Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Examiner’s Amendment and Examiner’s Reasons for Allowance action is in response to the filing of 09/28/2020. Claims 1-12, 17 and 18 have been amended per applicant’s request, therefore claims 1-20 are presently pending in the application and have been considered as follows.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Christopher J. Volkmann (Reg. No. 60349) on 01/12/2021.

The application has been amended as follows: 

 20. (Cancelled) 
Allowance
Acknowledgement to applicant’s amendment to claims 1 has been noted. The claims have been reviewed, entered and found obviating to previously raised rejection 

Acknowledgement to applicant’s amendment to claims 1 and 12 has been noted. The claims have been reviewed, entered and found obviating to previously raised rejection under 35 USC 112(b) which is hereby withdrawn for claims 1-19. 

Acknowledgement to applicant’s amendment to claims 1 and 12 has been noted. The claims have been reviewed, entered and found obviating to previously raised rejection under 35 USC 103 which is hereby withdrawn for claims 1-19.


Claims 1-19 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: although the prior art of record (such as McGrew et al. (US20160344768)) a data processing method is performed by a central computer. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer selects a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found. (Para. 0024)

none of the prior art, alone or in combination, teaches

 Independent Claim 1:  “…detect a plurality of processes configured to authenticate to the computing system based on a certificate; generate certificate-specific usage data that identifies each of the processes and represents historical usage of the certificate by the set of processes to execute an operation on the computing system; detect that a given process is attempting to authenticate to the computing system using the certificate; determine that the attempted authentication is anomalous based on the certificate-specific usage data; based on the determination, generate a certificate usage anomaly signal indicative of the anomalous attempted authentication; and generate an alert control signal representing a near real time alert based on the certificate usage anomaly signal.”.


in view of other limitations of claim 1.

Independent Claims 12 are allowed based on reasons mentioned above in regards to independent claim 1.

Dependent claims are allowed as they depend from an allowable independent claim.

The closest prior art made of record are:
McGrew et al. (US20160344768) In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
Ashley et al. (US 9967236) Techniques for credentials enforcement using a firewall are disclosed. In some embodiments, a system, process, and/or computer program product for enforcement using a firewall includes storing a plurality of user credentials at a network device; monitoring network traffic at the network device to determine if there is a match with one or more of the plurality of user credentials; and performing an action if the match is determined. 
Janjua et al. (US 20140283054) A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site.
 Trammel et al. (US 20140075513)   Various techniques for providing a device token protocol for authorization and persistent authentication shared across applications are disclosed. In some embodiments, a device token protocol for authorization and persistent authentication shared across applications includes sending user credentials to a remote server to authenticate a user on a device for a plurality of applications; and receiving a device token from the remote server for the user to authenticate the user for the plurality of applications on the device, in which the device token facilitates authentication and authorization.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Conclusion



Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841.  The examiner can normally be reached on Monday through Friday between 8:00 AM to 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 





/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432