DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/14/2021 has been entered.
 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/14/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Claims 1, 17 and 19 have been amended and claims 4, 7, 18 and 20 have been cancelled. Claims 1-3, 5-6, 8-17 and 19 are currently pending.

Response to Arguments
Applicant’s arguments with respect to claim 1 have been considered but are moot in view of new grounds of rejections. Applicant’s remaining arguments are based on Applicant's arguments against claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 5-6, 8, 11-17 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ge et al., US-20070255821-A1 (hereinafter “Ge ‘821”) in view of Chiles, US-9225738-B1 (hereinafter “Chiles ‘738”) and Rehak, US-20180219890-A1 (hereinafter “Rehak ‘890”).
Per claim 1 (independent):
Ge ‘821 discloses: A server computer system comprising: a processor; and memory coupled to the processor and storing instructions that, when executed by the processor, cause the server computer system to perform operations comprising: retrieving, from a client computing device of a user, a characteristic of a web browser session engaged in by the client computing device and associated with the user (FIG. 2, [0007], “The invention introduces a new way to detect the major click fraud based on the collaboration between server side log and client side log. … this system can stop click fraud in real time”; [0008], “A searchable database (Global Fraudulent Database, GFD) stores the real-time traffic parameters: the server side log, client side log and a fraud score report data … Client side log is the data from client browser … When a client loads a web page, the tracking code will execute on client computer and send client side parameters to the database. The client side log parameters include (a) static parameters: tracking ID, client IP, client user agent, visited page, referrer source, cookies, time stamp, computer display settings, browser settings, page title and (b) dynamic parameters: mouse over activity, mouse click, and scroll bar movement, key strobe, page view time length and clicked link” where the client side log (characteristic of a web browser session) is retrieved from the client computer in real time, including the static and dynamic parameters.); 
determining whether the web browser session characteristic changes during the web browser session ([0008], “The click fraud detection methods will identify click fraud based on the two set log data. And a fraudulent score will be given to each web request”; [0009], “First the filter sends server side parameters to database GFD. The database GFD logs the server side parameters and sends the fraudulent score back to the filter. The filter will block the client if the fraudulent score is higher than a threshold. If the client web request is normal, the filter will add tracking code to the web page and render the web page to client” where the two sets of log data from both the client side and the server side are used to determine whether a web request is normal or not by calculating a fraudulent score (entropy score) based on the logs (web browser session characteristic) stored in the database GFD and comparing the score with a threshold.); 
determining an entropy score based on the determination of whether the web browser session characteristic changes during the web browser session, wherein the entropy score reflects  ([0009], “First the filter sends server side parameters to database GFD. The database GFD logs the server side parameters and sends the fraudulent score back to the filter. The filter will block the client if the fraudulent score is higher than a threshold” [Emphasis added.]; [0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user activities and other non significant parameters S=f(IP, R, U, C, T, A, TrID, O)”; FIG. 8, FIG. 9, [0083], “                        
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” where the fraud score Sv (entropy score) is calculated by considering the diverse parameters (web browser characteristic) such as the IP, user agent, cookie or user activities etc. on the database GFD. The fraud score is sent back to the web server where the score is compared with the threshold in order to decide whether a change is fraudulent (or valid) or not.);
identifying, based on the entropy score, anomalous behavior for a second web browser session, engaged in by the client computing device and associated with the user, that involves a change in the web browser characteristic during the second web browser session ([0009], “The filter program running on web servers with filter program accomplishes multiple tasks. First the filter sends server side parameters to database GFD. The database GFD logs the server side parameters and sends the fraudulent score back to the filter. The filter will block the client if the fraudulent score is higher than a threshold” [Emphasis added.]; FIG. 6(b), [0057], “The log data includes a tracking ID, Client IP, Client User Agent, Visited Page, Referrer Source, Time Stamp and two Cookies, a Session Cookie” [Emphasis added.]; [0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user activities and other non significant parameters S=f (IP, R, U, C, T, A, TrID, O) …” where a fraud score Sv (entropy score) is calculated by considering the diverse parameters (web browser characteristic) such as the IP, user agent, permanent cookie and user activities etc., which can be collected for each different client session 
wherein identifying the anomalous behavior includes determining an anomaly level associated with a change in the web browser session characteristic, and wherein the anomaly level is based on one or more of: a degree of change of the web browser session characteristic during the second web browser session, and  ([0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user activities and other non significant parameters S=f (IP, R, U, C, T, A, TrID, O)”; FIG. 9, [0083], “                        
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                        
                             
