Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 02-17-2019 and 09-01-2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “a bucket B configured to hold…” in claim 1, “an excluder which excludes” in claim 5, “a threshold tuner which initializes or changes” in claim 7 and “a breached account finder which finds” in claim 8.
The claim does recite structure in “memory,” and therefore the bucket and the memory are construed to be part of the IDS.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 9 and 16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. 7523499 in view of Honda et al (US Pub. #: 20150350193), hereafter Honda. 
Claims of pending App. 16278127 (claims 1, 9 and 16), followed by the claims of Patent #: 7523499 (claims 1 – 7, 15 – 20 and 31 – 34):
1. An intrusion detection system for a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection system comprising: a processor; a memory in operational communication with the processor; an access failure event set residing at least piecewise in the memory, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts; a bucket B configured to hold user account identifiers, B having a failure count range R which has at least one endpoint value; an attack window which specifies a time period; an alert threshold T which represents an amount of user accounts; and a behavior analyzer which utilizes execution of the processor to analyze GCS access attempt behavior based on at least some of the access failure events by (a) inserting in B the identifiers of user accounts whose number of access failure events within the attack window time period is in the range R, (b) computing an extent E based on the number of user account identifiers in B, and (c) generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T; whereby the intrusion detection system enhances cybersecurity of the GCS by generating the spray attack alert in response to detection of an apparent credential spray attack against the GCS.
9. An intrusion detection process for detecting credential spray attacks against a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection process comprising: locating a digital bucket B; associating a failure count range R with the bucket B, R having at least one endpoint value; getting an alert threshold T which represents an amount of user accounts; reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS; inserting in B the identifiers of user accounts whose number of access failure events is in the range R; computing an extent E based on the number of user account identifiers in B; and generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T; whereby the intrusion detection process enhances cybersecurity of the GCS by generating the spray attack alert in response to detection of activity which is consistent with a credential spray attack against the GCS.
16. A storage medium configured with code which upon execution by one or more processors performs an intrusion detection process for detecting credential spray attacks against a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection process comprising: locating a plurality of N digital buckets B1..BN, with N being at least 2; associating respective failure count ranges R1..RN with the buckets B1..BN, each Ri having at least one endpoint value; getting respective alert thresholds T1..TN which each represent an amount of user accounts; reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS; inserting in each bucket Bi of the buckets B1..BN the identifiers, if any, of user accounts whose number of access failure events is in the corresponding range Ri of the ranges R1..RN; computing an extent Ei based on the number of user account identifiers in each respective non-empty bucket Bi; and generating a spray attack alert when the computed extent Ei meets or exceeds the corresponding alert threshold Ti, for at least one Ti in T1..TN; whereby the intrusion detection process enhances cybersecurity of the GCS by generating the spray attack alert in response to a credential spray attack against the GCS.
1. A method of detecting an attack on an authentication service, said method comprising: storing data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said requests each including a login identifier, a network address from which the request was communicated, and a password, and wherein storing the data relating to the requests comprises storing the login identifier and network address and storing the password of each of the requests in a database of the authentication service only if the request is unsuccessful; searching the stored data based on a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents, comparing the stored data associated with the identified requests with a predefined pattern characterizing an attack based on the stored data of the identified requests to determine when the identified requests indicate the characterized attack on the authentication service; and detecting the attack in response to determining that the identified requests indicate the characterized attack. 
2. The method of claim 1, wherein said storing the data relating to the plurality of the requests comprises storing one or more of the following: a credential type of the one of the plurality of the requests; a user account associated with the one of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp indicating a date and time of the one of the plurality of the requests; a type of interface from which the one of the plurality of the requests is communicated; and the user agent from which the one of the plurality of the requests is communicated. 
3. The method of claim 2, wherein said status of the one of the plurality of the requests comprises one of more of the following: the one of the plurality of the requests is successful; the one of the plurality of the requests is unsuccessful; and the user account associated with the one of the plurality of the requests has been locked. 
4. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following: using a single password to unsuccessfully attempt at least a predetermined quantity of requests on multiple user accounts within a predefined time interval; using the single password to unsuccessfully attempt at least the predetermined quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and unsuccessfully attempting at least the predetermined quantity of the requests from the single network address within the predefined time interval. 
5. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following: using multiple passwords to unsuccessfully attempt at least a predetermined quantity of requests on a single user account within a predefined time interval; using the multiple passwords to unsuccessfully attempt at least the predetermined quantity of the requests from a single network address on the single user account within the predefined time interval; and unsuccessfully attempting at least the predetermined quantity of the requests on the single user account within the predefined time interval. 
6. The method of claim 1, wherein said comparing the stored data associated with each of the identified requests with the predefined pattern comprises comparing the stored data with a pattern characterized by one or more of the following: a single password to unsuccessfully attempt at least a predetermined quantity of requests from multiple network addresses on a single user account within a predefined time interval; and unsuccessfully attempting at least the predetermined quantity of the requests from the multiple network addresses on the single user account. 
7. The method of claim 1, further comprising generating a report in response to detecting the attack, said report providing information regarding the attack for use in defending against the attack.
15. A system of detecting an attack on an authentication service, said system comprising: a first memory area to store data relating to a plurality of authentication requests communicated to an authentication service from a plurality of user agents via a data communication network, said data being stored in the first memory area as a log of the authentication service, wherein each of the requests communicated to the authentication service includes a login identifier, a network address from which the request was communicated, and a password and wherein the stored data contains the login identifier and the network address and contains the password of each of the requests only if the request is unsuccessful, and wherein said first memory area is a database of the authentication service; a second memory area to store a predefined pattern of a plurality of requests, said predefined pattern characterizing an attack on the authentication service; and a processor configured to execute computer-executable instructions to: search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents, compare the stored data associated with each of the identified requests with the predefined pattern, determine whether the identified requests indicate the attack characterized by the predefined pattern, and detect the attack in response to determining that the identified requests indicate the attack characterized by the predefined pattern. 
16. The system of claim 15, wherein the stored data comprises one or more of the following: a credential type of the one of the plurality of the requests; a user account associated with the one of the plurality of the requests; a failed password associated with the one of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp indicating a date and time of the one of the plurality of the requests; a type of interface from which the one of the plurality of the requests is communicated; and the user agent from which the one of the plurality of the requests is communicated. 
17. The system of claim 15, wherein said predefined pattern is characterized by one or more of the following: using a single password to unsuccessfully attempt a quantity of requests on multiple user accounts within a predefined time interval; using the single password to unsuccessfully attempt the quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and unsuccessfully attempting the quantity of the requests from the single network address within the predefined time interval. 
18. The system of claim 15, wherein said predefined pattern is characterized by one or more of the following: using multiple passwords to unsuccessfully attempt a quantity of requests on a single user account within a predefined time interval; using the multiple passwords to unsuccessfully attempt the quantity of the requests from a single network address on the single user account within the predefined time interval; unsuccessfully attempting the quantity of the requests on the single user account within the predefined time interval; using a single password to unsuccessfully attempt a quantity of requests from multiple network addresses on a single user account within a predefined time interval; and using the multiple network addresses to unsuccessfully attempt the quantity of the requests on the single user account. 
19. The system of claim 15, wherein the processor is configured to search the stored data to identify a plurality of the requests by generating a result set based on one or more of the following query variables: a network address that communicates a request, a quantity of user accounts for which access has been attempted, a password associated with a failed request, a quantity of failed requests for one or more user accounts, a quantity of requests for one or more user accounts, and a time interval during which one or more requests are communicated; wherein the result set identifies the stored data relating to one or more requests that correspond to the query variables. 
20. The system of claim 15, wherein the processor is further configured to generate a report in response to detecting the attack, said report providing information regarding the characterized attack for use in defending against the attack.
31. One or more computer-readable storage media having computer-executable components for detecting an attack on an authentication service, said authentication service receiving a plurality of authentication requests communicated from a plurality of user agents via a data communication network, each of said requests including a login identifier, a network address from which the request was communicated, and a password associated therewith, said computer-readable media comprising: a memory component to store data relating to a plurality of unsuccessful requests communicated to the authentication service from the plurality of user agents, wherein the stored data includes the login identifier and the network address, and includes the password of each of the unsuccessful requests communicated to the authentication service and does not include the password of any successful requests, wherein said memory component comprises a database of the authentication service, a query component to search the stored data as a function of a query variable to identify a plurality of the requests communicated from at least one of the plurality of the user agents, and an analyzing component to compare the stored data associated with each of the identified requests with a predefined pattern characterizing an attack based on the stored data of each of the identified requests to determine when the identified request indicates the characterized attack on the authentication service and to detect the attack on the authentication service in response to determining that the identified request indicates the characterized attack. 
32. The computer-readable storage media of claim 31, wherein the stored data comprises one or more of the following information: a credential type of the one of the plurality of the requests; a user account associated with the one of the plurality of the requests; a failed password associated with the one of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp indicating a date and time of the one of the plurality of the requests; a type of interface from which the one of the plurality of the requests is communicated; and the user agent from which the one of the plurality of the requests is communicated. 
33. The computer-readable storage media of claim 31, wherein said predefined pattern is characterized by one or more of the following: using a single password to unsuccessfully attempt a quantity of requests on multiple user accounts within a predefined time interval; using the single password to unsuccessfully attempt the quantity of the requests from a single network address on the multiple user accounts within the predefined time interval; and unsuccessfully attempting the quantity of the requests from the single network address within the predefined time interval. 
34. The computer-readable storage media of claim 31, further comprising a report component to generate a report in response to detecting the attack, said report providing information regarding the attack for use in defending against the attack.
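To make the bucket procedure of pending claims 1, 9 and 16 concrete, here is an added Python example; it is not code from the application or from either cited reference. The bucket ranges Ri, thresholds Ti, attack window and the access failure events are all constructed for illustration, and the multi-bucket form of claim 16 is used so that the single-bucket case of claims 1 and 9 is just N = 1.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessFailure:
    """One access failure event: a failed credential use against one account."""
    account_id: str
    when: datetime


@dataclass(frozen=True)
class Bucket:
    """Bucket Bi with failure count range Ri = [low, high] and alert threshold Ti.

    high=None makes the range open-ended; the threshold is a number of user accounts.
    """
    name: str
    low: int
    high: Optional[int]
    threshold: int

    def in_range(self, failures: int) -> bool:
        return failures >= self.low and (self.high is None or failures <= self.high)


# Constructed bucket set (hypothetical values): a spray shows up as many accounts with
# a small number of failures each, so the "low" bucket carries the larger threshold.
DEFAULT_BUCKETS = [
    Bucket("low", low=1, high=3, threshold=10),
    Bucket("mid", low=4, high=10, threshold=5),
]


def failures_per_account(events, window_end: datetime, attack_window: timedelta) -> Counter:
    """Count access failures per account id inside the attack window ending at window_end."""
    window_start = window_end - attack_window
    counts: Counter = Counter()
    for ev in events:
        if window_start <= ev.when <= window_end:
            counts[ev.account_id] += 1
    return counts


def fill_buckets(counts: Counter, buckets: List[Bucket]) -> Dict[str, Set[str]]:
    """Step (a): insert into each bucket Bi the ids of accounts whose failure count is in Ri."""
    filled: Dict[str, Set[str]] = {b.name: set() for b in buckets}
    for account, n in counts.items():
        for b in buckets:
            if b.in_range(n):
                filled[b.name].add(account)
    return filled


def detect_spray(events, buckets, attack_window: timedelta, window_end: datetime) -> List[dict]:
    """Steps (b) and (c): extent Ei = number of account ids in Bi; alert when Ei >= Ti."""
    counts = failures_per_account(events, window_end, attack_window)
    filled = fill_buckets(counts, buckets)
    alerts = []
    for b in buckets:
        extent = len(filled[b.name])
        if extent >= b.threshold:
            alerts.append({"bucket": b.name, "extent": extent,
                           "threshold": b.threshold, "accounts": sorted(filled[b.name])})
    return alerts


T0 = datetime(2021, 3, 1, 9, 0, 0)  # constructed reference time for the sample data


def sample_events() -> List[AccessFailure]:
    """Constructed access failure event set (not real log data)."""
    events = []
    # Spray-like pattern: 12 distinct accounts, 1-2 failures each, spread over 44 minutes.
    for i in range(12):
        t = T0 + timedelta(minutes=4 * i)
        events.append(AccessFailure(f"user{i:02d}", t))
        if i % 3 == 0:
            events.append(AccessFailure(f"user{i:02d}", t + timedelta(seconds=30)))
    # Many failures against one service account: lands in no spray bucket above.
    for k in range(40):
        events.append(AccessFailure("svc-backup", T0 + timedelta(minutes=20, seconds=k)))
    # Stale failures from the previous day: outside any one-hour attack window.
    for i in range(5):
        events.append(AccessFailure(f"old{i}", T0 - timedelta(days=1, minutes=i)))
    return events


if __name__ == "__main__":
    # A one-hour window catches the spread-out pattern; a ten-minute window does not.
    print(detect_spray(sample_events(), DEFAULT_BUCKETS, timedelta(minutes=60), T0 + timedelta(minutes=60)))
    print(detect_spray(sample_events(), DEFAULT_BUCKETS, timedelta(minutes=10), T0 + timedelta(minutes=45)))
```

The second call shows the role of the attack window: the same events evaluated over a ten-minute window place only three accounts in the low bucket, below its threshold, so no alert is generated.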


Patent #: 7523499 reads on the pending app. 16278127 but is silent on getting an alert threshold T which represents an amount of user accounts;
However, the analogous art Honda teaches getting an alert threshold T which represents an amount of user accounts; ([0072] analysis setting DB, at least a threshold of the correlation coefficient used to identify an attacked destination group (user accounts), and a time period of IDS log data).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of threshold as a function of user accounts as taught by Honda so that even in the log-in trial attack performed by the relatively-small number of times, the attack source IP is identified ([0111]).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 9 and 16 recite the limitation "the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts; a bucket B configured to hold user account identifiers… an alert threshold T which represents an amount of user accounts … (a) inserting in B the… range R, … extent E".  It is not clear whether the terms “user accounts, user account identifiers, bucket B, range R, extent E (used later)” have antecedent basis; there is insufficient antecedent basis for this limitation in the claim. Therefore the corresponding dependent claims 2 – 8, 10 – 15 and 17 – 20 are also rejected for the same rationale.
The term "an access failure event set residing at least piecewise in the memory" in claim 1 is a relative term which renders the claim indefinite.  The term "at least piecewise" is not defined by the claim, the specification [0005] does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  It is not clear what the phrase means; only a vague meaning is given in the specification [0005], namely that at least part of the data of the event set is in the memory. If the applicant intends a different meaning, the applicant is advised to qualify or quantify the term, or to amend the claim to remove it, without adding any new matter. Therefore the corresponding dependent claims 2 – 8 are also rejected for the same rationale.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to non-statutory subject matter.  Claim 16 does not fall within at least one of the four categories of patent eligible subject matter because it is directed to “A storage medium” (signal per se), which is non-statutory subject matter: a computer-readable medium does not fall in any of the four categories of process, manufacture, machine or composition, as it does not provide any hardware or tangible structure to the claim. Therefore all corresponding dependent claims 17 – 20 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gurkok et al (US Pub. #: 20180205748), hereafter Gur, and Honda et al (US Pub. #: 20150350193), hereafter Honda.
Claim 1: Gur teaches an intrusion detection system for a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection system comprising: a processor; a memory in operational communication with the processor (Summary, Fig. 3); an access failure event set residing at least piecewise in the memory, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts; a bucket B configured to hold user account identifiers, B having a failure count range R which has at least one endpoint value; an attack window which specifies a time period; ([0013-14] a historical data set of log-in attempts over a historical period for set of all users, presumed normal activity on average, the intrusion detection system (IDS) learns and clusters to identify unusual log-in attempts ([0034] into a hierarchy of time-interval bins... (i.e., B)) Each stored login attempt is a tuple, such as user u, source s, destination d, day of week dy, hour of day hr (i.e., time period), and status st. Source is the server from which the login attempt originated, destination is the target of the attempted login, and status is the success/failure of the login attempt; [0009] outlier score is determined based on values associated with the destination score and the source given destination score of the number of failed login attempts (i.e., R) [0011] for a number of users; [0053] threshold is the magnitude or intensity satisfied for a certain reaction, phenomenon, result, or condition to occur or be manifested);
and a behavior analyzer which utilizes execution of the processor to analyze GCS access attempt behavior based on at least some of the access failure events by (a) inserting in B the identifiers of user accounts whose number of access failure events within the attack window time period is in the range R ([0034] the IDS trains on historical data for the same time-interval bin in the same context. From such training, the IDS determines the previously noted average login unusualness score and number of attempted logins for different time horizons. The IDS scores a user's login activity for how unusual it is, in the past minute, in the past 5 minutes, in the past 30 minutes, etc.);
(b) computing an extent E based on the number of user account identifiers in B ([0032-33] the IDS determines scores, which is suitable aggregates of scores of individual logins. For each user u, and from the set of logins, the user attempted on a day, the IDS derives two statistics, the average of the outlier scores of these logins and the number of logins);
and (c) generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T; ([0053-54] Having determined the outlier score, an alert is outputted if the outlier score satisfies a threshold);
whereby the intrusion detection system enhances cybersecurity of the GCS by generating the spray attack alert in response to detection of an apparent credential spray attack against the GCS. ([0011] IDS can detect unusual activity 24 hours a day and 7 days a week, and alert a security administrator when unusual activity is detected).
Gur teaches the concept but is silent on an alert threshold T which represents an amount of user accounts and failure count range R;
However, the analogous art Honda teaches an alert threshold T which represents an amount of user accounts and failure count range R; ([0072] analysis setting DB, at least a threshold of the correlation coefficient used to identify an attacked destination group (user/victim accounts), and a time period of IDS log data; Fig. 5 indicates number of attacks on a victim account at a given time; Fig. 7 shows a set of user accounts and corresponding identifiers).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of a threshold that is a function of user accounts at a given time, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 9: Gur teaches an intrusion detection process for detecting credential spray attacks against a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection process comprising (Summary, Fig. 3): locating a digital bucket B; associating a failure count range R with the bucket B, R having at least one endpoint value; reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS; inserting in B the identifiers of user accounts whose number of access failure events is in the range R; computing an extent E based on the number of user account identifiers in B; and generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T; whereby the intrusion detection process ([0013-14] a historical data set of log-in attempts over a historical period for the set of all users, presumed to be normal activity on average; the intrusion detection system (IDS) learns and clusters to identify unusual log-in attempts ([0034] into a hierarchy of time-interval bins... (i.e., bucket)). Each stored login attempt is a tuple, such as user u, source s, destination d, day of week dy, hour of day hr (i.e., time period), and status st. Source is the server from which the login attempt originated, destination is the target of the attempted login, and status is the success or failure of the login attempt; [0009] the outlier score is determined based on values associated with the destination score and the source-given-destination score of the number of failed login attempts [0011] for a number of users; [0053] a threshold is the magnitude or intensity that must be satisfied for a certain reaction, phenomenon, result, or condition to occur or be manifested; [0034] the IDS trains on historical data for the same time-interval bin in the same context. 
From such training, the IDS determines the previously noted average login unusualness score and number of attempted logins for different time horizons. The IDS scores a user's login activity for how unusual it is, in the past minute, in the past 5 minutes, in the past 30 minutes, etc; [0032-33] the IDS determines scores, which is suitable aggregates of scores of individual logins. For each user u, and from the set of logins, the user attempted on a day, the IDS derives two statistics, the average of the outlier scores of these logins and the number of logins; [0053-54] Having determined the outlier score, an alert is outputted if the outlier score satisfies a threshold; [0011] IDS can detect unusual activity 24 hours a day and 7 days a week, and alert a security administrator when unusual activity is detected).
Gur teaches the concept but is silent on getting an alert threshold T which represents an amount of user accounts and failure count range R;
However, the analogous art Honda teaches getting an alert threshold T which represents an amount of user accounts and failure count range R; ([0072] analysis setting DB, at least a threshold of the correlation coefficient used to identify an attacked destination group (user accounts), and a time period of IDS log data; Fig. 5 indicates number of attacks on a victim account at a given time; Fig. 7 shows a set of user accounts and corresponding identifiers).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of a threshold that is a function of user accounts at a given time, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 16: Gur teaches a storage medium configured with code which upon execution by one or more processors performs an intrusion detection process for detecting credential spray attacks against a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection process comprising: locating a plurality of N digital buckets B1..BN, with N being at least 2; associating respective failure count ranges R1..RN with the buckets B1..BN, each Ri having at least one endpoint value; reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS; inserting in each bucket Bi of the buckets B1..BN the identifiers, if any, of user accounts whose number of access failure events is in the corresponding range Ri of the ranges R1..RN; computing an extent Ei based on the number of user account identifiers in each respective non-empty bucket Bi; and generating a spray attack alert when the computed extent Ei ([0013-14] a historical data set of log-in attempts over a historical period for set of all users, presumed normal activity on average, the intrusion detection system (IDS) learns and clusters to identify unusual log-in attempts ([0034] into a hierarchy of time-interval bins... (i.e., bucket)) Each stored login attempt is a tuple, such as user u, source s, destination d, day of week dy, hour of day hr (i.e., time period), and status st. 
Source denotes the server from which the login attempt originated, destination denotes the target of the attempted login, and status denotes the success or failure of the login attempt; [0009] the outlier score is determined based on values associated with the destination score and the source-given-destination score of the number of failed login attempts [0011] for a number of users; [0053] a threshold is the magnitude or intensity that must be satisfied for a certain reaction, phenomenon, result, or condition to occur or be manifested; [0034] the IDS trains on historical data for the same time-interval bin in the same context. From such training, the IDS determines the previously noted average login unusualness score and number of attempted logins for different time horizons. The IDS scores a user's login activity for how unusual it is, in the past minute, in the past 5 minutes, in the past 30 minutes, etc; [0032-33] the IDS determines scores, which are suitable aggregates of the scores of individual logins. For each user u, and from the set of logins the user attempted on a day, the IDS derives two statistics: the average of the outlier scores of these logins and the number of logins; [0053-54] having determined the outlier score, an alert is outputted if the outlier score satisfies a threshold; [0011] the IDS can detect unusual activity 24 hours a day and 7 days a week, and alert a security administrator when unusual activity is detected).
Gur teaches the concept but is silent on getting respective alert thresholds T1..TN which each represent an amount of user accounts and failure count range R;
However, the analogous art Honda teaches getting respective alert thresholds T1..TN which each represent an amount of user accounts and failure count range R; ([0072] analysis setting DB, at least a threshold of the correlation coefficient used to identify an attacked destination group (user accounts), and a time period of IDS log data; Fig. 5 indicates number of attacks on a victim account at a given time; Fig. 7 shows a set of user accounts and corresponding identifiers).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of thresholds that are a function of user accounts at a given time, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 2: the combination of Gur and Honda teaches the system of claim 1, further comprising a plurality of N buckets B1..BN, the buckets B1..BN associated with respective failure count ranges R1..RN, wherein the ranges partition a numeric range from a lowest endpoint of R1 to a highest endpoint of RN, wherein the system also includes a plurality of alert thresholds T1..TN and a plurality of computed extents E1..EN corresponding to the buckets B1..BN, and wherein the behavior analyzer analyzes GCS access attempt behavior on a per-bucket basis with N being at least 2. (Gur: [0034] the IDS clusters the login attempts into a hierarchy of time-interval bins, based on user, destination, year, month, day, hour, and minutes, covering multiple time horizons; [0009-11, 0032] ... the count of attempts by the user to log in to the destination server. Outlier aggregate (ensemble) scores are determined based on values associated with the destination scores and the source-given-destination scores. An alert is output if the outlier scores satisfy a threshold... the IDS detects intrusions by modeling unusual behaviors using feature-based holistic approaches. As a result, users' normal login patterns can be modelled based on historical data; [0053] an alert is caused to be outputted if the outlier score satisfies a threshold).
Claim 3: the combination of Gur and Honda teaches the system of claim 1, further characterized by at least one of the following characteristics: the credentials comprise plaintext passwords, pass phrases, or PINs; the credentials comprise hashes; the credentials comprise digital certificates; or the credentials comprise digital representations of biometric information. (Honda: [0005] each of the users logs into a system of the NW user using authentication information that has been registered in advance (end user name and password)).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of any user credential(s), as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 4: the combination of Gur and Honda teaches the system of claim 1, further characterized by at least one of the following characteristics: the user account identifiers identify accounts in a public cloud GCS; the user account identifiers identify accounts in a hybrid cloud GCS; or the user account identifiers identify accounts in a network GCS which communicates with the internet via a security mechanism. (Gur: [0010, 56] IDS identifies a user attempting to login from a source server to a destination server, a cloud computing environment in which data, applications, services, and other resources are stored and delivered through shared data-centers and appear as a single point of access for the users).
Claim 5: the combination of Gur and Honda teaches the system of claim 1, further comprising an excluder which excludes items by excluding events or user accounts or both, and wherein the behavior analyzer omits excluded items from the GCS access attempt behavior analysis. (Honda: [0079] at the detection time point of an IP address H_4, recording of the number of log-in trials (number of attacks) for the IP addresses V_2 and V_3 is not performed. Therefore, the IP address H_4 is not identified as the attack source IP).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of excluding legitimate sources, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 6: the combination of Gur and Honda teaches the system of claim 5, wherein the excluder recognizes as excludable and then excludes at least one of the following items: an access failure event which indicates that a formerly valid credential was used in a failed attempt to access a user account; a user account identifier which identifies a user account whose formerly valid credential was used in a failed attempt to access the user account within the past K days, where K is in the range 1..30; an access failure event which identifies a user account whose credential was changed within the past K days, where K is in the range 1..30; a user account identifier which identifies a user account whose credential was changed within the past K days, where K is in the range 1..30. (Honda: [0044] the verification device performs output of the stolen user name (Fig. 2). The stolen user name is registered, for example, to a list. The NW user who has learned the stolen user name with reference to the list changes the setting of the system so that log-in with the stolen user name is rejected. In addition, the NW user requests the end user to change the stolen end user name for a new end user name. At that time, the NW user requests the end user to change the stolen password for a new password... [0079] at the detection time point of an IP address H_4, recording of the number of log-in trials (number of attacks) for the IP addresses V_2 and V_3 is not performed. Therefore, the IP address H_4 is not identified as the attack source IP).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of excluding accounts on the stolen-credential list, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 7: the combination of Gur and Honda teaches the system of claim 1, further comprising a threshold tuner which initializes or changes the alert threshold T based on historic access failure data. (Gur: [0053] threshold shall be positive or negative and configurable by admins).
Claim 8: the combination of Gur and Honda teaches the system of claim 1, further comprising a breached account finder which finds a user account Z that has apparently been breached, based on the presence of Z's account identifier in the bucket when the extent E met or exceeded T, thereby generating the spray attack alert, and also based on failed access attempts against Z being followed by an access success event indicating successful access to Z. (Honda: [0043, 72] the verification device determines that an end user name in the record is a "stolen user name". The "stolen user name" indicates an end user name that has been stolen by the attacker... the attacked destination group analysis unit obtains data that is matched with the analysis interval from the IDS log, and selects (identifies) an attacked destination for which the calculation result of the correlation coefficient exceeds the threshold; [0103] the NW user utilizing the server knows that the end user names "Alice" and "Bob" have been stolen by the attack source; [0012] unauthorized log-in success is determined based on a feature in an access log that there is a record in which log-in is performed successfully once after a large number of log-in trial failures).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of reporting to an administrator that a successful login followed several unsuccessful attempts, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 10: the combination of Gur and Honda teaches the process of claim 9, wherein getting the alert threshold T comprises automatically calculating T based on at least the following: an average AR of the number of user accounts whose number of access failure events is in the range R, and a standard deviation of the average AR. (Gur: [0032] the average daily score of user u over the past 60 days had a mean m_u and a standard deviation s_u. The time series of these averages is best fit by a horizontal line, i.e. the averages are neither up-trending nor down-trending. The average score on a given day for this user is a_u. If a_u ≤ m_u − 2·s_u, this strongly suggests that user u's login activity today is very unusual relative to user u's history).
Claim 11: the combination of Gur and Honda teaches the process of claim 10, wherein getting the alert threshold T comprises excluding from calculation of T an access attempt failure which is attributable to use of an obsolete user account credential. (Honda: [0079] at the detection time point of an IP address H_4, recording of the number of log-in trials (number of attacks) for the IP addresses V_2 and V_3 is not performed. Therefore, the IP address H_4 is not identified as the attack source IP).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of excluding legitimate sources, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 12: the combination of Gur and Honda teaches the process of claim 10, wherein getting the alert threshold T comprises excluding from calculation of T a failed attempt to access a user account that underwent a credential change within K previous days, K in the range of 1 to 30. (Honda: [0044] the verification device performs output of the stolen user name (Fig. 2). The stolen user name is registered, for example, to a list. The NW user who has learned the stolen user name with reference to the list changes the setting of the system so that log-in with the stolen user name is rejected. In addition, the NW user requests the end user to change the stolen end user name for a new end user name. At that time, the NW user requests the end user to change the stolen password for a new password... [0079] at the detection time point of an IP address H_4, recording of the number of log-in trials (number of attacks) for the IP addresses V_2 and V_3 is not performed. Therefore, the IP address H_4 is not identified as the attack source IP).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of excluding accounts on the stolen-credential list, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 13: the combination of Gur and Honda teaches the process of claim 10, wherein calculation of T is further based on creating at least a predetermined minimum difference between T and the average AR. (Gur: [0032] for each user u, and from the set of logins L_{u,d} the user attempted on day d, the IDS derives two statistics: the average of the outlier scores of these logins, denoted m_{u,d}, and the number of logins, i.e. the cardinality of L_{u,d}. The IDS determines the historic time series of each of these statistics per user, and uses these calculations to check whether user u's activity today is highly unusual).
Claim 14: the combination of Gur and Honda teaches the process of claim 9, wherein the process detects a credential spray attack against the GCS, and the process enhances cybersecurity of the GCS by generating the spray attack alert in advance of at least one of the following responses to the detected credential spray attack: disruption of the credential spray attack; mitigation of harm from the credential spray attack; identification of a source of the credential spray attack; or identification of a user account that was breached by the credential spray attack. (Gur: [0011] the IDS can detect unusual activity 24 hours a day and 7 days a week, and alert a security administrator when unusual activity is detected; [0053] an alert is caused to be outputted if the outlier score satisfies a threshold... the IDS blocks the user's current attempt to log in to the destination server).
Claim 15: the combination of Gur and Honda teaches the process of claim 9, further comprising ascertaining an attack window time period, and wherein the inserting inserts in B the identifiers of user accounts whose number of access failure events within the attack window time period is in the range R. (Gur: [0013-14] a data set of log-in attempts over a historical period, presumed to be normal activity on average; the IDS learns to identify unusual log-in attempts... the IDS determines in the training set (historical data set) that user u made 100 login attempts, and the total number of login attempts in this data set (across all users)).
Claim 17: the combination of Gur and Honda teaches the storage medium of claim 16, wherein the range RN is an open-ended range with a fixed and bounded lower endpoint and an arbitrarily large upper endpoint. (Gur: [0032] for each user u, and from the set of logins L_{u,d} the user attempted on day d, the IDS derives two statistics: the average of the outlier scores of these logins, denoted m_{u,d}, and the number of logins, i.e. the cardinality of L_{u,d}. The IDS determines the historic time series of each of these statistics per user, and uses these calculations to check whether user u's activity today is highly unusual).
Claim 18: the combination of Gur and Honda teaches the storage medium of claim 16, wherein getting respective alert thresholds T1..TN comprises: monitoring for at least H days attempts to use credentials to access user accounts of the GCS, where H is at least five; calculating averages AR1..ARN of the number of user accounts whose number of access failure events is in the respective ranges R1..RN; and calculating respective standard deviations STDV1..STDVN of the averages AR1..ARN. (Gur: [0032] the average daily score of user u over the past 60 days had a mean m_u and a standard deviation s_u. The time series of these averages is best fit by a horizontal line, i.e. the averages are neither up-trending nor down-trending. The average score on a given day for this user is a_u. If a_u ≤ m_u − 2·s_u, this strongly suggests that user u's login activity today is very unusual relative to user u's history).
Claim 19: the combination of Gur and Honda teaches the storage medium of claim 16, wherein getting respective alert thresholds T1..TN comprises at least one of the following: excluding from calculation of at least one Ti an access attempt failure which is attributable to use of an (Honda: [0044] the verification device performs output of the stolen user name (Fig. 2). The stolen user name is registered, for example, to a list. The NW user who has learned the stolen user name with reference to the list changes the setting of the system so that log-in with the stolen user name is rejected. In addition, the NW user requests the end user to change the stolen end user name for a new end user name. At that time, the NW user requests the end user to change the stolen password for a new password... [0079] at the detection time point of an IP address H_4, recording of the number of log-in trials (number of attacks) for the IP addresses V_2 and V_3 is not performed. Therefore, the IP address H_4 is not identified as the attack source IP).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of excluding accounts on the stolen-credential list, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
Claim 20: the combination of Gur and Honda teaches the storage medium of claim 16, further comprising finding a user account Z that has apparently been breached, based on the presence of the user account's identifier in at least one bucket Bi, and also based on a subsequent access success event indicating an access to the user account Z. (Honda: [0043, 72] the verification device determines that an end user name in the record is a "stolen user name". The "stolen user name" indicates an end user name that has been stolen by the attacker... the attacked destination group analysis unit obtains data that is matched with the analysis interval from the IDS log, and selects (identifies) an attacked destination for which the calculation result of the correlation coefficient exceeds the threshold; [0103] the NW user utilizing the server knows that the end user names "Alice" and "Bob" have been stolen by the attack source; [0012] unauthorized log-in success is determined based on a feature in an access log that there is a record in which log-in is performed successfully once after a large number of log-in trial failures).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gur to include the idea of reporting to an administrator that a successful login followed several unsuccessful attempts, as taught by Honda, so that even in a log-in trial attack performed a relatively small number of times, the attack source IP is identified (Honda [0111]).
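The following worked example shows, end to end, the detection scheme recited in claims 1, 9, 16 and 18 (failure-count buckets over an attack window, per-bucket extents, thresholds tuned from the average and standard deviation of historic extents), together with the excluder of claims 5, 6 and 12 and the breached-account finder of claims 8 and 20. It is an illustration added to this record; it is not the applicant's code, nor code from Gur or Honda. The event log, the ranges R1..R3, the multiplier k = 3 and the minimum gap of 2 above each average are constructed assumptions chosen to make the arithmetic easy to follow.

```python
"""Bucket-based credential-spray detection with a historic threshold tuner and a
breached-account finder. Added illustration only; all events are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str   # user account identifier
    success: bool  # False = access failure event


# Failure-count ranges R1..RN (assumed); (lo, None) is the open-ended top range of claim 17.
RANGES = [(1, 2), (3, 9), (10, None)]


def fill_buckets(events, start, end, excluded=frozenset(), ranges=RANGES):
    """Put each account id into the bucket Bi whose range Ri contains the account's number
    of failures inside the attack window [start, end). Excluded accounts (for example, a
    credential changed within the last K days) are omitted, as in claims 5, 6 and 12."""
    fails = Counter(e.account for e in events
                    if not e.success and start <= e.ts < end and e.account not in excluded)
    buckets = [set() for _ in ranges]
    for acct, n in fails.items():
        for i, (lo, hi) in enumerate(ranges):
            if lo <= n and (hi is None or n <= hi):
                buckets[i].add(acct)
                break
    return buckets


def extents(buckets):
    """Extent Ei = number of user account identifiers in bucket Bi."""
    return [len(b) for b in buckets]


def tune_thresholds(history, end, days=7, k=3.0, min_gap=2.0, excluded=frozenset(), ranges=RANGES):
    """Threshold tuner (claims 7, 10, 13, 18): per range, the average ARi and standard
    deviation STDVi of the daily extents over `days` past days (H >= 5);
    Ti = ARi + k*STDVi, but never less than ARi + min_gap."""
    daily = defaultdict(list)
    for d in range(days):
        day_start = end - timedelta(days=days - d)
        day_ext = extents(fill_buckets(history, day_start, day_start + timedelta(days=1), excluded, ranges))
        for i, e in enumerate(day_ext):
            daily[i].append(e)
    return [max(mean(daily[i]) + k * pstdev(daily[i]), mean(daily[i]) + min_gap)
            for i in range(len(ranges))]


def detect(events, start, end, thresholds, excluded=frozenset(), ranges=RANGES):
    """Return (bucket index, Ei, Ti, accounts) for every non-empty bucket whose Ei >= Ti."""
    buckets = fill_buckets(events, start, end, excluded, ranges)
    return [(i, len(b), t, sorted(b)) for i, (b, t) in enumerate(zip(buckets, thresholds))
            if b and len(b) >= t]


def breached_accounts(events, flagged, start, end):
    """Accounts in an alerting bucket whose failures are followed by a success (claims 8, 20)."""
    per_acct = defaultdict(list)
    for e in events:
        if e.account in flagged and start <= e.ts < end:
            per_acct[e.account].append(e)
    breached = []
    for acct, evs in per_acct.items():
        failed_before = False
        for e in sorted(evs, key=lambda x: x.ts):
            if not e.success:
                failed_before = True
            elif failed_before:
                breached.append(acct)
                break
    return sorted(breached)


BASE = datetime(2020, 1, 1)  # constructed attack window: this calendar day


def sample_events():
    """Constructed log: seven quiet days, then a low-and-slow spray on day BASE."""
    ev = []
    for d in range(1, 8):  # two users mistype once and then log in, every prior day
        day = BASE - timedelta(days=d)
        for acct in ("alice", "bob"):
            ev.append(Event(day + timedelta(hours=9), acct, False))
            ev.append(Event(day + timedelta(hours=9, minutes=1), acct, True))
        if d == 3:  # one user fails four times on a single prior day
            ev += [Event(day + timedelta(hours=14, minutes=m), "dave", False) for m in range(4)]
    for i in range(40):  # spray: two guesses against each of 40 accounts
        t = BASE + timedelta(hours=10, minutes=i)
        ev.append(Event(t, f"u{i:02d}", False))
        ev.append(Event(t + timedelta(seconds=30), f"u{i:02d}", False))
    ev.append(Event(BASE + timedelta(hours=10, minutes=8), "u07", True))  # a guess hit
    ev += [Event(BASE + timedelta(hours=11, minutes=m), "erin", False) for m in range(3)]
    return ev


def run():
    events = sample_events()
    excluded = frozenset({"erin"})  # assumed: erin's credential changed within K days
    thresholds = tune_thresholds(events, BASE, excluded=excluded)
    alerts = detect(events, BASE, BASE + timedelta(days=1), thresholds, excluded)
    flagged = {a for _, _, _, accts in alerts for a in accts}
    breached = breached_accounts(events, flagged, BASE, BASE + timedelta(days=1))
    return thresholds, alerts, breached


if __name__ == "__main__":
    print(run())
```

With this data the tuner sets T1 = 4 (the quiet days always put exactly two accounts in R1, so the standard deviation is zero and the minimum gap governs), T2 ≈ 2.14 and T3 = 2. On the attack day 40 accounts land in R1 with only two failures each, so E1 = 40 ≥ T1 raises the spray alert even though no single account would trip a per-account lockout; erin's three fumbles after a password change are excluded and R2 stays empty; and u07 is reported as breached because its failures were followed by a success inside the window.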

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. BE'ERY et al (US Pub. #: 20170195346): SYSTEMS AND METHODS FOR THE DETECTION OF ADVANCED ATTACKERS USING CLIENT SIDE HONEYTOKENS.
2. Addala et al (US Pub. #: 9438604): Managing user authentication in association with application access.
3. Wilkins et al (US Pub. #: 7523499): Security attack detection and defense.
4. Ge et al (US Pub. #: 20140181968): Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses.
5. Rosenoer (US Pub. #: 8424061): Method, system and program product for authenticating a user seeking to perform an electronic service request.
6. White et al (US Pub. #: 7444263): Performance metric collection and automated analysis.
7. SYSTEM FOR DETECTING ABNORMAL BEHAVIOR BY ANALYZING PERSONALIZED INITIAL USE BEHAVIOR PATTERN.
8. Keohane et al (US Pub. #: 20200112585): DYNAMIC PROTECTION FROM DETECTED TO BRUTE FORCE ATTACK.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN /Examiner, Art Unit 2438.