Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-6, 9, 11, 14-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) in view of Armstrong et al. – hereinafter Armstrong (US 2018/0083994)

As per claim 1, Sullivan discloses an authentication system comprising: 
an authentication module and (Col 4 lines 47-53; The proxy 106 comprises a processor 306 and HTTP proxy logic 304 that, when applied to the processor 306, provides HTTP proxy services, may also perform authentication of the HTTP client 104 as described herein.)
wherein the authentication module is configured to: determine order information of the web browser of the first entity, perform a comparison operation based on the order information of the first user and the order information of the first entity, and determine whether or not to allow the first entity to log in to the web property based on a result of the comparison operation. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the 
Sullivan fails to disclose a user history database storing order information of a first user, wherein the order information of the first user includes, for each login, among a plurality of times the first user logged in to a web property associated with the authentication system, at least one of: an indication of an order of hypertext transfer protocol (HTTP) headers that were previously received at the authentication module from a web browser of the first user during the login and an indication of an order of navigator object properties that were previously returned to the authentication module by a web browser of the first user during the login and receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user.
a user history database storing order information of a first user, ([0031]; The information monitored includes the various fields in the HTTP request headers sent by the browser, including which fields are provided, the order that the fields are presented, which protocols, languages, tools, and other features the browser supports, and any other information in the HTTP headers that may be uniquely associated with the web browser; [0033] In this manner, all HTTP request and response traffic is passively monitored, and these static and dynamic behaviors are then mapped back to the actual web browsers under their respective User-Agent string and stored as attribute data points for later comparison.)
wherein the order information of the first user includes, for each login, among a plurality of times the first user logged in to a web property associated with the authentication system, at 
receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user, ([0038]; The lists of attributes for each user provide an abstract representation of the unique fingerprint of each user. In this example, each fingerprint contains N attributes. The attributes for users 1 and 3 are represented abstractly as triangle shapes, whereas the attributes for users 2 and 4 are represented as squares, and these similarities in attributes may be used to group the users accordingly.)
It would have been obvious before the effective filing date of the invention for the teachings of Sullivan to be modified so that the authorized client logic of Sullivan accesses the database which contains the order of the header of the previous sessions of the browser and the user credentials of the user when performing the authentication when the user attempts to access the resource. This would have been beneficial because it would have been advantageous for distinguishing between a real browser and a forgery, which prevents exploitation by malicious individuals employing attack tools to access the service. (Armstrong, [0002])



As per claim 5, Sullivan / Armstrong disclose the authentication system of claim 4.  Armstrong discloses wherein the authentication module is further configured such that the comparison operation includes at least one of:
determining whether the order of HTTP headers included in an HTTP request of the web browser of the first entity matches at least one of the orders of HTTP headers indicated by the order information of the first user and determining whether the order of navigator object properties of the web browser of the first entity matches at least one of the orders of navigator object properties indicated by the order information of the first user. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the request matches known header patterns of a client that is authorized to receive the requested content (and/or software). If there is a match with an authorized client, the request is validated at 705, and in response to the valid request, the content is provided at 706. Otherwise the request is invalidated at 707, the content is not provided, and the method concludes at 708. A validated request is a request that has a form and content such that the server acts to fulfill the request. For example, a validated 

As per claims 6, 11, and 16, please see the discussion under claim 1 as similar logic applies.

As per claims 9, 14, and 19, please see the discussion under claim 4 as similar logic applies.

As per claim 15, please see the discussion under claim 5 as similar logic applies.

Claims 2, 7, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) / Armstrong (US 2018/0083994) further in view of Van De Poel (US 9,032,098)

