DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is a response to an application filed 11/13/2018, wherein Claims 1-20 are pending and ready for examination.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims, the Examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, found at http:/www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Information Disclosure Statement
As required by the provisions of 37 CFR 1.97, 1.98 and MPEP § 609, the Applicant’s submission of the Information Disclosure Statement (IDS) dated  11/25/2019 is acknowledged by the Examiner and the cited references have been considered in the examination of the claims now pending.  As required by the provisions of 37 CFR 1.97, 1.98 and MPEP § 609, an initialed and dated copy of each PTOL-1449 corresponding to each considered IDS is attached to the instant office action.

Priority
The instant application, filed 11/13/2018, does not claim priority.

Specification
Applicant’s cooperation is requested in correcting any errors of which Applicant may become aware in the specification.

Drawings
The submitted drawings, filed 11/13/2018, are acceptable for the examination purpose.

Claim Objections
Claim 12 is objected due to the following informalities:
Claim 12 recites a method comprising (1) “receiving a login request comprising compromised login credentials from a computing device” and (2) determining that the login request is for a fictitious account previously created for the compromised login credentials that indicated fraud”. There is insufficient antecedent basis for “the compromised login credentials that indicated fraud”. In addition, Claim 12 is indefinite and confusing because it is unclear whether “the compromised login credentials that indicated fraud” refers to the “request comprising compromised login credentials
Claim 13 is objected due to the following informalities:
Claim 13 recites “wherein the fictitious account is created in real-time during a previous login request having the compromised login credentials that indicated fraud.” It is not clear whether the Applicant refers to ““wherein the fictitious account [[is]] was created in real-time during a previous login request having the compromised login credentials that indicated fraud.” or ““wherein the fictitious account is created in real-time during a [[previous]] login request having the compromised login credentials that indicate[[d]] fraud.” Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Examiner’s note: text in bold correspond to the cited prior art reference, ad verbatim
Claims 1-6 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. Patent No. US 10,298,598 ('598 McClintock).
Referring to independent Claim 1
Regarding Claim 1, McClintock teaches a sys comprising:
a non-transitory memory storing instructions (McClintock discloses a non-transitory computer-readable medium for use by or in connection with an instruction execution system... including instructions and declarations that can be fetched from the computer-readable medium... [col. 12, 30-36].); and 
one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory (McClintock discloses software or code can be embodied in any non-transitory computer-readable medium for use by or in connection with an instruction execution system such as, for example, a processor 503 in a computer system or other system. In this sense, the logic may comprise, for example, statements including instructions and declarations that can be fetched from the computer-readable medium and executed by the instruction execution system. [col. 12, 30-37].) to cause the system to perform operations comprising: 
detecting an account login attempt from a computing device (McClintock discloses a user interface 103 is rendered by a client device of a malicious user, where a sign-in form has been requested. [col. 2, 20-22]. An authentication request for an account to log into an application is received from a client. [Abstract].); 
determining that the account login attempt indicates fraud (McClintock discloses [i]t is determined that the authentication request specifies an incorrect security credential for the account... [Abstract]... the server has detected fraudulent intent by the user... [col. 2, 44].); 
determining, in response to the determining that the account login attempt indicates fraud, a fictitious account [[that provides limited account functionality]] (In light of the disclosure, the term "fictitious account" is construed as a real account the honeypot environment will provide access to a fake account in response to an incorrect security credential such that the attackers believe that they have access to a real account. [col. 2, 5-8]. The user interface 112 constitutes part of the honeypot environment and includes various elements to replicate what appears to be a successful login {i.e. into a fictitious account}. For example, fake user data, such as a fake name, fake address information, and/or other information may be generated and included in the user interface 112. In some cases, portions of this fake data may be generated based at least in part on real data associated with the account {i.e. determining a fictitious account} for which a malicious user is attempting to gain access. [col. 2, 54-62].); 
permitting the computing device to log in to the fictitious account (McClintock discloses the user interface 112 greets the malicious user as “Welcome, John Doe!,” where “John Doe” may be the name associated with the user account identified by the email address “johndoe123@email.”... the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... [col. 2, 65 - col. 3, 3].); and 
monitoring account usage data of the fictitious account (McClintock discloses [a]s the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... his or her behavior can be tracked and analyzed. [col. 3, 1-5].).
