DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 09/30/2019. Claims 1-20 have been filed and are pending.

Priority
No priority has been claimed for this application.

Information Disclosure Statement
No IDS has been filed to this date.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) are: the respective functional limitations in claims 1, 5 and 7-11 that are performed by the respective modules, i.e., non-structural generic place holders: authentication module, analyzer module and query module.
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Examiner’s Note on 35 USC § 101 Abstract Idea Analysis
Per 2019 Revised Patent Eligibility Guidance for Electrical Arts (2019 PEG):

Step 1: claims 1 and 12 are categorically subject matter eligible because they are directed to at least one of the four categories of invention, i.e., a system and a computer-implemented method respectively.

Step 2A – prong one: 
Per claim 1, it does not recite any limitation reasonably interpreted as falling under any of the groupings defined in the 2019 PEG, wherein the only applicable grouping pertinent to the analyzed limitations is “mental processes”. Limitations are not construed as “mental processes” because 
1) an authentication module that “maintain[s] a store of credentials for a set of users; receive[s] an authentication request from a requestor address;… transmit[s] an authentication failure response to the requestor address and record[s] a failure event in an event cache… selectively transmit[s] an authentication success response to the requestor address”, 2) an analyzer module that “analyze[s] events in the event cache to determine a number of identity-not-found failures corresponding to a first address; identify[s] a triggering event in response to the number of identity- not-found failures exceeding a predetermined threshold; and …add[s] the first address to a block list” and 3) a query module that “determine[s] whether the specified address is present in the block list; and …instruct[s] the authentication system to transmit the authentication failure response to the requestor address,
wherein the recited functions nonetheless require hardware or software implemented instructions that are NOT construed as mere “mental processes”.
As such, at the conclusion of step 2A first prong, claims 1-11 are patent eligible.

Per claim 12, limitations that are “positively” recited in the claim are method steps construed as “mental processes” because the broadest reasonable interpretation of said steps may be performed by an administrator, with the exception of “recording a failure event in an event cache”,  which is a computer system implemented step. As such, analysis moves on to the next step.
Step 2A – prong two:
Per claim 12, it recites an additional element, “recording a failure event in an event cache”, interpreted as NOT falling under any of the groupings defined in the 2019 PEG; however, this additional element does NOT integrate the recited abstract idea limitations into a practical application. As such, analysis moves on to the next step.

Step 2B:
Per claim 12, an administrator using recorded a failure event in an event cache to perform the recited method steps does NOT amount to significantly more because “said human-performed acts” are using a conventional generic computer-implemented operation that does not contribute to an inventive patent eligible concept. 
Claims 13-20 do not remedy the indicated deficiency and claims 12-20 are determined patent ineligible.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 1-4, 7, 10-14, 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Maxwell, US2019/0253451A1 in view of Kuperman, US2018/0278584A1 further in view of Kutner, US2020/0213334A1.

