Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 11, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) in view of Armstrong et al. (hereinafter Armstrong) (US 2018/0083994).

As per claim 1, Sullivan discloses an authentication system comprising: 
an authentication module and (Col 4 lines 47-53; The proxy 106 comprises a processor 306 and HTTP proxy logic 304 that, when applied to the processor 306, provides HTTP proxy services, may also perform authentication of the HTTP client 104 as described herein.)
wherein the authentication module is configured to: determine order information of the web browser of the first entity, perform a comparison operation based on the order information of the first user and the order information of the first entity, and determine whether or not to allow the first entity to log in to the web property based on a result of the comparison operation. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the request matches known header patterns of a client that is authorized to receive the requested 
Sullivan fails to disclose a user history database storing order information of a first user, wherein the order information of the first user includes, for each login, among a plurality of times the first user logged in to a web property associated with the authentication system, at least one of: an indication of an order of hypertext transfer protocol (HTTP) headers that were previously received at the authentication module from a web browser of the first user during the login and an indication of an order of navigator object properties that were previously returned to the authentication module by a web browser of the first user during the login; and receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user.
Armstrong discloses a user history database storing order information of a first user ([0024], "Further, the attribute data points could indicate user behavior observed when a particular client 101 accesses the web service provided by web server 130, such as the timing of clicks, keystrokes, and other user inputs, page navigations, page scrolling, content requests, and the like."; [0031], "The information monitored includes the various fields in the HTTP request headers sent by the browser, including which fields are provided, the order that the fields are presented, which protocols, languages, tools, and other features the browser supports, and any other information in the HTTP headers that may be uniquely associated with the web browser"; [0033], "In this manner, all HTTP request and response traffic is passively monitored, and these static and dynamic behaviors are then mapped back to the actual web browsers under their respective User-Agent string and stored as attribute data points for later comparison.")

receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user ([0038], "The lists of attributes for each user provide an abstract representation of the unique fingerprint of each user. In this example, each fingerprint contains N attributes. The attributes for users 1 and 3 are represented abstractly as triangle shapes, whereas the attributes for users 2 and 4 are represented as squares, and these similarities in attributes may be used to group the users accordingly.")
It would have been obvious before the effective filing date of the invention for the teachings of Sullivan to be modified so that the authorized client logic of Sullivan accesses the database which contains the order of the headers of the previous sessions of the browser and the user credentials of the user when performing the authentication when the user attempts to access the resource. This would have been beneficial as it would have been advantageous in detecting 

As per claim 4, Sullivan / Armstrong disclose the authentication system of claim 1, and Sullivan discloses wherein the order information of the web browser of the first entity includes at least one of: an indication of an order of HTTP headers included in an HTTP request of the web browser of the first entity and an indication of an order of navigator object properties of the web browser of the first entity. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the request matches known header patterns of a client that is authorized to receive the requested content (and/or software). If there is a match with an authorized client, the request is validated at 705, and in response to the valid request, the content is provided at 706.)

As per claim 5, Sullivan / Armstrong disclose the authentication system of claim 4. Sullivan discloses wherein the authentication module is further configured such that the comparison operation includes at least one of:
determining whether the order of HTTP headers included in an HTTP request of the web browser of the first entity matches at least one of the orders of HTTP headers indicated by the order information of the first user and determining whether the order of navigator object properties of the web browser of the first entity matches at least one of the orders of navigator object properties indicated by the order information of the first user. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the request matches known header patterns of a client that is authorized to receive the requested content (and/or software). If there is a match with an authorized client, the request is validated at 705, and in response to the valid 

As per claim 11, please see the discussion under claim 1 as similar logic applies.

As per claim 14, please see the discussion under claim 4 as similar logic applies.

As per claim 15, please see the discussion under claim 5 as similar logic applies.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) / Armstrong (US 2018/0083994) further in view of Van De Poel (US 9,032,098).

As per claim 2, Sullivan / Armstrong disclose the authentication system of claim 1. Sullivan discloses sending to the authentication module navigator object property information indicating the order of the properties of the navigator object of the web browser of the first entity. (Col 5 lines 41-56; At 702 the request information is provided to a server. At 704 a check is made to determine whether header types and/or header order and/or header content of the request matches known header patterns of a client that is authorized to receive the requested content (and/or software). If there is a match with an authorized client, the request is validated at 705, and in response to the valid request, the content is provided at 706. Otherwise the request is invalidated at 707, the content is not provided, and the method concludes at 708. A validated request is a request that has a form and content such that the server acts to fulfill the 
Armstrong discloses storing each read navigator object property in a data object in the same order in which the properties exist in the navigator object. ([0031]; The information monitored includes the various fields in the HTTP request headers sent by the browser, including which fields are provided, the order that the fields are presented, which protocols, languages, tools, and other features the browser supports, and any other information in the HTTP headers that may be uniquely associated with the web browser; [0033] In this manner, all HTTP request and response traffic is passively monitored, and these static and dynamic behaviors are then mapped back to the actual web browsers under their respective User-Agent string and stored as attribute data points for later comparison.)
The combination of Sullivan/ Armstrong fails to disclose wherein the authentication module is further configured to: receive an HTTP request from the web browser of the first entity and respond to the HTTP request by sending to the web browser of the first entity a hypertext markup language (HTML) document defining a webpage, wherein the HTML document includes code for causing the web browser of the first entity to send to the authentication module navigator object property information indicating an order of properties of a navigator object of the web browser of the first entity.
Van De Poel discloses wherein the authentication module is further configured to: receive an HTTP request from the web browser of the first entity and respond to the HTTP request by sending to the web browser of the first entity a hypertext markup language (HTML) document defining a webpage, wherein the HTML document includes code for causing the web browser of the first entity to walk a navigator object of the web browser by reading each property of the navigator object, and store each read navigator object property in a data object in which the properties exist in the navigator object. ([0038] The router receives the request, step 
It would have been obvious before the effective filing date of the invention for the combined teachings of Sullivan / Armstrong to be modified so that the authentication module sends a webpage which includes the code to read, store and send to the authentication module navigator object property information indicating the same order of properties of a navigator object of the web browser of the first entity. It would have been obvious for the navigator object that is sent in the teachings of Van De Poel to be an order of the navigator object, as this is combinable with the teachings of Armstrong and Sullivan, which relate to the order of the fields presented in the HTTP requests that are associated with the characteristics of the web browser when the user is accessing the service. The motivation would have been to easily retrieve information from a device without requiring any configuration and installation at the device. (Van De Poel, [0010])

As per claim 12, please see the discussion under claim 2 as similar logic applies.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sullivan (US 7,971,264) / Armstrong (US 2018/0083994) further in view of Goldfarb (US 2017/0346830).

As per claim 3, Sullivan / Armstrong disclose the authentication system of claim 1. The combination of Sullivan / Armstrong fails to teach wherein the authentication module is further configured to request one or more authentication factors from the first entity, in addition to the credentials of the first user, based on the result of the comparison operation. Goldfarb discloses wherein the authentication module is further configured to request one or more authentication factors from the first entity, in addition to the credentials of the first user, based on the result of the comparison operation ([0044]; In some embodiments, user interface elements by which a captcha is presented or by which a second factor in two-factor authentication is entered is passed through to the client computing device 14, and some embodiments may then relay a response from the user, or update a mirror of a web browser state in the headless browser 52 based on user responses return to the intermediary server 26 in accordance with the techniques described below.)
It would have been obvious for the combined teachings of Sullivan / Armstrong to be modified so that a captcha is presented after the validation request, in which the order of the headers is compared with the authorized client logic retrieved from the databases. The advantage of implementing two-factor authentication on a captcha request is to protect against bots or malicious users abusing online services and to prevent DDoS attacks on the web servers.
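The following is a worked example added by the editor; it is not part of this Office action and not code from Sullivan, Armstrong, Van De Poel or Goldfarb. It models the limitations discussed under claims 1, 3, 4 and 5 as a small server-side Python module: credentials are checked first, the order of HTTP header names in the login request (and the order of navigator object property names reported by the page script) is compared against the orders recorded at the user's previous logins, and an unseen order triggers a request for an additional authentication factor rather than an outright allow. The usernames, password, header orders and raw requests are constructed for the example.

```python
"""Hypothetical authentication module modelled on the claimed technique.

All users, credentials, histories and requests below are constructed for
illustration; nothing here comes from the cited references.
"""
import hashlib
from hmac import compare_digest

# Constructed credential store: username -> SHA-256 of the password.
# (Demo only; a deployment would use a slow, salted password hash.)
CREDENTIALS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}

# Constructed user history database: username -> one record per previous
# login, each holding the header order and navigator property order seen then.
USER_HISTORY = {
    "alice": [
        {
            "headers": ["host", "user-agent", "accept", "accept-language",
                        "accept-encoding", "connection", "cookie"],
            "navigator": ["vendorSub", "productSub", "vendor", "userAgent",
                          "language", "languages"],
        },
    ],
}


def parse_header_order(raw_request: str) -> list[str]:
    """Return the header names of a raw HTTP/1.1 request in the order received."""
    lines = raw_request.split("\r\n")
    order = []
    for line in lines[1:]:            # skip the request line
        if line == "":
            break                     # blank line ends the header block
        name, sep, _value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        order.append(name.strip().lower())
    return order


def credentials_correct(username: str, password: str) -> bool:
    """First determination operation: are the presented credentials correct?"""
    stored = CREDENTIALS.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return compare_digest(stored, presented)


def order_matches(observed: list[str], history: list[dict], key: str) -> bool:
    """True if the observed order equals the order recorded at any previous login."""
    return any(observed == record[key] for record in history)


def authenticate(username: str, password: str, raw_request: str,
                 navigator_order: list[str]) -> str:
    """Return 'deny', 'allow' or 'step_up' (request an additional factor)."""
    if not credentials_correct(username, password):
        return "deny"
    history = USER_HISTORY.get(username, [])
    header_order = parse_header_order(raw_request)
    # Comparison operation: the claim recites "at least one of" the two
    # orders, so either matching a previous login is accepted here.
    if (order_matches(header_order, history, "headers")
            or order_matches(navigator_order, history, "navigator")):
        return "allow"
    # Correct credentials but an order this user has never presented before:
    # ask for one or more additional factors instead of allowing the login.
    return "step_up"


def record_login(username: str, raw_request: str, navigator_order: list[str]) -> None:
    """Append the orders of a completed login to the user's history."""
    USER_HISTORY.setdefault(username, []).append({
        "headers": parse_header_order(raw_request),
        "navigator": list(navigator_order),
    })


# Constructed sample login requests (same headers, different order).
REQ_KNOWN = (
    "POST /login HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Demo/1.0\r\n"
    "Accept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n"
    "Connection: keep-alive\r\nCookie: s=1\r\n\r\nuser=alice"
)
REQ_REORDERED = (
    "POST /login HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n"
    "User-Agent: Demo/1.0\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\n"
    "Cookie: s=1\r\nConnection: keep-alive\r\n\r\nuser=alice"
)
NAV_KNOWN = ["vendorSub", "productSub", "vendor", "userAgent", "language", "languages"]
NAV_REORDERED = ["userAgent", "language", "languages", "vendor", "vendorSub", "productSub"]

if __name__ == "__main__":
    print(authenticate("alice", "correct horse", REQ_KNOWN, NAV_KNOWN))          # allow
    print(authenticate("alice", "wrong", REQ_KNOWN, NAV_KNOWN))                  # deny
    print(authenticate("alice", "correct horse", REQ_REORDERED, NAV_REORDERED))  # step_up
```

The module records an order only after a login completes (`record_login`), so a step-up challenge that fails leaves the history unchanged; a stricter deployment could require both orders to match rather than either.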
Allowable Subject Matter
Claims 6-10 and 16-20 are allowed.
The following is a statement of reasons for the indication of allowable subject matter: The closest prior art, Sullivan and Armstrong, as applied in the body of the rejections, teaches the concepts of authentication with the user credentials based on the attributes of the user behavior and matching the order of the navigator object of the user. Van De Poel is related to 2-factor authentication and captcha, which is well known in the art. Although the references teach portions of the prior art related to authentication of user credentials, matching the order of the navigator objects of the user, and multi-factor authentication, the combination of the references fails to teach the authentication process at the level of granularity claimed when viewing the claims as a whole. More specifically, a review of the prior art fails to render obvious, "wherein the authentication module is configured to: receive, from a web browser of a first entity attempting to log in to a web property, first credentials of a first user, perform a first determination operation including determining whether the first credentials are correct, and determine order information of the web browser of the first entity, and wherein the authentication module is further configured to, based on a result of the first determination operation perform a comparison operation based on the reference order information and the order information of the first entity, request one or more authentication factors from the first entity, different from the first credentials of the first user, based on the result of the comparison operation, and determine whether or not to allow the first entity to log in to the web property based on the one or more authentication factors and a result of the comparison operation."
Response to Arguments
Applicant's arguments filed December 15, 2021 have been fully considered but they are not persuasive.

Applicants argue that the Office Action asserts that paragraphs [0031] and [0033] of Armstrong teach the recited user history database. However, paragraph [0031] and [0033] do not appear to teach a user history database. Paragraphs [0031] and [0033] do not appear to discuss users at all, much less “order information of a first user,” wherein “the order information of the first user includes, for each login, among a plurality of times the first user logged in to a web property associated with the authentication system, at least one of: an indication of an order of hypertext transfer protocol (HTTP) headers ... and an indication of an order of navigator object properties . . .” For at least these reasons, Applicants respectfully submit the combination of Sullivan and Anderson has not been shown to teach or suggest each of the features of claim 1, as is required to maintain the present obviousness rejection of claim 1, or any claims depending therefrom, under §103.
Examiner shows that Sullivan extracts the header types, header order and/or header content of the request and compares it with a known header pattern of the client. The teachings of Sullivan and Armstrong are combinable, as it would have been obvious for the known header patterns of Sullivan to be stored in a user history dataset: Armstrong monitors the HTTP headers sent by a browser of the user, maps them back to the actual web browser under the user-agent string, and stores this as a data point for later comparison, as taught by Armstrong. Armstrong monitors the attributes that are related to the user, as Armstrong discloses per [0024] that it determines the attribute data point associated with user behavior for each web session and also stores the attributes of the order pattern of the user-agent of the navigator object for the browser in a user database for later comparison, to be used in the comparison process to determine whether to authenticate the user as taught by Sullivan.
Applicants argue that the cited references fail to teach the amended limitations of claim 6, "based on a result of the first determination operation," "perform a comparison operation based on the reference order information and the order information of the first entity," and "request one or more authentication factors from the first entity, different from the first credentials of the first user, based on the result of the comparison operation," where the first determination operation includes "determining whether the first credentials are correct," as amended claim 6 recites.

Please see above discussion for the amended limitations.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 form.
Chirag R Patel, whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free).

/Chirag R Patel/
Primary Examiner, Art Unit 2454