DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
This action is in response to the communications and remarks filed on 04/02/2021. Claims 1- 20 are presently pending for examination. 
Response to Arguments
Acknowledgement of Applicant's response to obviousness-type double patenting and is further noted as set forth in the Non-Final Office Action mailed 01/07/2021. However, the terminal disclaimer has been held in abeyance per Applicant’s request. Examiner maintains the Double Patenting rejection.
	
Applicants’ arguments in the instant Amendment, see pages 10-12, filed 04/02/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Claims 1, 6-8, 13-15, and 20 are rejected under 35 U.S.C. § 103 as unpatentable over US 2014/0283067 (hereinafter “Call”) in view of US 2012/0166533 (hereinafter “Rubinstein”). Claims 2, 9, and 16 are rejected under 35 U.S.C. § 103 as unpatentable over Call, in view of Rubinstein and US 8,622,828 (hereinafter “Harrington”). Claims 3-4, 10-11, and 17-18 are rejected under 35 U.S.C. § 103 as unpatentable over Call, in view of Rubinstein and US 2007/0204033 (hereinafter “Bookbinder”). Claims 5, 12, and 19 are rejected under 35 U.S.C. § 103 as unpatentable over Call, in view of Rubinstein and US 2010/0205671 (hereinafter “Milliken”). The Applicant respectfully traverses each rejection.
		1. “scanning, by a content management system, one or more content items associated with a first user account In the Action, the Office alleges that Call teaches the above referenced functionality. Specifically, the Office cites to paragraphs [0073] and [0077] of the Call reference. The Applicant respectfully disagrees.
		Call is generally directed to a system for detecting anomalous actions through “alien” code installed on client computers. See Call, para. [0005], Anomalous actions may be detected or identified based on actions taken by the alien code that do not match appropriate actions for a web page that content provider has served to the particular computer. See Call, para. [0006], The example provided by Call is when code for a webpage may be rewritten when the page is served, so as to change the manner in which the page is served each time someone accesses the page. See id. To detect such anomalous actions, code may be provided that periodically analyzes the document object models on various machines that have loaded code for a particular web site or page. See Call, para. [0008], The server device of Call may receive information that comes from the injected code and analyze a representation of the aggregated information to identify common anomalous activity by different devices. See Call, para. [0011], To perform the analysis, the system in call assigns a dimension to each feature in a hyperplane. See Call, para. [0012], Call then uses a learning engine to identify the emergence of clusters within the data. See id. Based on the clustering, Call can identify a cluster of computer devices that contain alien code.
		In the Action, the Office equates the scanning recited in claim 1 to Call identifying a cluster within the hyperplane. The Applicant disagrees. In order for the Office’s rejection to work, the Office had to equate clusters of Call to the content items recited in claim 1. This interpretation is incorrect. As described by Call, the clusters are representative of terminals or physical computer devices. Call is unable to perform an analysis on the user account level. In particular, because Call is focused on the terminal or client computer level, and not the user account level, Call cannot account for the possibility of a fraudulent individual accessing multiple accounts on the same client device, such as that contemplated by the present claims. At no point does Call differentiate between user accounts.” 
The Examiner disagrees with the Applicant. The Examiner respectfully submits that Call does disclose the limitation of “scanning, by a content management system, one or more content items associated with a first user account.” The specification describes a content management system 106 including a content storage 160 that can download malicious content items 234 a-n to the content library 232 within various associated client devices 230 – 250; as well as share, retrieve, modify, and browse content making it possible for a user to access content from multiple client devices. Further, the security 
Analogous to the content management system 106 of the specification, is a central security system 105 via coupled security sub-system(s) 104 that assist and serves as the collection and sharing point for client devices 110a-n in analyzing instrumentation code, generating reports, and executing overall coordination the Call reference describes. System 100 interfaces merchant/bank web servers 102 connected to load balancers 121 connected to the security sub-system(s) 104. The client devices 110a-n are coupled to the security sub-system(s) 104 via network 108 where the exchange of requests from applications (i.e. web page, an e-mail, or other media file) are processed and examined for anomalies. The approach in how it identifies anomalous or “alien” code that may be on a client computers is by identifying clusters to determine whether anomalous actions are benign or malicious [Call, Fig. 1A and ¶¶0005, 0036, and 0044]. In Fig 1B, a closer look at the security sub-system(s) 104 that includes a HTML recorder 122, HTTP handler 124, and cluster analyzer 126; shows a scenario where malware 116 has infected particular ones of the client devices 110C, 110D, and 110F, but not others of the shown client devices 110.  [Call, Fig. 1B and ¶¶0044, 0084, and 0104-0110]. Additionally, the executing resources provided by web server(s) and instrumented with code by the server sub-system(s) 104 for detecting (and possibly deflecting) malicious activity or other abnormal computer behavior. There is a document object model (DOM) 112 associated with each web page, “scanning, by a content management system, one or more content items associated with a first user account.”
Applicant’s arguments: “2. “identifying, by the content management system, within the one or more content items, a subset of content items comprising suspicious content.”
		Continuing with the above description of Call, the Office alleges that the identification of clusters on the hyperplane is equivalent to the claimed subset of content items comprising suspicious content. The Applicant disagrees. As provided in (1) above, Call analyzes the data on a client computer level. The act of clustering that is performed by Call is not performed with respect to content items, but instead with respect to client computers. Despite the Office’s claims to the contrary, this interpretation is directly supported in the Office’s rejection. In particular, the Office and Call provide “[t]he second cluster (a subset of content items) includes data from the client device 110C, 110D, 110F, which each have some form of malicious code 116.” See Office Action, p. 14. Such portion of Call does not contemplate the identification of a subset of content items, but instead focuses on a subset of client devices. Accordingly, the Office’s reliance on Call is in error.”