Per claim 1, Maxwell discloses an authentication system comprising: an authentication module configured to: 
maintain a store of credentials for a set of users (The authentic account credentials can be stored in a memory on the remote server device 140, in a memory on an account management device 130 in communication with the remote server device 140, or any combination thereof – Maxwell: par. 0026 – Note: wherein in each attempt to access the web services, the devices send, with each request, user-provided account credentials (e.g., an account identifier and associated password) to the remote server device 140, or components thereof, for cross-checking and verification with authentic account credentials); 
receive an authentication request from a requestor address (a request to access the web services that is received by the one or more remote server devices 140.  The login attempt can include the account credentials and/or login data associated with the request.  The login data is, essentially, metadata that may include, for instance, timestamps associated with the request received by the one or more remote server devices 140, a network address (e.g., IP address) associated with the sending device of the received request, or other form of identifying data associated with the received request or sending device thereof – Maxwell: par. 0027 – Note: account credential and/or login data is equivalent to “identity specified by credentials provided from the requestor address”); 
Maxwell is not relied on disclose but Kuperman discloses in response to an identity specified by credentials provided from the requestor address not being found in the store of credentials, transmit an authentication failure response to the requestor address (If the authenticator 210 identifies that the IP address associated with an API request is not whitelisted, and a token is not presented in association with the API request…the API request cannot be (or is not) authenticated for passing onto the host 145--the authenticator may challenge the client… For example, the authenticator 210 may reply with a non-standard HTTP response (e.g., 418 HTTP response or other).  The non-standard HTTP response may include special HTTP headers, specific HTLM, JSON or XML text – Kuperman: par. 0046 – Note: challenging the client, e.g., HTTP 401 “Unauthorized”, is equivalent to “an authentication failure response”) and in view of Kuperman, Maxwell further discloses record a failure event in an event cache (the failed login records can be generated and provided by the one or more remote server devices 140 of FIG. 1…The failed login records obtained for analysis can be associated with one or more account identifiers, in that the failed login records obtained for analysis are associated with one particular account identifier or a group of account identifiers – Maxwell: par. 0046 – Note: failed login records is equivalent to “a failure event in an event cache”), wherein the failure event indicates the requestor address and indicates an identity-not-found failure mode (the authenticator 210 passes the token presented with the re-attempted (or subsequent) API request received from the client in response to the challenge to the token verifier 217 for verification to determine whether the API request can be passed to the host 145 (and/or to permit the opening of a Web Socket for access to the host 145 API) – Kuperman: par. 0046 – Note: the state/opportunity to re-attempt the API request, for example to give the client a chance to correct a misspelled credential is equivalent to “an identity not-found failure mode); and 
in response to the provided credentials matching selected credentials in the store of credentials, selectively transmit an authentication success response to the requestor address (In response to the successful verification, the authenticator 210 passes the API request to the host 145 and/or may open a Web Socket for API requests to open a Web Socket for host 145 API access – Kuperman: par. 0060-0061 – Note: opening a Web Socket for host API access is an authentication success response provided to the requester address);
analyzer module configured to: 
analyze events in the event cache to determine a number of identity-not-found failures corresponding to a first address (The authenticator 210 may identify when a client (e.g., by IP address) has failed a threshold number of API request challenges – Kuperman: par. 0047);
identify a triggering event in response to the number of identity- not-found failures exceeding a predetermined threshold (…a threshold number of API requests are received from the client IP address with no token (or valid token) having been presented, and … the authenticator 210 may determine when a client has reached the threshold number of allowed API request attempts without successful authentication) – Kuperman: par. 0047); and 
in response to the triggering event, add the first address to a block list (the authenticator 210 may determine when a client has reached the threshold number of allowed API request attempts without successful authentication and block the client by adding the IP address of the client to the blacklist – Kuperman: par. 0047); and 
a query module configured to, in response to a query from the authentication module for 
specified address: determine whether the specified address is present in the block list (the blacklist 208 stores blocked IP addresses responsive to instructions received from the proxy 305.  Thus, in embodiments where the token service 310 maintains a blacklist 208, the authenticator 210 may determine whether the source IP address and/or destination IP address of a received request matches any IP address stored in the blacklist 208 prior to any token processing – Kuperman: par. 0067).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell in view of Kuperman to include in response to an identity specified by credentials provided from the requestor address not being found in the store of credentials, transmit an authentication failure response to the requestor address and record a failure event in an event cache, wherein the failure event indicates the requestor address and indicates an identity-not-found failure mode; and in response to the provided credentials matching selected credentials in the store of credentials, selectively transmit an authentication success response to the requestor address; an analyzer module configured to: analyze events in the event cache to determine a number of identity-not-found failures corresponding to a first address; identify a triggering event in response to the number of identity- not-found failures exceeding a predetermined threshold; and in response to the triggering event, add the first address to a block list; and a query module configured to, in response to a query from the authentication module for specified address: determine whether the specified address is present in the block list.
One of ordinary skill in the art would have been motivated because it would allow “determine when a client has reached the threshold number of allowed API request attempts without successful authentication” – Kuperman: par. 0047 and “to immediately discard API requests associated with blocked IP addressed in response to a match” – Kuperman: par. 0067.
Although it is known and not novel to “in response to the specified address being present in the block list, instruct the authentication system to transmit the authentication failure response to the requestor address”, since Maxwell or Kuperman are not relied on to expressly disclose the limitation, Kutner is relied on explicitly discloses in response to the specified address being present in the block list, instruct the authentication system to transmit the authentication failure response to the requestor address (In response to determining that a particular user credential 230 is compromised, a set of action rules 256 may be implemented and enforced by the credential analysis engine 212 (e.g., by the threshold analyzer 216).  The action rules 256 may be a set of rules and actions to be taken in response to a detected comprised credential.  The actions may include, but are not limited to,…notifying one or more users associated with the credentials (e.g., by linking a user name to one or more other accounts – Kutner: par. 0044).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell-Kuperman further in view of Kutner to include in response to the specified address being present in the block list, instruct the authentication system to transmit the authentication failure response to the requestor address.
One of ordinary skill in the art would have been motivated because it would allow “force or request the user to change those credentials, and other actions” – Kutner: par. 0028, so that “attempted logins at those sites can be stopped immediately, and necessary actions performed in order to avoid potential intrusions” – Kutner: par. 0044.

