DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 12/21/2020. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/21/2021 and 3/25/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 6-7, 13-14 and 19-20 are objected to because of the following informalities: 
Claims 6-7, 13-14 and 19-20 recite “wherein setting the strength of the challenge-response problem for use with the login attempt is further based on…” There is insufficient antecedent basis for the limitation “the strength” in the claims.
Claims 6-7, 13-14 and 19-20 also refer to “the login attempt” (e.g., claim 7: “wherein the instructions from the non-transitory memory further cause the system to perform operations comprising determining a type of application for which the login is attempted, wherein setting the strength of the challenge-response problem for use with the login attempt is further based…”), whereas claims 1, 8 and 15 recite a “first login request” and a “second login request”; therefore, it is recommended to specify which login is referred to in claims 6-7, 13-14 and 19-20.
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4-5 and 7-8 of U.S. Patent No. 10872136. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of U.S. Patent No. 10872136 contain every element of the claims of the instant application. Application claims 1-20 are anticipated by patent claims 1, 4-5 and 7-8.

A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). ELI LILLY AND COMPANY v. BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).

Claim comparison: Instant Application No. 17129451 vs. US patent 10872136

Instant Application No. 17129451, claim 1:
1. A system for authenticating a user, comprising:
a non-transitory memory storing instructions; and
one or more hardware processors coupled to the non-transitory memory and configured to execute the instructions to cause the system to perform operations comprising:
detecting a denial of a first login request for logging into an account by a computing device;
receiving, from the computing device, a second login request for logging into the account;
determining a reputation score for the second login request based on the denial of the first login request;
setting a number of terms for a challenge-response problem based on the determined reputation score;
configuring the challenge-response problem to use the set number of terms;
sending the challenge-response problem to 
authorizing the second login request in response to verifying a second login credential and a solution to the challenge-response problem received from the computing device.
Similar rationale applies to claims 8 and 15.

US patent 10872136, claim 1:
a non-transitory memory storing instructions; and
one or more hardware processors coupled to the non-transitory memory and configured to execute the instructions to cause the system to perform operations comprising:
receiving, from a computing device, a first login request for logging into an account;
retrieving an identity profile associated with the computing device;
determining a first reputation score for the first login request based on the identity profile;
determining a first number of terms for a first challenge-response problem based on the first reputation score, wherein the first challenge-response problem comprises a first NP-complete problem;
configuring the first challenge-response problem to use the first number of terms determined based on the first reputation score;
sending the first challenge-response problem to the computing device;
denying the first login request based on at least one of a first login credential or a first solution to the first challenge-response problem received from the computing device;
subsequent to denying the first login request, receiving, from the computing device, a second login request for logging in to the account;
determining a second reputation score for the second login request based on the first reputation score and a determination that the first login request has been denied;
determining a second number of terms for a second challenge-response problem based on the second reputation score, wherein the second challenge-response problem comprises a second NP-complete problem;
configuring the second challenge-response problem to use the second number of terms determined based on the second reputation score;
sending the second challenge-response 
authorizing the second login request in response to verifying a second login credential and a second solution to the second challenge-response problem received from the computing device.

Similar rationale applies to claims 9 and 16.

US patent 10872136, claim 1 (excerpt):
determining a second number of terms for a second challenge-response problem based on the second reputation score, wherein the second challenge-response problem comprises a second NP-complete problem;

Instant Application No. 17129451, claim 3:
3. The system of claim 1, wherein the denial of the first login request is based on at least one of an entry of incorrect credentials or an incorrect solution to a previous challenge-response problem received from the computing device.
Similar rationale applies to claims 10 and 17.

US patent 10872136, claim 1 (excerpt):
denying the first login request based on at least one of a first login credential or a first solution to the first challenge-response problem received from the computing device;

Instant Application No. 17129451, claim 4:
4. The system of claim 1, wherein the computing device has an associated identity profile that includes historical data of logins of the computing device, the historical data including internet protocol (IP) addresses associated with the computing device, types of transactions conducted by the computing device, and a log of login attempts made through the computing device.
Similar rationale applies to claims 11 and 18.

US patent 10872136, claims 4 and 5:
4. The system of claim 1, wherein the identity profile includes data representing past login attempts made through the computing device.
5. The system of claim 1, wherein the identity profile includes an internet protocol (IP) address associated with the computing device and types of transactions conducted by the computing device.

Instant Application No. 17129451, claim 5:
5. The system of claim 4, wherein the reputation score for the second login request is further determined based on the identity profile.
Similar rationale applies to claims 12 and 18.

US patent 10872136, claim 1 (excerpt):
determining a first reputation score for the first login request based on the identity profile;

Instant Application No. 17129451, claim 6:
6. The system of claim 1, wherein the instructions from the non-transitory memory further cause the system to perform operations comprising determining a computing power of the computing device,
Similar rationale applies to claims 13 and 19.

US patent 10872136 (excerpt):
determining a computing power of the computing device,
wherein the first number of terms for the 

Instant Application No. 17129451, claim 7 (excerpt):
wherein setting the strength of the challenge-response problem for use with the login attempt is further based on the determined type of application.
Similar rationale applies to claims 14 and 20.

US patent 10872136, claim 8:
8. The system of claim 1, wherein the operations further comprise:
determining a type of application that generated the first login request, wherein the first number of terms for the first challenge-response problem is determined further based on the determined type of application.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 6, 8, 10, 13, 15, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US 9202038 B1) in view of Bajenov (US 20130254857 A1).

Regarding claim 1, Allen teaches a system for authenticating a user, comprising:
a non-transitory memory storing instructions; and (Col 13, lines 30-31: non-transitory storage media or memory media; Col 12, lines 46-47: system memory [820] may be configured to store instructions and data accessible by processor(s) [810])
one or more hardware processors coupled to the non-transitory memory and configured to execute the instructions to cause the system to perform operations comprising: (Col 12, lines 28-34: one or more processors [810a, 810b, and/or 810n]… coupled to a system memory [820]….; Col 14, lines 7-8: a computer readable storage medium configured to store program instructions and data; and, Col 12, line 39: ….capable of executing instructions)
receiving, from the computing device, a second login request for logging into the account; (Fig. 1, Col 2, line 25: login service [110] may receive the login request…. line 31: computer device [102]; Fig. 4, Col 7, lines 5-6: a request for access to a resource associated with a password)
determining a reputation score for the second login request based on certain criteria; (Col 2, lines 40-41: the login service [110] may have access to a previously stored password associated with computer user [101]; Col 2, lines 47-48: the login service [110] may independently score the riskiness of the stored password)
setting a number of terms for a challenge-response problem based on the determined reputation score; (Col. 1, line 67; Col 2, lines 1-7: a requestor may receive from the risk-based authentication service a randomly generated proof-of-work challenge expressed at a base strength that can be increased based on the riskiness score; the base strength may correspond to a base complexity level or an initial complexity level for the proof-of-work challenge; the requestor may execute or evaluate the risk function based on one or more factors associated with the access attempt)
configuring the challenge-response problem to use the set number of terms; (Col 2, lines 35-
sending the challenge-response problem to the computing device; and (Col 2, lines 37-39: the computer user [101] may, using computing device [102], solve the adjusted proof-of-work challenge and send the solution and the entered password to the login service [110])
authorizing the second login request in response to verifying a second login credential and a solution to the challenge-response problem received from the computing device. (Col 2, lines 50-55: based on the risk score independently determined by the login service [110], the login service [110] may determine the appropriate strength level of the proof-of-work challenge and validate the received solution; the login service [110] may also authenticate computer user [101] using the selected password)

Allen teaches determining a reputation score for the second login request based on certain criteria, but does not explicitly teach detecting a denial of a first login request for logging into an account by a computing device and certain criteria being the denial of the first login request. This aspect of the claim is identified as a difference.
However, Bajenov in an analogous art explicitly teaches
detecting a denial of a first login request for logging into an account by a computing device; ([0033] determine if, for example, the information is known to have been compromised, or if submitted login information is associated with a previous suspicious login attempt [analogous to claim limitation “denial of first login request”].)
determining a reputation score for the second login request based on the denial of the first login request. ([0033, 0036-0038] FIG. 3, to evaluate the legitimacy of a login attempt, to optionally determine the suspicion index, and to take action based on the foregoing. At step 304, the login information to be evaluated is received. The submitted login information is evaluated at heuristics meta-step 308, at which either or both of steps 312 and/or 316 may be performed. At step 312, the submitted login information is compared to information recorded within the suspicious login information database 220 to determine if, for example, the information is known to have been compromised, or if submitted login information is associated with a previous suspicious login attempt. At step 316, the source of the login information, supplied by the session manager 216 as explained above, is compared to information recorded within the suspicious login information database 220. Upon determining the suspiciousness of the login information and/or the source at heuristics meta-step 308 and identifying the location of the login attempt and recording it at step 324, a suspicion index [analogous to claim limitation “reputation score”] is calculated at step 336. At step 340 an additional security challenge may be provided to the user as a means of overcoming the suspicious characteristics associated with the login information and/or the source of the login information. The success or failure of the authentication procedure is determined at step 344, at which access to the user account is either granted at step 320 or denied at step 348.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “risk based authentication” concept of Allen, and the “preventing unauthorized account access” approach of Bajenov. One of ordinary skill in the art would have been motivated to perform such a modification for preventing unauthorized account access by allowing for authentication of user login information based on information associated with a user login attempt (Bajenov [0004, 0033]).

Regarding claim 3, Allen in view of Bajenov teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the denial of the first login request is based on at least one of an entry of incorrect credentials or an incorrect solution to a previous challenge-response problem received from the computing device. ([Bajenov 0037-0038] At step 340 an additional security challenge may be provided to the user as a means of overcoming the suspicious characteristics associated with the login information and/or the source of the login information. The success or failure of the authentication procedure is determined at step 344, at which access to the user account is either granted at step 320 or denied at step 348 (additional challenge passed? No).)

Regarding claim 6, Allen in view of Bajenov teaches all the features with respect to claim 1, as outlined above. The combination further teaches determining a computing power of the computing device, wherein setting the strength of the challenge-response problem for use with the login attempt is further based on the determined computing power. (Allen Col. 13, lines 37-38: computing device [800]…; Col. 2, lines 52-53: the login service [110] …determine the appropriate strength level of the proof-of-work challenge; Col. 6, lines 24-37: the risk function [200] may include a schedule specifying the distribution of adjustment factors amongst various adjustable parameters; for instance, the schedule may include an oracle parameter that controls the ratio of work required to produce a solution to the work required to verify a solution; the schedule may include an effort parameter that controls the ratio of the rate at which special-purpose hardware can produce a solution to the rate at which general-purpose hardware can produce a solution; for each increment of adjustment the schedule may specify whether the increment should be applied to the oracle parameter or to the effort parameter; and the login service [110] may construct the schedule based on security factors and user experience concerns for passwords of various strengths). Here Allen takes rate at which special-purpose/general-purpose hardware can produce a solution (analogous to claim limitation “computing power”) into consideration to determine the appropriate strength level of the proof-of-work challenge.

Regarding claims 8, 10, 13, 15, 17 and 19, the scope of the claims is similar to that of claims 1, 3 and 6 respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US 9202038 B1) in view of Bajenov (US 20130254857 A1) and Massierer (“Provably Secure Cryptographic Hash Functions”, Dec 2006, listed in IDS).

Regarding claim 2, Allen in view of Bajenov teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the challenge-response problem is an NP-complete problem. This aspect of the claim is identified as a difference.
However, Massierer in an analogous art explicitly teaches
wherein the challenge-response problem is an NP-complete problem. ([p.41, “4.2 The Subset Sum Hash Function”] One natural construction that has recently been proven to achieve higher order UOWHF security is the subset sum hash function. It is based on the well-known NP-complete subset sum problem.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “risk based authentication” concept of Allen, and the “NP-complete subset sum problem” approach of Massierer. One of ordinary skill in the art would have been motivated to perform such a modification for efficiency and security. Since computing subset sums only involves addition, these schemes are much more efficient than schemes based on the intractability of number theoretic problems such as factoring and discrete logarithms, which involve multiplication or even exponentiation. In addition, none of these schemes have been proven to be as secure as subset (Massierer [p.42]).

Regarding claims 9 and 16, the scope of the claims is similar to that of claim 2, respectively. Accordingly, the claims are rejected using a similar rationale.
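The mechanism recited in claim 1 and in the claim 2 rejection above (a reputation score lowered by a prior denial, a subset-sum challenge whose number of terms is set from that score, and authorization only when both the credential and the solution verify), as an added Python illustration; this is not code from the office action, the application or any cited reference, and the 0..100 score scale, the term thresholds, the credential store and the brute-force client solver are constructed assumptions.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from itertools import combinations

# Constructed credential store (hypothetical): username -> PBKDF2 hash of the password.
_SALT = b"constructed-demo-salt"

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _hash_pw("correct horse battery")}

@dataclass
class IdentityProfile:
    """Per-device history; only the count of denied logins is tracked here (assumption)."""
    denied_logins: int = 0
    base_reputation: int = 90  # constructed 0..100 scale, higher = more trusted

PROFILES = {}  # device_id -> IdentityProfile

def reputation_score(device_id):
    """Score for the next request, derived from the profile and any earlier denial (claim 1)."""
    profile = PROFILES.setdefault(device_id, IdentityProfile())
    return max(0, profile.base_reputation - 30 * profile.denied_logins)

def terms_for_score(score):
    """Map the reputation score to the number of subset-sum terms; thresholds are assumed."""
    if score >= 80:
        return 8
    if score >= 50:
        return 12
    return 16

@dataclass(frozen=True)
class Challenge:
    terms: tuple
    target: int

def make_challenge(n_terms, rng=None):
    """Subset-sum instance with n_terms terms: a random non-empty subset fixes the target,
    so a solution is guaranteed to exist without the server having to store it."""
    rng = rng or random.SystemRandom()
    terms = tuple(rng.randrange(1, 1 << 20) for _ in range(n_terms))
    mask = 0
    while mask == 0:
        mask = rng.getrandbits(n_terms)
    target = sum(t for i, t in enumerate(terms) if mask >> i & 1)
    return Challenge(terms, target)

def verify_solution(challenge, indices):
    """Accept any non-empty set of distinct, in-range indices whose terms sum to the target."""
    idx = set(indices or [])
    if not idx or any(i < 0 or i >= len(challenge.terms) for i in idx):
        return False
    return sum(challenge.terms[i] for i in idx) == challenge.target

def solve_challenge(challenge):
    """Client-side brute force; cost grows exponentially with the number of terms,
    which is what makes the term count a usable strength knob."""
    n = len(challenge.terms)
    for k in range(1, n + 1):
        for combo in combinations(range(n), k):
            if sum(challenge.terms[i] for i in combo) == challenge.target:
                return list(combo)
    return None

def issue_challenge(device_id, rng=None):
    """Server step: size the challenge from the device's current reputation score."""
    return make_challenge(terms_for_score(reputation_score(device_id)), rng)

def authorize(device_id, username, password, challenge, solution):
    """Server step: authorize only if both the credential and the solution verify;
    a failure is recorded as a denial and lowers the device's next reputation score."""
    stored = USERS.get(username)
    cred_ok = stored is not None and hmac.compare_digest(stored, _hash_pw(password))
    if cred_ok and verify_solution(challenge, solution):
        return True
    PROFILES.setdefault(device_id, IdentityProfile()).denied_logins += 1
    return False
```

A device that fails its first login therefore receives a larger subset-sum instance on its second attempt (8 terms at score 90, 12 terms at score 60 under the assumed thresholds), while a correct credential with a verified solution is authorized without further penalty.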

Claims 4-5, 7, 11-12, 14, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Allen (US 9202038 B1) in view of Bajenov (US 20130254857 A1) and Alperovitch (US 20080175266 A1).

Regarding claim 4, Allen in view of Bajenov teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the computing device has an associated identity profile that includes historical data of logins of the computing device. (Allen Col 2, lines 40-44: the login service [110] may have access to a previously stored password associated with computer user [101], or a password that has been previously established and associated with the computer user [101] and that is accessible to the login service [110]). But the combination does not teach the historical data including internet protocol (IP) addresses associated with the computing device, types of transactions conducted by the computing device, and a log of login attempts made through the computing device. This aspect of the claim is identified as a difference.
However, Alperovitch in an analogous art explicitly teaches
the historical data including internet protocol (IP) addresses associated with the computing device, types of transactions conducted by the computing device, and a log of login attempts made through the computing device. (para 0082: At step 1100 the operational scenario collects data from various login attempts [analogous to claim limitation “a log of login attempts”]. The collected data can include IP address associated with the login attempt, time of the login attempt, number of login a-b to collect information about the entities 300 a-c sending and receiving messages, including, transmission patterns, volume, or whether the entity has a tendency to send certain kinds of message (e.g., legitimate messages, spam, virus, bulk mail, etc.), among many others” (¶37), “data can be collected from communications 330 a-c (e.g., e-mail) typically include some identifiers and attributes of the entity that originated the communication” (¶39), and “reputation systems can be applied to identifying fraud in financial transactions. The reputation system can raise the risk score of a transaction depending on the reputation of the transaction originator or the data in the actual transaction (source, destination, amount, etc)” (¶89).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “risk based authentication” concept of Allen, and the “collection of data for authentication analysis” approach of Alperovitch. One of ordinary skill in the art would have been motivated to perform such a modification that the collected data is then analyzed to derive statistical information of the login attempts; the login attempt can then be compared with the statistical information in the database before the user may be authenticated; and a reputation associated with the entity originating the login attempt can be derived and used to determine whether to allow the login (Alperovitch [0082-0085]).

Regarding claim 5, Allen in view of Bajenov and Alperovitch teaches all the features with respect to claim 4, as outlined above. The combination further teaches wherein the reputation score for the second login request is further determined based on the identity profile. ([Alperovitch 0045] Reputation can thus be assigned to those identifiers based on their overall behavioral and historical patterns as well as their relationship to other identifiers, such as the relationship of IPs sending messages and URLs included in those messages. The individual identifier reputations can be aggregated into a single reputation (risk score) for the entity that is associated with those identifiers.)

Regarding claim 7, Allen in view of Bajenov teaches all the features with respect to claim 1, as outlined above. Allen in view of Bajenov and Alperovitch further teaches determining a type of application for which the login is attempted, wherein setting the strength of the challenge-response problem for use with the login attempt is further based on the determined type of application. ([Allen Col. 2, lines 50-54] Based on the risk score independently determined by the login service 110, the login service 110 may determine the appropriate strength level of the proof-of-work challenge and validate the received solution. [Alperovitch 0089] reputation systems can be applied to identifying fraud in financial transactions. The reputation system can raise the risk score of a transaction depending on the reputation of the transaction originator or the data in the actual transaction (source, destination, amount, etc).) Here reference Allen discloses determining the strength of the challenge based on the risk score. Reference Alperovitch discloses determining the risk score based on transaction type/data (analogous to claim limitation “application type”). Therefore, the combination discloses the entire limitation.

Regarding claims 11-12, 14, 18 and 20, the scope of the claims is similar to that of claims 4-5 and 7 respectively. Accordingly, the claims are rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
CN 112153052 A, "Method and system for monitoring database collision attack", by Liu, teaches acquiring request information; determining a request type based on the request information; wherein the request types include a login request and a non-login request; under the condition that the request type is a login request, acquiring a network address based on the request information; and determining whether the login behavior is a database collision attack behavior or not based on the login failure times of the network address to login the target server in a preset time period.
US 20200412717 A1, "Systems and methods for real-time detection of compromised authentication credentials", by Puertas Calvo, teaches real-time compromise detection based on behavioral analytics. The detection runs in real-time, during user authentication, for example, with respect to a resource. The probability that the authentication is coming from a compromised account is assessed. The features of the current authentication are compared with the features from past authentications of the user. After comparison, a match score is generated. The match score is indicative of the similarity of the authentication to the user's history of authentication. This score is then discretized into risk levels based on the empirical probability of compromise based on known past compromised user authentications. The risk levels may be used to detect whether user authentication is occurring via compromised credentials.
US 20110225625 A1, "Dynamic authentication of a user", by Wolfson, teaches a policy module configured to receive data indicating risk factors associated with users of the system; update risk levels for the users by applying the data to risk factor rules; and provide .

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 

/HAN YANG/Examiner, Art Unit 2493