, [0082] Specifically, user login IDs are organized into classes based upon the login owner's management hierarchy. And [0083] To construct the class-profiles, the intrusion detection system 102 can take the median statistic on each dimension (i.e., a feature in the profile of login ID) among all users (u) belonging to the class (C)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ge in the intrusion detection system of Yang-Kahn-Carothers by monitoring operational activities and detecting potential network intrusion for regional ISP network specifically associated with user login with class C subnet. This would have been obvious because the person having ordinary skill in the art would have been motivated to implement the Ge’s method of operation in network device associated user login with class C subnet to monitor the operational activities in network and detecting potential network intrusion (Ge, [Abstract], [0002], [0018]).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Yang-Kahn-Carothers as applied above to claim 15, further in view of Newman et al (US20040260952A1, hereinafter, “Newman”).
Regarding claim 22, Yang-Kahn-Carothers combination teaches:
The non-transitory computer-readable storage medium of claim 15, wherein the computer-executable instructions, when executed upon the computing device, 
While the combination of Yang-Kahn-Carothers does not explicitly teach segmenting the login attempts, however in the same field of endeavor Newman teaches: 
cause the computing device further at least to Serial No.: 15/847,388Atty Docket No.: TM.P0436USAtty/Agent: Daniel J. Stangersegment collectively the plurality of login attempts into a plurality of segmentation types of the login attempts from the IP subnet (Newman, [Abstract] A user access security subsystem of a computer information database system utilizes computer grouping criteria (i.e. segmentation type) and user type criteria to control user access to both computer profile data and system administrative features. And [0041] The East login group is designated as Company/East/ (i.e. one segmentation type), and thus, a user who has the East login group has a right to access the record. The users who have East/Marketing/ (i.e. another segmentation type) as their login group do not, however, have the right to access to the data record since the group tree Company/East/Marketing/ is not contained within the group tree specified by the GroupName string in the record); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Newman in the intrusion detection system of Yang-Kahn-Carothers by controlling user access to computer resources using computer grouping criteria and user type criteria. This would have been obvious because the person having ordinary skill in the art would have been motivated to managing user access in to different types of groups with corresponding access permission to maintain access security (Newman, [Abstract], [0041]).
Yang and Carothers further teach:
wherein the determining of the ratio includes determining the ratio of the number of successful login attempts to total login attempts for each segmentation type individually (Yang, Col. 3 lines 16-19, then the security system calculates an overall success ratio for the login requests from the first IP address during the time period and checks to see if the overall success ratio is below a threshold success ratio value), and wherein implementing the addition of the IP subnet to the greylist (Carothers, [0029] The botnet administrator uses the same algorithm so that if the botnet connects to the bots on Tuesday, for example, the domain that the bots look for on Tuesday has a particular date used in the algorithm. When the ISP determines that the domain is to be placed on the greylist, ...) includes adding a segmentation type of the plurality of segmentation types at least in response to determining that the ratio of the number of successful login attempts to total login attempts for the segmentation type is below the predetermined threshold for the segmentation type (Yang, Col. 8 lines 3-8, Operation 214 then involves, in response to determining the login success ratio is below the threshold login success ratio and determining, using analysis module 166, that the number of unique usernames is above the unique username threshold, automatically performing a security action using security event module 168).

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Yang-Kahn-Carothers as applied above to claim 1, further in view of Godwin et al (US20030154396A1, hereinafter, “Godwin”).
Regarding claim 24, Yang-Kahn-Carothers combination teaches:
The system of claim 1, 
While the combination of Yang-Kahn-Carothers does not explicitly teach the following limitation(s), in the same field of endeavor Godwin teaches:
wherein the actions further comprise: randomizing, at the front-end server, an amount of time for the IP subnet to be on the greylist (Godwin, discloses checking tool to examine security logs of attempted login to detect systematic attacks, see e.g. [0021] The invention uses an analysis time frame or "floating period" (i.e. randomizing) in which a threshold of events is defined to indicate a security violation. While no violations are detected within a given floating period, it is advanced by one event repeatedly through the event list to look for other possible violations. If a violation is found within a given floating period, it is next "jumped" to begin at the end of the current floating period to avoid allowing events which have already accumulated to a reported violation also accumulating to another violation report (i.e. greylist), thereby reducing the possibility of "over reporting" violations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Godwin in the intrusion detection system of Yang-Kahn-Carothers by tracking login attempts over floating time period. This would have been obvious because the person having ordinary skill in the art would have been motivated to use host-based systematic attack detection tool to detect login attempts with randomized pattern (Godwin, [Abstract], [0011], [0021]).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436   

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436