DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 2 and 29-36 have been examined. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/29/2021 has been entered.

Response to Amendment
Claims 32, 33 and 35 have been amended.
Claim 36 has been newly added. 
Examiner’s objections to claims 39, 32 and 35 are withdrawn in light of the applicant’s amendments to the claims. 
Applicant’s arguments with respect to claims 1 and 30 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 36 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10063593. Although the claims at issue are not identical, they are not patentably distinct from each other because: 
Instant application:
36. (new) A method comprising: receiving, by a gateway enforcement point, through a communication network and from a client device used by a user, a first request to access a protected resource;
responsive to receipt of the first request, authenticating, by the gateway enforcement point, the client device to establish a first authenticated communication session between the gateway enforcement point and the client device, with the authentication including receiving, by the gateway enforcement point, authentication data relating to the user;
further responsive to receipt of the first request, sending, by the gateway enforcement point of a first cloud fraud detection system, a second request for fraud information relating to the user, with the second request including: (i) the authentication data, and (ii) a session identifier identifying the first authenticated communication session;
receiving, by the gateway enforcement point and from the first cloud fraud detection system, a first fraud data set indicative of fraud related information relating to the user;
further responsive to receipt of the request to access the protected resource, sending, by the enforcement point and to a second cloud fraud detection system, a third request for fraud information relating to the user, with the third request including: (i) the authentication data, and (ii) the session identifier;
receiving, by the gateway enforcement point and from the second cloud fraud detection system, a second fraud data set indicative of fraud related information relating to the user; and
controlling access, by the gateway enforcement point, to the protected resource by the client device in a manner based upon both of the following: (i) the fraud related information of the first fraud data set, and (ii) the fraud related information of the second fraud data set.

U.S. Patent No. 10063593:
1. A method comprising: 
receiving, by a gateway enforcement point, through a communication network from a client device used by a user, a first request to access a protected resource; 
responsive to receipt of the first request, authenticating, by the gateway enforcement point, the client device to establish a first authenticated communication session between the gateway enforcement point and the client device, with authenticating the client device including receiving, by the gateway enforcement point, authentication data relating to the user; further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a first cloud fraud detection system, a second request for fraud information relating to the user, with the second request including: (i) the authentication data, and (ii) a session identifier identifying the first authenticated communication session; receiving, by the gateway enforcement point from the first cloud fraud detection system, a first fraud data set indicative of fraud related information relating to the user; 
caching, in the gateway enforcement point as part of the first authenticated communication session, the first fraud data set; 
further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a second cloud fraud detection system, a third request for fraud information relating to the user, with the third request including: (i) the authentication data, and (ii) the session identifier; 
receiving, by the gateway enforcement point from the second cloud fraud detection system, a second fraud data set indicative of fraud related information relating to the user; 
caching, in the gateway enforcement point as part of the first authenticated communication session, the second fraud data set; and 
controlling, by the gateway enforcement point, access to the protected resource by the client device in a manner based upon both of the following: (i) the fraud related information of the first fraud data set, and (ii) the fraud related information of the second fraud data set.


Claims 1, 2 and 29-35 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-9 of U.S. Patent No. 10063593 in view of US 20100325357 to Reddy et al (hereinafter Reddy). Although the claims at issue are not identical, they are not patentably distinct from each other because:

Instant application:
1. A computer implemented method comprising:
collecting, machine readable fraud data in a fraud related data cache of a policy enforcement point;
intercepting, by the policy enforcement point, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device;
determining, by the policy enforcement point, an authorization related data set, based, at least in part, on the machine readable fraud related data, with the authorization related data set relating to a fraud risk; and
modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response.

