DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation is: "attempt detector configured to" in claims 1 and 9.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof, see specification [para.0038-0039,0043-0049].
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 9-11, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON (US-20200280573-A1), in view of BAJENOV (US-9942220-B2), hereinafter JOHNSON-BAJENOV.
Regrading claim 1, JOHNSON teaches “A system, comprising: at least one web server configured to receive and process a plurality of access attempts from a plurality of user devices over a network, ([JOHNSON, Paragraph 0022] “Server system 120 may be any computing device configured to provide access to electronic resources. This can include providing web content, in various embodiments, as well as access to functionality provided a web client (or via other protocols, including but not limited to SSH, FTP, database and/or API connections, etc.).”) ([JOHNSON, Paragraph 0043] “In some embodiments, previously-received indications of previous access attempts may include, for ones of a plurality of users, a user identifier corresponding to a user account associated with the access attempt.”) and to provide access attempt information corresponding to the plurality of access attempts to a storage, ([JOHNSON, Paragraph 0042] “Access attempts can be logged and aggregated from disparate data sources to build profiles of particular users and/or groups of users.”) wherein access attempt information for each respective access attempt comprises an access signature corresponding to the respective access attempt; ([JOHNSON, Paragraph 0043] “Access attempts can include a device identifier corresponding to a particular device used to attempt access, such as an IP address, a device name, a MAC address, a unique hardware fingerprint derived from multiple hardware and/or software characteristics of a machine, etc. Access attempts may have a specific time and/or time period associated with the access attempt, or an access location associated with the access attempt (e.g. work location, home location, extranet vs intranet, geographical location, location within a particular building such as floor 3, west door, etc.).”) the storage, wherein the storage is configured to store the access attempt information corresponding to the plurality of access attempts; ([JOHNSON, Paragraph 0040] “There are many different types of actions that may be considered an access attempt. All such access attempts may be logged by one or more systems (e.g. by a local operating system, intrusion detection system, firewall, network storage device, etc.). Both successful and unsuccessful attempts may be logged, which can be in real-time and/or in batch records. All such data may be forwarded to EDCS 160 for analysis.”) and a suspicious access attempt detector configured to: obtain the access attempt information corresponding to the plurality of access attempts from the storage; ([JOHNSON, Paragraph 0035] “In operation 310, EDCS 160 receives a particular access indication of a particular access attempt to an electronic resource by a particular user, according to various embodiments. The access indication may be in the form of data sent to EDCS (e.g. data originating at data sources 202 and possibly processed via ingestion queue 204 and normalization module 206).”) …. and output a result of the detection. ([JOHNSON, Paragraph 0030] “For example, mitigation decision engine 210 might suspend access to an electronic or physical resource, implement an IP-blocking or traffic throttling scheme, increase logging for a particular system or group of systems, generate an alert for human review, or take any other number of actions.”).
However, JOHNSON does not teach “analyze the access attempt information corresponding to the plurality of access attempts to detect suspicious access attempts out of the plurality of access attempts, wherein analyzing the access attempt information is based on respective access signatures corresponding to the plurality of access attempts;”.
In analogous teaching, BAJENOV teaches “analyze the access attempt information corresponding to the plurality of access attempts to detect suspicious access attempts out of the plurality of access attempts, wherein analyzing the access attempt information is based on respective access signatures corresponding to the plurality of access attempts;” ([BAJENOV, Column 6 lines 40-53] “As part of the synthesis of the suspicion index, the security manager 114 may receive login information and source location information identified by the authentication manager 212 and may analyze the information for suspicious characteristics. An example of a suspicious characteristic is, as described above, the number of login attempts made using different sets of login information originating from a single source location, e.g., netblock N1, IP address A1, machine cookie C1, or geographic location G1. For example, if a source location has been an origin for at least one previous login attempt using login information known to have been compromised, then any subsequent login attempts from that source may be regarded as suspicious and subjected to additional security protocols.”).
Thus, given the teaching of BAJENOV, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of security manager to detect suspicious access attempts as taught by BAJENOV into the teaching of a system to receive and process access attempts as taught by JOHNSON. One of ordinary skill in the art would have been motivated to do so because BAJENOV recognizes the importance of preventing unauthorized access  ([BAJENOV, Column 1 lines 40- 45] “To limit the effect of a security breach, a website may implement security systems and methods to determine whether a user session is legitimate and whether the user session has been initiated by an unauthorized person using illegitimately obtained login information.”).

