DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 04/23/2020.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


As per claims 11-20, the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because par 0034 discloses A user interface of the browser application may display a display 106 upon loading a webpage, par 0057 Browser 223 may connect to the Internet via network 216 and visit websites requesting content from various content servers such as content server 23. And par 0117 discloses code that processor firmware, moreover, the border interpretation of the a processor can be software as well as human (e.g. see par. 0097 of US 2008/0240253 A1, col. 2, ll. 65-66 of US 5,787,131, col. 10, ll. 52 of US 5,944,783, par. 0073 of US 2004/0044912 A1, or par. 0049 of US 2005/0091661 A1).  While it is noted that the instant specification does have support for processor to be a microprocessor.

As per claim 11, system does not includes any hardware.  Claim 1 is rejected under 35 U.S.C. 101 as directed to non-statutory subject matter of software, per se. The claim lack the necessary physical articles or objects to constitute a machine or manufacture within the meaning of 35 U.S.C. 101. In this case, applicant has claimed a rights object in a digital rights management in the preamble to these claims without reciting any hardware element in the body of the claim; this implies that Applicant is claiming a system of software, per se, lacking the hardware necessary to realize any of the underlying functionality. Therefore, claim 11 is directed to non-statutory subject matter as computer programs, per se. 
As per claims 12-20, those claims are rejected based on the rational set forth the claim 11.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Lee US 2019/0081958 in view of Kuperman et al US 2018/0278624 in view of Canning et al US 2015/0150110.