Per claim 12, it recites an authentication method comprising: 
maintaining a store of credentials for a set of users (The authentic account credentials can be stored in a memory on the remote server device 140, in a memory on an account management device 130 in communication with the remote server device 140, or any combination thereof – Maxwell: par. 0026 – Note: wherein in each attempt to access the web services, the devices send, with each request, user-provided account credentials (e.g., an account identifier and associated password) to the remote server device 140, or components thereof, for cross-checking and verification with authentic account credentials); 
receiving an authentication request from a requestor address (a request to access the web services that is received by the one or more remote server devices 140.  The login attempt can include the account credentials and/or login data associated with the request.  The login data is, essentially, metadata that may include, for instance, timestamps associated with the request received by the one or more remote server devices 140, a network address (e.g., IP address) associated with the sending device of the received request, or other form of identifying data associated with the received request or sending device thereof – Maxwell: par. 0027); 
Maxwell is not relied on disclose but Kuperman discloses in response to an identity specified by credentials provided from the requestor address not being found in the store of credentials, transmitting an authentication failure response to the requestor address (If the authenticator 210 identifies that the IP address associated with an API request is not whitelisted, and a token is not presented in association with the API request…the API request cannot be (or is not) authenticated for passing onto the host 145--the authenticator may challenge the client… For example, the authenticator 210 may reply with a non-standard HTTP response (e.g., 418 HTTP response or other).  The non-standard HTTP response may include special HTTP headers, specific HTLM, JSON or XML text – Kuperman: par. 0046) and in view of Kuperman, Maxwell further discloses recording a failure event in an event cache (the failed login records can be generated and provided by the one or more remote server devices 140 of FIG. 1…The failed login records obtained for analysis can be associated with one or more account identifiers, in that the failed login records obtained for analysis are associated with one particular account identifier or a group of account identifiers – Maxwell: par. 0046), wherein the failure event indicates the requestor address and indicates an identity-not-found failure mode (the authenticator 210 passes the token presented with the re-attempted (or subsequent) API request received from the client in response to the challenge to the token verifier 217 for verification to determine whether the API request can be passed to the host 145 (and/or to permit the opening of a Web Socket for access to the host 145 API) – Kuperman: par. 0046 – Note: the state to re-attempt the API request, for example to give the client a chance to correct a misspelled credential is equivalent to “an identity not-found failure mode); 
in response to the provided credentials matching selected credentials in the store of credentials, selectively transmitting an authentication success response to the requestor address (In response to the successful verification, the authenticator 210 passes the API request to the host 145 and/or may open a Web Socket for API requests to open a Web Socket for host 145 API access – Kuperman: par. 0060-0061 – Note: opening a Web Socket for host API access is an authentication success response provided to the requester address);
In view of Kuperman, Maxwell further discloses analyzing events in the event cache to determine a number of identity-not- found failures corresponding to a first address (An initial analysis of the obtained failed login records can include examining all sets of password data, all failed login data, or a combination thereof, from the failed login records, to identify a set of failed login records … The set of failed login records identified by way of this initial analysis is referred to herein as the "identified set" – Maxwell: par. 0047 – Note: The login data that corresponds to a failed login attempt (hereinafter referred to as the "failed login data") can include a location reference (e.g., an IP address corresponding to the origin of the failed login attempt) and/or a temporal reference (e.g., a timestamp corresponding to a time that the failed login attempt was received or detected) – par. 0046); 
identifying a triggering event in response to the number of identity-not- found failures exceeding a predetermined threshold (when the authenticator 210 challenges an unauthorized application 117, the unauthorized application 117 may not know how to deal with the challenge.  Should the unauthorized application 117 retry the API request or attempt a different API request, a challenge is again presented, which perpetually fails the API requests originating from the unauthorized application 117.  The authenticator 210 may identify when a client (e.g., by IP address) has failed a threshold number of API request challenges, e.g., when a threshold number of API requests are received from the client IP address with no token (or valid token) having been presented, and block that client by IP address (e.g., in a blacklist 208).  Thus, the authenticator 210 may determine when a client has reached the threshold number of allowed API request attempts without successful authentication) – Kuperman: par. 0047); 
in response to the triggering event, adding the first address to a block list (the authenticator 210 may determine when a client has reached the threshold number of allowed API request attempts without successful authentication and block the client by adding the IP address of the client to the blacklist – Kuperman: par. 0047); 
in response to a query for a specified address: determining whether the specified address is present in the block list (the blacklist 208 stores blocked IP addresses responsive to instructions received from the proxy 305.  Thus, in embodiments where the token service 310 maintains a blacklist 208, the authenticator 210 may determine whether the source IP address and/or destination IP address of a received request matches any IP address stored in the blacklist 208 prior to any token processing – Kuperman: par. 0067); and 
Although it is known and not novel to “in response to the specified address being present in the block list, instruct the authentication system to transmit the authentication failure response to the requestor address”, since Maxwell or Kuperman are not relied on to expressly disclose the limitation, Kutner is relied on explicitly discloses in response to the specified address being present in the block list, instructing the authentication method to transmit the authentication failure response to the requestor address (In response to determining that a particular user credential 230 is compromised, a set of action rules 256 may be implemented and enforced by the credential analysis engine 212 (e.g., by the threshold analyzer 216).  The action rules 256 may be a set of rules and actions to be taken in response to a detected comprised credential.  The actions may include, but are not limited to,…notifying one or more users associated with the credentials (e.g., by linking a user name to one or more other accounts – Kutner: par. 0044).
Therefore, claim 12 is rejected based on the same analysis and motivations to combine as set forth in the rejection of claim 1 above. 

