Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the amendment filed on 9/21/2021. Claims 1 and 13 are independent. Claim 13 is amended. Claims 1-20 are currently pending.

Response To Arguments
Applicant argues on pp. 10-11 of Remarks that Nandakumar does not disclose the claimed "password-protected resources" and that "The passwords or biometrics are not used to protect a resource, but only to authorize a transaction. Thus, Nandakumar fails to disclose at least this element."
Examiner respectfully disagrees. Applicant argues password-protected resource while the claim does not show what the resource is. The claim is broad in using the term password-protected resource. Examiner reasonably interprets the ledger/blockchain transaction as a resource that provides a service of recording transactions. At the same time, applicant argues that the password-protected resource is not disclosed by the reference. Applicant agrees that the transaction is password-protected but the resource is not. Nandakumar in para. 0025 discloses that a ledger is a sequenced, tamper-resistant record of all state transitions of a blockchain. State transitions may result from chaincode invocations (i.e., transactions) submitted by participating parties (e.g., client nodes, ordering nodes, endorser nodes, peer nodes, etc.). A transaction may result in a
Applicant argues that because Nandakumar fails to disclose the claimed password-protected resource, it fails to disclose another password protected resource. Examiner explained that Nandakumar discloses the claimed password-protected resource, as shown in Nandakumar above.
Applicant's argument regarding another password protected resource appears to be directed to the limitation of the smart contract taking the automated protective action with another of the plurality of password-protected resources. However, as noted in the office action, George teaches smart contract taking the automated protective action with another of the plurality of password-protected resources (para. 0039, user 102 may have to access a different ledger, such as by contacting one or more entity 112 and notifying them that user device 104 may be, or has been, compromised. In one embodiment, all records in the ledger are modified to block access to their associated resource. Para. 0041, the blocking occurs without human intervention or action).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 8, 12-16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nandakumar et al. (US 20200014528 A1), hereinafter Nandakumar, in view of George et al. (US 20200220886 A1), hereinafter George.

Regarding claims 1 and 13, Nandakumar teaches a method for smart contract-based detection of authentication attacks, comprising:
in an information processing apparatus (FIG 5B and para. 0066, smart contract configuration among contracting parties and a mediating server configured to enforce the smart contract terms on the blockchain) comprising at least one computer processor (FIG 6 and para. 0068, processor):
receiving an identification of a plurality of password-protected resources from an account holder (FIG. 2 and 4, para. 0040, The processor 104... [of blockchain nodes 102 and 202]... join a blockchain 106. The blockchain 106 may be managed by one or more devices on a decentralized network... create on the blockchain 106 the smart contract 110 defining authentication parameters for an authentication of an end-user. Since there are a plurality of blockchain nodes joining the blockchain, identification of the blockchain nodes needs to be present in order to differentiate different nodes);
receiving a rule (para. 0057, the processor 104 may create on the blockchain the smart contract defining authentication parameters for an authentication of an end-user) identifying an automated protective action to be taken in response to a failed login attempt with one of password-protected resources (FIG. 4B and para. 0063, the system can prevent the transaction or the authentication server may rejects the transaction 
receiving, at a distributed ledger, a notification of a login attempt with one of the plurality of password-protected resources (FIG. 4A and 4B, para. 0057, the processor 104 may record an authentication log produced by the authentication challenge into a metadata of a transaction payload... and a result of the authentication attempt (e.g., success/failure for passwords, score/confidence reported by the underlying biometrics system. Para. 0062, number of mistrials and a time taken for each mistrial);
a smart contract or self-executing code executed by the information processing apparatus (FIG. 5B and para. 0008, execute the smart contract to perform the authentication of the end-user associated with a transaction based on the authentication parameters by generating an authentication challenge for the transaction) determining that the login attempt meets the rule (FIG. 4B and para. 0058, processor 104 may analyze the recorded authentication logs 111 by applying a machine learning algorithm to identify anomalous patterns in the recorded authentication logs 111. Para. 0063, The system can start with default policies such as, for example, authentication from home/office in the morning and two unsuccessful attempts allowed etc.);
the smart contract or self-executing code taking the automated protective action with the one of the plurality of password-protected resources (FIG 5B and para. 0063, If the system detects that it is under attack (based on the above analysis), the system can prevent the transaction or the authentication server may rejects the transaction when it 
the smart contract or self-executing code committing the automated protective action to the distributed ledger (FIG 2B and para. 0052, The blocks of the transaction are delivered from the ordering node 284 to all peer nodes 281- 283 on the channel. The transactions 294 within the block are validated to ensure any endorsement policy is fulfilled and to ensure that there have been no changes to ledger state for read set variables since the read set was generated by the transaction execution. Transactions in the block are tagged as being valid or invalid. Furthermore, in step 295 each peer node 281-283 appends the block to the channel's chain, and for each valid transaction the write sets are committed to current state database. An event is emitted, to notify the client application that the transaction (invocation) has been immutably appended to the chain, as well as to notify whether the transaction was validated or invalidated).
Nandakumar does not explicitly disclose the smart contract taking the automated protective action with another of the plurality of password-protected resources.
However, in an analogous art, George teaches the smart contract taking the automated protective action with another of the plurality of password-protected resources (para. 0039, user 102 may have to access a different ledger, such as by contacting one or more entity 112 and notifying them that user device 104 may be, or has been, compromised. In one embodiment, all records in the ledger are modified to block access to their associated resource. Para. 0041, the blocking occurs without human intervention or action).