 	As per claim 1, Lee discloses a method for authenticated control of content delivery, comprising: 
 	receiving, by a server device (, i.e.  par 0003 domain name system (DNS), par 0042 a DNS server 340), a request for an item of content from a computing device ( fig.4, numeral 410 and  receive domain name system (DNS) queries, i.e. request, from those user devices,), the request comprising a security token associated with the computing device (par 0003  may alter those DNS queries to add information identifying the particular user device that originated the DNS queries. For example, the user-entered text address of “www.destination.com” may be edited “www.destination.com##userdeviceidentification, i.e. user device token, a security token , that has appended to the DNS query,see, numeral, 430 and 0042 The gateway 330 may generate the user device token, i.e. security token, by combining identification information of the gateway 330 with identification information of the computing device that transmitted the DNS request  and The user device token may comprise a Media Access Control (MAC)-address and a wide area network (WAN) (internet protocol) IP address associated with the gateway 330, and a user device ID and a local IP address associated with a client device) and  an identifier of a group of domains with which the security token is associated (abstract,  The DNS query may be compared to a list of domain names , i.e.  group of domains, associated with particular characteristics, i.e. an identifier of user device identifier/  the local IP address associated with a client device);  
 	identifying, by the server device, the group of domains from the identifier ( par 0033 The DNS server 340, i.e. the server device may comprise the policy enforcement manager. As such, the policy enforcement manager may have access to information determined by the threat analyzer. For example, the policy enforcement manager may have access to a stored listing of domains that the threat analyzer previously deemed suspicious, and a second stored listing, i.e. identifying, of user device, i.e. identifier, tokens associated with DNS queries for the domains , i.e. groups of domains);  
 preventing, by the server device, transmission of content to the computing device ( par 0094 The DNS server 340 may also instruct a router, such as the router 370, to quarantine the user device by preventing the user device from accessing the internet , i.e. transmission of content to the computing device, or other computing devices associated with the router).  
Lee does not explicitly discloses
  retrieving, by the server device, a security key associated with the group of domains(par 0016 request with the token with the API request and 0055. a developer may select, i.e. retrieving, an encryption scheme and/or keys, i.e. a security key, for encrypting and decrypting the information (e.g., tokens and/or hashes) sent by their authorization application 215. In an asymmetrical encryption key scheme, the authorization application 215 may include a public key for use by the SDK 225 to encrypt information such as tokens and hashes. In turn, the private key may be uploaded to the token service 310 within the proxy system and stored within the app key store 320. In this way, the app key store 320 may store private keys for decrypting information received from one or more different authorized applications 215 that was encrypted with corresponding public keys. and par 0057 ) to retrieve an encryption key (e.g., a private key) associated with the API).;
 decrypting, by the server device, a signature of the security token using the security key (par 0048  an encryption key to decrypt the token. And [0058] The token verifier 217 may query the token service 310 with the IP-token pair associated with an API request to determine whether an existing IP-token pair is stored within the whitelist 218 and token store 219 by the token service 310. In some example embodiments, where the token is encrypted, the token verifier 217 retrieves an encryption key (e.g., by querying the token service 310 with the destination API information) to decrypt the token and query the token service 310 with the decrypted token. In other example embodiments, the token verifier 217 may query the token service 310 with an encrypted token); 
identifying, by the server device, an authentication string associated with the security token ( par 0048 token verifier 217 may include a private key for decrypting information encrypted by the SDK 225 with a public encryption key. Once a token is decrypted, the token verifier 217 may perform a process similar to the SDK 225. For example, in a UID:Timestamp:Hash token format, the token verifier 217 may take the UID and timestamp, i.e. authentication string,  as inputs to a hashing function to generate a hash. In turn, the token verifier 217 may compare the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match); 
determining, by the server device, that the authentication string matches a server authentication string (par 0048 the token verifier 217 may compare, i.e. determining, the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match); 
responsive to the determination that the authentication string matches the server authentication string (par 0048 the token verifier 217 may compare, i.e. determining, the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match and whitelist), 
 identifying, by the server device, characteristics of the security token (par 0048  the token verifier 217 identify a matching token associated with the whitelisted IP to identify an existing IP-Token, i.e. characteristics of the security token, pair within the whitelist 218 and token store 219 to authenticate an API request),
 	 wherein the characteristics of the security token that the computing device is not associated with a malicious entity ( par 0087, event trace for authenticating 500C client access to an API of a host with a proxy, according to an example embodiment. FIG. 5C shows a non-malicious client 101, proxy 205, and host 145. Each of these may be a computing device as described with reference to FIGS. 1-4. The client 101 as shown includes an authorized application 215 which may include an SDK 225 for generating a token. Line 512 indicates that example steps (e.g., 501-511 of FIG. 5A) occurring prior to SDK 225 encrypting 513 a token presented in an API request 517 are hidden for clarity.[0088] The proxy 205 receives the API request including the token 517 and identifies 519 the request as a tokened request. The proxy 205 may check an IP whitelist and verified token store for an existing IP-Token pair of the client 101 IP address and token associated with the API request 517. Additionally, the proxy 205 may check the verified token store to see if the token was verified for another IP-Token combination); 
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, because doing so would provide a token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing ( abstract).
The combination does not explicitly disclose wherein the characteristics of the security token comprise a confidence score indicating a likelihood that the computing device; comparing, by the server device, the confidence score of the security token to a threshold; determining, by the server device, that the confidence score does not exceed the threshold; and responsive to the determination that the confidence score does not exceed the threshold.
However, Canning discloses wherein the characteristics of the security token comprise a confidence score indicating a likelihood that the computing device (fig.4, and Fig.5,  and par 0057 when resource server 120 receives access token 118, i.e. the security token, resource server 120 parses a fingerprint of client 102 and calls risk based engine 310 with the parsed fingerprint of client 102 and par 0058 risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412 and par 0064 0064] In the example, risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412 matches with current device fingerprint 514. In one example, risk based engine 310 may compare a calculated risk score with a risk table that includes ranges of scores, where one range of scores is designated as a "permit with obligation range" of scores that indicate a match probability between stored device fingerprint 412 and current device fingerprint 514 indicative of the access token being presented by a client that is most likely a client that is authorized to bear and present access token 118, however additional obligations are required before the client can access the protected data. In one example, a risk score that is within the "permit, with obligation, range" may indicate that there are differences between stored device fingerprint and current device fingerprint 514, but that the differences are not indicative of a misappropriation of access token 118.); 