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” where a fraud score Sv (entropy score) is calculated by considering a different score increase [Symbol font/0x44] (degree of change) for the diverse parameters (web browser characteristics) such as the IP, user agent, cookie or user activities etc. whereby each respective fraud score increase is added to the fraud score Sv (i.e. anomaly level increases) as FIG. 9).
Ge ‘821 does not disclose but Chiles ‘738 discloses: the entropy score reflects a probability of the web browser characteristic experiencing a valid change during a future web browser session associated with the user and a weighting associated with the entropy score for the web browser session characteristic (FIG. 1, [Col. 1], ll. 40-57, “detecting attacks from malicious actors … involve flagging anomalous behavior in a current session when there is sufficient difference between an observed distribution of Markov events in the current session and an observed distribution of Markov events in a global session” [Emphasis added.]; [Col. 1], ll. 65 – [Col. 2], ll. 3, “a method of identifying suspect access to a web server in a current session and an observed distribution of Markov events receiving, by a user input during a current session, the user input indicating a web page address, a session including a collection of web page addresses arranged in temporal order.” [Emphasis added.]; [Col. 2], ll. 40-57, “During a user session, a testing server generates a frequency distribution of a set of Markov events of the user session … also obtains a frequency distribution of previously observed Markov events of a global session, i.e., sets of sessions of previous user sessions” [Emphasis added.]; FIG. 2, [Col. 5], ll. 29-36, “Session frequency distribution 220 of web pages … is a number of occurrences of each web page in session 210 … Session frequency distribution 230 of web page transitions … is a number of occurrences of each 35 web page transition in session 210.” [Emphasis added.]; FIG. 3, [Col. 6], ll. 21-54, “If the Markov event is a web page, then processor 116 proceeds to step 350 … In step 360, … the                         
                            
                                
                                    Χ
                                
                                
                                    2
                                
                            
                        
                     anomaly statistic 138 takes the following form:
                
                    
                        
                            Χ
                        
                        
                            2
                        
                    
                    =
                    
                        
                            ∑
                            
                                B
                            
                        
                        
                            
                                
                                    
                                        
                                            
                                                
                                                    
                                                        
                                                            n
                                                        
                                                        
                                                            B
                                                        
                                                    
                                                    -
                                                    
                                                        
                                                            
                                                                
                                                                    n
                                                                
                                                                
                                                                    B
                                                                
                                                            
                                                        
                                                        ^
                                                    
                                                
                                            
                                        
                                        
                                            2
                                        
                                    
                                
                                
                                    
                                        
                                            
                                                
                                                    n
                                                
                                                
                                                    B
                                                
                                            
                                        
                                        ^
                                    
                                
                            
                        
                    
                
            
for this particular form of anomaly statistic 138, processor 116 penalizes current session 136 equally whether it visits a web page too frequently or not frequently enough (e.g., missing web pages)” [Emphasis added]; [Col. 5], ll. 1-15, “An example of such a comparison operation is the formation of a chi-squared (                        
                            
                                
                                    Χ
                                
                                
                                    2
                                
                            
                        
                    ) statistic 138 that provides a weighted sum over the square of the difference between respective frequencies of current frequency distribution 118 and global frequency distribution 120” [Emphasis added.] where the                         
                            
                                
                                    Χ
                                
                                
                                    2
                                
                            
                        
                     anomaly statistic 138 (entropy score) is calculated by comparing the Markov events (distribution) of the user session and the global session for each target webpage B. Note that the user session may be a future web browser session since the global session is updated to include the sessions that happened prior to the user session.  Anomalous behavior would be flagged in the user session when there is sufficient difference based on the                         
                            