As per claim 2, Sullivan / Armstrong disclose the authentication system of claim 1.  The combination of Sullivan/ Armstrong fails to disclose wherein the authentication module is further configured to: receive an HTTP request from the web browser of the first entity and respond to the HTTP request by sending to the web browser of the first entity a hypertext markup language (HTML) document defining a webpage, wherein the HTML document includes code for causing the web browser of the first entity to send to the authentication module navigator object property information indicating an order of properties of a navigator object of the web browser of the first entity.
	Van De Poel discloses wherein the authentication module is further configured to: receive an HTTP request from the web browser of the first entity and respond to the HTTP 
It would have been obvious before the effective filing date of the invention for the combined teachings of Sullivan / Armstrong to be modified so that the authentication module sends a webpage which includes the code to send the authentication module navigator object property information indicating an order of properties of a navigator object of the web browser of the first entity. It would have been obvious for the navigator object that is sent in the teachings of Van De Poel to be an order of the navigator object, as this is combinable with the teachings of Armstrong and Sullivan, which relate to the order of the fields which are presented in the HTTP requests which are associated with the characteristics of the web browser when the user is accessing the service. The motivation would have been to easily retrieve information from a device without requiring any configuration and installation at the device. (Van De Poel, [0010])


Claims 3, 8, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) / Armstrong (US 2018/0083994) further in view of Goldfarb et al. – hereinafter Goldfarb (US 2017/0346830)

As per claim 3, Sullivan / Armstrong disclose the authentication system of claim 1. The combination of Sullivan / Armstrong fails to teach wherein the authentication module is further configured to request one or more authentication factors from the first entity, in addition to the credentials of the first user, based on the result of the comparison operation. Goldfarb discloses wherein the authentication module is further configured to request one or more authentication factors from the first entity, in addition to the credentials of the first user, based on the result of the comparison operation. ([0044]; In some embodiments, user interface elements by which a captcha is presented or by which a second factor in two-factor authentication is entered is passed through to the client computing device 14, and some embodiments may then relay a response from the user, or update a mirror of a web browser state in the headless browser 52 based on user responses return to the intermediary server 26 in accordance with the techniques described below.)
It would have been obvious for the combined teachings of Sullivan / Armstrong to be modified so that a captcha is presented after the validation request of the order of the headers is compared with the authorized client logic which is retrieved from the databases. The 

As per claims 8, 13 and 18, please see the discussion under claim 3 as similar logic applies.

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) / Armstrong (US 2018/0083994) further in view of Weldon (US 10,715,539)

As per claim 10, Sullivan / Armstrong disclose the authentication system of claim 9. Sullivan fails to disclose wherein the authentication module is further configured such that the comparison operation includes at least one of: determining whether a browser type, from among the plurality of browser types, that corresponds to the order of HTTP headers included in an HTTP request of the web browser of the first entity matches a browser type identified by a user agent HTTP header of the web browser of the first entity or a user agent property of the navigator object properties of the web browser of the first entity and determining whether a browser type, from among the plurality of browser types, that corresponds to the order of navigator object properties of the web browser of the first entity matches a browser type identified by the user agent HTTP header of the web browser of the first entity or the user agent property of the navigator object properties of the web browser of the first entity.
Weldon discloses wherein the authentication module is further configured such that the comparison operation includes at least one of: 
determining whether a browser type, from among the plurality of browser types, that corresponds to the order of HTTP headers included in an HTTP request of the web browser of the first entity matches a browser type identified by a user agent HTTP header of the web 
determining whether a browser type, from among the plurality of browser types, that corresponds to the order of navigator object properties of the web browser of the first entity matches a browser type identified by the user agent HTTP header of the web browser of the first entity or the user agent property of the navigator object properties of the web browser of the first entity.  (Col 2 lines 43-54; The method requires identifying a signature or correct version of an HTTP request for each type of web browser and to use these correct versions to compare to incoming HTTP request to determine if it matches the correct version. Each web browser has its own signature manner in handling HTTP request headers. Web browsers include, for example, Internet Explorer, FIREFOX, OPERA, CHROME, MOZILLA, NETSCAPE, SAFARI, and others. The present method includes determining for each of these web browsers a correct order of appearance of the headers in a HTTP request and the correct content of each of the headers to define a correct HTTP request.)
	It would have been obvious before the effective filing date of the invention for the teachings of Sullivan / Armstrong to be modified so that the authentication module determines whether the order of the HTTP headers from the request matches a correct version for a type of web browser. The motivation would have been to detect and protect against fraudsters who attempt malicious acts. (Col 1 lines 24-44)

	As per claim 20, please see the discussion under claim 10 as similar logic applies.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 form.
Chirag R Patel whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free).

/Chirag R Patel/
Primary Examiner, Art Unit 2454