 comparing, by the server device, the confidence score of the security token to a threshold (par 0058  risk based engine 310 may compare a calculated risk score with a risk table that includes ranges of scores, where one range of scores is designated as a "permit range" of scores that indicate a match probability between stored device fingerprint 412 and current device fingerprint 414 indicative of the access token being presented by a client that is authorized to bear and present access token 118. In the example illustrated, as illustrated at reference numeral 410, the calculated risk score is within the "permit range".); determining, by the server device, that the confidence score does not exceed the threshold (0059, and 0064,risk based engine 310 detects , i.e. determining, the risk score within the "permit range", i.e. threshold  ); and responsive to the determination that the confidence score does not exceed the threshold ( [0065] In the example, risk based engine 310 detects the risk score within the "permit, with obligation, range", as illustrated at reference numeral 510, and returns a permission response of permit, with obligation 518, as illustrated at reference numeral 516. Resource server 120 receives a permission response of permit, with obligation 518 and, manages a flow for requiring client 102 or another system to meet the obligation set either by resource server 120, risk based engine 310, or another entity, for a permit, with obligation response. In one example, an obligation set for the response of permit, with obligation 518 is an obligation for the presenting client to perform a one-time identity authentication. In the example, resource server 120, through redirection to authorization server 106 or directly with resource server 120, manages a one-time authentication flow 546 with client 102. In the example, response to resource 120 receiving an indication that client 102 has been authenticated through one-time authentication flow 546, and responsive to verifying access token 118 as an active, issued token, resource server 120 retrieves the requested selection of data from protected data 124  par 0070 risk based engine 310 detects the risk score within the "not within permit range", as illustrated at reference numeral 610, and returns a permission response of deny 618, as illustrated at reference numeral 616. When resource server 120 receives a permission response of deny 618, resource server 120 denies any access to data identified in access token 118, generates an error message 634, and sends error message 634 to client 240).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).


 	As per claim 2, Lee in view of Kuperman in view of Canning disclose the method of claim 1, Canning discloses
 	wherein the threshold is associated with the identification of the group of domains and wherein comparing the confidence score of the security token to the threshold ( par 0103 risk score table 910 may include a range of risk scores specified as a deny range 916, where if a calculated risk score falls within deny range 916, then risk based engine 114 returns a permission response of "deny" to the requesting endpoint. In addition, in the example, risk score table 910 may include destroy settings 918, which may be set along with deny range 916. In one example, destroy settings 918 may be a configurable to automatically set a destroy setting if a risk score falls within deny range 916 or within a particular portion of deny range 916. In another example, destroy settings 918 may be a configurable to automatically set a destroy setting if a particular risk score factor reaches a threshold level, if an access token continues to be presented and the risk score calculated falls within deny range 916 a threshold number of times, or other configurable settings. 
 )further comprises: 
 	responsive to the identification of the group of domains from the identifier ([0065] risk based engine 310 detects the risk score within the "permit, with obligation, range", as illustrated at reference numeral 510, and returns a permission response of permit, with obligation 518, as illustrated at reference numeral 516. Resource server 120 receives a permission response of permit, with obligation 518 and, manages a flow for requiring client 102 or another system to meet the obligation set either by resource server 120, risk based engine 310, or another entity, for a permit, with obligation response. In one example, an obligation set for the response of permit, with obligation 518 is an obligation for the presenting client to perform a one-time identity authentication ),
 	 identifying, by the server device, the threshold associated with the identification of the group of domains, and comparing the confidence score to the threshold ( par 0103 a risk score falls within deny range 916 or within a particular portion of deny range 916. In another example, destroy settings 918 may be a configurable to automatically set a destroy setting if a particular risk score factor reaches a threshold level, if an access token continues to be presented and the risk score calculated falls within deny range 916 a threshold number of times).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).