                                
                                    Χ
                                
                                
                                    2
                                
                            
                        
                     anomaly statistic 138. Furthermore, the statistic penalizes the user session equally whether it visits a web page too frequently or not frequently 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Ge ‘821 with the distribution of the Markov events (probability) based on the web page information for the anomaly statistic as taught by Chiles ‘738 because it would allow the testing server to detect anomalies in current sessions when the sessions are short and/or are missing web pages or page transitions [Col. 1], ll. 30-64.
Ge ‘821 in view of Chiles ‘738 does not disclose but Rehak ‘890 discloses: wherein a relatively higher entropy score denotes a flat or dispersing probability distribution, and wherein a relatively lower entropy score denotes a concentrated probability distribution ([0023], “a user role may not index records of the web-based resource because the role of a user may be constant (e.g., the user may always have the role of "audit"), which corresponds to a relatively low entropy … session identifiers (or timestamps, etc.) may not index records of the web-based resource because every session may include a different session identifier, corresponding to a relatively very high entropy.”; [0041], “if user i behavior 505(i) has a high entropy ( e.g., above a pre-set threshold) compared to the model of user i behavior 325(i) and the global behavior 405, user i may be determined to be a security threat to the web-based resources” where a user role may have a relatively low entropy since the user role tends to remain a same in accessing web-based resource, i.e., less number of cases for changing the user role (equal to a concentrated probability) while a session identifier may have a relatively high entropy since the session identifier tend to change for every session, i.e., more number of cases for changing the session identifier (equal to a flat probability).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Ge ‘821 in view of Chiles ‘738 with the selection of parameters based on a range of entropy for determining a security threat to web-based resource as 

Per claim 2 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 1, wherein the entropy score is based on whether the web browser characteristic changes during a plurality of web browser sessions associated with the user (FIG. 2, [0007], “The invention introduces a new way to detect the major click fraud based on the collaboration between server side log and client side log. Those two log structure is innovative to detect software clicks. And furthermore, this system can stop click fraud in real time” [Emphasis added.]; [0008], “The click fraud detection methods will identify click fraud based on the two set log data. And a fraudulent score will be given to each web request” [Emphasis added.]; FIG. 6(b), [0057], “The log data includes a tracking ID, Client IP, Client User Agent, Visited Page, Referrer Source, Time Stamp and two Cookies, a Session Cookie and a Permanent Cookie” [Emphasis added.]; [0061], “We added two extra cookies and a tracking ID besides the RFC header for tracing purpose. A permanent cookie is the cookie we implant to client computer with expire date 1 year and a session cookie will be expired whenever the client close the connection session. We use those two cookies to identify client computers.” [Emphasis added.] where the click fraud detection provided by the fraud score (entropy score) is based on the two set log data that includes the session cookie that keeps track of the plurality of client sessions being considered for collecting the client side log.).

Per claim 3 (dependent on claim 2):

Ge ‘821 discloses: The system of claim 2, wherein the plurality of web browser sessions occur within a predetermined period of time ([0057], “The log data includes a tracking ID, Client IP, Client User Agent, Visited Page, Referrer Source, Time Stamp and two Cookies, a Session Cookie and a Permanent Cookie” [Emphasis added.]; FIG. 6(b), [0079], “*810 The real javascript tracking code is sending to the page. This step is optional. FIG. 6(b) is an exemplary real tracking code used in this system.
var theUrl001 = "http://www.clickfraudresearch.com/track.asp";
queryString00I1+= "&cookies="+ escape(cookies);
…
queryString001 += "&pc="+ permCookies;
…
Interval001 = new Date().getTime() – iniTime001;
…
theUrl001 += "&iv="+ interval001;
” [Emphasis added.] where the Javascript tracking code running on the client session shows that the plurality of client sessions tracked by the cookies can occur within the predetermined time interval bounded by the iniTime001 and time stamp).

Per claim 5 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
The system of claim 4, wherein identifying the anomalous behavior for the second web browser session includes generating and transmitting an alert reporting the anomalous behavior (FIG. 8, [0076], “If the score is higher than a threshold, the request is fraud. A warning page is generated 824. The javascript code is displayed in FIG. 6” [Emphasis added.]).