U.S. Patent No. 10063593:
1. A method comprising: receiving, by a gateway enforcement point, through a communication network from a client device used by a user, a first request to access a protected resource; responsive to receipt of the first request, authenticating, by the gateway enforcement point, the client device to establish a first authenticated communication session between the gateway enforcement point and the client device, with authenticating the client device including receiving, by the gateway enforcement point, authentication data relating to the user; further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a first cloud fraud detection system, a second request for fraud information relating to the user, with the second request including: (i) the authentication data, and (ii) a session identifier identifying the first authenticated communication session; receiving, by the gateway enforcement point from the first cloud fraud detection system, a first fraud data set indicative of fraud related information relating to the user; caching, in the gateway enforcement point as part of the first authenticated communication session, the first fraud data set; 
further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a second cloud fraud detection system, a third request for fraud information relating to the user, with the third request including: (i) the authentication data, and (ii) the session identifier; receiving, by the gateway enforcement point from the second cloud fraud detection system, a second fraud data set indicative of fraud related information relating to the user; caching, in the gateway enforcement point as part of the first authenticated communication session, the second fraud data set; and controlling, by the gateway enforcement point, access to the protected resource by the client device in a manner based upon both of the following: (i) the fraud related information of the first fraud data set, and (ii) the fraud related information of the second fraud data set.


U.S. Patent No. 10063593 does not teach: intercepting, by the policy enforcement point, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device; and modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response. However, Reddy teaches:
intercepting, by the policy enforcement point, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device (Reddy: [0106]: The appliance 200 comprises one or more virtual servers or virtual internet protocol servers, referred to as a vServer, VIP server, or just VIP 275a-275n (also referred herein as vServer 275). The vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106 in accordance with the configuration and operations of the appliance 200. [0109]: In one embodiment, the appliance 200 controls the flow of network traffic and communication sessions based on policies of the policy engine 236. [0232]: at step 652 the intermediary device 200 can receive any type and form of request for content, such as a request for web content. [0234]: the intermediary device 200 can forward the request to a server 106, client 102, another appliance 200', or networked device that may provide or host the web content. The intermediary device 200 can then receive 656 the HTTP response. A browser script in a browser generating requests for web content was well known to one of ordinary skill in the art before the effective filing date of the claimed invention);
modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response (Reddy: [0109]: In one embodiment, the appliance 200 controls the flow of network traffic and communication sessions based on policies of the policy engine 236. [0235] The intermediary device can further process 658 the received HTTP response. [0236] The step of processing 658 the HTTP response can further comprise modifying a cache control header of the received HTTP response. In some embodiments, the modifying comprises inserting cache control information generated by the application firewall 290 into the cache control header, i.e., the response (session data) is modified in the intercepted response. [0247]: a user session associated with a first request for a particular web content. [0248]: In some embodiments, the HTTP response is provided as a modified copy of the HTTP response stored in cache. For example, the HTTP response stored in cache is assembled for transmission and a cookie header inserted into the reproduction. The modified copy with a selected cookie header is then transmitted, i.e., the response (session data) is modified in the intercepted response. Also, [0250]-[0251]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Reddy in the invention of U.S. Patent No. 10063593 to include the above limitations. The motivation to do so would be to improve performance of cache management and application firewall processing of web content exchanged in networked systems (Reddy: [0003]).
In a similar manner, claim 30 is similar to claim 4 of U.S. Patent No. 10063593.