 	As per clam 3, Lee in view of Kuperman in view of Canning discloses the method of claim 1, Lee discloses a server associated with the group of domains responsive to identifications of browsing activity of the computing device on a website associated with at least one domain of the group of domains ([0063] At step 450, the gateway 330 may receive, from the DNS server 340, a response to the DNS query via the transmission 345. The gateway 330 may receive an IP address associated with the DNS query. If the DNS query comprised a request for the IP address associated with "www.comcast.com," the gateway 330 may receive, from the DNS server 340, 69.252.80.75 (the IP address corresponding to www.comcast.com). This may allow the user to begin browsing the COMCAST.TM. website).  
   	Lee in view of Kuperman fails to disclose wherein the confidence score is calculated by a server associated the computing device.
 	However, Canning discloses wherein the confidence score is calculated by a server associated the computing device ( fig.4, and Fig.5,  and par 0057 when resource server 120 receives access token 118, i.e. the security token, resource server 120 parses a fingerprint of client 102 and calls risk based engine 310 with the parsed fingerprint of client 102 and par 0058 risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).


 	As per claim 4, Lee in view of Kuperman in view of Canning discloses The method of claim 3, Lee discloses  wherein the identifications of browsing activity comprise a creation of an account on the website, a number of logins to the website, a number of visits to the website, a number of interactions on the website, or a previous instance of authenticated communication ([0063] At step 450, the gateway 330 may receive, from the DNS server 340, a response to the DNS query via the transmission 345. The gateway 330 may receive an IP address associated with the DNS query. If the DNS query comprised a request for the IP address associated with "www.comcast.com," the gateway 330 may receive, from the DNS server 340, 69.252.80.75 (the IP address corresponding to www.comcast.com). This may allow the user to begin browsing the COMCAST.TM. website).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).
As per claim 11, Lee discloses a server device for authenticated control of content delivery, comprising: 
 	a network interface in communication with a first client device of a plurality of client devices (par 0018  The network interface 108 may include the corresponding circuitry needed to communicate on the external networks) ; and -52-WO 2021/045726PCT/US2019/049332 a processor (par 0020    computer executable instructions to cause a processor to perform), configured to:
 	receiving, by a server device (, i.e.  par 0003 domain name system (DNS), par 0042 a DNS server 340), a request for an item of content from a computing device ( fig.4, numeral 410 and  receive domain name system (DNS) queries, i.e. request, from those user devices,), the request comprising a security token associated with the computing device (par 0003  may alter those DNS queries to add information identifying the particular user device that originated the DNS queries. For example, the user-entered text address of “www.destination.com” may be edited “www.destination.com##userdeviceidentification, i.e. user device token, a security token , that has appended to the DNS query,see, numeral, 430 and 0042 The gateway 330 may generate the user device token, i.e. security token, by combining identification information of the gateway 330 with identification information of the computing device that transmitted the DNS request  and The user device token may comprise a Media Access Control (MAC)-address and a wide area network (WAN) (internet protocol) IP address associated with the gateway 330, and a user device ID and a local IP address associated with a client device) and  an identifier of a group of domains with which the security token is associated (abstract,  The DNS query may be compared to a list of domain names , i.e.  group of domains, associated with particular characteristics, i.e. an identifier of user device identifier/  the local IP address associated with a client device);  
 	identifying, by the server device, the group of domains from the identifier ( par 0033 The DNS server 340, i.e. the server device may comprise the policy enforcement manager. As such, the policy enforcement manager may have access to information determined by the threat analyzer. For example, the policy enforcement manager may have access to a stored listing of domains that the threat analyzer previously deemed suspicious, and a second stored listing, i.e. identifying, of user device, i.e. identifier, tokens associated with DNS queries for the domains , i.e. groups of domains);  
 preventing, by the server device, transmission of content to the computing device ( par 0094 The DNS server 340 may also instruct a router, such as the router 370, to quarantine the user device by preventing the user device from accessing the internet , i.e. transmission of content to the computing device, or other computing devices associated with the router).  
Lee does not explicitly discloses
 	  retrieving, by the server device, a security key associated with the group of domains(par 0016 request with the token with the API request and 0055. a developer may select, i.e. retrieving, an encryption scheme and/or keys, i.e. a security key, for encrypting and decrypting the information (e.g., tokens and/or hashes) sent by their authorization application 215. In an asymmetrical encryption key scheme, the authorization application 215 may include a public key for use by the SDK 225 to encrypt information such as tokens and hashes. In turn, the private key may be uploaded to the token service 310 within the proxy system and stored within the app key store 320. In this way, the app key store 320 may store private keys for decrypting information received from one or more different authorized applications 215 that was encrypted with corresponding public keys. and par 0057 ) to retrieve an encryption key (e.g., a private key) associated with the API).;
 decrypting, by the server device, a signature of the security token using the security key (par 0048  an encryption key to decrypt the token. And [0058] The token verifier 217 may query the token service 310 with the IP-token pair associated with an API request to determine whether an existing IP-token pair is stored within the whitelist 218 and token store 219 by the token service 310. In some example embodiments, where the token is encrypted, the token verifier 217 retrieves an encryption key (e.g., by querying the token service 310 with the destination API information) to decrypt the token and query the token service 310 with the decrypted token. In other example embodiments, the token verifier 217 may query the token service 310 with an encrypted token); 