Per claims 2 and 13, Maxwell, Kuperman and Kutner disclose features of claims 1 and 12 wherein: the provided credentials include a username and a hash of a password (Note: hashed versions of the username and password are provided to/shared between websites); and the username specifies the identity for the provided credentials (two or more sites agree to share some metadata about login attempts they see, which can include hashed versions of the username and password and an indication if the attempt was successful or failed, and if the account associated with the attempted sign in exists or does not exist on that website.  Using this shared backend system and its association with a network of websites, or alternatively the shared metadata, information about failed and successful login attempts may be shared to identify potential credential stuffing attacks…Initially, website A 102 receives the credential set 101 and submits them.  Website A 102 has delegated its authentication procedures to authentication manager 110, which can be a registration as a service (RaaS)-based system or similar component where credentials are stored, and shares the received credentials as shown by (1) – Kutner: par. 0018 and 0022).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell-Kuperman further in view of Kutner to include the provided credentials include a username and a hash of a password; and the username specifies the identity for the provided credentials.
One of ordinary skill in the art would have been motivated because it would allow “to identify ongoing credential stuffing attacks and take appropriate security measures to block said attacks” and to determine “whether a predefined or dynamically determined number of attempts using a same or similar credential set over multiple sites within a certain period of time have been attempted and have failed, then related accounts can be locked, notifications can be generated, and additional information can be obtained, all in order to stop the attack from continuing further” – Kutner: par. 0048.

Per claim 3, Maxwell, Kuperman and Kutner disclose the authentication system of claim 1, wherein the number of identity-not- found failures related to the first address is restricted to those occurring in a predetermined period of time prior to the analysis (the token verifier 217 may include a TTL setting for verifying only current tokens.  For example, the token verifier 217 may only verify a token if it is current, e.g., generated within the past 1-5 minutes or 5-60 seconds based on token timestamp compared to current time at the proxy 205, depending on the embodiment – Kuperman: par. 0050).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell in view of Kuperman to include wherein the number of identity-not- found failures related to the first address is restricted to those occurring in a predetermined period of time prior to the analysis.
One of ordinary skill in the art would have been motivated because it would allow to include a Time to Live (TTL) and/or request limit for the IP address and/or IP-token pair “to facilitate purging of the IP address from the whitelist or IP-Token pair from the token store” – Kuperman: par. 0064.
Furthermore, Kutner discloses wherein the number of identity-not- found failures related to the first address is restricted to those occurring in a predetermined period of time prior to the analysis (certain failure or attempt thresholds may be monitored to determine if such thresholds are exceeded, such as whether a predefined or dynamically determined number of attempts using a same or similar credential set over multiple sites within a certain period of time have been attempted and have failed – Kutner: par. 0018).
The same motivation to modify Maxwell-Kuperman further in view of Kutner applied to claim 2 above applies here.

