DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 10/06/2020. Claims 1-14 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/22/2021 was filed before the mailing date of the office action on 06/15/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claim 8 is objected to because of the following informalities: Claim 8 is written as if it depends upon itself. For the purposes of examination, the examiner is assuming claim 8 is intended to be dependent on claim 7. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 7 and 9-13 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160330220 to DULKIN and Lazarovitz (hereinafter DULKIN) in view of U.S. PGPub. No. 20160065565 to PLOTNIK et al. (hereinafter PLOTNIK).

Regarding claim 7, DULKIN discloses a method comprising: 
receiving an authentication request including a ticket (¶0066 “Authentication messages, also referred to herein as secure tickets, may be any messages exchanged between network entities in an authentication protocol. For example, in a computer network operating according to the Kerberos protocol, authentication messages may include any of KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ, KRB_TGS_REP, KRB_AP_REQ, and KRB_AP_REQ messages”); 
decrypting the authentication request and the ticket (¶0220 “administrative server 1318 may be accessed by detection system 1302 to, for example, obtain data used in decryption of the encrypted portion of the security access ticket, in parsing the decrypted data, and/or in analyzing the parsed decrypted data, as described herein”);
 	extracting validation information from the authentication request including (i) a user security ID, (ii) a primary group identifier, and (iii) group membership data (¶0241 “The analysis may be performed by comparing the actual updated values obtained from the administrative server with corresponding values of the parsed decrypted data to identify inconsistencies”
“user information of an account of the client attempting to use the security access ticket to access a service of the service providing server. The user information may include, for example, logon credentials and/or group membership of the account. Other user information is possible as well”); 
extracting a principal name from the ticket (¶0232 “the Service Principal Name”); 
retrieving, from a domain controller, user information associated with the principal name (¶0248 “Principal Name: containing the name part of the client's principal identifier”), including (i) a user security ID, (ii) a user group identifier, and (iii) user group membership data (¶0241“user information of an account of the client attempting to use the security access ticket to access a service of the service providing server. The user information may include, for example, logon credentials and/or group membership of the account. Other user information is possible as well”);
 	comparing the validation information and the user information (¶0241 “The analysis may be performed by comparing the actual updated values obtained from the administrative server with corresponding values of the parsed decrypted data to identify inconsistencies”); wherein the actual updated values are interpreted as the validation information and the corresponding values of the parsed decrypted data as the user information.
However, DULKIN does not explicitly disclose the following limitation taught by PLOTNIK: blocking the authentication request responsive to identifying at least one difference between the validation information and the user information 
PLOTNIK discloses blocking the authorization request if there is a discrepancy between the two sets of information (the retrieved authentication information and the extracted authorization information) in (Fig. 4 Step 416, ¶0058 “Step 416—If a discrepancy is found, then a security event alert is invoked, alerting the relevant entities (e.g. SD administrator, security administer and/or other systems or modules) within the system to block the authorization request or otherwise deal with the security event”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN in claim 7 to include blocking the authorization request if there is a discrepancy between the two sets of information in the Kerberos protocol, as disclosed by PLOTNIK, and would have been motivated to do so because it prevents the use of an unauthorized ticket to gain access to the system.

Regarding claim 9, DULKIN in view of PLOTNIK discloses the method of claim 8. DULKIN further discloses wherein the at least one request time stamp includes each of the log on time, the log off time, the kick off time, the last successful log on time, the last failed log on time, and the password last set time (¶0268-¶0271) and (¶0294-¶0295).  

Regarding claim 10, DULKIN in view of PLOTNIK discloses the method of claim 7. DULKIN further discloses wherein the authentication request is a TGS-REQ request directed to the domain controller according to the Kerberos protocol and the ticket is a ticket granting ticket (¶0046 “The client may authenticate itself using, for example, a KRB_TGS_REQ message. The KRB_TGS_REQ message may include the TGT”).  
 
Regarding claim 11, DULKIN in view of PLOTNIK discloses the method of claim 10. DULKIN further discloses wherein decrypting the authentication request and the ticket further comprises: 
extracting, from the domain controller, a password hash for a user account associated with a key distribution service center account (¶0172 “In some embodiments, obtaining the decryption key may involve accessing a network resource to identify, from a plurality of detection keys, a suitable decryption key for decrypting the obtained encrypted data”); 
and decrypting the authentication request and the ticket with the password hash (¶0174 “At step 1206, in some embodiments, the encrypted data may be decrypted using the obtained decryption key, thereby generating decrypted data elements”).  