identifying, by the server device, an authentication string associated with the security token ( par 0048 token verifier 217 may include a private key for decrypting information encrypted by the SDK 225 with a public encryption key. Once a token is decrypted, the token verifier 217 may perform a process similar to the SDK 225. For example, in a UID:Timestamp:Hash token format, the token verifier 217 may take the UID and timestamp, i.e. authentication string,  as inputs to a hashing function to generate a hash. In turn, the token verifier 217 may compare the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match); 
 	determining, by the server device, that the authentication string matches a server authentication string (par 0048 the token verifier 217 may compare, i.e. determining, the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match); 
 	responsive to the determination that the authentication string matches the server authentication string (par 0048 the token verifier 217 may compare, i.e. determining, the generated hash (e.g., generated with a same hashing function as the SDK 225) with the hash within the token and verify the token if the hash matches, or fail verification of the token if the hashes do not match and whitelist), 
 identifying, by the server device, characteristics of the security token (par 0048  the token verifier 217 identify a matching token associated with the whitelisted IP to identify an existing IP-Token, i.e. characteristics of the security token, pair within the whitelist 218 and token store 219 to authenticate an API request),
 	 wherein the characteristics of the security token that the computing device is not associated with a malicious entity ( par 0087, event trace for authenticating 500C client access to an API of a host with a proxy, according to an example embodiment. FIG. 5C shows a non-malicious client 101, proxy 205, and host 145. Each of these may be a computing device as described with reference to FIGS. 1-4. The client 101 as shown includes an authorized application 215 which may include an SDK 225 for generating a token. Line 512 indicates that example steps (e.g., 501-511 of FIG. 5A) occurring prior to SDK 225 encrypting 513 a token presented in an API request 517 are hidden for clarity.[0088] The proxy 205 receives the API request including the token 517 and identifies 519 the request as a tokened request. The proxy 205 may check an IP whitelist and verified token store for an existing IP-Token pair of the client 101 IP address and token associated with the API request 517. Additionally, the proxy 205 may check the verified token store to see if the token was verified for another IP-Token combination); 
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of Kuperman, because doing so would provide a token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing ( abstract).
 	The combination does not explicitly disclose wherein the characteristics of the security token comprise a confidence score indicating a likelihood that the computing device; comparing, by the server device, the confidence score of the security token to a threshold; determining, by the server device, that the confidence score does not exceed the threshold; and responsive to the determination that the confidence score does not exceed the threshold.
 	However, Canning discloses wherein the characteristics of the security token comprise a confidence score indicating a likelihood that the computing device (fig.4, and Fig.5,  and par 0057 when resource server 120 receives access token 118, i.e. the security token, resource server 120 parses a fingerprint of client 102 and calls risk based engine 310 with the parsed fingerprint of client 102 and par 0058 risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412 and par 0064 0064] In the example, risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412 matches with current device fingerprint 514. In one example, risk based engine 310 may compare a calculated risk score with a risk table that includes ranges of scores, where one range of scores is designated as a "permit with obligation range" of scores that indicate a match probability between stored device fingerprint 412 and current device fingerprint 514 indicative of the access token being presented by a client that is most likely a client that is authorized to bear and present access token 118, however additional obligations are required before the client can access the protected data. In one example, a risk score that is within the "permit, with obligation, range" may indicate that there are differences between stored device fingerprint and current device fingerprint 514, but that the differences are not indicative of a misappropriation of access token 118.);  
 	 comparing, by the server device, the confidence score of the security token to a threshold (par 0058  risk based engine 310 may compare a calculated risk score with a risk table that includes ranges of scores, where one range of scores is designated as a "permit range" of scores that indicate a match probability between stored device fingerprint 412 and current device fingerprint 414 indicative of the access token being presented by a client that is authorized to bear and present access token 118. In the example illustrated, as illustrated at reference numeral 410, the calculated risk score is within the "permit range".); determining, by the server device, that the confidence score does not exceed the threshold (0059, and 0064,risk based engine 310 detects , i.e. determining, the risk score within the "permit range", i.e. threshold  ); and responsive to the determination that the confidence score does not exceed the threshold ( [0065] In the example, risk based engine 310 detects the risk score within the "permit, with obligation, range", as illustrated at reference numeral 510, and returns a permission response of permit, with obligation 518, as illustrated at reference numeral 516. Resource server 120 receives a permission response of permit, with obligation 518 and, manages a flow for requiring client 102 or another system to meet the obligation set either by resource server 120, risk based engine 310, or another entity, for a permit, with obligation response. In one example, an obligation set for the response of permit, with obligation 518 is an obligation for the presenting client to perform a one-time identity authentication. In the example, resource server 120, through redirection to authorization server 106 or directly with resource server 120, manages a one-time authentication flow 546 with client 102. In the example, response to resource 120 receiving an indication that client 102 has been authenticated through one-time authentication flow 546, and responsive to verifying access token 118 as an active, issued token, resource server 120 retrieves the requested selection of data from protected data 124  par 0070 risk based engine 310 detects the risk score within the "not within permit range", as illustrated at reference numeral 610, and returns a permission response of deny 618, as illustrated at reference numeral 616. When resource server 120 receives a permission response of deny 618, resource server 120 denies any access to data identified in access token 118, generates an error message 634, and sends error message 634 to client 240).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).
 