Regarding claims 2 and 14, the combination of Nandakumar and George teaches all of the limitations of claims 1 and 13, as described above. George further teaches wherein the password-protected resources (FIG 1 and para. 0037, ledger 108 and each of ledger 116 are protected with appropriate safeguards to avoid, and hopefully prevent, unauthorized access. For example, passwords, encryption, two-part authentication, and/or other means may be utilized to ensure only the authorized parties obtain access) comprise at least two of a financial account, a social media account, an email account, and a merchant account (FIG 1 and para. 0036, entity 112, which may be one or more enterprises, contact centers, companies, financial institutions, service providers, government agencies, schools or universities, third-parties, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar and George because once one login or credential is compromised, other restricted resources are at a greater risk of being compromised (George para. 0003).
 
Regarding claims 3 and 15, the combination of Nandakumar and George teaches all of the limitations of claims 1 and 13, as described above. George further teaches wherein the password-protected resources (FIG 1 and para. 0037, ledger 108 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar and George because once one login or credential is compromised, other restricted resources are at a greater risk of being compromised (George para. 0003).

Regarding claims 4 and 16, the combination of Nandakumar and George teaches all of the limitations of claims 1 and 13, as described above. Nandakumar further teaches wherein the rule identifies a number of failed login attempts (para. 0062, number of mistrials and a time taken for each mistrial) before the automated protective action is taken (FIG 5B and para. 0063, If the system detects that it is under attack (based on the above analysis), the system can prevent the transaction or the authentication server may rejects the transaction when it is informed of the outlier nature, its scores or time zone, or time taken for the authentication).
 
Regarding claim 8, the combination of Nandakumar and George teaches all of the limitations of claim 1, as described above. Nandakumar further teaches wherein the automated protective action is based on a prior automated protective action taken with 

Regarding claims 12 and 20, the combination of Nandakumar and George teaches all of the limitations of claims 1 and 13, as described above. George further teaches wherein the password-protected resources with which the automated protective action is taken is based on the type of password-protected resources for which the notification was received (para. 0050, a value of credential 408 (e.g., "credential 1") may indicate that SIM card #12345 has been, or may be, compromised. Accordingly, resources that may be accessed by a party with the SIM card, such as the particular resource in resource indicia 208 of record 402C, record 402E, etc. is at risk and, if not already, should have a value of their respective status 210 indicating "blocked." However, record 402B having a value of credential 408 (e.g., "credential 2") is a different credential (e.g., password, voiceprint signature, personal identification number, private key, etc.) or other credential that is known to be unobtainable, even by a party
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar and George because once one login or credential is compromised, other restricted resources are at a greater risk of being compromised (George para. 0003).

Regarding claim 19, the combination of Nandakumar and George teaches all of the limitations of claim 13, as described above. Nandakumar further teaches wherein the type of login attempt comprises at least one of a username/password login attempt or a biometric login attempt (para. 0057, an authentication factor (e.g., password, token, biometric, etc.) used in each element of an authentication sequence).