Regarding claim 9, JOHNSON-BAJENOV teaches all limitations of claim 1. JOHNSON further teaches “wherein the suspicious access attempt detector is further configured to cause one or more responsive operations to be executed, wherein the one or more responsive operations include notifying one or more users regarding possible user account compromise.” ([JOHNSON, Paragraph 30] “For example, mitigation decision engine 210 might suspend access to an electronic or physical resource, implement an IP-blocking or traffic throttling scheme, increase logging for a particular system or group of systems, generate an alert for human review, or take any other number of actions.”).

Regarding claim 10, JOHNSON-BAJENOV teaches all limitations of claim 9. JOHNSON further teaches “wherein the one or more responsive operations further include disabling or deleting one or more user accounts.” ([JOHNSON, Paragraph 0061] “mitigation actions could include rate-limiting the user, disabling access entirely, and/or notifying IT personnel, security personnel, and/or management personnel. Likewise, after the mitigation action, stakeholders could be contacted to solicit feedback on whether the mitigation action was proper or not, resulting in updates to the mitigation model”).

Regarding claim 11, this claim defines a method claim that corresponds to system claim 1. Therefore, claim 11 is rejected with the same rational as in the rejection of claim 1. JOHNSON further teaches “access attempt corresponds to a user device communicating with a network device over a communication network” ([JOHNSON, Paragraph 0062] “For example, if a user device is consuming too much bandwidth on a network (e.g., the access attempt being the use of network resources)”) ([JOHNSON, paragraph 0022] “Network 150 may comprise all or a portion of the Internet.”).

Regarding claim 16, this claim defines an article of manufacture comprising a non-transitory computer readable medium claim that corresponds to system claim 1. Furthermore, this claim recites similarly to claim 11. Therefore, claim 16 is rejected with the same rational as in the rejection of claims 1 and 11.


Claims 2, 5, 12, 14 and 17, 19 are rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON- BAJENOV, in view of REVERTE (US-20200228565-A1), hereinafter JOHNSON-BAJENOV-REVERTE.
Regarding claims 2, 12, and 17,  JOHNSON-BAJENOV teach all limitations of claims 1, 11 and 16. JOHNSON further teaches “wherein the access attempt information for each respective access attempt further comprises an IP address corresponding to the respective access attempt;” ([JOHNSON, Paragraph 0043] “Access attempts can include a device identifier corresponding to a particular device used to attempt access, such as an IP address, a device name, a MAC address, a unique hardware fingerprint derived from multiple hardware and/or software characteristics of a machine, etc.”) …. and applying a filter based on a number of unique access attempts corresponding to a respective access signature) ([JOHNSON, Paragraph 0055] “The results produced by running an access indication through a trained ML model may indicate how anomalous a particular access attempt is. By collecting massive amounts of data and then using this data to facilitate a model training process, the ML model can make a judgment as to whether an access attempt is anomalous in a way that would be impossible for a rules-based security system and/or human analysis.”) ([JOHNSON, Paragraph 0056] “Turning to operation 340 of FIG. 3, EDCS 160 identifies one or more access anomalies related to an electronic resource that has had an access attempt, according to some embodiments. These access anomalies may be identified based on results of processing an access indication through user behavior model 230 and/or system access model 240.”). 
However, JOHNSON-BAJENOV does not teach “and wherein analyzing the access attempt information further comprises: applying a filter based on a number of unique access signatures corresponding to a respective IP address;”.
In analogous teaching REVERTE teaches “and wherein analyzing the access attempt information further comprises: applying a filter based on a number of unique access signatures corresponding to a respective IP address;” ([REVERTE, Paragraph 0013 ] “Advantageously, in instances where multiple hosts communicate with a server from a shared IP address, certain embodiments of the present disclosure can be used to identify which hosts of the multiple hosts are unique (e.g., by evaluating the uptime of each host, which may be a reliable indicator for differentiating hosts). Further, the unique hosts and their corresponding interactions with a real-time data exchange system can be evaluated to determine whether or not each host is operated by a bot. For hosts detected to be operated by a bot, the real-time data exchange system can automatically block content delivery to the detected bot users in conjunction with the bot users' requests to access webpages.”).
Thus, given the teaching of REVERTE, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of unique access attempts from a single IP address as taught by REVERTE into the teaching of a system to receive and process access attempts as taught by JOHNSON-BAJENOV. One of ordinary skill in the art would have been motivated to do so because REVERTE recognizes the importance of reducing fraudulent activity ([REVERTE, ABSTRACT] “For instance, classifying hosts as bots, and subsequently mitigating or blocking traffic from the hosts classified as bots can be advantageous in real-time data exchange systems. In a real-time data exchange system, data can be exchanged between a server and a target host in real-time when the target host accesses a webpage. Inhibiting data communication between servers and hosts operated by bot scripts can reduce fraudulent activity.”).