 	 As per claim 12, Lee in view of Kuperman in view of Canning disclose The server device of claim 11, Canning discloses
 	wherein the threshold is associated with the identification of the group of domains and wherein comparing the confidence score of the security token to the threshold ( par 0103 risk score table 910 may include a range of risk scores specified as a deny range 916, where if a calculated risk score falls within deny range 916, then risk based engine 114 returns a permission response of "deny" to the requesting endpoint. In addition, in the example, risk score table 910 may include destroy settings 918, which may be set along with deny range 916. In one example, destroy settings 918 may be a configurable to automatically set a destroy setting if a risk score falls within deny range 916 or within a particular portion of deny range 916. In another example, destroy settings 918 may be a configurable to automatically set a destroy setting if a particular risk score factor reaches a threshold level, if an access token continues to be presented and the risk score calculated falls within deny range 916 a threshold number of times, or other configurable settings. 
 )further comprises: 
 	responsive to the identification of the group of domains from the identifier ([0065] risk based engine 310 detects the risk score within the "permit, with obligation, range", as illustrated at reference numeral 510, and returns a permission response of permit, with obligation 518, as illustrated at reference numeral 516. Resource server 120 receives a permission response of permit, with obligation 518 and, manages a flow for requiring client 102 or another system to meet the obligation set either by resource server 120, risk based engine 310, or another entity, for a permit, with obligation response. In one example, an obligation set for the response of permit, with obligation 518 is an obligation for the presenting client to perform a one-time identity authentication ),
 	 identifying, by the server device, the threshold associated with the identification of the group of domains, and comparing the confidence score to the threshold ( par 0103 a risk score falls within deny range 916 or within a particular portion of deny range 916. In another example, destroy settings 918 may be a configurable to automatically set a destroy setting if a particular risk score factor reaches a threshold level, if an access token continues to be presented and the risk score calculated falls within deny range 916 a threshold number of times).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).