Per claim 6 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 4, wherein identifying the anomalous behavior for the second web browser session includes terminating the second web browser session with the client computing device ([0009], “The filter program running on web servers with filter program accomplishes multiple tasks. First the filter sends server side parameters to database GFD. The database GFD logs the server side parameters and sends the fraudulent score back to the filter. The filter will block the client if the fraudulent score is higher than a threshold. If the client web request is normal, the filter will add tracking code to the web page and render the web page to client” [Emphasis added.]).

Per claim 8 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 7, wherein identifying the anomalous behavior includes: determining a respective anomaly level for each of a plurality of web browser characteristics; and determining a risk score reflecting a degree of the anomalous behavior for the second web browser session based on the plurality of anomaly levels for the plurality of web browser characteristics ([0082], “The fraud score is our fraudulent detection system output, which is the function of request's                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                        
                             
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” [Emphasis added.] where the fraud score Sv (risk score) is calculated by considering a different score increase [Symbol font/0x44] (respective anomaly level) for the diverse parameters (web browser characteristic) such as the IP, user agent, cookie or user activities etc. whereby the respective fraud score  increase is added to the fraud score Sv as FIG. 9).

Per claim 11 (dependent on claim 8):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 8, wherein the risk score is based on: a first anomaly level for a first web browser characteristic from the plurality of web browser characteristics that is determined based on: a first degree of change of the first web browser characteristic and a first entropy score for the first web browser characteristic; and a second anomaly level for a second web browser characteristic from the plurality of web browser characteristics that is determined based on: a second degree of change of the second web browser characteristic and a second entropy score for the second web browser characteristic ([0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user activities and other non significant parameters S=f (IP, R, U, C, T, A, TrID, O) …” [emphasis Added.]; FIG. 9, [0083], “                        
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” [Emphasis added.] where the plurality of fraud score 

Per claim 12 (dependent on claim 11):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 11, wherein the first degree of change of the first web browser characteristic is different from the second degree of change of the second web browser characteristic ([0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user activities and other non significant parameters S=f (IP, R, U, C, T, A, TrID, O) …” [emphasis Added.]; FIG. 9, [0083], “                        
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” [Emphasis added.] where the plurality of fraud score Sv (entropy score) for each different parameter such as such as the IP, user agent, cookie or user activities etc. are given as “Sv = Sv + [Symbol font/0x44]” in which [Symbol font/0x44] is a different score increase (degree of change) for the parameters as FIG. 9).

Per claim 13 (dependent on claim 11):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 11, wherein the first entropy score is different from the second entropy score ([0082], “The fraud score is our fraudulent detection system output, which is the function of request's IP, referrer source, user agent, permanent cookie, page view time length, user                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    is the fraud score increase if the count of an ip exceeds the threshold. For example, if Count ip threshold=100, and the count of the same ip during the past 24 hours greater than 100, the fraud score will increase                         
                            
                                
                                    ∆
                                
                                
                                    i
                                    p
                                
                            
                        
                    ” [Emphasis added.] where the plurality of fraud score Sv (entropy score) for each different parameter such as such as the IP, user agent, cookie or user activities etc. are given as “Sv = Sv + [Symbol font/0x44]” in which [Symbol font/0x44] is a different score increase (degree of change) for the parameters as FIG. 9. The plurality of fraud score Sv (entropy score) will be different for each parameter due to the difference of [Symbol font/0x44]).

Per claim 14 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 1, wherein the web browser characteristic is associated with a categorical component, and wherein the categorical component is: a hardware component of the client computing device, or a software component of the client computing device ([0008], “A searchable database (Global Fraudulent Database, GFD) stores the real-time traffic parameters: the server side log, client side log and a fraud score report data … Client side log is the data from client browser … When a client loads a web page, the tracking code will execute on client computer and send client side parameters to the database. The client side log parameters include (a) static parameters: tracking ID, client IP, client user agent, visited page, referrer source, cookies, time stamp, computer display settings, browser settings, page title and (b) dynamic parameters: mouse over activity, mouse click, and scroll bar movement, key strobe, page view time length and clicked link” [Emphasis added.]).

