DETAILED ACTION
Claims 1-20 are pending in this application. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/26/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 9-12, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) and further in view of Bailey et al (“Bailey,” US 20170070533). 

Regarding claim 1, Thampy discloses a computer implemented method for monitoring resource utilization, the method comprising:
in response to receiving valid credentials from a browser that is requesting access to a resource, (Thampy, [0099] describes using a tenant’s account credentials to log into cloud application services to retrieve activity data concerning user accounts that are associated with the tenant account; [0108], authorization may be provided by a token such as using credentials such as username and password; [0118] describes the connection must be authenticated [validated] using login credentials; [0316] describes using a web browser; [0346] describes a request for access to a subscription [resource])
wherein the samples of browser attributes are collected at different times during the session; (Thampy, [0158] & [0171]-[0173] describes wherein samples of browser attributes are collected at different times during the session)
determining a score indicating a difference between two samples of browser attributes taken at different times, (Thampy, [0158] & [0171]-[0173] describes determining a score indicating a difference between two samples of browser attributes taken at different times)
the score determined at least in part on a weighted aggregate of differences between the browser attributes in the two samples; (Thampy, [0158] & [0171]-[0173] describes a score determined at least in part on a weighted aggregate of differences between the browser attributes in the two samples)
determining based on the score whether the two samples of browser attributes were received from different browsers; (Thampy, [0158] & [0171]-[0173] describes determining based on the score whether the two samples of browser attributes were received from different browsers) and
detecting unauthorized resource utilization responsive to determining that the two samples of browser attributes were received from different browsers; (Thampy, [0158] & [0171]-[0173] describes determining unauthorized resource use responsive to determining that the two samples of browser attributes were received from different browsers) 
and
responsive to determining unauthorized resource utilization, performing a mitigation action, (Thampy, [0177]-[0179] describe determining unauthorized resource use, performing a remediation action)
Thampy fails to explicitly disclose issuing a session token to the browser, wherein access to the resource is granted to browsers that provide valid session tokens; for each of a plurality of the session tokens: collecting samples of browser attributes from one or more browsers in a session for that session token. 
However, in an analogous art, Bailey discloses issuing a session token to the browser, (Bailey, [0087], describes a server generating a session token and providing it to a client device by way of a browser)
wherein access to the resource is granted to browsers that provide valid session tokens; (Bailey, [0075] describes when a user logs in with a secure web server, a web browser executing on the user’s client device may be granted a session token, which authorizes the web browser to access a secure portion of a web site hosted by the web server (e.g. a web site of a financial institution). The web browser may be required to provide that session token along with every request subsequently sent to the web server (e.g. a request for a web page, a request to commit an action, etc) to identify to the server that the request is a legitimate request from the client device; [0077], [0086] and [0088] describe using a plurality of session tokens that have to be valid to be used)
for each of a plurality of the session tokens: (Bailey, [0077], [0086] and [0088] describe using a plurality of session tokens that have to be valid to be used)
collecting samples of browser attributes from one or more browsers in a session for that session token, (Bailey, [0039]-[0040] & [0166] describes collecting samples of browser attributes such as operating system types, screen resolution, local time zone, browser plugin availability and language from one or more browsers in a session for that session token; [0077], [0086] and [0088] describe using a plurality of session tokens that have to be valid to be used)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bailey with the method/system of Thampy to include issuing a session token to the browser, wherein access to the resource is granted to browsers that provide valid session tokens; for each of a plurality of the session tokens: collecting samples of browser attributes from one or more browsers in a session for that session token. One would have been motivated to detect and prevent spoofing (Bailey, [0019] & [0076]).   

Regarding claim 2, Thampy and Bailey disclose the computer implemented method of claim 1. 
(Thampy, [0158] & [0171]-[0173] describes wherein a weight for a browser attribute is determined based on historical values of the browser attribute collected over a past time interval)

Regarding claim 3, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy further discloses wherein weight for a browser attribute is determined based on a frequency of distribution of values of the browser attribute over a past time interval, (Thampy, [0158] & [0171]-[0173] describes wherein weight for a browser attribute is determined based on the number [frequency] of distribution values of the browser attribute over a past time interval). 

Regarding claim 4, Thampy and Bailey disclose the computer implemented method of claim 1.  
Thampy further discloses wherein each sample of browser attributes has a type, 
wherein the difference between the browser attribute in the two samples is determined using a distance metric associated with the type of the browser attribute (Thampy, [0155] describes a maximum distance associated with the type of the browser attribute; [0119] describes different types of activity data which corresponds to browser attributes)
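
The scoring recited in claims 1 and 4 above, shown as an added Python illustration; it is not code from the application, Thampy, or Bailey. The attribute names, weights, threshold, distance functions and sample values are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed weights (constructed for this example; they sum to 1.0).
WEIGHTS = {"platform": 0.35, "cpu_class": 0.25, "timezone": 0.15,
           "user_agent": 0.15, "plugins": 0.10}
THRESHOLD = 0.5  # assumed cut-off: score >= THRESHOLD means "different browser"

def categorical_distance(a, b):
    """0.0 when the values are equal, 1.0 otherwise."""
    return 0.0 if a == b else 1.0

def set_distance(a, b):
    """Jaccard distance for list-valued attributes such as plugins."""
    a, b = set(a or ()), set(b or ())
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)

# Distance metric selected by attribute type; anything unlisted is categorical.
METRICS = {"plugins": set_distance}

def drift_score(old, new):
    """Weighted aggregate of per-attribute differences, in the range [0, 1]."""
    total = sum(w * METRICS.get(name, categorical_distance)(old.get(name), new.get(name))
                for name, w in WEIGHTS.items())
    return total / sum(WEIGHTS.values())

@dataclass
class SessionMonitor:
    last_sample: dict = field(default_factory=dict)  # session token -> latest sample
    revoked: set = field(default_factory=set)        # invalidated session tokens

    def observe(self, token, sample):
        """Compare a new sample with the previous one collected for this token."""
        if token in self.revoked:
            return "rejected"
        previous = self.last_sample.get(token)
        if previous is not None and drift_score(previous, sample) >= THRESHOLD:
            self.revoked.add(token)          # mitigation: invalidate the token
            self.last_sample.pop(token, None)
            return "revoked"
        self.last_sample[token] = sample
        return "ok"

# Constructed samples: a login, the same browser after an update, and a
# different machine presenting the same session token.
LOGIN = {"platform": "Win32", "cpu_class": "x86", "timezone": "UTC-5",
         "user_agent": "ExampleBrowser/1.0", "plugins": ["pdf", "media"]}
UPDATED = dict(LOGIN, user_agent="ExampleBrowser/1.1", plugins=["pdf"])
REPLAYED = {"platform": "Linux x86_64", "cpu_class": "unknown", "timezone": "UTC+3",
            "user_agent": "ExampleBrowser/1.1", "plugins": []}

def demo():
    monitor = SessionMonitor()
    return [monitor.observe("token-A", s) for s in (LOGIN, UPDATED, REPLAYED, LOGIN)]

if __name__ == "__main__":
    print(demo())
```

A browser update changes only the low-weight attributes and stays under the threshold, while a change in platform, CPU class and time zone under the same token crosses it and the token is invalidated.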

Regarding claim 9, claim 9 is directed to a non-transitory computer readable storage medium. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Regarding claim 10, claim 10 is directed to the non-transitory computer readable storage medium of claim 9. Claim 10 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 11, claim 11 is directed to the non-transitory computer readable storage medium of claim 9. Claim 11 is similar in scope to claim 3 and is therefore rejected under similar rationale.

Regarding claim 12, claim 12 is directed to the non-transitory computer readable storage medium of claim 9. Claim 12 is similar in scope to claim 4 and is therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to a computer system. Claim 17 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Regarding claim 18, claim 18 is directed to the computer system of claim 17. Claim 18 is similar in scope to claim 4 and is therefore rejected under similar rationale.

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Ting et al (“Ting,” US 20160142443). 

Regarding claim 5, Thampy and Bailey disclose the computer implemented method of claim 1.  
Thampy and Bailey fail to explicitly disclose wherein the mitigation action comprises one or more of: invalidating the session token; requiring user to re-authenticate; or logging user out.
However, in an analogous art, Ting discloses wherein the mitigation action comprises one or more of: 
invalidating the session token; 
requiring user to re-authenticate; (Ting, [0026], these basic alternatives can be parsed more finely or defined in a more granular fashion. For example, the last time the user was authenticated on one or more devices may also be important: the longer the elapsed time from the last-known user authentication to one of the devices, the less meaningful the presence of that device is to corroboration; hence, if too much time has passed, the user may be required to re-authenticate in order to keep or promote to a higher level of confidence)
or logging user out.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ting with the method/system of Thampy and Bailey to include wherein the mitigation action 

Regarding claim 13, claim 13 is directed to the non-transitory computer readable storage medium of claim 9. Claim 13 is similar in scope to claim 5 and is therefore rejected under similar rationale.

Regarding claim 19, claim 19 is directed to the computer system of claim 17. Claim 19 is similar in scope to claim 5 and is therefore rejected under similar rationale.

Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Puertas Calvo et al (Puertas Calvo, US 20200412717).  

Regarding claim 6, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy and Bailey fail to explicitly disclose further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); 

However, in an analogous art, Puertas Calvo discloses further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); (Puertas Calvo, [0028], Risk assessment engine 106 is configured to perform several functions. For example, risk assessment engine 106 may be configured to perform behavior tracking, where certain authentication-related features and/or characteristics of a plurality of users are tracked. Such characteristics may be stored in activity store 104. Activity store 104 may store an entry for each user being tracked. Each entry of a user may comprise a list of authentication features associated with the user. Examples of authentication features include, but are not limited to, IP-related features (e.g., an IP address utilized during an authentication process, an autonomous system number (ASN), which indicates the organization that owns the IP [same organization])
and wherein unauthorized resource utilization is detected responsive to determining that the two sample browser attributes are from browsers of the same organization, (Puertas Calvo, [0028], Risk assessment engine 106 is configured to perform several functions. For example, risk assessment engine 106 may be configured to perform behavior tracking, where certain authentication-related features and/or characteristics of a plurality of users are tracked. Such characteristics may be stored in activity store 104. Activity store 104 may store an entry for each user being tracked. Each entry of a user may comprise a list of authentication features associated with the user. Examples of authentication features include, but are not limited to, IP-related features (e.g., an IP address utilized during an authentication process, an autonomous system number (ASN), which indicates the organization that owns the IP [same organization])
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Puertas Calvo with the method/system of Thampy and Bailey to include further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); and wherein unauthorized resource utilization is detected responsive to determining that the two sample browser attributes are from browsers of the same organization. One would have been motivated to provide faster offline detection of compromised authentication credentials (Puertas Calvo, [0002]). 

Regarding claim 14, claim 14 is directed to the non-transitory computer readable storage medium of claim 9. Claim 14 is similar in scope to claim 6 and is therefore rejected under similar rationale.

Regarding claim 20, claim 20 is directed to the computer system of claim 17. Claim 20 is similar in scope to claim 6 and is therefore rejected under similar rationale.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Thayer et al (“Thayer,” US 20180278725). 

Regarding claim 7, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy and Bailey fail to explicitly disclose wherein the online system is a multi-tenant system, further comprising; determining that the sample browser attributes are from browsers of the same tenant.
However, in an analogous art, Thayer discloses wherein the online system is a multi-tenant system, further comprising; determining that the sample browser attributes are from browsers of the same tenant, (Thayer, [0025] and FIG 4 describe where the online system is a multi-tenant system comprising determining that the same browser attributes are from browsers of the same tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thayer with the method/system of Thampy and Bailey to include wherein the online system is a multi-tenant system, further comprising; determining that the sample browser attributes are from browsers of the same tenant. One would have been motivated to convert a single-tenant application for multi-tenant use (Thayer, [0001]). 

Regarding claim 15, claim 15 is directed to the non-transitory computer readable storage medium of claim 9. Claim 15 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Verma et al (“Verma,” US 20190336867). 

Regarding claim 8, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy further discloses wherein the weighted aggregate assigns (Thampy, [0158] & [0171]-[0173])
Thampy and Bailey fail to explicitly disclose wherein the weighted aggregate assigns high weight to browser attributes representing (1) platform of the client device running the browser or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser or (2) plugins of the browser.
However, in an analogous art, Verma discloses high weight to browser attributes representing 
(1) platform of the client device running the browser 
or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser 
(Verma, [0036] & [0065] describes assigning a higher weight to plugins of the browser). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Verma with the method/system of Thampy and Bailey to include high weight to browser attributes representing (1) platform of the client device running the browser or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser or (2) plugins of the browser. One would have been motivated to provide a multiplexed data stream based on weight (Verma, [0065]).

Regarding claim 16, claim 16 is directed to the non-transitory computer readable storage medium of claim 9. Claim 16 is similar in scope to claim 8 and is therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached on M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES J WILCOX/Examiner, Art Unit 2439
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439