Regarding claims 5, 14, and 19, JOHNSON-BAJENOV-REVERTE teach all limitations of claims 2, 12, and 17. REVERTE further teaches “wherein analyzing the access attempt information further comprises: determining a number of unique access signatures corresponding to each IP address; ([REVERTE, PARAGRAPH 0041] “Advantageously, the “device uptime” of a host can be used to individually identify multiple hosts that share the same IP address (e.g., due to the natural randomness of hosts being rebooted across a network). Further, the “device uptime” can be used in first-party cookie caching to generate unique identifiers, despite host power-off events that would reset the “device uptime” and would otherwise lead to a reset of the unique identifier. Certain metadata (e.g., IP address, browser version, uptime, etc.) may be generated or extracted based on interactions with a host.”) and wherein applying the filter based on a number of unique access signatures corresponding to a respective IP address prevents access attempts corresponding to IP addresses for which there are a number of unique access signatures greater than or equal to a threshold number from being detected as suspicious access attempts. ([REVERTE, Paragraph 0044] “For example, host classification system can determine whether the uptime value included in the network packet headers from user device 110 are below a threshold (e.g., a short threshold of one second). If the uptime value is below the threshold, host classification system 130 may determine that user device 110 is likely operated by a bot script, whereas, if user device 110 is above a different threshold (e.g., a long threshold of 15 minutes), host classification system 130 may determine that the user device 110 is likely operated by a human.”).
The same motivation to modify JOHNSON-BAJENOV with REVERTE as in the rejection of claim 2 applies. 