Claim Objections
Claim 32 is objected to because of the following informalities:  claim 32 recites: “the CPP of claim 30…”, i.e., claim 32 begins with a lower case letter instead of an upper case letter.  Appropriate correction is required.
Claim 36 is objected to because of the following informalities:  Claim 36 recites: “sending, by the gateway enforcement point of a first cloud fraud detection system, a second request…” instead of “sending, by the gateway enforcement point to a first cloud fraud detection system, a second request…” in lines 8-9. Also, Claim 36 recites: “the request” instead of the “first request” in line 14 and “the enforcement point” instead of “the gateway enforcement point” in line 15.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2 and 29-35 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 7908645 to Varghese et al (hereinafter Varghese), US 20100325357 to Reddy et al (hereinafter Reddy) and prior art of record US 9137131 to Sarukkai et al (hereinafter Sarukkai).
As per claims 1 and 30, Varghese teaches:
A computer implemented method comprising: 
collecting machine readable fraud data in a fraud related data cache of a policy enforcement point (Varghese: column 11, line 55-column 12, line 12: The DCR process gathers the results of the current request-authentication processing and stores them in DCR database 1110 in association with the identifying information (for example, the Device ID) for the originating user device. Thereby, the DCR database can provide an historical record of the results of previous request-authentication processing to guide the FAAS in current authentication-request processing. The DCR database includes at least data obtained from the current service provider. Preferably, it also includes data from other service providers. Data from the current request can optionally be supplemented by the third party data similar to that data already retrieved by the FAAS); 
determining, by the policy enforcement point, an authorization related data set, based, at least in part, on the machine readable fraud related data, with the authorization related data set relating to a fraud risk (Varghese: column 13, lines 15-40: The methods receive a copy of the request itself or information describing and abstracting the substance of a current request. The input information is processed, and the methods output risk scores, risk alerts, and actions (or action recommendations). Risk scores and alerts are indicia of the likely risks that the current request is incorrect, or malicious, or fraudulent, and so forth. Fraud detection inputs describe the user, the user's device, the location of the user's device, the workflow of transaction entered by the user, historical patterns of user accesses, and data from 3rd party data sources. Column 19, lines 8-20: The user-type data items generally test whether or not a particular user's behavior suggests a likely malicious intent. The device-type data items generally test whether or not a particular device has been used and/or is being used in a manner that suggests it has been accessed by users with a likely malicious intent); 
Varghese does not teach: intercepting, by the policy enforcement point, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device; and modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response.
However, Reddy teaches:
intercepting, by the policy enforcement point, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device (Reddy: [0106]: The appliance 200 comprises one or more virtual servers or virtual internet protocol servers, referred to as a vServer, VIP server, or just VIP 275a-275n (also referred herein as vServer 275). The vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106 in accordance with the configuration and operations of the appliance 200. [0109]: In one embodiment, the appliance 200 controls the flow of network traffic and communication sessions based on policies of the policy engine 236. [0232]: at step 652 the intermediary device 200 can receive any type and form of request for content, such as a request for web content. [0234]: the intermediary device 200 can forward the request to a server 106, client 102, another appliance 200', or networked device that may provide or host the web content. The intermediary device 200 can then receive 656 the HTTP response. A browser script in a browser generating requests for web content was well known to one of ordinary skill in the art before the effective filing date of the claimed invention);
modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response (Reddy: [0109]: In one embodiment, the appliance 200 controls the flow of network traffic and communication sessions based on policies of the policy engine 236. [0235] The intermediary device can further process 658 the received HTTP response. [0236] The step of processing 658 the HTTP response can further comprise modifying a cache control header of the received HTTP response. In some embodiments, the modifying comprises inserting cache control information generated by the application firewall 290 into the cache control header, i.e., the response (session data) is modified in the intercepted response. [0247]: a user session associated with a first request for a particular web content. [0248]: In some embodiments, the HTTP response is provided as a modified copy of the HTTP response stored in cache. For example, the HTTP response stored in cache is assembled for transmission and a cookie header inserted into the reproduction. The modified copy with a selected cookie header is then transmitted, i.e., the response (session data) is modified in the intercepted response. Also, [0250]-[0251]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Reddy in the invention of Varghese to include the above limitations. The motivation to do so would be to improve performance of cache management and application firewall processing of web content exchanged in networked systems (Reddy: [0003]).
Varghese in view of Reddy teaches intercepting a response from a server to the client but does not explicitly teach a response from a cloud fraud service to a client device. However, Sarukkai teaches:
a response being transmitted from a cloud fraud service to a client device (Sarukkai: column 6, lines 3-13: All subsequent accesses to the cloud service 12 from the client device 10 are then routed through the monitor proxy server 20 which functions as a reverse proxy for the client device. The client device 10 requests resources from the cloud service 12 through the monitor proxy server 20 and the monitor proxy server 20 retrieves the resources on behalf of the client device 10 from the cloud service 12. The retrieved resources are provided to the client device 10 as though they originate from the monitor proxy server itself. Column 7, lines 32-40: All responses from the cloud services to the client device also flow through the monitor proxy server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Sarukkai in the invention of Varghese in view of Reddy to include the above limitations. The motivation to do so would be so that the enterprise is able to obtain deep visibility and control of all traffic to the cloud service from a client device which may be acting on behalf of the enterprise (Sarukkai: column 6, lines 36-42).