McClintock does not explicitly teach the following feature that '598 McClintock teaches:
a fictitious account that provides limited account functionality ('598 McClintock discloses a limited and/or restricted account on the host computer system. The host computer system may then allow the attacker to access the fake user account and may, for example, record the actions of the attacker while the attacker is connected to the fake account. [col. 8, 60-64].).
for improving computer system security. [‘598 McClintock; Abstract].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the countering technique of ‘598 McClintock in the honeypot environment of McClintock in order to provide false responses to the communications attempts by an identified attacker [and thus] the attacker may be led to believe that the attack is succeeding against a vulnerable system.
Referring to Claim 2
Regarding Claim 2, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
the determining that account login attempt indicates fraud is based on at least one of identifying that the computing device is utilizing an account checker tool for the account login attempt, determining a number of failed login attempts from the computing device (McClintock discloses considering a failed login attempt as having fraudulent intent {i.e. indicates fraud} when more than a predetermined number of permissible failed login attempts (e.g., five failed attempts) are exceeded. [col. 5, 24-45].), determining a failure rate of account login attempts on an online platform associated with the account login attempt, or detecting a number of reversed transactions on the online platform with the system.
Referring to Claim 3
Regarding Claim 3, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
the fictitious account provides access to an account dashboard interface with the system, and wherein the fictitious account provides false personal information and financial information in the account dashboard interface (In light of the disclosure, the term "account dashboard" is construed as an account interface that displays account information. Specification p. 7, ¶ 20. user interface 112 {i.e. account dashboard} constitutes part of the honeypot environment and includes various elements to replicate what appears to be a successful login. For example, fake user data, such as a fake name, fake address information {i.e. fake personal information}, and/or other information {i.e. fake financial information; note user interface 112 in FIG. 1 includes payment information and order history} may be generated and included in the user interface 112. [col. 2, 54-59]. Such fake honeypot data 243 may include fake names, fake payment instruments, fake order history {i.e. fake financial information}, and so on. [col. 6, 60-62].).
Referring to Claim 4
Regarding Claim 4, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
determining a real account corresponding to the account login attempt (McClintock discloses honeypot application 221 determines an account {i.e. determining a real account} corresponding to the honeypot. [col. 10, 13-14].); and 
generating the fictitious account based on the real account (McClintock discloses the honeypot application 221 may generate fake honeypot data 243 (FIG. 2) based at least in part on the {i.e. real} account data 224 (FIG. 2) corresponding to the account. [col. 10, 14-17]. {Real} account data 224 includes various data regarding user accounts {i.e. a real account} or machine accounts within the computing environment 203. [col. 4, 47-54]. [T]he fake honeypot data 243 may be generated based at least in part on real account data 224. [col. 6, 62-64].).
Referring to Claim 5
Regarding Claim 5, the combination of McClintock and ‘598 McClintock teaches the system of Claim 4.
The previous combination further teaches:
the fictitious account is generated based on the real account at one of a previous time prior to the account login attempt or after the determining that the account login attempt indicates fraud fake honeypot data 243 may include fake or bogus data generated as part of the operation of the honeypot application 221 {i.e. suggests generated at a previous time prior to the account login attempt}... In some scenarios, the fake honeypot data 243 may be generated based at least in part on real account data 224… [and] may be stored for return accesses to honeypot environments {i.e. that is, during the return access, the fictitious account had already been generated at a previous time prior to the account login attempt}. [col. 6, 56-65].).