 	As per claim 13, Lee in view of Kuperman in view of Canning disclose The server device of claim 11, Lee discloses a server associated with the group of domains responsive to identifications of browsing activity of the computing device on a website associated with at least one domain of the group of domains ([0063] At step 450, the gateway 330 may receive, from the DNS server 340, a response to the DNS query via the transmission 345. The gateway 330 may receive an IP address associated with the DNS query. If the DNS query comprised a request for the IP address associated with "www.comcast.com," the gateway 330 may receive, from the DNS server 340, 69.252.80.75 (the IP address corresponding to www.comcast.com). This may allow the user to begin browsing the COMCAST.TM. website).  
   	Lee in view of Kuperman fails to disclose wherein the confidence score is calculated by a server associated the computing device.
 	However, Canning discloses wherein the confidence score is calculated by a server associated the computing device ( fig.4, and Fig.5,  and par 0057 when resource server 120 receives access token 118, i.e. the security token, resource server 120 parses a fingerprint of client 102 and calls risk based engine 310 with the parsed fingerprint of client 102 and par 0058 risk based engine 310 accesses one or more risk score factors and calculates a risk score indicating the probability that stored device fingerprint 412).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).

 	As per claim 14, Lee in view of Kuperman in view of Canning disclose the server device of claim 13, Lee discloses  wherein the identifications of browsing activity comprise a creation of an account on the website, a number of logins to the website, a number of visits to the website, a number of interactions on the website, or a previous instance of authenticated communication ([0063] At step 450, the gateway 330 may receive, from the DNS server 340, a response to the DNS query via the transmission 345. The gateway 330 may receive an IP address associated with the DNS query. If the DNS query comprised a request for the IP address associated with "www.comcast.com," the gateway 330 may receive, from the DNS server 340, 69.252.80.75 (the IP address corresponding to www.comcast.com). This may allow the user to begin browsing the COMCAST.TM. Website).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, because doing so would provide  identify the access token as potentially misappropriated based on the comparison of the device fingerprint of the request to the previously stored device fingerprint to protect the malicious user( par 0008).



Claims 9-10 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee US 2019/0081958 in view of Kuperman et al US 2018/0278624 in view of Canning et al US 2015/0150110.

 	As per claim 9, Lee in view of Kuperman in view of Canning discloses the method of claim 8, Lee discloses a security key is associated with the domains,  but the combination fails to disclose wherein the second security key is associated with a subgroup of the group of domains, and wherein the subgroup of the group of domains is associated with a plurality of computing devices that are associated with a domain of the group of domains.  
 	 	However, Yang discloses wherein the second security key is associated with a subgroup of the group of domains (0011 distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains. ), and wherein the subgroup of the group of domains is associated with a plurality of computing devices that are associated with a domain of the group of domains ( par 0031 a device belonging to a highest-level security domain divides an encoding/decoding program and a symmetric key to be distributed to lower-level security domains as many as the number of the lower-level security domains).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, based on the teaching of  distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains of Yang, because doing so would provide  symmetric key are respectively divided into pieces as many as the number N of lower-level security domain for faster encryption performing( par 0028).
 