Per claim 4, Maxwell, Kuperman and Kutner disclose the authentication system of claim 3 wherein, in view of Kuperman and Kutner, Maxwell further discloses the predetermined threshold and the predetermined period of time are configurable by an administrator (the suspicious pattern identification component 232 can be configured to determine a number of failed login records that have temporal references falling within a "short" duration threshold that is predefined programmatically or by a system administrator – Maxwell: par. 0055).

Per claims 7 and 17, Maxwell, Kuperman and Kutner disclose features of claims 1 and 12, wherein the authentication module is configured to, in response to the provided credentials matching the selected credentials, record a success event in the event cache, wherein the success event includes the identity (If the token verifier 217 verifies the token, the authenticator 210 passes the API request to the host 145.  The token verifier 217 may whitelist the IP address associated with a verified token by adding it to the whitelist 218… the whitelist 218 includes a token store 219.  Accordingly, when the token verifier 217 verifies a token, the token verifier may store the token in the token store 219 in association with the IP address associated with the API request within the whitelist 21 – Kuperman: par. 0044-0045). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell in view of Kuperman to include wherein the authentication module is configured to, in response to the provided credentials matching the selected credentials, record a success event in the event cache, wherein the success event includes the identity.
One of ordinary skill in the art would have been motivated because it would allow to “minimize average processing time taken by the proxy 205 for each request as only some require the full token verification process” – Kuperman: par. 0045.

Per claims 10 and 19, Maxwell, Kuperman and Kutner disclose features of claims 1 and 12 wherein: 
the authentication module is configured to, in response to the identity specified by the provided credentials being found in the store of credentials (the authenticator 210 only passes the API request to the host 145 when the IP address is whitelisted (e.g., a token was previously verified for the IP address) and the API request also includes a token (e.g., the client presents the token with each API request…the token verifier 217 need not fully verify the token on every request when a token-IP pair exists in a whitelist 218 including a token store 219) – Kuperman: par. 0044-0045) but the provided credentials failing to match any of the store of credentials (Should the IP-token pair associated with the API request not match an existing IP-token pair within the whitelist 218 and token store 219, the token verifier 217 may then proceed with the full verification process – Kuperman: par. 0045), transmit the authentication failure response to the requestor address (If the authenticator 210 identifies that the IP address associated with an API request is not whitelisted, and a token is not presented in association with the API request, or token verification fails…the authenticator may challenge the client – Kuperman: par. 0046) and record the failure event in an event cache, wherein the failure event indicates the requestor address and indicates a credential failure mode (The token service 310 may return a true/false response (e.g., Boolean or other indicator) for the IP-token pair query and additionally indicate true/false whether the token exists in the token store (e.g., is associated with a different IP address).  If the token exists in the token store, but is associated with a different IP address (e.g., false:true response), the token verifier 217 may not verify the token.  The token verifier 217 provides the verification result (e.g., not verified/false) to the authenticator 210.  In response to the failed verification, the authenticator 210 may challenge the client as per an HTTP response challenge methods described herein) – Kuperman: par. 0059 – Note: Token-IP associations are cached by the token service, wherein disassociation id detected by token verifier and “not verified/false” mode/result is provided); and 
the analyzer module is configured to: analyze events in the event cache to determine a number of total failures corresponding to the first address (The authenticator 210 may identify when a client (e.g., by IP address) has failed a threshold number of API request challenges, e.g., … the authenticator 210 may determine when a client has reached the threshold number of allowed API request attempts without successful authentication – Kuperman: par. 0047 – Note: first threshold is total number of allowed API re-attempts); and 
identify the triggering event in response to the number of total failures exceeding a second predetermined threshold (the token verifier 217 may check a timestamp of a token against a current time (correcting for any time difference) to check the age of the token.  If the timestamp is not approximately current (within a threshold) with the current time of the token verifier 217, the token verifier 217 may fail verification of the token (e.g., token has expired) – Kuperman: par. 0048 – Note: a second threshold current/approximately current (i.e., within some defined threshold) of the token verifier).
The same motivation to modify Maxwell in view of Kuperman applied to claim 1 above applies here.