Referring to Claim 6
Regarding Claim 6, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
the account login attempt is selected from a plurality of account login attempts indicating fraud (The term “selected” is interpreted as “identified” or “determined”. See OneLook.com. In light of the disclosure, this feature limitation is read as to determine the attempted login indicates fraud when a computing device performs mass account login attempts. Specification p. 6, ¶ 19. McClintock discloses selection criteria 230 may include considering a {i.e. selected, identified or determined} failed login attempt as having fraudulent intent when more than a predetermined number of permissible failed login attempts {i.e. plurality of login attempts indicating fraud} (e.g., five failed attempts) are exceeded. [col. 5, 24-45].), and wherein monitoring the account usage data comprises at least one of: 
determining at least one of an IP address or a MAC address associated with the computing device during use of the fictitious account ('598 McClintock discloses [o]nce an attack is detected, a host computer system may then attempt to identify the attacker... by, for example, the IP address of the remote machine that originates the communications requests to the host computer system... the attacker may be identified by a set of IP addresses or by one or more IP addresses of routers, bridges, switches {i.e. IP address associated with the computing device} and/or other such network devices. In some embodiments, the attacker may also be identified by one or more media access control (MAC) addresses of the attacking machines... [col. 5, 31-44].); or 

Referring to Claim 10
Regarding Claim 10, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
the fictitious account is generated using a login name or a login email address utilized for the account login attempt, and wherein the login name or the login email address is displayed in an account dashboard for the fictitious account (McClintock discloses a honeypot environment {i.e. a fictitious account} is configured to mimic a successful login to the application via the account. [Abstract]. The user interface 112 {i.e. account dashboard for the fictitious account} constitutes part of the honeypot environment and includes various elements to replicate what appears to be a successful login {i.e. to the fictitious account}. For example, fake user data, such as a fake name, fake address information, and/or other information may be generated and included in the user interface 112... portions of this fake data may be generated based at least in part on real data associated with the account for which a malicious user is attempting to gain access. In some cases, it may be configured to use the real name, or real first name, of the user account identified by the malicious user via the entered email address. Here, the user interface 112 greets the malicious user as “Welcome, John Doe!,” where “John Doe” may be the name associated with the user account identified by the email address “johndoe123@email.” [FIG. 1; col. 2, 54 - col. 3, 1]. If a user provides a credential “password1” for username “johndoe123” {i.e. login name utilized for the account login attempt} and then is routed to a honeypot environment, “password1” is recorded in association with “johndoe123” so that when the user returns and supplies the credential “password1,” the same honeypot environment may be provided {i.e. fictitious account generated using login name utilized for the account login attempt}. [col. 6, 29-34].).
Referring to Claim 11
Regarding Claim 11, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
The previous combination further teaches:
the limited account functionality comprises at least one of electronic transaction processing services, funding source usage processes, account transaction history lookup, or account information lookup ('598 McClintock discloses a limited and/or restricted account... [col. 8, 59-61]. McClintock discloses functionality relating to placing customer orders {i.e. transaction processing services}… [col. 5, 20-21]… if a user navigates to an order history {i.e. transaction history lookup} in the honeypot environment, the honeypot log data 239 may record that action… [col. 6, 44-46].).
Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. Patent No. US 10,298,598 ('598 McClintock) and further in view of U.S. PGPub No. 2013/0263226 (Sudia).
Referring to Claim 7
Regarding Claim 7, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
McClintock further teaches:
a dashboard associated with the fictitious account (In light of the disclosure, the feature "dashboard associated with the fictitious account " is construed as an account interface that displays account information. Specification p. 7, ¶ 20. McClintock discloses user interface 112 {i.e. dashboard} constitutes part of the honeypot environment and includes… fake user data, such as a fake name, fake address information {i.e. fake personal information}, and/or other information {i.e. fictitious account; note user interface 112 in FIG. 1 includes payment information and order history}. [col. 2, 54-59]. Such fake honeypot data 243 may include fake names, fake payment instruments, fake order history {i.e. fictitious account}... [col. 6, 60-62].).
The previous combination does not explicitly teach the following feature limitation that Sudia teaches:
placing customer orders {i.e. transaction processing request}… [col. 5, 20-21]. Sudia discloses a criminal goes through the motions of initiating and confirming the transfer, with minimal security… nothing happens in reality, since the feature is not hooked up to the real wire transfer system {i.e. but rather, the fictitious account}.  [¶ 108].); and 
providing a falsified processing report for the electronic transaction processing request [[within a dashboard associated with the fictitious account]] (Sudia discloses receiving normal confirmation messages... [¶ 108].).
McClintock, ‘598 McClintock and Sudia are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for detecting, tracing, tracking down, arresting, and prosecuting perpetrators of online fraud and other illegal online activity. [Sudia; ¶ 2].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the false banking, credit card, and ecommerce system of Sudia in the honeypot environment of McClintock in order to provide trace information for use by law enforcement to apprehend and prosecute cyber offenders.
Claims 8 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. Patent No. US 10,298,598 ('598 McClintock) and further in view of U.S. PGPub No. 2018/0060842 (Waltermann).
Referring to Claim 8
Regarding Claim 8, the combination of McClintock and ‘598 McClintock teaches the system of Claim 1.
McClintock further teaches:
monitoring the account usage data (McClintock discloses [a]s the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... his or her behavior can be tracked and analyzed. [col. 3, 1-5].).
explicitly teach the following feature limitation that Waltermann teaches:
determining a subsequent account login attempt is a valid login attempt [[based on the monitoring the account usage data]] (Waltermann discloses to receive input from the account owner (via the owner's device) that pertains to the owner's account {i.e. account login attempt}... [¶ 35]… responsive to a correct password being received subsequent {i.e. determining a subsequent account login attempt is a valid login attempt} to a threshold number of failed login attempts, account access may be granted... [¶ 37].); and
logging the computing device into a real account associated with the subsequent account login attempt (Waltermann discloses responsive to a correct password being received subsequent to a threshold number of failed login attempts, account access may be granted... [¶ 37].).