Claims 5-7, 9-11, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Nandakumar in view of George, as applied to the claims above, further in view of Tussy (US 20190213312 A1).

Regarding claim 5, the combination of Nandakumar and George teaches all of the limitations of claim 1, as described above.
The combination of Nandakumar and George does not explicitly disclose wherein the automated protective action comprises locking the plurality of password-protected resources. However, in an analogous art, Tussy teaches wherein the automated protective action comprises locking the plurality of password-protected resources (para.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy para. 0145).

Regarding claim 6, the combination of Nandakumar and George teaches all of the limitations of claim 1, as described above.
The combination of Nandakumar and George does not explicitly disclose wherein the automated protective action comprises requiring elevated authentication to login to any of the plurality of password-protected resources. However, in an analogous art, Tussy teaches wherein the automated protective action comprises requiring elevated authentication to login to any of the plurality of password-protected resources (para. 0129, the server 120 may allow three consecutive failed login attempts before requiring a user name and password).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy para. 0145).

Regarding claim 7, the combination of Nandakumar and George teaches all of the limitations of claim 1, as described above.
The combination of Nandakumar and George does not explicitly disclose wherein the automated protective action comprises notifying the account holder. However, in an analogous art, Tussy teaches wherein the automated protective action comprises notifying the account holder (para. 0145, if a user unsuccessfully attempts to login via the authentication system a predetermined number of times, such as three times for example, then the authentication system locks the account and sends an email to the email address informing the user of the unsuccessful login attempts).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy para. 0145).

Regarding claims 9 and 18, the combination of Nandakumar and George teaches all of the limitations of claims 1 and 13, as described above. Nandakumar further teaches wherein the notification of the login attempt (FIG. 4A and 4B, para. 0057, the processor 104 may record an authentication log produced by the authentication challenge into a metadata of a transaction payload) comprises a number of login attempts (para. 0062, number of mistrials and a time taken for each mistrial), success or failure of the login attempt (FIG. 4A and 4B, para. 0057, a result of the authentication attempt (e.g., success/failure for passwords, score/confidence reported by the underlying biometrics system), a location of the login attempt (para. 0061. place 
The combination of Nandakumar and George does not explicitly disclose an IP address of the login attempt, and transaction particulars associated with the login attempt. However, in an analogous art, Tussy teaches an IP address of the login attempt (para. 0239, a criminal that has stolen a credit card and attempts to use the card from a distant location (as compared to the retail location) is unable to complete a transaction because the user's phone is not at the location of the retail establishment. IP addresses may also be used to determine location), and transaction particulars associated with the login attempt (para. 0039, financial transaction amount, number of financial transactions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy para. 0145).

Regarding claim 10, the combination of Nandakumar, George and Tussy teaches all of the limitations of claim 9, as described above. Tussy further teaches wherein the transaction particulars comprises at least one of a merchant identifier, a transaction amount, and a type of good/service (para. 0145, if a user unsuccessfully attempts to login via the authentication system a predetermined number of times, such
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy para. 0145).

Regarding claim 11, the combination of Nandakumar, George and Tussy teaches all of the limitations of claim 9, as described above. Nandakumar further teaches wherein the type of login attempt comprises at least one of a username/password login attempt or a biometric login attempt (para. 0057, an authentication factor (e.g., password, token, biometric, etc.) used in each element of an authentication sequence).

Regarding claim 17, the combination of Nandakumar and George teaches all of the limitations of claim 13, as described above.
The combination of Nandakumar and George does not explicitly disclose wherein the automated protective action comprises at least one of locking the plurality of password-protected resources, requiring elevated authentication to login to any of the plurality of password-protected resources, and notifying the account holder. However, in an analogous art, Tussy teaches wherein the automated protective action comprises at least one of locking the plurality of password-protected resources, requiring elevated authentication to login to any of the plurality of password-protected resources (para. 0129, the server 120 may allow three consecutive failed login attempts before requiring 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nandakumar, George and Tussy because it would further enhance the security of the system (Tussy, para. 0145).

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437