The Examiner disagrees with the Applicant. The Examiner respectfully submits that Call does disclose “identifying, by the content management system, within the one or more content items, a subset of content items comprising suspicious content.” First, the specification states that content items are being stored by content storage 160 of the content management system 106; there are variations in how content items are stored, hiding the detail complexity from the clients. Content items can be stored as: in a network accessible storage (i.e. storage area network (SAN) or redundant array of inexpensive disks (RAID)), partitioned in (i.e. FAT, FAT32, NTFS, EXT2, EXT3, EXT4, ReiserFS, BTRFS, and so forth), metadata for content items can be stored separately, assigned a system-wide unique identifier, and stores a single copy then uses a pointer to link duplicate [specification, ¶¶0023-0025]. The central service may identify related clusters in such anomalous action, which is likely generated by a common source of code that has been distributed broadly to many machines so that it performs similar operations; also determines whether such anomalous actions are benign or malicious. The invention characterizes subsets of associated, particular DOM for rendered web pages; at least a portion of the data that characterizes subsets of particular document object models to a central security server, wherein the central security server is configured to receive data from a plurality of computer server subsystem. The information that characterizes execution of the one or more web resources can include representations of Document Object Models (DOMs) of the web pages. Identifying the subset of the executions of the one or more web resources that deviated from the expected execution of the one or more resources can include identifying clusters of particular executions of the one or more web resources in a hyperplane. The 
Applicant’s arguments: “3. “in response to identifying the subset of content items, identifying, by the content management system, that at least one second user account is related to the first user account based on at least authentication data associated with the first user account and authentication data associated with the second user account”
		In the Action, the Office concedes that Call fails to contemplate the above referenced functionality. Instead, the Office relies on Rubinstein. Rubinstein is generally directed to a social networking system that performs account recovery for a user with the help of the user’s connections. Se Rubinstein, abstract. In the Action, the Office alleges that Rubinstein teaches the above referenced functionality by stating that “Client devices are matched by comparing information (that at least one second user account is related to the first user account) associated with the client devices including the internet address of the client device, cookies stored in the client device, or information identifying an application.” See Office Action, p. 15. The Applicant disagrees.
		While Rubinstein does indeed state that client devices are matched, they are not matched in manner that would reveal whether a first user account is related to a second user account. Instead, Rubinstein provides the system merely identifies other users that may have some real-world interaction with the target user based on various metrics, such as location information. Such functionality is not equivalent to the Applicant’s claims.
		Still further, even if Rubinstein does teach the above referenced functionality, which the Applicant does not concede, there is simply no reasonable basis to combine the teachings of Rubinstein with that of Call. As provided above, the system in Call looks at the client device level, i.e., the physical computing devices, and not the user account level. In contrast, Rubinstein looks at the user account level. Accordingly, even with the alleged authentication information from Rubinstein, Call would be unable to determine whether user accounts are related because Call never considers malicious activity at the user account level. Therefore, the Office’s reliance on Rubinstein is in error.”
The Examiner disagrees with the Applicant. The Examiner respectfully submits that Rubinstein does disclose analogously the teachings of a partial match between a device type information. Examiner broadly interprets a partial match as part a fragmentary, section, or sectional match of the device. Hence, Rubinstein teaches that there is a comparison performed to determine the 
Applicant’s arguments: “Further, none of Harrington, Bookbinder, or Milliken, either alone or in combination, cures the deficiencies of Call and Rubinstein. Harrington is generally directed to a system for hosting an online social game in such a manner that individual users may log into the same user account in the social game from a plurality of different social network platforms, and/or such that users that have logged into the social game from different social network platforms can still participate in the social game together. See Harrington, abstract. Bookbinder is generally directed to a system for detecting abuse of network services by obtaining network service activity information associated with a plurality of network service accounts, comparing via a fraud detection system the network service activity information with a term of a service agreement of a service provider, and identifying abusive activity based on the comparison. See Bookbinder, abstract. Milliken is generally directed to a system for detecting and/or preventing the transmission of malicious packets, such as polymorphic worms and viruses. See Milliken, abstract. None of Harrington, Bookbinder, or Milliken contemplates the above referenced functionality.
		Therefore, the Applicant respectfully submits that the claims are patentable over any combination of Call, Rubinstein, Harrington, Bookbinder, and Milliken.”
The Examiner disagrees with the Applicant. The Examiner respectfully submits that Applicant does not disclose any further arguments with respects to Harrington, Bookbinder, and Milliken yet describes the invention types. As such, Examiner maintains Harrington, Bookbinder, and Milliken for the dependent claim limitations taught and are maintained below.
Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-5, 7, 10-11, 14, and 17-18 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 2, 6-8 and 12-15 of U.S. Patent No. 10,091,174 and claims 5-7, 9, 14-15, and 17 of U.S. Patent No. 10,623, 391. Although the claims at issue are not identical, they are not patentably distinct from each other scanning for suspicious content by either computing device or content management system; blocking malicious identified data from related first and second user accounts are conceptually similar.
Instant Application16/832,463
US Patent10,091,174 B2
US Patent10,623,391 B2
Claim 11. A computer-implemented method comprising:
