 	As per claim 10, Lee in view of Kuperman in view of Canning discloses the method of claim 8, 
 	 The combination fails to disclose wherein the second security key is associated with the computing device.  
  	 However, Yang discloses wherein the second security key is associated with the computing device (domains (0011 distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices, i.e. computing device,  belonging to the lower-level security domains.  ).  
 	
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, based on the teaching of  distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains of Yang, because doing so would provide  symmetric key are respectively divided into pieces as many as the number N of lower-level security domain for faster encryption performing( par 0028).

 	As per claim 19, Lee in view of Kuperman in view of Canning discloses The server device of claim 18, Lee discloses a security key is associated with the domains,  but the combination fails to disclose wherein the second security key is associated with a subgroup of the group of domains, and wherein the subgroup of the group of domains is associated with a plurality of computing devices that are associated with a domain of the group of domains.  
 	 	However, Yang discloses wherein the second security key is associated with a subgroup of the group of domains (0011 distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains. ), and wherein the subgroup of the group of domains is associated with a plurality of computing devices that are associated with a domain of the group of domains ( par 0031 a device belonging to a highest-level security domain divides an encoding/decoding program and a symmetric key to be distributed to lower-level security domains as many as the number of the lower-level security domains).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, based on the teaching of  distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains of Yang, because doing so would provide  symmetric key are respectively divided into pieces as many as the number N of lower-level security domain for faster encryption performing( par 0028).

 	As per claim 20, Lee in view of Kuperman in view of Canning discloses the server device of claim 18, the combination fails to disclose wherein the second security key is associated with the computing device.  
  	 However, Yang discloses wherein the second security key is associated with the computing device (domains (0011 distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices, i.e. computing device,  belonging to the lower-level security domains ).  
 	
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of identifying malware with domain name queries of Lee, based on the teaching of identifying the whitelisted-IP address of kuperman, based on the teaching of  determining the risk score of the access token of device fingerprint of Canning, based on the teaching of  distributing the divided encoding/decoding program pieces and the symmetric key pieces, i.e. the second security key,  to devices belonging to the lower-level security domains of Yang, because doing so would provide  symmetric key are respectively divided into pieces as many as the number N of lower-level security domain for faster encryption performing( par 0028).


  	

 	Examiner’s statement of reason of allowance

The following is an examiner's statement of reasons for allowance: In interpreting the claims, in light of the Specification and the applicant's amendments filed on 04/23/2020, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
 	The present relates to a method of receiving a request for an item of content from a computing device, the request comprising a security token associated with the com-putting device and an identifier of a group of domains, identifying the group of domains from the identifier, and retrieving a security key associated with the group of domains. The method further includes decrypting a signature of the security token, identifying an authentication string, determining that the authentication string matches a server authentication string, and identifying characteristics of the security token. The characteristics of the security token include a confidence score. The method further includes comparing the confidence score of the security token to a threshold, determining that the confidence score does not exceed the threshold, and preventing transmission of content to the computing device. 
 	All the above closest prior art fails to disclose dependent claims 5-8 and 15-20, recite the uniquely distinct features combining with the all the independent claim respectively.

However, the prior art of record, either individually or in a reasonable combination, fails to disclose or suggest the underline limitations when in combination with the remaining limitations currently recited in the dependent claims 5-8 and 15-18. In addition, updated search also did not yield any new applicable prior art with respect to the underlined limitations.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Quinlan US 7,877,493 discloses storing in the apparatus a secret string; wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer; receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer, wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string; wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer; in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by: computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, and determining that the validation is successful if the first authentication code and the second authentication code match; only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer; wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496