DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 have been filed by the Applicant, 5/17/2022.   The Applicant has amended claims 17-20.   Claims 1-20 have been examined.  This office action is Final.


Response to Amendments
Applicant's arguments filed 5/17/2022 have been fully considered but they are not persuasive. 
Claims 17-20 have been amended; and therefore, the claim objection is withdrawn.
On page 13 of the Applicant’s arguments the Applicant states that the office action, in citing the prior art of Kutner, cited Figure 2.  The Applicant argues that Figure 3 is more relevant as it pertains to the claims.  However, the Examiner did not cite Figure 3 in the office action.  For the sake of responding to the Applicant’s arguments fully, the Examiner will rely on Figure 3 as discussed in the Applicant’s remarks.
On pages 12-15 of the Applicant’s arguments the Applicant argues the order, and states that the independent claims have a specific order of A-B-C-D.  The Applicant points to Figure 6 of the Applicant’s specification as an illustration of this order.
On page 17 of the Applicant’s arguments, in regards to Figure 3, which was not cited by the Examiner in the previous office action dated 3/4/2022, the Applicant has attempted to label the order of Kutner’s Figure 3 as A-B-C-D.  However, this is the Applicant’s view of Figure 3, which again was not used to cite the claim limitations in the previous office action.  Again, in order to respond fully to the Applicant’s argument, the Examiner will use Figure 3 of Kutner to address the Applicant’s arguments.  First, in regards to the Applicant’s independent claims, “detecting an identity attack in or against a monitored network” is Figure 3, #305, “Monitor a plurality of login attempts from a plurality of websites”, in Kutner.  Second, step (A), “determining that a credential used in a failed sign-in to a target account from a source location is a weak credential”, is Figure 3, #340, “user credentials associated with existing credentials in failed credential log”.  Third, step (B), “in response to the determining, updating a measure of weak credential failed sign-ins”, is Figure 3, #345, “increment counter associated with existing credentials in log”.  Fourth, step (C), “ascertaining that the updated measure satisfies an access restriction condition”, is Figure 3, #355, “Count threshold or metric met for further action”.  Lastly, step (D), “in response to at least the ascertaining, initiating an access restriction”…, is Figure 3, #360, “initiate at least one protection action based on determination that user credential is compromised”.
Thus, the Applicant’s arguments are moot: first, the Examiner did not rely on Kutner’s Figure 3, and second, the Applicant has mischaracterized Kutner’s Figure 3.  Thus, the Applicant’s argument on pages 17-19 in regards to the order is moot.
On page 19 of the Applicant’s argument, in regards to claim 8, the Applicant states that Ha does not disclose “method imposes an access restriction on access from the source location before a source location blocking threshold number of failed sign-ins has been directed from the source location”, because Ha discloses unsuccessful attempts; the Examiner asserts that these are failed sign-ins (Ha: para. 0071).
On page 19 of the Applicant’s argument, in regards to claim 11, the Applicant states that “Kutner’s higher than average fail rate is not necessarily a majority”.  The Examiner asserts that this is not an adequate response; the Examiner views the higher than average fail rate as a majority in Kutner (Kutner: para. 0060).  Kutner discloses that a higher than average frequency combined with a higher than average fail rate can suggest an ongoing attack from an IP address, which is the source location (Kutner: para. 0060); the Examiner asserts that this higher than average rate is the majority.
On page 19 of the Applicant’s argument, in regards to claim 12, the Applicant states “ascertaining that a majority”….  The Examiner has already explained the “majority”: Kutner discloses ascertaining that a majority of the failed sign-ins towards the target account used one or more weak passphrases, and the Examiner asserts that the higher than average fail rate is the majority (Kutner: para. 0020, 0022, 0059-0060).
On page 20 of the Applicant’s argument, in regards to claim 17, the Applicant states that “Varnavas does not mention a wrong username”.  If a username is used in a failed login attempt, the username is wrong; Varnavas discloses that a login failure includes one or more failed login attempts for one username (Varnavas: para. 0013, 0044).


Examiner Notes
The Applicant has provided a definition of “weak credential”.  The Examiner notes the definition of “weak credential” in paragraph [00202], page 39, of the Applicant’s specification.  “Weak credential” as defined by the Applicant is “a credential that is compromised or structurally weak or both”.  Therefore, for the purposes of applying art, and based on the Applicant’s definition, a weak credential is a credential that is compromised.  It is also noted that the definition includes “or”, which is a Boolean operator that gives value to at least one.
Claims 16-20 claim “A computer-readable storage medium”.  The Applicant states in para. 0026, page 6, of the Applicant’s specification that a computer readable storage medium is not a signal per se.  Further, the Applicant states on page 36, paragraphs 00168-00169, that the computer readable storage is not a signal per se.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 1-2, 4-6, 9-14, 16, and 18-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kutner (2020/0213334).
As per claim 1, Kutner discloses an attack detection system (Kutner: See Fig. 2, an attack detection system) which is configured for automatic detection of an identity attack and for initiating an automatic defense against the identity attack, the system comprising (Kutner: para. 0009, automatic detection of an identity attack and for initiating an automatic defense against the identity attack (i.e. automatic defense (i.e. automatically initiating protection action)): 
a digital memory (Kutner: See Fig. 2 #224 memory); 
a processor in operable communication with the memory (Kutner: See Fig. 2, #206 processor in operable communication with the memory #224), the processor configured to perform steps for detecting an identity attack in or against a monitored network (Kutner: para. 0004, 0030, detecting an identity attack by identifying attacks through monitoring of user credential login attempts across a network, the attacks are in a monitored network), the steps including 
(a) determining that a credential used in a failed sign-in to a target account from a source location is a weak credential (Kutner: para. 0021, 0039-0040, and 0042, determining that a credential used in a failed login attempt (i.e. failed sign-in) to a target account from a source location (i.e. IP address) is compromised), 
(b) in response to the determining, updating a measure of weak credential failed sign-ins (Kutner: para. 0004, 0006, updating a measure includes updating (incrementing) a counter which tracks the number of failed sign-ins using the weak credential (i.e. compromised credential)), 
(c) ascertaining that the updated measure satisfies an access restriction condition (Kutner: para. 0006, ascertaining that a count of failed sign-ins directed to the target account (i.e. website) reached a restriction condition (i.e. threshold)), and 
            (d) in response to at least the ascertaining, initiating an access restriction on at least one of the target account and the source location (Kutner: para. 0026, ascertaining, initiating an access restriction (i.e. protective action) on an account, only one needs to be required according to the claim; the access restriction is blocking the account), whereby the system enhances cybersecurity by detecting behavior which indicates an identity attack and by initiating an access restriction in response to the behavior (Kutner: See Fig. 2, para. 0020, 0030, #200 system enhances cybersecurity by detecting behavior (i.e. login attempts) which indicates an attack and by initiating an access restriction in response to the behavior), and wherein said detecting is based on at least both noting sign-in failure and determining credential weakness (Kutner: para. 0007-0009, and 0030, detecting behavior (i.e. login attempts) using credentials which indicates an identity attack by searched failed credential log for match, the detecting is based on sign-in failure and determining credential weakness by searched failed login logs/list) . 
     As per claim 2, Kutner discloses the system of claim 1.  Kutner further discloses wherein the measure of weak credential failed sign-ins comprises at least one of the following: a measure based on a count of weak passphrase failed sign-ins directed to the target account; a measure based on a count of weak passphrase failed sign-ins directed from the source location; a measure based on a count of weak passphrase failed sign-ins directed from the source location when the source location is familiar in that the source location has been previously associated with an authorized user of the target account; a measure based on a count of weak passphrase failed sign-ins directed from the source location when the source location is unfamiliar in that the source location has not been previously associated with an authorized user of the target account; a measure based on a count of weak passphrase failed sign-ins directed to any of a predefined set of accounts that includes the target account; or a measure based on a count of weak passphrase failed sign-ins directed from any of a predefined set of locations that includes the source location; a measure based on a count of wrong username failed sign-ins directed to the target account; a measure based on a count of wrong username failed sign-ins directed from the source location; a measure based on a count of wrong username failed sign-ins directed from the source location when the source location is familiar in that the source location has been previously associated with an authorized user of the target account; a measure based on a count of wrong username failed sign-ins directed from the source location when the source location is unfamiliar in that the source location has not been previously associated with an authorized user of the target account; a measure based on a count of wrong username failed sign-ins directed to any of a predefined set of accounts that includes the target account; a measure based on a count of wrong username failed sign-ins directed from any of a predefined set of locations that includes the source location; or a measure of an increase in weak credential failed sign-ins (Kutner: para. 0004-0006, and 0059, this claim only requires one because of “at least one of”, Kutner discloses a measure based on a count of weak passphrase failed sign-ins directed to the target account).
     As per claim 4, Kutner discloses the system of claim 1.  Kutner further discloses comprising a list of compromised passphrases, and wherein determining that a passphrase used in a failed sign-in to a target account from a source location is a weak passphrase includes searching the list of compromised passphrases (Kutner: para. 0020, 0041, 0046, 0055, list of compromised passphrases (i.e. failed credential logs) used in fail sign-in to a target account from a source location is a weak passphrase (i.e. compromised password)). 
     As per claim 5, Kutner discloses the system of claim 1.  Kutner further discloses wherein the attack detection system resides in the monitored network (Kutner: See Fig. 2, attack detection system (#202 Centralized Authentication Risk Evaluation System) resides in the monitored network)). 
     As per claim 6, Kutner discloses an attack detection method for enhancing cybersecurity, comprising:   
     determining that a passphrase used in a failed sign-in to a target account from a source location is a weak credential (Kutner: para. 0039-0040, 0042, 0046, 0055, determining that a credential used in a failed login attempt (i.e. failed sign-in) to a target account from a source location (i.e. IP address) is compromised); 
     in response to the determining, updating a measure of weak credential failed sign-ins (Kutner: para. 0004, 0006, updating a measure includes updating (incrementing) a counter which tracks the number of failed sign-ins using the weak credential (i.e. compromised credential));  
     ascertaining that the updated measure satisfies an access restriction condition (Kutner: para. 0006, ascertaining that a count of failed sign-ins directed to the target account reached a restriction condition (i.e. threshold)); 
     in response to at least the ascertaining, imposing an access restriction on at least one of the target account and the source location (Kutner: para. 0026, ascertaining, initiating an access restriction (i.e. protective action) on an account, only one needs to be required according to the claim; the access restriction is blocking the account); 
     whereby the method enhances cybersecurity by detecting behavior which indicates an identity attack and by imposing an access restriction in response to the behavior (Kutner: See Fig. 2, para. 0020, 0030, #200 system enhances cybersecurity by detecting behavior (i.e. login attempts) which indicates an attack and by initiating an access restriction in response to the behavior), and wherein said detecting is based on at least both noting sign-in failure and determining credential weakness (Kutner: para. 0007-0009, and 0030, detecting behavior (i.e. login attempts) using credentials which indicates an identity attack by searched failed credential log for match, the detecting is based on sign-in failure and determining credential weakness by searched failed login logs/list). 
     As per claim 9, Kutner discloses the method of claim 6.  Kutner further discloses wherein the credential includes a passphrase and determining that the credential is a weak credential comprises at least one of the following: testing strength of the passphrase based on at least passphrase length; testing strength of the passphrase based on at least passphrase complexity; or searching a list of compromised passphrases (Kutner: para. 0007, 0020, 0222, only one is required with the “at least one” Kutner discloses searching a list of compromised passphrases, because a list of known compromised set of credentials (i.e. compromised passwords) is searched to compared with the credential that was attempted by the user). 
     As per claim 10, Kutner discloses the method of claim 6.  Kutner further discloses wherein imposing the access restriction comprises at least one of the following: locking the target account; requiring an additional authentication for access to the target account; or blocking an IP address at the source location (Kutner: para. 0044, only one needs to be disclosed as per the phrase, “at least one”, Kutner discloses locking the target account). 
     As per claim 11, Kutner discloses the method of claim 6.  Kutner further discloses wherein ascertaining that the updated measure satisfies an access restriction condition comprises ascertaining that a majority of the failed sign-ins coming from the source location used one or more weak passphrases (Kutner: para.  0059-0060, source location (i.e. IP address)). 
     As per claim 12, Kutner discloses the method of claim 6.  Kutner further discloses wherein ascertaining that the updated measure satisfies an access restriction condition (Kutner: para. 0006, 0009, ascertaining that the updated measure satisfies an access restriction condition (i.e. protective action)) a count of failed sign-ins directed to the target account (i.e. website) reached a restriction condition (i.e. threshold)) comprises ascertaining that a majority of the failed sign-ins towards the target account used one or more weak passphrases (Kutner: para. 0020, 0022, 0059, weak passphrase (i.e. compromised password)). 

     As per claim 13, Kutner discloses the method of claim 6.  Kutner further discloses wherein determining that the credential is a weak credential comprises at least one of the following: searching a list of compromised passphrases which includes passphrases harvested from attempts to sign-in to the monitored network; or searching a list of compromised passphrases which includes passphrases harvested from attempts to sign-in to one or more networks other than the monitored network or from attempts to sign-in to an unspecified network (Kutner: para. 0007, 0020, and 0222, only one needs to be disclosed, “at least one”, searching a list of compromised passphrases which includes passphrases harvested from attempts to sign-in to the monitored network). 
     As per claim 14, Kutner discloses the method of claim 6.  Kutner further discloses wherein imposing an access restriction comprises restricting access attempts that come from inside the monitored network (Kutner: See Fig. 2, 0004, 0030, and 0058, access restriction (i.e. protective action) restricting access attempts that come from inside the monitored network). 
     As per claim 16, Kutner discloses a computer-readable storage medium configured with data and instructions which upon execution by a processor cause a computing system to perform an attack detection method for enhancing cloud cybersecurity, the method comprising: 
     determining that a credential used in a failed sign-in to a target account in a cloud computing environment (Kutner: para. 0032, 0035, the centralized authentication risk evaluation system #202 may be a cloud-based system) from a source location is a weak credential (Kutner: para. 0021, 0039-0040, and 0042, determining that a credential used in a failed login attempt (i.e. failed sign-in) to a target account from a source location (i.e. IP address) is compromised); 
     in response to the determining, updating a measure of weak credential failed sign-ins (Kutner: para. 0004, 0006, updating a measure includes updating (incrementing) a counter which tracks the number of failed sign-ins using the weak credential (i.e. compromised credential));   
     ascertaining that the updated measure satisfies an access restriction condition (Kutner: para. 0006, ascertaining that a count of failed sign-ins directed to the target account (i.e. website) reached a restriction condition (i.e. threshold)); and 
     in response to at least the ascertaining, initiating an access restriction on at least one of the target account and the source location (Kutner: para. 0026, ascertaining, initiating an access restriction (i.e. protective action) on an account, only one needs to be required according to the claim; the access restriction is blocking the account); 
     whereby the system enhances cybersecurity by detecting behavior which indicates an identity attack and by initiating an access restriction in response to the behavior (Kutner: See Fig. 2, para. 0020, 0030, #200 system enhances cybersecurity by detecting behavior (i.e. login attempts) which indicates an attack and by initiating an access restriction in response to the behavior), and wherein said detecting is based on at least both noting sign-in failure and determining credential weakness (Kutner: para. 0007-0009, and 0030, detecting behavior (i.e. login attempts) using credentials which indicates an identity attack by searched failed credential log for match, the detecting is based on sign-in failure and determining credential weakness by searched failed login logs/list).  
     As per claim 18, Kutner discloses the storage medium of claim 16.  Kutner further discloses wherein the credential includes a passphrase and determining that the credential is a weak credential comprises finding at least one of the following in the passphrase: repetition of a character, or repetition of a string (Kutner: para. 0020, 0041, only one needs to be disclosed as per “at least one”; Kutner discloses repetition of a string, discloses credentials password1 vs. password2, repetition of a string, both containing “password”). 
     As per claim 19, Kutner discloses the storage medium of claim 16.  Kutner further discloses wherein updating the measure comprises: updating account counters which track the number of failed sign-ins with weak passphrases for each of a plurality of respective accounts (Kutner: para. 0018, 0042, updating account counters (i.e. incrementing counter)); and updating IP address counters which track the number of failed sign-ins with weak passphrases for each of a plurality of IP addresses (Kutner: para. 0042, and 0060, updating IP address counter (i.e. incrementing counter track the number of failed credentials used in failed attempts for IP address). 
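The following sketch is an added illustration, not part of the Office action, the application, or any cited reference. It walks steps (a) through (d) as recited in claim 1, with the per-account and per-IP counters of claim 19 and restriction thresholds set below ordinary lockout thresholds in the manner of claim 20. The compromised list, the length and repetition checks, all threshold values, and every name in the code are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample list; a deployment would load digests of a breach corpus.
COMPROMISED_SHA256 = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password1", "Summer2022!", "qwerty123")
}

# Assumed ordinary thresholds that count every failed sign-in.
ACCOUNT_LOCKOUT_THRESHOLD = 10
SOURCE_BLOCK_THRESHOLD = 20
# Assumed restriction thresholds that count only weak-credential failures:
# 7 is 70% of the lockout threshold, 12 is 60% of the blocking threshold.
ACCOUNT_RESTRICT_THRESHOLD = 7
SOURCE_RESTRICT_THRESHOLD = 12
MIN_LENGTH = 10   # assumed structural minimum
MAX_RUN = 4       # assumed: 4 identical characters in a row is "repetition"


def is_weak(passphrase: str) -> bool:
    """Step (a): weak means compromised, structurally weak, or both."""
    digest = hashlib.sha256(passphrase.encode()).hexdigest()
    if digest in COMPROMISED_SHA256:
        return True
    if len(passphrase) < MIN_LENGTH:
        return True
    run = 1
    for prev, cur in zip(passphrase, passphrase[1:]):
        run = run + 1 if cur == prev else 1
        if run >= MAX_RUN:
            return True
    return False


@dataclass
class WeakCredentialMonitor:
    by_account: Counter = field(default_factory=Counter)
    by_source: Counter = field(default_factory=Counter)

    def failed_sign_in(self, account: str, source_ip: str,
                       passphrase: str) -> list[str]:
        """Handle one failed sign-in; return the restrictions to initiate."""
        # (a) Failures with a strong passphrase (e.g. a user's typo) are
        # left to the ordinary lockout logic and do not touch the measure.
        if not is_weak(passphrase):
            return []
        # (b) Update the measure: one counter per account, one per source.
        self.by_account[account] += 1
        self.by_source[source_ip] += 1
        # (c) Check the restriction conditions, then (d) report actions.
        actions = []
        if self.by_account[account] >= ACCOUNT_RESTRICT_THRESHOLD:
            actions.append(f"restrict-account:{account}")
        if self.by_source[source_ip] >= SOURCE_RESTRICT_THRESHOLD:
            actions.append(f"restrict-source:{source_ip}")
        return actions


def replay(events):
    """Feed (account, source_ip, passphrase) failures in order.

    Returns {action: 1-based index of the event that first triggered it}.
    """
    monitor = WeakCredentialMonitor()
    first_seen = {}
    for i, (account, ip, pw) in enumerate(events, 1):
        for action in monitor.failed_sign_in(account, ip, pw):
            first_seen.setdefault(action, i)
    return first_seen


# Constructed events: nine typos of a strong passphrase by one user, then
# one source trying a compromised passphrase once against twelve accounts.
TYPOS = [("bob", "198.51.100.4", "correct horse battery")] * 9
SPRAY = [(f"user{n}", "203.0.113.7", "qwerty123") for n in range(12)]

if __name__ == "__main__":
    print(replay(TYPOS + SPRAY))
```

In the constructed replay, the source is restricted at its twelfth weak-credential failure, before the assumed ordinary blocking threshold of twenty, while the nine strong-passphrase failures never reach the weak-credential counters.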
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Jakobsson (2016/0350528).

As per claim 3, Kutner discloses the system of claim 1.  
Kutner discloses a failed sign-in (Kutner: para. 0020, failed login attempts (i.e. failed sign-in)).
Kutner does not explicitly disclose comprising a passphrase strength testing code which upon execution tests passphrase strength and which is configured to test proposed passphrases submitted by authorized users of accounts in the monitored network, and wherein determining that a passphrase used in a failed sign-in to a target account from a source location is a weak passphrase includes executing the passphrase strength testing code. 
However, analogous art of Jakobsson discloses a passphrase strength testing code which upon execution tests passphrase strength (Jakobsson: para. 0023, passphrase strength testing code (i.e. password checkers), that test the strength of password) and which is configured to test proposed passphrases submitted by authorized users of accounts in the monitored network (Jakobsson: para. 0043, proposed passwords submitted by authorized users of accounts, such as a user that already has an account with a service provider), and wherein determining that a passphrase used to a target account from a source location is a weak passphrase includes executing the passphrase strength testing code (Jakobsson: para. 0023, 0045-0046, old password is used in failed sign-in to a target account from a source location is a weak password includes executing the password checker).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jakobsson with the system/method of Kutner to include a passphrase strength testing code which upon execution tests passphrase strength and which is configured to test proposed passphrases submitted by authorized users of accounts in the monitored network, and wherein determining that a passphrase used to a target account from a source location is a weak passphrase includes executing the passphrase strength testing code.
One would have been motivated to use a passphrase strength testing code which tests the passphrase strength, because it is important for a user to select or change to a password that is strong, as opposed to weak, and that is not easily determined by others (Jakobsson: para. 0005).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Gupta (8,302,187).

            As per claim 7, Kutner discloses the method of claim 6.  
            Kutner does not explicitly disclose wherein the method imposes an access restriction on access to the target account before an account lockout threshold number of failed sign-ins has been directed to the target account. 
            However, analogous art of Gupta discloses wherein the method imposes an access restriction on access to the target account before an account lockout threshold number of failed sign-ins has been directed to the target account (Gupta: col. 2, lines 29-67, and col. 7, lines 6-15, imposes an access restriction (i.e. warning threshold) on access to the target account before an account lockout threshold number). 
           Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Gupta with the system/method of Kutner to include the method imposes an access restriction on access to the target account before an account lockout threshold number of failed sign-ins has been directed to the target account.
           One would have been motivated to impose an access restriction on access to the target account before an account lockout threshold number of failed sign-ins has been directed to the target account, because this would mitigate susceptibility to large-scale lockout attacks (Gupta: col. 7, lines 12-16).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Ha et al. (2012/0226579).
            As per claim 8, Kutner discloses the method of claim 6.
Kutner does not explicitly disclose wherein the method imposes an access restriction on access from the source location before a source location blocking threshold number of failed sign-ins has been directed from the source location. 
However, analogous art of Ha discloses wherein the method imposes an access restriction on access from the source location before a source location blocking threshold number of failed sign-ins has been directed from the source location (Ha: para. 0052, 0071, access restriction on access from the IP address (i.e. source location) before an IP address blocking threshold number of failed sign-ins has been directed, because the database is searched to see if the IP address is fraudulent).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Ha with the system/method of Kutner to include imposes an access restriction on access from the source location before a source location blocking threshold number of failed sign-ins has been directed from the source location.
One would have been motivated to impose an access restriction on access from the source location before a source location blocking threshold number of failed sign-ins has been directed from the source location, because this is an efficient method that looks in the database to identify the source location, thus allowing an access restriction to be implemented quickly (Ha: para. 0052). 

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Kerametlian et al. (2017/0208075).
            As per claim 15, Kutner discloses the method of claim 6. 
Kutner does not explicitly disclose wherein updating a measure of weak passphrase failed sign-ins comprises: updating a familiar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more familiar locations; and updating an unfamiliar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more unfamiliar locations; wherein a location is familiar when the location has been previously associated with an authorized user of the target account, and otherwise the location is unfamiliar.
However, analogous art of Kerametlian discloses updating a measure of weak passphrase failed sign-ins comprises: updating a familiar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more familiar locations (Kerametlian: para. 0009-0010, and 0032, updating a measure of weak passwords (i.e. updating includes incrementing) to the target account which came from one or more familiar locations (i.e. familiar locations, such as geographic location from which the system has observed successful user logins in the past); and updating an unfamiliar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more unfamiliar locations; wherein a location is familiar when the location has been previously associated with an authorized user of the target account, and otherwise the location is unfamiliar (Kerametlian: para. 0009-0010, 0021, 0023, updating an unfamiliar location attempt count of weak passwords came from unfamiliar locations).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kerametlian with the system/method of Kutner to include updating a measure of weak passphrase failed sign-ins comprises: updating a familiar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more familiar locations; and updating an unfamiliar location attempt count of weak passphrase failed sign-ins to the target account which came from one or more unfamiliar locations; wherein a location is familiar when the location has been previously associated with an authorized user of the target account, and otherwise the location is unfamiliar.
One would have been motivated to use two counters, because this is an efficient method that applies login requests from different origins; this provides smart password analysis (Kerametlian: para. 0046).  

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Varnavas et al (2021/0152571).

             As per claim 17, Kutner discloses the computer-readable storage medium of claim 16.
             Kutner does not explicitly disclose wherein the credential includes a username and the method comprises: determining that the username used in a failed sign-in to a target account in a cloud computing environment from a source location is a wrong username; in response to the determining, updating a measure of wrong username failed sign-ins; and wherein initiating the access restriction is at least partially in response to the measure of wrong username failed sign-ins.
However, analogous art of Varnavas discloses wherein the credential includes a username and the method comprises: determining that the username used in a failed sign-in to a target account in a cloud computing environment from a source location is a wrong username; in response to the determining, updating a measure of wrong username failed sign-ins; and wherein initiating the access restriction is at least partially in response to the measure of wrong username failed sign-ins (Varnavas: para. 0013, 0042-0044, updating a measure (i.e. counting), wrong username failed login attempts (i.e. failed sign-ins)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Varnavas with the system/method of Kutner to include the credential includes a username and the method comprises: determining that the username used in a failed sign-in to a target account in a cloud computing environment from a source location is a wrong username; in response to the determining, updating a measure of wrong username failed sign-ins; and wherein initiating the access restriction is at least partially in response to the measure of wrong username failed sign-ins.
One would have been motivated to determine that a username used in a failed sign-in is a wrong username, update a measure, and initiate an access restriction, so that security incidents such as password spraying or credential stuffing can be detected (Varnavas: para. 0002).


Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Kutner (2020/0213334) in view of Cross et al (2015/0242603).

As per claim 20, Kutner discloses the computer-readable storage medium of claim 16.
Kutner does not explicitly disclose wherein ascertaining that the updated measure satisfies an access restriction condition comprises at least one of the following: ascertaining that a count of failed sign-ins directed to the target account has reached an account restriction threshold, when the account restriction threshold is no greater than seventy percent of an account lockout threshold that is not based on any passphrase weakness determination; or ascertaining that a count of failed sign-ins directed from the source location has reached a source location restriction threshold, when the source location restriction threshold is no greater than sixty percent of a source location blocking threshold that is not based on any passphrase weakness determination.
However, analogous art of Cross discloses wherein ascertaining that the updated measure satisfies an access restriction condition comprises at least one of the following: ascertaining that a count of failed sign-ins directed to the target account has reached an account restriction threshold, when the account restriction threshold is no greater than seventy percent of an account lockout threshold that is not based on any passphrase weakness determination; or ascertaining that a count of failed sign-ins directed from the source location has reached a source location restriction threshold, when the source location restriction threshold is no greater than sixty percent of a source location blocking threshold that is not based on any passphrase weakness determination (Cross: para. 0003, 0010, discloses “at least one” and “or”, Cross discloses ascertaining that the updated measure satisfies an access restriction condition comprises: ascertaining that a count of failed sign-ins directed to the target account has reached an account restriction threshold, when the account restriction threshold is no greater than seventy percent of an account lockout threshold that is not based on any passphrase weakness determination, discloses a threshold percentage of 50%).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Cross with the system/method of Kutner to include ascertaining that the updated measure satisfies an access restriction condition comprises at least one of the following: ascertaining that a count of failed sign-ins directed to the target account has reached an account restriction threshold, when the account restriction threshold is no greater than seventy percent of an account lockout threshold that is not based on any passphrase weakness determination.
One would have been motivated to ascertain that the updated measure satisfies an access restriction condition, comprising at least one of the following: ascertaining that a count of failed sign-ins directed to the target account has reached an account restriction threshold, when the account restriction threshold is no greater than seventy percent of an account lockout threshold that is not based on any passphrase weakness determination, in order to reduce unauthorized account access lockout by determining a quality of an unauthorized account access attempt (Cross: para. 0002).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 
5/31/2022

/J.E.J/Examiner, Art Unit 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439