scanning, by a content management system, one or more content items associated with a first user account;

identifying, by the content management system, within the one or more content items, a subset of content items comprising suspicious content;


in response to identifying the subset of content items, identifying, by the content management system, that at least one second user account is related to the first user account based on at least authentication data associated with the first user account and authentication data associated with the second user account; and









blocking access to the first user account and the at least one second user account on the content management system.

1. A method comprising:

detecting, by a computing device, one or more content items stored in a folder on a client device associated with a first activated user account, wherein the folder of the client device is synchronized to a storage device hosted on the computing device;

uploading the each of the one or more content items stored in the folder on the client device to the storage device hosted on the computing device, such that the first activated user account can access each of the one or more content items on both the client device and another client device associated with the first activated user account;

detecting, by a computing device, a malicious activity associated with the first activated user account;

scanning each of the one or more content items to identify malware contained in at least one content item of the one or more content items, responsive to detecting the malicious activity associated with the first activated user account;




in response to identifying malware contained in the at least one content item identifying, by the computing device, that at least the second activated user account of the computing device is related to the first activated user account based on at least authentication data associated with the first activated user account and the second activated user account, wherein the authentication data are stored on the computing device and the authentication data includes a referral account identifier linking the second activated user account to the first activated user account; and

blocking access of the first activated user account or the at least one second activated user account to the storage device hosted on the computing device.



Claim 7
7. A non-transitory computer readable medium including one or more sequences of instructions which, when executed by one or more processors, cause:
collecting a first authentication data associated with a first activated user account of a computing device;
collecting a second authentication data associated with a second activated user account of the computing device;
detecting, by a computing device, one or more content items stored in a folder on a client device associated with the 
uploading each of the one or more content items stored in the folder on the client device to the storage devices hosted on the computing device, such that the first activated user account can access each of the one or more content items on both the client device and another client device associated with the first activated user account;
detecting a malicious activity associated with the first activated user account;
scanning each of the one or more content items to identify malware contained in at least one content item of the one or more content items, responsive to detecting the malicious activity;
in response to identifying malware contained in the at least one content item, comparing the first authentication data to the second authentication data, the second authentication data comprising a referral account identifier linking the second activated user account to the first activated user account;
determining that the second activated user account is related to the activated user account based on the comparison; and
blocking access of the first activated user account or the at least one second activated user account to a content item stored in the storage device by modifying the security setting of the content item.