McClintock, ‘598 McClintock and Waltermann are from a similar field of technology. Prior to the instant application’s effective filing date, there were no adequate solutions to prevent electronically transfer money to another account dictated by the assailant. [Waltermann; ¶ 2].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the technique for initiating electronic financial transactions disclosed by Waltermann in the honeypot environment of McClintock in order to prevent the [fraudulent] transfer from being completed.
Claims 9 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. Patent No. US 10,298,598 ('598 McClintock) and further in view of U.S. PGPub No. 2018/0060842 (Waltermann) and of U.S. PGPub No. 2019/0260777 (Mehrotra).
Referring to Claim 9
Regarding Claim 9, the combination of McClintock, ‘598 McClintock and Waltermann teaches the system of Claim 8.
The previous combination further teaches:
considering a failed login attempt as having fraudulent intent {i.e. determining that the account login attempt indicates fraud} when more than a predetermined number of permissible failed login attempts (e.g., five failed attempts) are exceeded {i.e. comprises receiving a plurality of failed logins for the real account}. [col. 5, 24-45]. Waltermann discloses to receive input from the account owner (via the owner's device) that pertains to the owner's account {i.e. for the real account}... [¶ 35]… [and] a correct password {i.e. a valid login} being received subsequent to a threshold number of failed login attempts {i.e. the plurality of failed logins for the real account were received prior to receiving the valid login}... [¶ 37].); and
a dashboard interface provided by the fictitious account (McClintock discloses a honeypot environment will provide access to a fake account {i.e. fictitious account} in response to an incorrect security credential… [col. 2, 5-7]… [and] routing failed login attempts to a honeypot environment... [col. 5, 30]... when more than a predetermined number of permissible failed login attempts (e.g., five failed attempts) are exceeded. [col. 5, 43-45]. The user interface 112 {i.e. dashboard interface} constitutes part of the honeypot environment {i.e. fictitious account} and includes various elements to replicate what appears to be a successful login. For example, fake user data, such as a fake name, fake address information {i.e. data for the fictitious account}, and/or other information may be generated and included in the user interface 112. [col. 2, 54-59].).
The combination of McClintock, ‘598 McClintock and Waltermann does not explicitly teach the following feature limitation that Mehrotra teaches:
requesting that the computing device re-login to the real account in a dashboard interface [[provided by the fictitious account]] (Mehrotra discloses multiple actions are triggered to increase the security around the compromised credential (e.g., username). These actions include... prompting any end user using the compromised credential (e.g. username) to re-login... [¶ 31]. As such, user interface 230 {i.e. a dashboard interface} can facilitate a user software interaction... [¶ 39].).
McClintock, ‘598 McClintock, Waltermann and Mehrotra are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to prevent another user's use of [a] credential to remain logged into the user account via a third computing device. [Mehrotra; ¶ 6].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the techniques for detecting and thwarting attacks disclosed by Mehrotra in the honeypot environment of McClintock in order to increase the vigilance on other high risk user credentials.
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia).
Referring to independent Claim 12
Regarding Claim 12, McClintock teaches a method comprising:
receiving a login request comprising compromised login credentials from a computing device (McClintock discloses a user interface 103 is rendered by a client device of a malicious user, where a sign-in form has been requested. [col. 2, 20-22]. Upon selecting the "Sign in" button, the entered email address and password are transmitted to a server.... [col. 2, 29-30]…. the user has provided one or more password dictionary credentials or credentials that correspond to known compromised credentials {i.e. compromised login credentials}... [col. 2, 50-53].);
determining that the login request is for a fictitious account previously created [[for the compromised login credentials that indicated fraud]] (The term “account” is interpreted as a username and a password that allows access (see netlingo.com), or as an established relationship between a user and information service that is assigned a username and  password for online services (see encyclopedia2.thefreedictionary.com). In light of the disclosure, this feature limitation is construed as a fictitious account that may be selected and used during a fraudulent login attempt. Specification p. 7, ¶ 21. McClintock discloses credentials that were supplied by users {i.e. login request} before they were provided access to a honeypot environment. If a user provides a credential "password1" for username "johndoe123" and then is routed to a honeypot environment, "password1" is recorded in association with "johndoe123"  {i.e. a fictitious account is created} so that when the user returns and supplies the credential "password1" the same honeypot environment {i.e. the fictitious account that was created during the previous login request} may be provided {i.e. provides a fictitious account previously created}. [col. 6, 28-34].);
providing access to the fictitious account by the computing device (McClintock discloses if the supplied credentials are not valid, the authentication service 215 may instead provide the client device 206 {i.e. the computing device} with access to resources of the honeypot application 221 {i.e. fictitious account}… [col. 3, 58-61]. [A]ccess to a honeypot environment is to be provided if the failed login attempt specifies a credential from compromised credential data... [col. 5, 58-60].);
monitoring activity of the fictitious account conducted through the computing device (McClintock discloses [a]s the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... his or her behavior can be tracked and analyzed. [col. 3, 1-5].); and
storing the activity with the fictitious account for the compromised login credentials (McClintock discloses honeypot log data 239 may record {i.e. thus storing} any or all actions {i.e. activity} performed in the honeypot environment by users. [col. 6, 42-43].).
