Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

DETAILED ACTION
This is in response to the amendments filed 01/24/2022.  Claims 1, 2, 8, 9, 9, 15 and 16 have been amended.  Claims 1-20 are pending and have been considered below.

Priority
16730364, filed 12/30/2019 is a continuation of 15081184, filed 03/25/2016 ,now U.S. Patent #10523686 and having 1 RCE-type filing therein; 15081184 Claims Priority from Provisional Application 62138789, filed 03/26/2015.

Drawings
The drawings filed on 12/30/2019 are accepted.

Specification
The specification filed on 12/30/2019 is accepted.

Response to Arguments
Applicant's arguments with respect to the newly amended claims such as “ generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions that uniquely identifies each originator generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions that uniquely identifies each originator “, remarks pages 8-10 have been fully considered but they are not persuasive because:
Amaya et al teaches see par. 41, if the credentials used in such user login attempt coincide with any fake credential in the fake user database, such origin network location is added to an internal list of tainted connections.  Amaya et al further teaches see par.48-49 Preferably, adding an origin network location to the internal list of tainted connections is carried out by means of IP, geolocation, and/or persistent cookie injection. Each origin network location in the internal list of tainted connection is preferably associated with one or more of the pluralities of predefined websites that have been previously poisoned. [0060] The system monitors all user logins to the protected sites. Once a fake credential login is detected, the system marks the origin as suspicious (by several mechanisms, such as IP, geolocation, and persistent cookie injection). [0061] Whenever a legitimate user login is detected on a suspicious origin, the legitimate user is marked as compromised. The login attempt is redirected to a `system temporally out of service` page, and the protected site is informed of the compromised user so it can take further actions. Amaya et al further teaches se par.97. originating IP of the connection: Once some false credential data has been sent from a given IP, all the connections originating from the same IP are considered tainted.
Bajenov teaches see par.13 Furthermore, the source location of the login attempt using the known compromised login information can also be identified, and recorded by the website operator. In other words, login attempts (even a small number of attempts) from a common source location made using login information that is known compromised (e.g., appearing on list of known compromised login information) can be used to identify all login attempts from that common source location as suspicious, whether the attempt uses known compromised login information or not. [0014] In other examples, the source location of a suspicious login attempt is identified, recorded and used, in part, to determine whether the login attempt is suspicious. For example, if a login attempt originates from a source location that previously originated a login attempt using login information known to have been compromised, the login attempt may be subjected to additional security protocols to verify the legitimacy of the attempt. In further examples, these comparisons, and others, can be used as factors in the synthesis of a suspiciousness index that measures whether a login attempt is suspicious and whether access to the user account should be granted. Bajenov further teaches see par.32 As part of the synthesis of the suspicion index, the security manager 114 may receive login information and source location information identified by the authentication manager 212 and may analyze the information for suspicious characteristics. An example of a suspicious characteristic is, as described above, the number of login attempts made using different sets of login information originating from a single source location, e.g., netblock N1(A netblock is a set of internet protocol (IP) addresses that are grouped together), IP address A1, machine cookie C1, or geographic location G1. For example, if a source location has been an origin for at least one previous login attempt using login information known to have been compromised, then any subsequent login attempts from that source may be regarded as suspicious and subjected to additional security protocols. In another example, if multiple login attempts using different sets of login information have been made from a single source location or client device, it could indicate that a malicious party has obtained a list of compromised login information and is systematically attempting to access the user accounts associated with the compromised login information. Which meet the limitation of generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions that uniquely identifies each originator. Bajenov et al further teaches origination information comprises application information associated with one or more applications used by each originator to conduct the user interactions see par.11, 20, While the website 116 is depicted in FIG. 2, those skilled in the art will appreciate that the term “website” is used for brevity and includes mobile applications (“apps”) and other means of communicating through a communications network and is limited only to a website.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Amaya Calvo et al U.S. 2013/0212658 A1 in view of Truskovsky et al U.S. 2014/0337937 A1 in further view of Bajenov et al U.S. 2013/0254857 A1.
Claims 1, 8 and 15: Amaya Calvo et al teaches a method to facilitate securing web services from unauthorized access, an apparatus one or more computer-readable storage media; and program instructions stored on the one or more computer-readable storage media that, when executed by a computing system, direct the computing system to at least, One or more computer-readable storage media having program instructions stored thereon to facilitate securing web services from unauthorized access, the method comprising:
monitoring user interactions with a web service (par. 40, 66, 71, 84, 97, a real-time monitor connected between any possible user connection to such webpage and the service provider for real-time monitoring any user login attempts from any origin network location to the website);
generating sets of the user interactions per originator by grouping the user interactions per originator based on origination information associated with the user interactions that uniquely identifies each originator (par.41, 48-49, 60, if the credentials used in such user login attempt coincide with any fake credential in the fake user database, such origin network location is added to an internal list of tainted connections), comprising origination information comprises application  information associated with one or more applications used by each originator to conduct the user interactions with the web service that uniquely identify each originator (par.47-49. Each origin network location in the internal list of tainted connection is preferably associated with one or more of the pluralities of predefined websites that have been previously poisoned. The examiner notes that predefined website is used as source or originator for the fake credential);
comparing the credentials used to access the web service per originator with compromised credentials stored in a database to identify one or more user accounts of the web service associated with art originator that used the compromised credentials found in the database (par. 40, 95, for comparing the credentials used in such user login attempt with the set of fake credentials in the fake user database); and