Regarding claim 12, DULKIN in view of PLOTNIK discloses the method of claim 7. DULKIN further discloses wherein the authentication request is an AP-REQ request directed to a domain server according to the Kerberos protocol and the ticket is a ticket granting service ticket (¶0047 “the client may provide the ST to the target service, which in turn may provide access to the client. The client may provide the ST to the target service using, for example, a KRB_AP_REQ message. The KRB_AP_REQ message may include the ST”).  
  
Regarding claim 13, DULKIN in view of PLOTNIK discloses the method of claim 12. DULKIN further discloses wherein decrypting the authentication request and the ticket further comprises: 
extracting, from the domain controller, a password hash associated with the domain server (¶0199 “The decryption key may be obtained, for example, from the KDC, an administrative server, and/or a data repository”); 
and decrypting the authentication request and the ticket with the password hash (¶0200 “The method 1230, in some embodiments, includes at step 1236 decrypting the encrypted portion of the Kerberos ticket. The encrypted portion may be decrypted using, for example, the decryption key obtained in step 1234”).  



Claim(s) 1-6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160330220 to DULKIN and Lazarovitz (hereinafter DULKIN) in view of U.S. PGPub. No. 20160065565 to PLOTNIK et al. (hereinafter PLOTNIK) and further in view of U.S. Pat. No. 6732179 to BROWN et al. (hereinafter BROWN).
 
Regarding claim 1, DULKIN discloses a method comprising: 
 	receiving an authentication request including a ticket (¶0066 “Authentication messages, also referred to herein as secure tickets, may be any messages exchanged between network entities in an authentication protocol. For example, in a computer network operating according to the Kerberos protocol, authentication messages may include any of KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ, KRB_TGS_REP, KRB_AP_REQ, and KRB_AP_REQ messages”); 
decrypting the authentication request and the ticket (¶0220 “administrative server 1318 may be accessed by detection system 1302 to, for example, obtain data used in decryption of the encrypted portion of the security access ticket, in parsing the decrypted data, and/or in analyzing the parsed decrypted data, as described herein”); 
extracting a validity start time and a validity end time from the ticket (¶0250 “Kerberos Time field: specifies, for example, one or more of: the start time after which the ticket is valid, end time containing the expiration time after which the ticket will no longer be honored”); 
calculating a validity period based on the validity start time and the validity end time (¶0239 “As another example, the value of the start time field minus the value of the end time field may be according to the value defined for ticket lifetime by the implementation of the protocol”);
comparing the validity period to the domain validity period (¶0239 “in some embodiments the analyzing may involve comparing a lifetime value of the security access ticket (e.g., stored in data repository 1324) to valid ticket lifetimes as defined by the implementation of the computer network authentication protocol installed on authentication system 1312 that supposedly issued the security access ticket”); 
However, DULKIN does not explicitly disclose the following limitation taught by PLOTNIK: and blocking the authentication request responsive to determining that the validity period differs from the domain validity period.
PLOTNIK discloses blocking the authorization request if there is a discrepancy between the two sets of information (the retrieved authentication information and the extracted authorization information) in (Fig. 4 Step 416, ¶0058 “Step 416—If a discrepancy is found, then a security event alert is invoked, alerting the relevant entities (e.g. SD administrator, security administer and/or other systems or modules) within the system to block the authorization request or otherwise deal with the security event”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN in claim 7 to include blocking the authorization request if there is a discrepancy between the two sets of information in the Kerberos protocol, as disclosed by PLOTNIK, and would have been motivated to do so because it prevents the use of an unauthorized ticket to gain access to the system.

	However, DULKIN in view of PLOTNIK does not explicitly disclose the following limitation disclosed by BROWN: retrieving a domain validity period from a domain controller;
BROWN discloses the concept of a gateway server (GS) which constructs a ticket that comprises, among other information, the duration or time span during which the ticket is valid (the validity period) (BROWN, Column 11, lines 59-63 “the GS 416 preferably constructs 620 the ticket. As shown in FIG. 8, the ticket 800 preferably includes the Box ID 810 of the client 112 requesting the ticket, a version number 812, an expiration date 814 (or duration when the ticket is valid)”). Thus the gateway server plays the role of the domain controller or the KDC that issues tickets.
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN and PLOTNIK in claim 1 to include the concept of constructing tickets with a validity period or time span as disclosed by BROWN, and would have been motivated to do so because it enables the server to restrict access to network resources available on the user computer system (BROWN, column 1, lines 22-24).   