McClintock does not explicitly teach the following feature limitation that Sudia teaches:
a fictitious account previously created for the compromised login credentials that indicated fraud (Sudia discloses seemingly valid websites (or false user accounts on genuine websites) {i.e. fictitious accounts} at which cyber criminals may use the seemingly valid credentials they believe they have stolen {i.e. compromised login credentials}... [¶ 94]... [and] to create a possibly vast number of such sites {i.e. fictitious accounts}, where our seemingly valid credentials may be used {i.e. in this scenario, the fictitious accounts were previously created specifically for the compromised login credentials}. [¶ 95].).
for detecting, tracing, tracking down, arresting, and prosecuting perpetrators of online fraud and other illegal online activity. [Sudia; ¶ 2].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the false banking, credit card, and ecommerce system of Sudia in the honeypot environment of McClintock in order to apprehend and prosecute cyber offenders.
Claims 13 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia) and further in view of U.S. Patent No. 10,230,564 (Hu).
Referring to Claim 13
Regarding Claim 13, McClintock in view of Sudia teaches the method of Claim 12.
McClintock in view of Sudia further teaches:
the fictitious account is created [[in real-time]] during a previous login request having the compromised login credentials that indicated fraud (The term "previous" is interpreted as "preceding", "earlier", or "last". See OneLook.com. Similarly, the term “account” is interpreted as a username and a password that allows access (see netlingo.com), or as an established relationship between a user and information service that is assigned a username and  password for online services (see encyclopedia2.thefreedictionary.com). McClintock discloses an attacker, in particular, may employ lists of compromised credentials {i.e. login request having the compromised login credentials that indicated fraud; for credentials that correspond to known compromised credentials, fraudulent intent may be inferred [col. 2, 52-53]}... [col. 7, 32-34]... authentication service 215 may route the network traffic from the client device 206 to the honeypot application 221 {i.e. fictitious account}... [col. 7, 54-61]. If a user provides a credential “password1” for username “johndoe123” {i.e. during a previous login request} and then is routed to a honeypot environment, “password1” is recorded in association with “johndoe123” {i.e. fictitious account is created} so that when the user returns and supplies the credential “password1,” the same honeypot environment {i.e. the fictitious account that was created during the previous login request} may be provided. [col. 6, 29-34]. Sudia discloses seemingly valid websites (or false user accounts on genuine websites) {i.e. fictitious accounts} at which cyber criminals may use the seemingly valid credentials they believe they have stolen {i.e. compromised login credentials}... [¶ 94]... [and] to create a possibly vast number of such sites {i.e. fictitious account is created}, where our seemingly valid credentials may be used {i.e. in this scenario, the fictitious account is created for, or created having, the compromised login credentials that indicated fraud}. [¶ 95].).
McClintock in view of Sudia does not explicitly teach the following feature limitation that Hu teaches:
the account is created in real-time during a previous login request (Hu discloses an account that has been previously created… [col. 1, 31-32]… creating a user account during the login {i.e. account created in real-time during a previous login request}... [col. 1, 47-49]…  automatically based on the user identification specified by the sign-on request 206... [col. 5, 65 - col. 6, 3]… locating… a user account instance corresponding to the account service specified by the sign-on request 206 {i.e. locating the account created in real-time during the previous login request}… [and] selecting or using the existing and known account, along with user security credentials that have been previously associated with the account {i.e. selecting or using the account created in real-time during the previous login request}… [col. 6, 7-16].).