Claim 13
13. A system comprising:

a computer readable medium including one or more sequences of instructions which, when executed by one or more processors, cause:
collecting a first authentication data associated with a first activated user account of a computing device and a second authentication data associated with a second activated user account of the computing device, the second activated user account comprising a referral account identifier;
detecting one or more content items stored in a folder on a client device associated with a first activated user account, wherein the folder of the client device is synchronized to a storage device hosted on the system;
uploading each of the one or more content items stored in the folder on the client device to the storage device hosted on the system, such that the first activated user account can access each of the one or more content items on both the client device and another client device associated with the first activated user account;
detecting a malicious activity associated with the first activated user account;
scanning each of the one or more content items to identify malware contained in at least one content item of the one or more content items;
comparing, in response to identifying malware contained in the at least one content item, the at least one content item of the first activated user account to one or more second content items associated with the second activated user account;
determining that the second activated user account is related 
determining that the second activated user account is a malicious user account based on a result of the comparing; and
blocking access of the first activated user account or the at least one second activated user account to the at least one content item on the computing device by modifying the security setting of the at least one content item.

1. A computer-implemented method comprising:

storing, by a content management system, one or more content items associated with a first user account on the content management system;

detecting, by the content management system, a malicious activity associated with the first user account;















scanning each of the one or more content items to identify malicious content in at least one content item of the one or more content items, responsive to detecting the malicious activity associated with the first user account;





in response to identifying malicious content in the at least one content item, identifying, by the content management system, that at least a second user account is related to the first user account based on at least authentication data associated with the first user account and the second user account, wherein the authentication data includes a referral account identifier linking the second user account to the first user account; and






blocking access to the first user account and the at least one second user account on the content management system.



Claim 9
9. A non-transitory computer readable medium including one or more sequences of instructions which, when executed by one or more processors, cause:
storing, by a content management system, one or more content items associated with a first user account on a content management system;
detecting a malicious activity associated with the first user account;
scanning each of the one or more content items to identify malicious content in at least one content item of the one or more content items, responsive to 
in response to identifying malicious content in the at least one content item, identifying that at least a second user account is related to the first user account based on at least authentication data associated with the first user account and the second user account, wherein the authentication data includes a referral account identifier linking the second user account to the first user account; and
blocking access to the first user account and the at least one second user account on the content management system.


Claim 17
17. A system, comprising:
one or more processors; and
a computer readable medium including one or more sequences of instructions which, when executed by one or more processors, cause:
storing one or more content items associated with a first user account on a content management system;
detecting a malicious activity associated with the first user account;
scanning each of the one or more content items to identify malicious content in at least one content item of the one or more content items, responsive to detecting the malicious activity associated with the first user account;
in response to identifying malicious content in the at least one content item, identifying that at least a second user 
blocking access to the first user account and the at least one second user account on the content management system.


2. The computer-implemented method of claim 1, wherein the first user account and the at least one second user account are accessed via a common client device.

Claim 5
5. The computer-implemented method of claim 1, wherein the first user account and the second user account are accessed via a common client device.

Claim 3
3. The computer-implemented method of claim 1, wherein 

identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:

identifying that the second user account is related to the first user account based on at least a portion of a first internet protocol (IP) address associated with the first user account at least partially matches a second IP address associated with the second user account.


Claim 10
10. The system of claim 8, wherein identifying that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
identifying that the second user account is related to the first user account based on at least a portion of a first internet protocol (IP) address associated with the first user account at least partially matches a second IP address associated with the second user account.

Claim 17
17. The non-transitory computer readable medium of claim 15, wherein
identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
identifying that the second user account is related to the first user account based on at least a portion of a first internet 




Claim 6
6. The computer-implemented method of claim 1, further comprising:










identifying, by the content management system, that a third user account and the first user account are accessed via a common client device based on  first internet protocol (IP) address associated with the first user account at least partially matching a second IP address associated with the third user account; and

blocking access to the third user account on the content management system.



Claim 14
14. The non-transitory computer readable medium of claim 9, further comprising:
identifying that a third user account and the first user account are accessed via a common client device based on at least a portion of a first internet protocol (IP) address associated with the first user account at least partially matching a second IP address associated with the third user account; and
blocking access to the third user account on the content management system.


