DETAILED ACTION
This Office Action is in response to the application 16/351,535 filed on March 13th, 2019.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending and herein considered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 10-18 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claim 10; claim 10 calls for computer system; however, the body of the claim does not positively recite any hardware element. As recited in the body of the claim, the claimed system contains “a database” and “a processor.” The database can be construed by a software component. Regarding the claim a processor, one of ordinary skill in the art would understand that a “processor” could be a software processor (See “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000). Because the elements of claim 10 are interpreted as merely software and the claim lacks any physical device or machine, the claim is directed to non-statutory subject matter. It is suggested that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory under 35 U.S.C. 101.
Regarding claims 11-18; claims 11-18 do not recite any hardware element to resolve the issue in the independent claim 10. Therefore, claims 11-18 are also non-statutory under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C 103(a) as being unpatentable over Gummaraju et al. (Gummaraju), U.S. Pub. Number 2018/0034858, in view of Bondesen et al. (Bondesen), U.S. Pub. Number 2015/0254642.
Regarding claim 1; Gummaraju discloses a method of mitigating leakage of credentials of a user of a computer network, the method comprising:
monitoring, by a processor in communication with the computer network, at least one data source to scrape data that is compatible with credential data (par. 0039; monitoring the networked member 120 for one or more application-layer operations and/or protocol used by the networked member 120.);
(par. 0040; the injection mechanism 240 identifies one or more appropriate tokens 222 (e.g., identity token 224 associated with the client resource 122 and access token 226 associated with the destination resource 124) and injects the tokens 222 into the network communication.);
authenticating, by an active directory application of the computer network, the identified at least one potential leaked credential by a database of valid credentials of the computer network (par. 0047; one or more tokens 222 are injected into the network communication for use is authenticating and/or authorizing the client resource 122 in accordance with one or more security policies 142 included in the tokens 222.).
Gummaraju fails to explicitly disclose replacing credentials corresponding to the at least one leaked credential, by the active directory application.
However, in the same field of endeavor, Bondesen discloses digital wallet exposure reduction comprising replacing credentials corresponding to the at least one leaked credential, by the active directory application (Bondesen: par. 0030; financial transactions as utilizing a “token” (e.g., an alias, substitute, surrogate, or other like identifier) as a replacement for sensitive account information, and in particular account numbers.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bondesen into the system of Gummaraju comprising replacing credentials corresponding to the at least one leaked credential, by the active directory application to verify a user’s identity before transferring any personal information using an electronic means (Bondesen: par. 0001)
Regarding claim 2; Gummaraju and Bondesen disclose the method of claim 1, Gummaraju further discloses comprising training the machine learning algorithm on a predetermined set of credentials to identify credentials in an unstructured text (Gummaraju: par. 0055; a predetermined client security threshold.).
Regarding claim 3; Gummaraju and Bondesen disclose the method of claim 2, wherein Gummaraju further discloses the machine learning algorithm is configured to identify credentials in chunks of the unstructured text (Gummaraju: par. 0078; information such as text, images, audio, video, graphics, alerts, and the like may be presented to a user via one or more presentation devices such as a monitor 566, a printer 567, and/or a speaker 568.).
Regarding claim 4; Gummaraju and Bondesen disclose the method of claim 1, Bondesen further discloses comprising checking if the at least one potential leaked credential corresponds to at least one predetermined domain name of the computer network (Bondesen: par. 0043; the payment association networks 30.).
Regarding claim 5; Gummaraju and Bondesen disclose the method of claim 1, wherein Gummaraju further discloses the at least one data source is external to the computer network (Gummaraju: par. 0080; in a LAN networking environment, the computer 510 is coupled to the LAN 582 through a network interface or adapter 584; in a WA networking environment, the computer 510 may include a modem 585 or other means for establishing communications over the WAN 583, such as the Internet.).
Regarding claim 6; Gummaraju and Bondesen disclose the method of claim 1, wherein Gummaraju further discloses the scraping of data is carried out periodically at predetermined times (Gummaraju: par. 0082; the cryptographically-signed tokens are valid for a predetermined time period, limiting an opportunity for a potential attacker to use a leaked token.).
Regarding claim 7; Gummaraju and Bondesen disclose the method of claim 1, Gummaraju further discloses comprising issuing an alert to the user corresponding to the authenticated at least one leaked credential (Gummaraju: par. 0083; the controller is configured to identify inconsistent authentication patterns and alert administrators in real time about suspicious activity.).
Regarding claim 8; Gummaraju and Bondesen disclose the method of claim 1, Gummaraju further discloses comprising removing the authenticated at least one leaked credential from the at least one data source (Gummaraju: par. 0041; removing the service credential 146 from the network communication, and/or cryptographically signing the network communication.).
Regarding claim 9; Gummaraju and Bondesen disclose the method of claim 1, Bondesen further discloses comprising filtering out irrelevant credentials from the identified at least one potential leaked credential in accordance with the active directory application (Bondesen: par. 0083; filter other attributes of the transaction that may lead to financial loss using one or more of the attributes; e.g., the frequency and/or velocity of transactions may be analyzed in a similar manner, such that the transaction history of the payment vehicle involving in a purchase transaction is used to determine a first threshold and a second threshold to be used in determining the potential of exposure to loss.).
Regarding claims 10-18
Regarding claims 19-20; Claims 19-20 are directed to method which have similar scope as claims 1-9. Therefore, claims 19-20 remain un-patentable for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087.  The examiner can normally be reached on 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 



/KHOI V LE/
Primary Examiner, Art Unit 2436