McClintock, Sudia and Hu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to facilitate usage of multiple local and online accounts by user devices and applications. [Hu; col. 1, 64-65].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the automatic account management and device registration disclosed by Hu in the honeypot environment of McClintock in order to automatically interact[] with the account to register the device or account.
Claims 14 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia) and further in view of U.S. Patent No. 10,230,564 (Hu) and U.S. Patent No. 10,931,691 (Kapelevich).
Referring to Claim 14
Regarding Claim 14, McClintock in view of Sudia  and further in view of Hu teaches the method of Claim 13.
McClintock in view of Sudia and Hu does not explicitly teach the following feature limitation that Kapelevich teaches:
the previous login request was one of a plurality of previous login requests identified as being performed using a mass account checker tool (In light of the disclosure, the term "account checker tool" is a tool that provides mass account logins to test each of the pairs of a user name and a password, known as credential stuffing. Specification p. 24, ¶ 63. Kapelevich discloses detecting and mitigating brute force credential stuffing attacks {i.e. mass account checker tool} includes executable code that, when executed by one or more processors, causes the processors to obtain a dictionary comprising a plurality of credentials... [col. 2, 15-19]. With this technology, a potential credential stuffing attack can be detected {i.e. identified}... [col. 2, 49-50].).
McClintock, Sudia, Hu and Kapelevich are from a similar field of technology. Prior to the instant application’s effective filing date, current brute force attack prevention methods [were] insufficient to protect web applications from credential stuffing attacks. [Kapelevich; col. 1, 41-43].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the network security disclosed by Kapelevich in the honeypot environment of McClintock for improved detection and mitigation of brute force credential stuffing attacks.
Claims 15 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia) and further in view of U.S. PGPub No. 2020/0053121 (Wilcox).
Referring to Claim 15
Regarding Claim 15, McClintock in view of Sudia teaches the method of Claim 12.
McClintock in view of Sudia further teaches:
fake honeypot data 243 {i.e. falsified data} may include fake names, fake payment instruments {i.e. fictitious account}... generated based at least in part on real account data 224 {i.e. falsifies data from a real account}. [col. 6, 60-64]. For example, the fake honeypot data 243 may include user payment instrument information... In box 410, the honeypot application {i.e. fictitious account} 221 generates a user interface {i.e. an interface accessible using the fictitious account} including at least a portion of the fake honeypot data 243. [col. 10, 17-22].).
McClintock in view of Sudia does not explicitly teach the following feature limitation that Wilcox teaches:
displaying a fake balance sheet [[within an interface accessible using the fictitious account]], wherein the fake balance sheet falsifies data [[from a real account]] (In light of the disclosure, the term "fake balance sheet" is construed as false financial data. Specification p. 7, ¶ 20. Wilcox discloses generating and deploying dynamic false user accounts... [Abstract]... fake sensitive information may include, but is not limited to, dummy banking information (i.e., information that appears to be but is not actually associated with a valid bank account)... [¶ 60].).
McClintock, Sudia and Wilcox are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for information that [was] useful in identifying and preventing future attacks. [Wilcox; ¶ 1].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the techniques for deploying dynamic false user accounts of Wilcox in the honeypot environment of McClintock in order to attract malicious computing activities.
Claims 16 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia) and further in view of U.S. Patent No. 10,445,514 B1 (Brandwine).
Referring to Claim 16
Regarding Claim 16, McClintock in view of Sudia teaches the method of Claim 12.

the fictitious account (McClintock discloses the malicious user interacts with the honeypot environment {i.e. fictitious account} via the user interface 112 and successive user interfaces {i.e. note the option to Change Customer Information and Change Payment Information - both options are for performing an account action}... [col. 2, 65 - col. 3, 3].).
McClintock in view of Sudia does not explicitly teach the following feature limitation that Brandwine teaches:
blocking the [[fictitious]] account from performing an account action with a backend service provider process (In light of the disclosure, "blocking" is interpreted as so that the malicious user may be led to believe that he has access to account usage and activities but may be prevented at the backend from maliciously using such account processes. Specification p. 7, ¶ 20. The term "backend" is interpreted as "background" or "server side". OneLook.com. Brandwine discloses if an account is compromised, the computing resource service provider may prevent {i.e. blocking} a customer from invoking certain actions within an account {i.e. performing an account action}... If a compromised account 402 exists, the computing resource service provider {i.e. backend service provider} may generate a set of prohibited actions 404 that a customer would not be permitted to execute... An example of a prohibited action 404 is one that would enable an entity to effect changes to any account credentials {i.e. performing an account action}. Another... is one that would allow an entity apart from the computing resource service provider to modify any administrative rights within the compromised account 404 {i.e. performing an account action}. Administrative rights may include the ability to delete any data contained within an account, modify account permissions for other delegated users of the account and reorganize the data structure within the account. [col. 8, 32-57].).