applying security measures for at least the one or more user accounts of the web service associated with the originator that used the compromised credentials found in the database (par. 42, 61, 105-107, if there is any other login attempt of a user from an origin network location in said list of tainted connections, said user access request is refused, even when it is using real credentials and such user is redirected to a pre-established webpage not enabling such user to access the web service).
Amaya Calvo et al fails to teach, however Truskovsky et al in a similar field of endeavor teaches: 
processing the sets of the user interactions that are grouped per originator to identify credentials used to access the web service per originator (par.28-30, the monitoring comprises recording an identity of each of the plurality of credentials accessed within the period).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Amaya Calvo et al with the additional features of Truskovsky et al in order to provide the ability for detecting unauthorized access to credentials of a credential store on a computing device, as suggested by Truskovsky et al abstract.
The combination does not explicitly teach website to be an application, however Bajenov et al in a similar field of endeavor teaches 
origination information comprises application  information associated with one or more applications used by each originator to conduct the user interactions with the web service that uniquely identify each originator (par.11-14, 20, 32, While the website 116 is depicted in FIG. 2, those skilled in the art will appreciate that the term “website” is used for brevity and includes mobile applications (“apps”) and other means of communicating through a communications network and is limited only to a website) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Amaya Calvo et al with the additional features of Bajenov et al in order to provide the ability to preventing unauthorized account access using compromised login credentials, as suggested by Bajenov et al par.1.
Claims 2, 9 and 16:   the combination teaches:
 	blocking the originator from access to web service responsive to determining that the originator used more than one of the compromised credentials stored in the database to attempt to access the one or more user accounts of the web service (Amaya Calvo et al par. 41-42, Truskovsky et al, par.107, 117-118, Bajenov et al par.12-13, 38, Fig.3).
 The same motivation to modify Amaya Calvo et al in view of Truskovsky et al applied to claim 1 above applies.
Claim 3, 10 and 17: the combination teaches:
 	 wherein applying the security measures for at least the one or more user accounts of the web service associated with the originator comprises increasing a level of authentication required for the one or more user accounts to access the web service (Bajenov et al, par.35-37).
The same motivation to modify Amaya Calvo et al in view of Bajenov et al applied to claim 1 above applies.
Claims 4, 11 and 18: the combination teaches:
 	wherein applying the security measures for at least the one or more user accounts of the web service associated with the originator comprises blocking access to the web service for all access attempts associated with the originator (Bajenov et al par.38).
The same motivation to modify Amaya Calvo et al in view of Bajenov et al applied to claim 1 above applies.
Claims 5, 12 and 19:    the combination teaches:
 wherein applying the security measures for at least the one or more user accounts of the web service associated with the originator comprises sending automatic password reset notifications to owners of the one or more user accounts (Truskovsky et al par.108-114).
The same motivation to modify Amaya Calvo et al in view of Truskovsky et al applied to claim 1 above applies.
Claims 6, 13 and 20: the combination teaches:
 	determining other user accounts of the web service having passwords found in a same credential data source as the compromised credentials used by the one or more user accounts associated with the originator that used the compromised credentials (Bajenov et al, Fig. 4, par.39-40, 42), and
responsively sending automatic password reset notifications to owners of the other user accounts (Truskovsky et al, par.108-114).
The same motivation to modify Amaya Calvo et al in view of Truskovsky et al applied to claim 1 above applies.
The same motivation to modify Amaya Calvo et al in view of Bajenov et al applied to claim 1 above applies.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Amaya Calvo et al U.S. 2013/0212658 A1 in view of Truskovsky et al U.S. 2014/0337937 A1 in further view of Bajenov et al U.S. 2013/0254857 A1 and Mathes et al U.S. 8,695,097 B1.
Claims 7 and 14:    the combination fails to teach, however Mathes et al in a similar field of endeavor teaches: 
comprising receiving a credential query transmitted from an authorized user of the web service (col.6, lines 20-55),
 	responsively comparing legitimate credentials of the authorized user received in the credential query with the compromised credentials in the database (col.6, lines 20-55), and 
transferring a notification for delivery' to the authorized user that indicates whether or not the legitimate credentials of the authorized user appear in the database of compromised credentials (col.6, lines 20-55).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Bajenov et al with the additional features of Mathes et al in order to provide the ability for detecting and preventing computer fraud, as suggested by Mathes et al col.2, lines 5- 30.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
McGeehan et al U.S. 2010/0211996 A1 teaches User sessions are authenticated based on locations associated with a user account used for sending a request for creating a session. Examples of locations of a source of a request include a geographical location, a network address, or a machine cookie associated with a device sending the request. Locations of the request are compared with stored safe locations associated with the user account and a suspiciousness index is determined for the session. The level of authentication required for the session is determined based on the suspiciousness index. Locations are associated with a reputation based on past history of sessions originating from the locations. A location associated with a history of creating suspicious session is considered an unsafe location. Reputation of the location originating the session is used to determine the level of authentication required for the session.
Maxwell et al U.S. 2017/0214712 A1 teaches systems and methods are disclosed for analyzing a plurality of failed login records that correspond to failed login attempts detected by a computing system, to identify suspicious patterns of activity that can facilitate the supplementation of password blacklists for improving account security. To accomplish the foregoing, failed login records that include information associated with failed login attempts are obtained for analysis. The failed login records are analyzed to identify a set of failed login records that show initial characteristics of a suspicious pattern of activity. The information included in the set of failed login records are further analyzed to determine whether a suspicious pattern of activity is actually present. When a suspicious pattern of activity is identified in the set of failed login records, the passwords used in the failed login attempts are stored in password blacklists associated with the account identifier(s) with which the passwords were used. 
Irving JR. et al U.S. 2016/0087964 A1 teaches a credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Wednesday, May 25, 2022
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436