DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed 
Claims 2-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 21-40 and over claims 21-37 of U.S. Patent Nos. 9,754,311 and 10,089,679. Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn towards using a session identifier and multiple fingerprints of a session to indicate the presence of a third device which indicates a hijack/denial.

Claim Objections
Claims 2, 5, 6, 7, 15, 20, and 21 are objected to because of the following informalities:  Claims 1, 20, and 21 should recite “a one-to-many relationship”.  Claims 5, 6, 7, and 15 should recite “the one-to-many relationship”.  Claim 5 should recite “an occurrence”.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by another filed in the United States before the invention by the applicant 

Claims 2, 3, 6, 9-11, 14-16, 20, and 21 are rejected under pre-AIA  35 U.S.C. 102(e) as being anticipated by Tabi (US 2005/0015601).
Regarding claims 2, 20, and 21, Tabi teaches a method (and corresponding system, and storage) comprising:
Determining a session identifier for an online session between a first device and a second device, wherein the first device is a user device (User session authenticator receives a session ID from the user regarding login at web browser (which would intrinsically include user terminal and server)) – see [0027] – [0030].
Receiving a plurality of fingerprints collected during the online session (Session ID (bundled with IP address (fingerprint)) of user collected at login and IP address (fingerprint) looked up again during initiation of another application of web application) – see [0027] and [0030].
Determining, based at least in part on the session identifier and the plurality of fingerprints, that one-to-many relationship exists such that a third device is associated with the online session (IP address (fingerprint) stored with session ID compared with IP address (fingerprint) of user during initiation of another application of web application.  IP address is from a user of another computer (one-to-many)) – see [0030].
Determining that the third device is an unauthorized device (Authentication fails) – see [0030].
Denying activity requested during the online session, wherein the activity requested can originate from any device including the first device, second device, and third device (Authentication fails and the user is rejected) – see [0030].
Generating and transmitting a notification of denial of the activity to the first device (User is rejected) – see [0030].

Regarding claim 3, Tabi teaches that the plurality of fingerprints are collected at multiple points of time during the online session (At login and at initiation of another application of web application) – see [0027] and [0030].

Regarding claim 6, Tabi teaches that the determination that the one-to-many relationship exists is accomplished real-time during the online session – see [0030].

Regarding claims 9-11, Tabi teaches that the fingerprint comprises one or more characteristics attributed to a user device associated with the online session, wherein the one or more characteristics comprise an IP address or a time-based characteristic (IP address of user or time indication) – see [0029].

Regarding claims 14 and 15, Tabi teaches that the one-to-many relationship indicates that the fingerprint associated with the session identifier are not identical, and the determination that the one-to-many relationship exists comprise comparing the plurality of fingerprints to see if all of the fingerprints from the online session are all identical – see Tabi [0030].

Regarding claim 16, Tabi teaches that the plurality of fingerprints comprise a first fingerprint and a second fingerprint, the first fingerprint is collected prior to determining the session identifier, the second fingerprint is collected after determining the session identifier (IP address is bundled with the session ID (i.e., first fingerprint collected prior to session ID), and IP address is then checked when user initiates another application of web application (i.e., second fingerprint collected after session ID)) – see [0027] and [0030].
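
An illustrative sketch of the check mapped above for claims 2, 3 and 14-16, added here as an example and not taken from Tabi or from the application: fingerprints are bound to a session identifier, and a later fingerprint that matches none already recorded marks a one-to-many relationship, after which all activity on the session is denied. The class, method and field names, the clock-offset field and the 50 ms tolerance are assumptions, and the addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Fingerprint:
    ip: str               # IP address observed for the request
    clock_offset_ms: int  # time differential against the server clock (assumed field)

    def same_device(self, other, tolerance_ms=50):
        # IP must match exactly; the time-based characteristic may drift slightly.
        return (self.ip == other.ip and
                abs(self.clock_offset_ms - other.clock_offset_ms) <= tolerance_ms)

@dataclass
class SessionMonitor:
    # session identifier -> distinct device fingerprints seen during that session
    sessions: dict = field(default_factory=dict)

    def login(self, session_id, fp):
        # First fingerprint is bundled with the session identifier at login.
        self.sessions[session_id] = [fp]

    def authorize(self, session_id, fp, activity):
        known = self.sessions.get(session_id)
        if known is None:
            return {"allowed": False, "reason": "unknown session", "notify": None}
        # Record the fingerprint only if it matches no device already seen.
        if not any(fp.same_device(k) for k in known):
            known.append(fp)
        if len(known) > 1:
            # One session identifier, several devices: deny the activity whichever
            # device asked, and address the notification to the login device.
            return {"allowed": False, "activity": activity,
                    "reason": "one-to-many: %d devices on session" % len(known),
                    "notify": known[0].ip}
        return {"allowed": True, "activity": activity, "reason": "ok", "notify": None}

def demo():
    # Constructed sample data (documentation address ranges).
    m = SessionMonitor()
    first = Fingerprint("198.51.100.7", 120)
    m.login("sess-1", first)
    return [
        m.authorize("sess-1", Fingerprint("198.51.100.7", 140), "open app"),  # same device
        m.authorize("sess-1", Fingerprint("203.0.113.9", 120), "transfer"),   # third device
        m.authorize("sess-1", first, "view balance"),                         # session now tainted
    ]
```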

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claim 4 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Tabi (US 2005/0015601) in view of Denton et al. (US 2003/0237000).
The teachings of Tabi are relied upon for the reasons set forth above.
Regarding claim 4, Tabi does not teach that the plurality of fingerprints are collected at selected time intervals.
Denton teaches a monitoring system wherein data is monitored and analyzed at predetermined time intervals (such as every 5 minutes) to detect intrusion – see [0023].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Tabi by collecting fingerprint information (intrusion detection information) at regular intervals, in order to regularly monitor for attack, based upon the beneficial teachings provided by Denton.  These modifications would result in increased security to the system.

Claims 5 and 17-19 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Tabi (US 2005/0015601) in view of Ronning et al. (US 7,165,051).
The teachings of Tabi are relied upon for the reasons set forth above.

Regarding claim 5, Tabi does not teach that upon determination that the one-to-many relationship exists, generate a signal or identify an occurrence of session hijacking.
Ronning teaches a system that detects the same order being submitted with different IP addresses (i.e., one-to-many relationship) which indicates fraud (i.e., hijacking) – see column 12 lines 8-16.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Tabi by indicating hijacking due to a one-to-many relationship, in order to prevent attack, based upon the beneficial teachings provided by Ronning.  These modifications would result in increased security to the system.

Regarding claims 17-19, Tabi does not teach that the plurality of fingerprints are collected by one or more fingerprint collectors and wherein the fingerprint collectors are placed in preselected location on a website, wherein the preselected locations are pages of the web site, or wherein the preselected locations vary based at least in part of the type of the web site.
Ronning teaches a system which processes snapshots which are used to prevent fraud.  The snapshot refers to information identifying contents of a page at a particular time.  The snapshots involve saving page information including an order form at various points in the transaction process and comparing later pages with the stored page information to determine if the user has changed anything in the order form. This processing generally involves recording how a user progressed through the transaction, such as the sequence of pages accessed, and comparing that progression with known profiles indicating fraudulent transactions and known profiles indicating normal (non-fraudulent) transactions. System stores the known profiles for use in the comparison, and the known profiles may be updated as system records additional profiles and associates them with attempted fraudulent or normal transactions. For example, a progression of pages for a normal transaction may include a user accessing welcome page, search page, product information page, and then check out page. A progression of pages for attempted fraudulent transaction may include, for example, a user repeatedly accessing shopping basket page and then check out page several times in a row – see column 11 lines 10-38.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Tabi by collecting snapshots (i.e., fingerprints) using .

Claims 13 and 14 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Tabi (US 2005/0015601) in view of Kinsley et al. (US 2007/0026942).
The teachings of Tabi are relied upon for the reasons set forth above.
Regarding claims 13 and 14, Tabi does not teach that the time based characteristic is a time differential with regard to a reference clock or a clock skew.
Kinsley teaches that clock skew deviations are approximately constant over time for each device, but the clock skew of a particular machine will be different from that of another machine – see [0049].  The examiner notes that this is also true for a time differential with regard to a reference clock.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Tabi by using a time differential or clock skew, in order to identify a particular device, based upon the beneficial teachings provided by Kinsley.  These modifications would result in increased accuracy to the system.
	
	
Allowable Subject Matter
Claims 7 and 8 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims (and if claim objections are corrected).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LISA C LEWIS whose telephone number is (571)270-7724.  The examiner can normally be reached on Monday - Thursday 7am-2pm.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/LISA C LEWIS/Primary Examiner, Art Unit 2495