McClintock, Sudia and Brandwine are from a similar field of technology. Prior to the instant application’s effective filing date, online user accounts are prone to security breaches. [Brandwine; col. 1, 17].
 corruption, loss or unauthorized release. [Brandwine; col. 1, 21-22].
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. U.S. 10,574,697 (McClintock) in view of U.S. PGPub No. 2013/0263226 (Sudia) and further in view of U.S. PGPub No. 2006/0161982 (Chari).
Referring to Claim 17
Regarding Claim 17, McClintock in view of Sudia teaches the method of Claim 12.
McClintock in view of Sudia further teaches:
[[the fictitious account is one of]] a plurality of fictitious accounts created prior to a previous login request having the compromised login credentials that indicated fraud (McClintock discloses access to a honeypot environment is to be provided if the failed login attempt specifies a credential from compromised credential data {i.e. compromised login credentials that indicate fraud}... [col. 5, 58-60]. Sudia discloses seemingly valid websites (or false user accounts on genuine websites) {i.e. fictitious accounts} at which cyber criminals may use the seemingly valid credentials they believe they have stolen {i.e. perform a login request having the compromised login credentials}... [¶ 94]... [and] to create a possibly vast number of such sites {i.e. a plurality of fictitious accounts}, where our seemingly valid credentials may be used {i.e. hence, fictitious accounts created prior to a previous login request having the compromised login credentials}. [¶ 95].).
The combination of McClintock and Sudia does not explicitly teach the following feature limitation that Chari teaches:
the fictitious account is one of a plurality of fictitious accounts (Chari discloses predefined honeypot plans are checked to determine if more than one exist… one of the available pre-defined honeypot plans is selected {i.e. fictitious account is one of a plurality of fictitious accounts}… based on certain parameters that may include… identity of the user… [¶ 40].).
[c]omputer security [became] a major concern. [Chari; ¶ 2].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the method of protecting computers against intrusions disclosed by Chari in the honeypot environment of McClintock in order to detect and isolate malicious attacks on computer systems.
Claims 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,574,697 (McClintock) in view of U.S. PGPub No. US 2016/0256775 (Gustafson).
Referring to independent Claim 18
Regarding Claim 18, McClintock teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions {McClintock discloses software or code can be embodied in any non-transitory computer-readable medium for use by or in connection with an instruction execution system such as, for example, a processor 503 in a computer system or other system. In this sense, the logic may comprise, for example, statements including instructions and declarations that can be fetched from the computer-readable medium and executed by the instruction execution system… [col. 12, 30-37]. } executable to cause a machine to perform operations comprising:
generating a fake account for monitoring account usage when a login attempt indicates fraud (The term “generating” is construed as “providing” or “delivering”. See OneLook.com. McClintock discloses providing a honeypot environment {i.e. fake account} in response to incorrect credentials being provided for accounts {i.e. when a login attempt indicates fraud}. [col. 1, 52-54]. The user interface 112 constitutes part of the honeypot environment... fake user data, such as a fake name, fake address information, and/or other information may be generated {i.e. generating a fake account} and included in the user interface 112... based at least in part on real data associated with the account for which a malicious user is attempting to gain access... [col. 2, 54-62]. As the malicious user interacts with the honeypot environment... his or her behavior can be tracked and analyzed {i.e. fake account for monitoring account usage}. [col. 3, 1-5].); 
[i]t is determined that the authentication request specifies an incorrect security credential for the account... [Abstract]... the server has detected fraudulent intent by the user... [col. 2, 44].); 
permitting the computing device to log in to the fake account (McClintock discloses the user interface 112 greets the malicious user as “Welcome, John Doe!,” where “John Doe” may be the name associated with the user account identified by the email address “johndoe123@email.”... the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... [col. 2, 65 - col. 3, 3].); and 
monitoring the account usage of the fake account (McClintock discloses [a]s the malicious user interacts with the honeypot environment via the user interface 112 and successive user interfaces... his or her behavior can be tracked and analyzed. [col. 3, 1-5].).
McClintock does not explicitly teach the following feature limitation that Gustafson teaches:
identifying the [[fake]] account for the login attempt (Gustafson discloses to identify a user account that is associated with the login request... [¶ 53].); 
McClintock and Gustafson are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to ensure that the assigned data center provide[d] the required processing resources and the connection speed. [Gustafson; ¶ 5].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the techniques for assigning a data center to service a request as taught by Gustafson in the honeypot environment of McClintock, thus providing fast access.