4. The computer-implemented method of claim 1, wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:

identifying that the second user account is related to the first user account based on a common string pattern in a first user account email address and a second user account email address.




Claim 11
11. The system of claim 8, wherein identifying that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
identifying that the second user account is related to the first 

Claim 18
18. The non-transitory computer readable medium of claim 15, wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
identifying that the second user account is related to the first user account based on a common string pattern in a first user account email address and a second user account email address.



2. The method of claim 1, further comprising:

collecting, by the computing device, authentication data associated with the first activated user account and the second activated user account, the authentication data including an email address; and



determining that the second activated user account is related to the first activated user account based on a common string pattern in the first activated user account email address and the second activated user account email address.

Claim 8
8. The non-transitory computer readable medium of claim 7, wherein the first authentication data includes a first email address, the second authentication data includes a second email address; and wherein the instructions cause:
determining that the first email address and the second email address have a common string pattern.



Claim 15
15. The system of claim 13, wherein the first authentication data includes a first email address, the second authentication data includes a second email address; and
wherein the instructions cause:
determining that the first email address and the second email address have a common string pattern.



7. The computer-implemented method of claim 1, further comprising:
identifying, by the content management system, that a third user account is related to the first user account based on a common string pattern in a first user account email address and a third user account email address; and
blocking access to the third user account on the content management system.

Claim 15
15. The non-transitory computer readable medium of claim 9, further comprising:
identifying that a third user account is related to the first user account based on a common string pattern in a first user account email address and a third user account email address; and
blocking access to the third user account on the content management system.


Claim 5
5. The computer-implemented method of claim 1, wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:

generating a hash value for each content item in the subset of content items;

generating one or more second hash values for one or more 

identifying a match between the hash value and at least one of the one or more second hash values.


14. The system of claim 13, wherein the instructions cause:

generating one or more first hash values based on a first content item of the at least one content item;

generating one or more second hash values based on a second content item of the one or more second content items;

comparing the first hash values to the second hash values; and
determining that the second activated user account is a malicious user account based on the result of the comparing.


Claim 7
7. The computer-implemented method of claim 1, wherein the authentication data associated with the first account comprises one or more of email address, IP address, geographic region, device type, browser type, or referral information.






Claim 14
14. The system of claim 8, wherein the authentication data associated with the first account comprises one or more of email address, IP address, geographic region, device type, browser type, or referral information.

Claim 6
6. The method of claim 1, further comprising:
collecting, by the computing device, authentication data associated with the first activated user account, the authentication data including a browser type; and

determining that the second activated user account is related to the first activated user account based on the first activated user account browser type matching the second activated user account browser type.

Claim 12
12. The non-transitory computer readable medium of claim 7, wherein the first authentication data includes a first browser type, the second authentication data includes a second browser type; and
wherein the instructions cause:
determining that the first browser type matches the second browser type.




Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claim 1, 6-8, 13-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Call et al, hereinafter (“Call”), US PG Publication (2014/0283067 A1), in view of Rubinstein et al, hereinafter (“Rubinstein”), US PG Publication (2012/0166533 A1). 
Regarding claims 1, 8, and 15, Call teaches a computer-implemented method comprising; a system, comprising; and a non-transitory computer readable medium comprising one or more sequences of instructions, which, when executed by one or more processors, cause the one or more processors to perform operations, comprising:
one or more processors; [Call, ¶0118] and
a memory having programming instructions stored thereon, which, when executed by the one or more processors, performs one or more operations comprising: [Call, ¶0118-0119]
scanning, by a content management system, one or more content items associated with a first user account; [Call, Fig. 1B and ¶¶0073 and 0077: Cluster analyzer 126 that can be in a server subsystem 104, which identifies clusters in a hyperplane 106 (one or more content items associated) where a first cluster (a first user account) includes information from client devices 110A, 110B, and 110E, which have not been infected with malicious code 116]
¶0077: The second cluster (a subset of content items) includes data from the client devices 110C, 110D, and 110F, which each have some form of malicious code 116 (a subset of content items comprising suspicious content) in them (e.g., man-in-the-browser)]
While Call teaches identifying the subset of content items [See Call, ¶0077: The second cluster (a subset of content items)]; however, Call fails to explicitly teach but Rubinstein teaches in response to identifying the subset of content items, identifying, by the content management system, that at least one second user account is related to the first user account based on at least authentication data associated with the first user account and authentication data associated with the second user account; [Rubinstein, ¶¶0032 and 0035-0037: The social networking system 100 (a content management system) includes: an action logger 225, an account recovery manager 245, a user account store 270, a and security module 250. The action logger 225 tracks user actions (i.e. reading/sending/viewing messages or content, etc.) into log 240; where the system 100 maintains data objects (one or more content items) with which a user interact to user account store 270 (i.e. data structures with fields suitable for describing a user's account (a first user account)) and connection store 275 store instances of corresponding type of objects. ¶¶0037-0039: The security module 250 determines if there is any suspicious activity associated with a user account that warrants locking the user account. Client devices are matched by comparing information (that at least one second user account is related to the first client devices including the internet address of the client device, cookies stored in the client device, or information identifying an application (based on at least authentication data associated with the first user account and authentication data associated with the second user account) used for interacting with the social networking system] and
blocking access to the first user account and the at least one second user account on the content management system. [Rubinstein, ¶0037: The security module 250 determines if there is any suspicious activity associated with a user account that warrants locking the user account. ¶0038: If the security module 250 locks (blocking access) the user account, the user account cannot be accessed by any user (first user account and the at least one second user account on the content management system) including the authorized user without specific authentication. The authentication process followed to unlock the user account is called the account recovery process.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of detecting the introduction of alien content of Call before him or her by including the teachings of predicting real-world connections based on interactions in social networking system of Rubinstein. The motivation is that it would be obvious to try determining real-world interactions between users of a social networking system based on interactions of the users with the social networking system; where client devices are 
Regarding claims 6, 13, and 20, the combination of Call and Rubinstein teach claim 1 as described above.
Call teaches wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
determining a first user device corresponding to the first user account, the first user device comprising first user device type information; [Call, ¶0070: Each client device 110 collects an instrumentation code 115 about particular activity occurring on the client device; information about the user’s operating environment included: client device type. ¶0077: Hence, first cluster includes information from client devices 110A, 110B, and 110E ]
determining a second user device corresponding to the second user account, the second user device comprising second user device type information; [Call, ¶0070: Each client device 110 collects an instrumentation code 115 about particular activity occurring on the client device; information about the user’s operating environment included: client device type. ¶0077: Hence, second cluster includes data from the client devices 110C, 110D, and 110F] and 
¶¶0007-0008: The first device and the second device are matched to determine if they represent the same device; client devices are matched by comparing information associated with the client devices: cookies, Internet address of the client device]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of detecting the introduction of alien content of Call before him or her by including the teachings of predicting real-world connections based on interactions in social networking system of Rubinstein. The motivation is that it would be obvious to try determining real-world interactions between users of a social networking system based on interactions of the users with the social networking system; where client devices are matched by comparing information associated with the client devices including the internet address of the client device [Rubinstein, ¶¶0007-0008].  
Regarding claims 7 and 14, the combination of Call and Rubinstein teach claim 1 as described above.
Call teaches wherein the authentication data associated with the first account comprises one or more of email address, IP address, geographic region, device type, browser type, or referral information. [Call, ¶0074: cluster analyzer 126 may use a hyperplane 106 to identify the data clusters, based on context data including: client’s 110 IP address...
Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Call et al, hereinafter (“Call”), US PG Publication (2014/0283067 A1), in view of Rubinstein et al, hereinafter (“Rubinstein”), US PG Publication (2012/0166533 A1), in view of Harrington, US Patent (8,622,828 B1).
Regarding claims 2, 9, and 16, the combination of Call and Rubinstein teach claim 1 as described above.
However, the combination of Call and Rubinstein fail to explicitly teach but Harrington teaches wherein the first user account and the at least one second user account are accessed via a common client device. [Harrington, Col 4, lines 9-25: A system 10 to facilitate users logged into different social network platforms play in an online game; where Server 12 includes: a social network information module 22, etc. to execute programs. Col 1, lines 50-57: an online game provided to users (i.e. first user and second user) through different social network platforms (i.e. first social network platform and second social network platform) may access a common instance (a common client device) of the online game and/or virtual space. Fig. 1 and Col 3, lines 28-35: Through the space module 18 of the server 12, the instance of the virtual space provides view information as presentation to the first user and second user]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Call and Rubinstein before him or her by including the teachings of a method for facilitating social gaming across social platforms of Harrington. The motivation is that it would be obvious to try hosting a virtual space to be accessible as a virtual space for facilitating a .  
Claims 3-4, 10-11, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Call et al, hereinafter (“Call”), US PG Publication (2014/0283067 A1), in view of Rubinstein et al, hereinafter (“Rubinstein”), US PG Publication (2012/0166533 A1), in view of Bookbinder et al, hereinafter (“Bookbinder”), US PG Publication (2007/0204033 A1).
Regarding claims 3, 10, and 17, the combination of Call and Rubinstein teach claim 1 as described above.
However, the combination of Call and Rubinstein fail to explicitly teach but Bookbinder teaches wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
identifying that the second user account is related to the first user account based on at least a portion of a first internet protocol (IP) address associated with the first user account at least partially matches a second IP address associated with the second user account. [Bookbinder, ¶¶0015 0017 0020: primary and sub-accounts; 0033-0034: fraud detector 202 communicatively coupled to fraud/abuse history data structure 210 which stores IP addresses associated with accounts (the first user account) or sub-accounts (the second user account) compares subsequently obtained Internet activity information to determine use with another ¶¶0068 and 0077: comparator 308 determines if subscriber IP address is valid/invalid through find an exact match or, in some cases, a partial match;  the retrieved subscriber account information may correspond to accounts for which the geographical addresses have already been analyzed and verified]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Call and Rubinstein before him or her by including the teachings of methods and systems to detect abuse of network services of Bookbinder. The motivation is that it would be obvious to try determine whether subscriber account information is suspicious. The data structure 212 may store a plurality of patterns in the fraud and abuse pattern data structure 212 including patterns related to different types of network abuse. Hence, where a recurring pattern becomes common otherwise indicative of fraud [Bookbinder, ¶¶0035-0036].  
Regarding claims 4, 11, and 18, the combination of Call and Rubinstein teach claim 1 as described above.
However, the combination of Call and Rubinstein fail to explicitly teach but Bookbinder teaches wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
 ¶0035: patterns may indicate typical or general characteristics of e-mail spamming; combinations of characters, etc. ¶0054: fraud detector analyzes subscriber information from Internet activity information (i.e. email activity, etc.) for abuse by obtaining pattern information (a common string pattern) from respective fraud/abuse history data structure 210 (a first user account email address) and fraud/abuse history data structure 212 (a second user account email address)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Call and Rubinstein before him or her by including the teachings of methods and systems to detect abuse of network services of Bookbinder. The motivation is that it would be obvious to try determine whether subscriber account information is suspicious. The data structure 212 may store a plurality of patterns in the fraud and abuse pattern data structure 212 including patterns related to different types of network abuse [Bookbinder, ¶¶0035-0036].  
Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Call et al, hereinafter (“Call”), US PG Publication (2014/0283067 A1), in view of Rubinstein et al, hereinafter (“Rubinstein”), US PG Publication (2012/0166533 A1), in view of Milliken et al, hereinafter (“Milliken”), US PG Publication (2010/0205671 A1).

