Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to communication filed on 10/29/2020. Claims 1-4, 6-13 and 15-18 are elected. Claims 1, 6, 10 and 15 are independents. Claims 1-4, 6-13 and 15-18 are currently pending.

Restriction/Election
	Applicant's election with traverse of claims 1-4, 6-13 and 15-18 in the reply filed on 10/29/2020 is acknowledged. The traversal is on the grounds that since no serious burden exists for search and examination of the groups defined in the outstanding office action, no benefit is derived from imposing restriction among Species I and II. This is not found persuasive because group I uses a set model and group II uses superset and bloom filter and salt technique. There would be a serious search and/or examination burden if restriction were not required.
The requirement is still deemed proper and is therefore made FINAL.

Examiner's Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided 
Authorization for this examiner’s amendment was given in a telephone interview with Applicant’s representative Gunnar G. Leinberg, Reg No 35584 on 2/12/2020.
BEGIN AMENDMENT
Amendment to Claims
Claim 1. (Canceled)
Claim 2. (Canceled)
Claim 3. (Canceled)
Claim 4. (Canceled)
Claim 5. (Canceled)
Claim 10. (Canceled)
Claim 11. (Canceled)
Claim 12. (Canceled)
Claim 13. (Canceled)
Claim 14. (Canceled)
Amendment to Specification
[0016] A "module" may be software and/or hardware stored in, or coupled to, a memory and/or one or more processors on one or more computers. Additionally or alternatively, a module may comprise specialized circuitry. For example, a module, such as credential processing module 112, attack detection model 114, or credential set module 116, in FIG. 1 and discussed further herein, may be hardwired or persistently programmed to support a set of instructions to, and/or that 
[0069] Attack detection computer 110 comprises credential processing module 112, attack detection model 114, and credential set module 116. Attack detection computer 110, or one or more modules or computers that attack detection computer 110 comprises, may be operably coupled to client computer 120, client computer 122, website computer 130, and/or website computer 132. Attack detection computer 110 is illustrated as a single computer, but may comprise one or more computers.
[0070] In FIG. 1, credential processing module 112, attack detection model 114, and credential set module 116 are illustrated as being executed or stored on the same one or more computers. However, at least a portion of credential processing module 112, attack detection model 114, or credential set module 116 may be executed or stored on one or more different computers. 
[0071] Credential processing module 112 may receive credentials from credential set module 116, learn one or more of the credentials by training attack detection model 114, or determine whether one or more credentials attack detection model 114. 
[0072] Attack detection model 114 may be a set model comprising one or more set models or data structures discussed herein or other set model(s) or data structure(s). For example, attack detection model 114 may be the superset model discussed in section 2.3.2, Modifying Objects May Reduce Ambiguity.
[0083] In step 230, process 200 learns the credential that was part of an attack as a spilled credential (e.g. adds the credential at issue to the set of spilled credentials). For example, in response to determining that the first request is an attack, and if detection module 116 is configured to be optimistic, credential set module 116 may send the first candidate credential to credential processing module 112 to learn or train attack detection model 114. However, even though the request is determined to be part of an attack, the first candidate credential might not be a valid credential associated with an account on website computer 130. Training attack detection model 114 with a credential that is not a valid credential can cause credential processing module 112 to produce false positives or false negatives.
[0084] If credential set module 116 is configured to be pessimistic, then credential set module 116 need not send the first candidate credential to credential processing module 112 to train attack detection model 114. Credential set module 116 may forward the first request to website computer 130 with one or more values indicating that the request is part of an attack. In response, website computer 130 may respond with data indicating whether or not the first candidate credential in the first request is a valid credential associated with an account on website computer 130. If not, then credential set module 116 need not send the first candidate credential to credential processing module 112 to learn; otherwise, credential set module 116 determines that the first candidate credential is a spilled credential, and sends the first candidate credential to credential processing module 112 to learn. Credential processing module 112 may train attack detection model 114 to represent a set of spilled credentials that includes the first candidate credential. However, as discussed herein, attack detection model 114 need not include the first candidate credential or any other credential represented in the set of spilled credentials.
[0088] In step 215, process 200 receives a second request with the credential from a client computer for a second website. For example, process 200 may receive the second request at a time after the first request from step 210 is processed. For purposes of illustrating a clear example, assume the following: 
• The first request includes a first candidate credential comprising a first candidate username and a first candidate password;
• Credential processing module 112, as discussed above, trained attack detection model 114 using the first credential;
• The second request includes a second candidate credential comprising a second candidate username and a second candidate password;
• The second candidate username matches the first candidate username;
• The second candidate password matches the first candidate password;
[0090] In step 240, process 200 determines whether the credential is a spilled credential (e.g. a credential that has been learned, that is, a credential in the set of spilled credentials). If so, process 200 proceeds to step 250; otherwise, process 200 proceeds to step 260. Continuing with the current example, credential set module 116 may send the second candidate credential to credential processing module 112. Credential processing module 112 tests the second candidate credential against attack detection model 114. Since credential processing module 112 learned the first candidate credential, credential processing module 112 determines that the second candidate credential is a member of the set of spilled credentials represented by attack detection model 114. Accordingly, credential set module 116 proceeds to step 250.
END AMENDMENT
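
The following is an added illustration, not part of the application or of the examiner's amendment, of the flow described in paragraphs [0083], [0084] and [0090]: learning a credential optimistically or pessimistically in step 230, then testing a later request for membership in step 240. The class and function names, the keyed SHA-256 digest used so the model does not hold the credential itself, and the sample accounts are all assumptions of this example.

```python
import hashlib
import hmac


class SetModel:
    """Set of spilled credentials held as keyed digests, never as plaintext."""

    def __init__(self, key: bytes):
        self._key = key
        self._members = set()

    def _digest(self, username: str, password: str) -> bytes:
        # Length prefix keeps ("ab", "c") and ("a", "bc") distinct.
        msg = f"{len(username)}:{username}{password}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def learn(self, username: str, password: str) -> None:
        self._members.add(self._digest(username, password))

    def contains(self, username: str, password: str) -> bool:
        return self._digest(username, password) in self._members


def learn_from_attack(model, cred, pessimistic, site_accepts) -> bool:
    """Step 230 for a request already judged to be part of an attack."""
    if pessimistic and not site_accepts(cred):
        return False  # invalid guess: keep it out of the spilled set
    model.learn(*cred)
    return True


def next_step(model, cred) -> int:
    """Step 240: membership test, then step 250 (spilled) or step 260."""
    return 250 if model.contains(*cred) else 260


# Constructed sample data: one real account on the first website and two
# credentials seen in attack requests against it.
SITE_ACCOUNTS = {("alice", "correct horse")}
ATTACK_CREDS = [("alice", "correct horse"), ("bob", "guess123")]


def run(pessimistic: bool) -> dict:
    """Train on the attack requests, then test requests to a second website."""
    model = SetModel(key=b"constructed-demo-key")
    for cred in ATTACK_CREDS:
        learn_from_attack(model, cred, pessimistic, SITE_ACCOUNTS.__contains__)
    probes = ATTACK_CREDS + [("carol", "never seen")]
    return {cred[0]: next_step(model, cred) for cred in probes}


if __name__ == "__main__":
    print("optimistic :", run(pessimistic=False))
    print("pessimistic:", run(pessimistic=True))
```

In the optimistic run the invalid guess for "bob" is learned and later routed to step 250, which is the false-positive risk paragraph [0083] notes; the pessimistic run keeps it out of the set.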

Allowable Subject Matter
Claims 6-9 and 15-18 are allowed.
The following is an examiner’s statement for allowance:
The closest prior art Bajenov et al. (US 20160197907 A1) teaches a method for determining that a second set of login credentials matches a second set of compromised login credentials on the list of known compromised login credentials. It is determined that the source associated with a first login attempt is the source associated with a second login attempt. A security challenge is provided to a client device that is associated with the second login attempt before providing the client device with access to an online system, responsive to determining that the source is associated with the first login attempt and second login attempt.
The closest prior art Zaslavsky et al. (US 9092782 B1) teaches a method for evaluating compromised credentials comprising the steps of: collecting data regarding previously compromised credentials that were used to commit an unauthorized activity; applying one or more statistical learning methods to the collected data to identify one or more patterns; and evaluating a risk of credentials that have been compromised by one or more attackers using the identified patterns. According to a further aspect of the invention, a risk score is generated for one or more users and devices. The risk scores are optionally ordered based on an order of risk. The data can be collected, for example, from one or more of anti-fraud servers and information sources.
The closest prior art Srivastava (US 20120297484 A1) teaches a method for detecting a compromised online user account. One or more baselines can be established for a user's online account to determine a normal usage pattern for the account by the user (e.g., frequency of incoming/outgoing emails, text messages, etc.). The online user account can be periodically or continually monitored for use of the same resources used to determine the baseline(s). If a deviation from the baseline is detected, the deviation may be compared against a threshold to determine whether the deviation indicates that the account may be compromised. When an indication of a potentially compromised account is detected, the user can be notified of the indication, so that one or more actions can be taken to mitigate the potentially compromised account.
The closest prior art Wright et al. (US 20180046796 A1) teaches a method for identifying compromised credentials and controlling account access. Compromised credential data comprise compromised credentials for one or more compromised accounts that have been exposed to a malicious actor via an illegitimate method, the compromised credentials including credentials that are useable for authentication to or for accessing the one or more compromised accounts; testing the compromised credentials, wherein testing compromised credentials includes using the compromised credentials to determine a usability of the compromised credentials to attack one or more different accounts from the one or more compromised accounts; and modifying account access associated with one or more of (i) the one or more compromised accounts and (ii) the one or more different accounts.
None of the prior art of record teaches or suggests, alone or in combination, the particular combination of steps in claims 6 and 15 as recited below:
“receive, from a second client computer, a second request that includes a second candidate credential, wherein the second candidate credential matches the first candidate credential;
test for membership of the second candidate credential in the first set of spilled credentials using the first set model;
determine that the second candidate credential is a member of the first set of spilled credentials, and in response:
determine that the second candidate credential is a spilled credential”.
The claims are allowable in view of the above claimed limitations when in combination with remaining claim limitations.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

	/SHU CHUN GAO/	Examiner, Art Unit 2437 

/ALI S ABYANEH/           Primary Examiner, Art Unit 2437