Referring to Claim 19
Regarding Claim 19, McClintock in view of Gustafson teaches the medium of Claim 18.
McClintock in view of Gustafson further teaches:
the login attempt indicates fraud when an account login failure rate from an online sales platform exceeds a failure rate threshold (In light of the disclosure, this feature is interpreted as a spike in account login attempts, where the failure rate exceeds some threshold may be detected from a merchant or other service provider's online platform such that the account login attempts considering a failed login attempt as having fraudulent intent when more than a predetermined number of permissible failed login attempts (e.g., five failed attempts {i.e. failure rate threshold}) are exceeded. [col. 5, 42-45]. [T]he production application 218 may comprise... an electronic commerce system {i.e. online sales platform}, a banking or brokerage system, and/or any other type of system that relies upon authentication of users for access to secured resources. [col. 3, 67 - col. 4, 4].).
Claims 20 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,574,697 (McClintock) in view of in view of U.S. PGPub No. US 20160/256775 (Gustafson) and further in view of U.S. Patent No. 10,068,235 (Boates).
Referring to Claim 20
Regarding Claim 20, McClintock in view of Gustafson teaches the medium of Claim 18.
McClintock further teaches:
the fake account (McClintock discloses the malicious user interacts with the honeypot environment {i.e. fake account} via the user interface 112 and successive user interfaces... [col. 2, 65 - col. 3, 3].).
McClintock does not explicitly teach the following feature limitation that Boates teaches:
monitoring the account usage comprises determining an online merchant that the [[fake]] account attempts to interact with (Boates discloses measures to detect and prevent fraudulent transaction charges {i.e. account usage}. Fraudulent charges may be due to deliberate... customer actions {i.e. the account attempts to interact with an online merchant}. In some cases, in response to detecting or suspecting fraud, the transaction service 108 may disable or otherwise restrict the service account 120 of the merchant 102.... referred to as “freezing” the merchant account {i.e. this necessarily requires determining an online merchant that the account attempts to interact with}. [col. 5, 31-42]. The current transaction data 206 may include the addresses and/or current locations of the merchant and the customer {i.e. monitoring the account usage comprises determining an online merchant that the account attempts to interact with}... [col. 6, 50-52].), and wherein the operations further comprise: 
[i]f the merchant account is not to be automatically frozen, an action 220 is performed of submitting the transaction to a human analyst for manual review {i.e. flagging the online merchant for internal review}. [col. 7, 55-58].).
McClintock, Gustafson and Boates are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to detect fraudulent transactions. [Boates; col. 1, 17-18].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the techniques for detecting and reviewing suspected purchase transactions of Boates in the honeypot environment of McClintock in order to disable accounts associated with parties that are attempting to conduct fraudulent transactions. [Boates; col. 1, 18-21].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
US 10686834 (Hitchcock; Daniel Wade et al.) - generating a network page that permits access to a honeypot environment that mimics having increased access or privilege, logging the event in association with an identification of the client computing device, presenting additional security challenges to the client computing devices before granting further privileges or access, prompting a fraud analysis on transactions of the client computing device, sending an alert to security administrators by email, text message, phone call, and so forth. The particular action that is chosen may selected from a rule set that is manually specified or generated by machine learning.
US 20200126094 (ElHarazi; Sherif Mustafa) - upon user creation of the credentials {i.e. in real-time}, the fraud detection software application may receive the user credentials... verify the user does not have an account and may create an account for the user.
US 20190166141 (Xu; Ye et al.) - in situations where the sign-on request indicates a specific service account, the service account may be created automatically based on the user 
US 20020143686 A1 (Greene, David  et al.) - to open accounts in "real time", i.e. the account is opened while the user waits.
US 20180225653 A1 (Vokes; Jonathan Stewart et al.) - where the credentials were not validated, the user is informed that their logon attempt was unsuccessful and whether the user has exceeded an allowed maximum number of consecutive failed logon attempts. In the event that the user has not exceeded this maximum then the process listens for the user to make another logon attempt. The number of failed logon attempts is preferably reset to zero once a successful logon attempt is made by the user.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD W CRUZ-FRANQUI whose telephone number is (313)446-6571.  The examiner can normally be reached on M-F 5:30-2:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571)272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/RICHARD W CRUZ-FRANQUI/Examiner, Art Unit 2498                                                                                                                                                                                                        
/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498