Claims 3, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON- BAJENOV-REVERTE, in view of ROY (US-20200137084-A1), hereinafter JOHNSON-BAJENOV-REVERTRE-ROY.
Regarding claims 3, 13, and 18, JOHNSON-BAJENOV-REVERTE teach all limitation of 2, 12, and 17. However, JOHNSON- BAJENOV-REVERTRE does not teach “wherein analyzing the access attempt information further comprises: applying a trust-based filter to prevent access attempts corresponding to trusted IP addresses from being detected as suspicious access attempts.”.
 In analogous teaching, ROY teaches “wherein analyzing the access attempt information further comprises: applying a trust-based filter to prevent access attempts corresponding to trusted IP addresses from being detected as suspicious access attempts.” ([ROY, Paragraph 0069] “The whitelist may store listings of source IP addresses known to be safe or not malicious, access patterns determined to be not malicious, packet signatures known to be not malicious, or combinations of these.”) ([ROY, Paragraph 0093] “More particularly, access requests made to the web files that originate from or are associated with source IP addresses on a whitelist may be excluded from a detailed or deeper review and check. Access requests made to the web files that originate from or are associated with source IP addresses not on the whitelist may be subject to the detailed review.”).
Thus, given the teaching of ROY, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of trust filters as taught by REVERTE into the teaching of a system to receive and process access attempts as taught by JOHNSON-BAJENOV-REVERTE. One of ordinary skill in the art would have been motivated to do so because ROY recognizes the importance of increasing security to prevent attacks ([ROY, Paragraph 0004] “There is a continuing demand and need for an intelligent monitoring system that allows an organization to limit code exposure and that can effectively protect against known attack patterns and learn new attack patterns.”).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON-BAJENOV-REVERTRE-ROY, in view of YAO (CN-104065644-A).
Regarding claim 4, JOHNSON-BAJENOV-REVERTE-ROY teach all limitations of claim 3. ROY further teaches “The system according to claim 3, wherein the trust-based filter is applied before applying the filter based on a number of unique access signatures corresponding to a respective IP address,” ([ROY, Paragraph 0094] “In a specific embodiment, there is a method for protecting against attacks to web files hosted on a web server, the web server having a service processor that is independent of a central processing unit (CPU) of the web server, the method comprising: requesting, by the service processor, that logs associated with the web files be copied to a shared storage accessible by the service processor and the CPU, the logs comprising entries storing access requests made to the web files between a first time and a second time; filtering the entries to identify first and second subsets of access requests, the first subset of access requests having associated source IP addresses listed on a whitelist, and the second subset of access requests having associated source IP addresses not listed on the whitelist; and flagging the access requests of the second subset for further review”) ([ROY, Paragraph 0100] “The learning block may store data or information about suspicious packets in internal data structures 750. The data or information stored may include packet detail and state information such as a packet signature, source IP address, arrival timestamp, header details, payload, various parts of the corresponding access request, and so forth. A packet may be deemed suspicious when, for example, the corresponding access request appears to be attempting access to sensitive files”).
The same motivation to modify JOHNSON-BAJENOV-REVERTRE with ROY as in the rejection of claim 3, applies. 
However, JOHNSON-BAJENOV-REVERTE-ROY does not teach “and the filter based on a number of unique access signatures corresponding to a respective IP address is applied before applying the filter based on a number of unique access attempts corresponding to a respective access signature.”.
In analogous teaching YAO teaches “and the filter based on a number of unique access signatures corresponding to a respective IP address is applied before applying the filter based on a number of unique access attempts corresponding to a respective access signature.” ([YAO, Paragraph 71] “Particularly, as shown in Figure 2, in step 201, the source IP in IP solicited message can be mated with blacklist, if source IP mates with the arbitrary source IP in blacklist, can export analysis result for " coupling "; If source IP does not mate with the arbitrary source IP in blacklist, can enter step S201 with the nearest visiting frequency of Statistic Source IP and can compare with source IP visiting frequency threshold value, if exceed source IP visiting frequency threshold value, can export analysis result for " exceeding threshold value "; If do not exceed source IP visiting frequency threshold value, can enter step S203 to extract HTTP header and can compare with HTTP header frequency threshold value from IP solicited message; If exceed HTTP header frequency threshold value, can export analysis result for " exceeding threshold value "; If do not exceed HTTP header frequency threshold value, can enter step S204 so that the request content in IP solicited message is mated with intrusion feature database; If the match is successful for request content and feature database, can export analysis result for " coupling ", otherwise can export analysis result for " normally ".”).
Thus, given the teaching of YAO, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of filtering first based on an IP address and then filtering based on access signatures as taught by YAO into the teaching of a system to receive and process access attempts as taught by JOHNSON-BAJENOV-REVERTE-ROY. One of ordinary skill in the art would have been motivated to do so because YAO recognizes the importance of preventing network attacks ([YAO, Paragraph  2] “The same with other network elements on network, CDN system node subjects to network attack equally, thereby the provided service quality decline consequence of denial of service even is completely provided. For this reason, identify and and then prevent for the attack of CDN node being very important for the application of this network technology.”).

Claims 6, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON-BAJENOV-REVERTE, in view of CASABURI (JP-2019134465-A).
Regarding claims 6, 15, and 20, JOHNSON-BAJENOV-REVERTE teach all limitations of claims 2, 12, and 17. However, JOHNSON further teaches “wherein analyzing the access attempt information further comprises: determining a number of unique access attempts corresponding to each access signature;” ([JOHNSON, Paragraph 0055] “The results produced by running an access indication through a trained ML model may indicate how anomalous a particular access attempt is. By collecting massive amounts of data and then using this data to facilitate a model training process, the ML model can make a judgment as to whether an access attempt is anomalous in a way that would be impossible for a rules-based security system and/or human analysis.”) ([JOHNSON, Paragraph 0043] “Access attempts can include a device identifier corresponding to a particular device used to attempt access, such as an IP address, a device name, a MAC address, a unique hardware fingerprint derived from multiple hardware and/or software characteristics of a machine, etc.”). 
However, JOHNSON-BAJENOV-REVERTE does not teach “and wherein applying the filter based on a number of unique access attempts corresponding to a respective access signature prevents access attempts corresponding to access signatures for which there are a number of unique access attempts less than a threshold number from being detected as suspicious access attempts.”.
In analogous teaching CASABURI teaches “and wherein applying the filter based on a number of unique access attempts corresponding to a respective access signature prevents access attempts corresponding to access signatures for which there are a number of unique access attempts less than a threshold number from being detected as suspicious access attempts.” ([CASABURI, Paragraph 59] “As used herein, the phrase “rapid continuous network access attempts” generally refers to network access attempts greater than a threshold number that are initiated within a certain amount of time. Rapid consecutive network access attempts may indicate that a user not authorized to access the network is trying to access the network with force. In these embodiments, the determination module 108 may determine that an attempt to access the network 204 is associated with a threshold number of different MAC addresses. In response, the determination module 108 may cause the network 204 to at least in part due to the signal profile 214 being detected in connection with a plurality of past access attempts involving MAC addresses having different threshold numbers. It may be determined that an access attempt to may be malicious. ”).
Thus, given the teaching of CASABURI, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of analyzing access signatures relating to access attempts as taught by CASABURI into the teaching of a system to receive and process access attempts as taught by JOHNSON-BAJENOV-REVERTE. One of ordinary skill in the art would have been motivated to do so because CASABURI recognizes the need to prevent network intrusion. ([CASABURI, Paragraph 1] “Thus, the present disclosure identifies and addresses the need for further improved systems and methods for protecting against unauthorized network intrusion.”).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON-BAJENOV-REVERTE, in view of SOHUM (US-20190333102-A1), hereinafter JOHNSON-BAJENOV-REVERTE-SOHUM.