As per claims 2, 31 and 34, Varghese in view of Reddy and Sarukkai teaches: 
The computer implemented method of claim 1 wherein the modified response includes filtered fraud related authorization data, the method further comprising: merging the filtered fraud related authorization data into the session cache of the policy enforcement point (Varghese: column 9, lines 47-67 and column 10, lines 1-2: If a user is authenticated, then that user can access service provider applications, e.g., applications A, B, C, D, and so forth. Discrepancies can be identified and scored to determine whether to allow access or not or whether to apply secondary authentication protocols, such as a security question, before allowing access. Sending a response to the user indicating authentication success to the user’s request was well known to one of ordinary skill in the art before the effective filing date of the claimed invention. Column 11, lines 47-67 and column 12, lines 1-12: The entered data is then used as part of the authentication decision by the service provider application 1322 of processes of this invention. The server application, or the FAAS, or both together then decide whether or not to authenticate the current request. The DCR process gathers the results of the current request-authentication processing and stores them in DCR database 1110 in association with the identifying information (for example, the Device ID) for the originating user device. These stored processing results preferably include, at least, whether or not the request was validated or not and/or whether or not the request was found to be fraudulent. The DCR database includes at least data obtained from the current service provider. Preferably, it also includes data from other service providers so that device risk information can be shared and the accuracy of authentication processing can be multiplied. FDM 1200 performs the actual gathering and assembly of the results of the current request-authentication processing. Data from the current request can optionally be supplemented by the third party data similar to that data already retrieved by the FAAS and/or other data retrieved by the FAAS relevant to evaluating the current request).

As per claims 29, 32 and 35, Varghese in view of Reddy and Sarukkai teaches: 
The computer implemented method of claim 2 further comprising: returning a processing success to the client (Varghese: column 9, lines 47-67 and column 10, lines 1-2: If a user is authenticated, then that user can access service provider applications, e.g., applications A, B, C, D, and so forth. Discrepancies can be identified and scored to determine whether to allow access or not or whether to apply secondary authentication protocols, such as a security question, before allowing access. Sending a response to the user indicating authentication success to the user’s request was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).

As per claim 33, Varghese in view of Reddy and Sarukkai teaches: 
the CPP of claim 30 wherein the CPP is in the form of a computer system (CS), the CPP further comprising the processor(s) set (Varghese: column 8, lines 45-55: The systems server 1306 is generally structured as known in the art, and includes a CPU, RAM memory, disc or other database memory 1308, communication interfaces, optional user interface equipment, and the like).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20130144888 to Faith et al: Embodiments of the invention is directed to a dynamic network analytics system capable of receiving and analyzing queries sent in data messages from data requesters. The queries contain a request from the data requester as to a risk level associated with an interaction conducted by a user. The dynamic network analytics system can determine an optimized process for determining the risk level of the interaction, based on an analysis of past interactions by the user and past interactions by users similar to the user. The dynamic network analytics system can retrieve data from internal and external data sources to generate a response to the query. The dynamic network analytics system conducts the optimized process and uses the retrieved data to generate risk assessments and risk scores in response to the query from the data requester.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