Per claims 11 and 20, Maxwell, Kuperman and Kutner disclose features of claims 1 and 12. Maxwell or Kuperman is not relied on to disclose but Kutner discloses wherein the analyzer module is configured to reduce the predetermined threshold for the first address in response to the first address having been previously blocked (After each addition to the failed credential logs 226, whether as a new user credential 230 or an incremented attempt count 232, one or more threshold rules 250 may be evaluated to determine whether a particular user credential 230 is determined to be likely compromised…The rules 250 may define a number of attempts with the credentials 230 (e.g., after 5 failed attempts), a proportion or statistical determination of failed attempts vs.  successful attempts with credentials, a number of failed attempts at different sites within a period of time, or any other suitable threshold or metric… those alternative rules can take priority over any general rules, and can increase or decrease the amount of failures or associated threshold required to determine whether a particular set of credentials are compromised – Kutner: par. 0042 and 0043).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell-Kuperman further in view of Kutner to include wherein the analyzer module is configured to reduce the predetermined threshold for the first address in response to the first address having been previously blocked.
One of ordinary skill in the art would have been motivated because it would allow “to perform the corresponding analysis as to whether a particular user credential 230 is compromised based on the threshold rules 250 or other more specific rules” – Kutner: par. 0043.  

Per claim 14, Maxwell, Kuperman and Kutner disclose the authentication method of claim 12 wherein: the number of identity-not-found failures related to the first address is restricted to those occurring in a predetermined period of time prior to the analysis (the token verifier 217 may include a TTL setting for verifying only current tokens.  For example, the token verifier 217 may only verify a token if it is current, e.g., generated within the past 1-5 minutes or 5-60 seconds based on token timestamp compared to current time at the proxy 205, depending on the embodiment – Kuperman: par. 0050) and in view of Kuperman, Maxwell further discloses the predetermined threshold and the predetermined period of time are configurable by an administrator (the suspicious pattern identification component 232 can be configured to determine a number of failed login records that have temporal references falling within a "short" duration threshold that is predefined programmatically or by a system administrator – Maxwell: par. 0055).
The same motivation to modify Maxwell in view of Kuperman applied to claim 3 above applies here.

2.	Claims 5-6 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Maxwell, US2019/0253451A1, Kuperman, US2018/0278584A1 and Kutner, US2020/0213334A1 as applied to claims 1 and 12 above, and further in view of Hotchkiss, US2015/0288715A1.

Per claims 5 and 15, Maxwell, Kuperman and Kutner disclose features of claims 1 and 12.  Maxwell, Kuperman and Kutner is not relied on to disclose but Hotchkiss discloses wherein the analyzer module is configured to: specify an expiration time when adding the first address to the block list (the IP address is maintained on the blacklist for a predetermined time period – Hotchkiss: par. 0058); and in response to the expiration time being reached, remove the first address from the block list (…and at step 498 of the method the IP address is removed from the blacklist following expiration of the time period – Hotchkiss: par. 0058).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell, Kuperman and Kutner further in view of Hotchkiss to include wherein the analyzer module is configured to: specify an expiration time when adding the first address to the block list.
One of ordinary skill in the art would have been motivated because it would allow to prevent “users who are potentially valid but have been the subject of a botnet infection from being permanently prevented from logging into the website in the future” – Hotchkiss: par. 0058.

Per claims 6 and 16, Maxwell, Kuperman, Kutner and Hotckkiss disclose features of claims 5 and 15 wherein the expiration time is based on a sum of a time of the triggering event and a configurable block length (a token…is current [if], e.g., generated within the past 1-5 minutes or 5-60 seconds based on token timestamp compared to current time at the proxy 205, depending on the embodiment… the whitelist 218 may purge IPs from the whitelist after 30-60 seconds or 1-5 minutes, or other TTL duration, depending on the embodiment – Kuperman: par. 0050 – Note: setting expiry time of a generated record based on 1-5 minutes or 5-60 seconds prior and/or after the current/generation time).
Per KSR, MPEP 2141, “[c]ombining prior art elements according to known methods to yield predictable results” is obvious to try. As such, the whitelist record expiration time as disclosed by Kuperman renders “the expiration time is based on a sum of a time of the triggering event and a configurable block length” obvious because it yields predictable/similar results for a triggered event as instantly claimed.
Additionally, the same motivation to modify Maxwell in view of Kuperman applied to claim 3 above applies here.