Regarding claim 7, JOHNSON-BAJENOV-REVERTE teach all limitations of claim 2, However JOHNSON-BAJENOV-REVERTE does not teach “wherein applying the filter based on a number of unique access attempts corresponding to a respective access signature further comprises applying a filter based on a number of IP addresses corresponding to the respective access signature.”.
In analogous teaching SOHUM teaches “wherein applying the filter based on a number of unique access attempts corresponding to a respective access signature further comprises applying a filter based on a number of IP addresses corresponding to the respective access signature.” ([SOHUM, Paragraph 0043] “The fraud detection system 160 may immediately block the device IDs or IP addresses through which the fraud is being performed. In an embodiment of the present disclosure, the fraud detection system 160 utilizes the first set of data and the second set of data to determine the online advertisement fraud and commerce fraud.”) ([SOHUM, Paragraph 0036] “The first set of data is data associated with gyroscope sensor, accelerometer sensor, device ID data, IP address data, Bluetooth data, network data, touch sensor data, 3D sensor data, location data, and motion data. In an example, the first set of data may include device IDs, IP address and the like along with data collected from the plurality of device sensors 156 a for each device of the plurality of devices 154.”).
Thus, given the teaching of SOHUM, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of filtering based on IP addresses corresponding to access signatures as taught by SOHUM into the teaching of a system to receive and process access attempts as taught by JOHNSON-BAJENOV-REVERTE. One of ordinary skill in the art would have been motivated to do so because recognizes the importance of removing and detecting traffic originating from bots ([SOHUM, Paragraph 0002] “application installs are not driven by humans at all and instead by bots. There is a consistent need to stop publishers from performing such types of click fraud and transaction fraud.”).

35.	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over JOHNSON-BAJENOV-REVERTE-SOHUM, in view of ROY (US-20200137084-A1).
Regarding claim 8, JOHNSON-BAJENOV-REVERTE-SOHUM teach all limitations of claim 7. Furthermore, this claim recites some features similar to those in claim 6 therefore claim 8 is rejected with a similar rational as in the rejection of claim 6. However, JOHNSON-BAJENOV-REVERTE-SOHUM does not teach “and further prevents access   attempts corresponding to access signatures for which at least one IP address does not appear in at least a threshold number unique access attempts from being detected as suspicious access attempts”.
In analogous teaching ROY teaches “and further prevents access attempts corresponding to access signatures for which at least one IP address does not appear in at least a threshold number unique access attempts from being detected as suspicious access attempts.” ([ ROY, Paragraph 0140] “the information comprising a signature associated with a suspicious packet, an Internet Protocol (IP) address source associated with the suspicious packet, and a time indicating when the suspicious packet arrived; updating a counter indicating a number of times a packet with the signature of the suspicious packet was received; forwarding the suspicious packet to the web server when the counter is below a threshold; not forwarding the suspicious packet to the web server when the counter is above the threshold;”).
The same motivation to modify JOHNSON- BAJENOV-REVERTE with ROY, as in the rejection of claim 3, applies. 

The prior art made record and not relied upon is considered pertinent to applicant’s disclosure.
RATHOD (US-20160241576-A1) discloses comparing one or more incoming access requests to a corresponding threshold in order to detect an anomaly. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434             

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434