Per claim 15 (dependent on claim 1):

Ge ‘821 discloses: The system of claim 1, wherein the web browser characteristic is associated with a numerical component ([0008], “A searchable database (Global Fraudulent Database, GFD) stores the real-time traffic parameters: the server side log, client side log and a fraud score report data … Client side log is the data from client browser … When a client loads a web page, the tracking code will execute on client computer and send client side parameters to the database. The client side log parameters include (a) static parameters: tracking ID, client IP, client user agent, visited page, referrer source, cookies, time stamp, computer display settings, browser settings, page title and (b) dynamic parameters: mouse over activity, mouse click, and scroll bar movement, key strobe, page view time length and clicked link” [Emphasis added.]).

Per claim 16 (dependent on claim 1):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Ge ‘821 discloses: The system of claim 1, wherein the web browser characteristic is associated with a textual component ([0008], “A searchable database (Global Fraudulent Database, GFD) stores the real-time traffic parameters: the server side log, client side log and a fraud score report data … Client side log is the data from client browser … When a client loads a web page, the tracking code will execute on client computer and send client side parameters to the database. The client side log parameters include (a) static parameters: tracking ID, client IP, client user agent, visited page, referrer source, cookies, time stamp, computer display settings, browser settings, page title and (b) dynamic parameters: mouse over activity, mouse click, and scroll bar movement, key strobe, page view time 

Per claim 17 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 19 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Claim(s) 9-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ge ‘821 in view of Chiles ‘738 and Rehak ‘890  as applied to claim 8 above, and further in view of Kupreev et al., US-20180103043-A1 (hereinafter “Kupreev ‘043”).
Per claim 9 (dependent on claim 8):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 does not disclose but Kupreev ‘043 discloses: The system of claim 8, wherein identifying the anomalous behavior includes adding a web browser characteristic to the plurality of web browser characteristics prior to determining the anomaly levels for the plurality of web browser characteristics ([0006], “obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by identifying at least one malicious element of the tested web page based on results of the comparison” [Emphasis added.]; [0031], “A cluster may include a set of allowable values of the coordinates of vectors for a strictly defined element or group of elements in N-dimensional space … FIG. 2 shows an example of the cluster 210'. In an example, an element may be assigned to a certain cluster if the value of a distance (in FIG. 2, "d") from the N-dimensional vector of the element to the nearest N-dimensional vector of an element of the given cluster is less than the maximum allowable (threshold value of the distance [ d'])” [Emphasis added.] where the respective element (web browser characteristic) of the web page is included or excluded in the cluster for the statistical modeling in order to identify whether they are malicious or not (anomaly level) by changing the threshold value of the distance.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 with the statistical model of the N-dimensional vector which corresponds to the malicious elements of the tested webpage as taught by Kupreev ‘043 because it would enhance the security for a web client without the secure working of a user or installing additional software since it is able to elaborate each web element based on the statistical modeling [0005].

Per claim 10 (dependent on claim 8):
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
Ge ‘821 in view of Chiles ‘738 and Rehak ‘890 does not disclose but Kupreev ‘043 discloses: The system of claim 8, wherein identifying the anomalous behavior includes removing a web browser characteristic from the plurality of web browser characteristics prior to determining the anomaly levels for the plurality of web browser characteristics ([0006], “obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by measuring the distance of the N-dimensional vector of the element and centers of all clusters of the statistical model; and identifying at least one malicious element of the tested web page based on results of the comparison” [Emphasis added.]; [0031], “A cluster may include a set of allowable values of the coordinates of vectors for a strictly defined element or group of elements in N-dimensional space … FIG. 2 shows an example of the cluster 210'. In an example, an element may be assigned to a certain cluster if the value of a distance (in FIG. 2, "d") from the N-dimensional vector of the element to the nearest N-dimensional vector of an element of the given cluster is less than the maximum allowable (threshold value of the distance [ d'])” [Emphasis added.] where the respective element (web browser characteristic) of the web page is included or excluded in the cluster for the statistical modeling in order to identify whether they are malicious or not (anomaly level) by changing the threshold value of the distance.).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SANGSEOK PARK/Examiner, Art Unit 2494                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491