3.	Claims 8-9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Maxwell, US2019/0253451A1, Kuperman, US2018/0278584A1 and Kutner, US2020/0213334A1 as applied to claims 7 and 17 above, and further in view of Kurian, US2019/0166128A1.

Per claim 8, Maxwell, Kuperman and Kutner disclose the authentication system of claim 7 wherein: 
the failure event indicates the identity (the failed login records can be generated and provided by the one or more remote server devices 140 of FIG. 1…The failed login records obtained for analysis can be associated with one or more account identifiers, in that the failed login records obtained for analysis are associated with one particular account identifier or a group of account identifiers – Maxwell: par. 0046); and 
the analyzer module is configured to: 
analyze events in the event cache to determine a number of unique identities presented by the first address (The analysis may … include and/or involve detecting presence of data…The detected data may correspond to the identification data. The analysis may be configured to detect the presence of one or more than one minimum threshold of identifying information – Kurian: par. 0038-0039 and Table 1– Note: one or more than one of distinct identity data detected in the analysis, example unique identity data are biometric data or SSN); and 
selectively identify the triggering event in response to the number of unique identities exceeding a second predetermined threshold (cataloging, into the blacklist database, one or more of identification data associated with the blacklist correspondent address… The threshold may require a predetermined number(s) of identifying data. For example, the threshold may require the sender to submit at least two identifying data elements, such as a pin, a passcode and a birthplace.  Alternatively, or additionally, the threshold may require, e.g., at least one of personally identifiable information (PII) such as full name, PIN and/or biometric data, and at least two of additional identifying information, such as a birthdate, birthplace and/or geographical indicator(s) – Kurian: par. 0035-0040 – Note: a second threshold is the required number of distinct identity data which).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Maxwell-Kuperman-Kutner further in view of Kurian to include the failure event indicates the identity; and the analyzer module is configured to: analyze events in the event cache to determine a number of unique identities presented by the first address; and selectively identify the triggering event in response to the number of unique identities exceeding a second predetermined threshold.
One of ordinary skill in the art would have been motivated because it would allow “for reliably authenticating and verifying an identity of a sender of an electronic communication” – Kurian: par. 0005, by “determining that a required threshold of a predetermined minimum amount of identifying data is included in the email” and then “determining that the predetermined minimum amount of identifying data included in the email is authenticated” – Kurian: par. 0147.

Per claims 9 and 18, Maxwell, Kuperman-Kutner and Kurian disclose features of claims 8 and 17 wherein the analyzer module is configured to: 
analyze events in the event cache to determine a number of unique identities presented by the first address within a predetermined time period (If the predetermined amount of time has lapsed, the data reader may attempt to collect biometric data again from the user (step 1106)…The attempt may be triggered by the time interval passing without any interaction by the user with the system and/or GUI.  The attempt may be triggered by the time interval passing without any keystrokes by the user… The collected data may again be authenticated (step 1108) in order to enable the user to continue accessing the account – Kurian: par. 0213-0214 – Note: continuous authentication would allow comparing the cached/stored biometric with a newly collected after a predetermined time has elapsed); and 
identify the triggering event in response to the number of unique identities within the predetermined time period exceeding the second predetermined threshold (the submitted biometric data may be analyzed… The analysis may evaluate if the submitted data matches the previously submitted biometric data. The analysis may evaluate if the submitted data matches the previously submitted username.  The analysis may determine if the submitted data matches stored data associated with one or more of the sender and/or recipient addresses…If authentication of the submitted data fails, the communication may be blocked from delivery to the recipient (step 1122) – Kurian: par. 0217-0218 – Note: the stored “association” of a threshold number of verified identifying data, e.g., both the user name and the biometric, is required for a successful authentication).
The same motivation to modify Maxwell-Kuperman-Kutner further in view of Kurian applied to claim 8 above applies here.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Fry (US2015/018021A1) discloses an account manager sending one or more error messages when an account management error occurs due to for example, attempting to transfer credit to a contractual account, attempting to access an inactive or non-existing account, attempting to transfer less than a minimum threshold amount of credit, an authorization failure, etc..

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at  http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494