However, the combination of Call and Rubinstein fail to explicitly teach but Milliken teaches wherein identifying, by the content management system, that at least the second user account is related to the first user account based on at least the authentication data associated with the first user account and the authentication data associated with the second user account, comprises:
generating a hash value for each content item in the subset of content items; [Milliken et al, ¶0016: a method for detecting files suspected of containing a virus or worm on a computer is provided; Fig. 2 and ¶¶0040-0041 and 0043: Packet detection logic 200 include: hash processor 210 and hash memory 220; where generates one or more representations for each received packet and records the packet representations in hash memory 220 as hash value (generating a hash value for each content item in the subset of content items). The hash value may be stored in hash memory 220 or may be used as an index, or address, into hash memory 220]
generating one or more second hash values for one or more second content items associated with the second user account; [Milliken, See Fig. 2 and ¶¶0040-0041: packet detection logic 200 with hash processor where any one of a hosts 111-113 and 121-123, or another type of device, etc. ¶0045: Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet] and
¶0012: The system further includes means for identifying one of the observed packets as a potentially malicious packet when the generated hash values corresponding to the observed packet match the hash values corresponding to the prior packets; ¶0016: comparing the second hash values to the one or more first hash values]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Call and Rubinstein before him or her by including the teachings of hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses of Milliken. The motivation is that it would be obvious to try a method for detecting transmission of potentially malicious packets is provided; where generating hash values based on variable-sized blocks of the received packets [Milliken, ¶0011].  
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SWT/Examiner, Art Unit 2497                                                                                                                                                                                                        


/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497