Regarding claim 2, DULKIN in view of PLOTNIK and further in view of BROWN discloses the method of claim 1. DULKIN further discloses wherein the authentication request is a TGS-REQ request directed to the domain controller according to the Kerberos protocol and the ticket is a ticket granting ticket (¶0046 “The client may authenticate itself using, for example, a KRB_TGS_REQ message. The KRB_TGS_REQ message may include the TGT”).  

Regarding claim 3, DULKIN in view of PLOTNIK and further in view of BROWN discloses the method of claim 2. DULKIN further discloses wherein decrypting the authentication request and the ticket further comprises:
 	extracting, from the domain controller, a password hash for a key distribution service center account (¶0172 “In some embodiments, obtaining the decryption key may involve accessing a network resource to identify, from a plurality of detection keys, a suitable decryption key for decrypting the obtained encrypted data”); 
and decrypting the authentication request and the ticket with the password hash (¶0174 “At step 1206, in some embodiments, the encrypted data may be decrypted using the obtained decryption key, thereby generating decrypted data elements”).  

Regarding claim 4, DULKIN in view of PLOTNIK and further in view of BROWN discloses the method of claim 1. DULKIN further discloses wherein the authentication request is an AP-REQ request directed to a domain server according to the Kerberos protocol and the ticket is a ticket granting service ticket (¶0047 “the client may provide the ST to the target service, which in turn may provide access to the client. The client may provide the ST to the target service using, for example, a KRB_AP_REQ message. The KRB_AP_REQ message may include the ST”).  

Regarding claim 5, DULKIN in view of PLOTNIK and further in view of BROWN discloses the method of claim 4. DULKIN further discloses wherein decrypting the authentication request and the ticket further comprises: 
extracting, from the domain controller, a password hash associated with a key distribution service center account (¶0199 “The decryption key may be obtained, for example, from the KDC, an administrative server, and/or a data repository”); 
and decrypting the authentication request and the ticket with the password hash (¶0200 “The method 1230, in some embodiments, includes at step 1236 decrypting the encrypted portion of the Kerberos ticket. The encrypted portion may be decrypted using, for example, the decryption key obtained in step 1234”).  

Regarding claim 6, DULKIN in view of PLOTNIK and further in view of BROWN discloses the method of claim 1. DULKIN further discloses wherein blocking the authentication request includes one or more of denying the authentication request, alerting a user to the authentication request, presenting a multi-factor authentication challenge, and requesting additional information regarding network traffic of a computing device associated with the authentication request from a domain controller.
 DULKIN discloses issuing an alert in response to detecting malicious activity in (¶0106 “The method 400, in some embodiments, includes step 408 of, in response to detecting potentially malicious activity, issuing an alert. The alert may be, for example, a message provided to, for instance, an administrator, such as a pop-up message on a graphical user interface for presentation to the administrator, or a message otherwise communicated to the administrator”).  

Regarding claim 14, DULKIN discloses a method comprising: 
receiving an authentication request including a ticket (¶0066 “Authentication messages, also referred to herein as secure tickets, may be any messages exchanged between network entities in an authentication protocol. For example, in a computer network operating according to the Kerberos protocol, authentication messages may include any of KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ, KRB_TGS_REP, KRB_AP_REQ, and KRB_AP_REQ messages”); 
decrypting the authentication request and the ticket (¶0220 “administrative server 1318 may be accessed by detection system 1302 to, for example, obtain data used in decryption of the encrypted portion of the security access ticket, in parsing the decrypted data, and/or in analyzing the parsed decrypted data, as described herein”);
extracting a validity start time, a validity end time, and a principal name from the ticket (¶0250 “Kerberos Time field: specifies, for example, one or more of: the start time after which the ticket is valid, end time containing the expiration time after which the ticket will no longer be honored”); 
calculating a validity period based on the validity start time and the validity end time (¶0239 “As another example, the value of the start time field minus the value of the end time field may be according to the value defined for ticket lifetime by the implementation of the protocol”); 
extracting validation information from the authentication request including (i) a user security ID, (ii) a primary group identifier, and (iii) group membership data (¶0241 “The analysis may be performed by comparing the actual updated values obtained from the administrative server with corresponding values of the parsed decrypted data to identify inconsistencies”
“user information of an account of the client attempting to use the security access ticket to access a service of the service providing server. The user information may include, for example, logon credentials and/or group membership of the account. Other user information is possible as well”);  
retrieving, from a domain controller, a domain validity period and user information associated with the principal name (¶0248 “Principal Name: containing the name part of the client's principal identifier”), including (i) a user security ID, (ii) a user group identifier, and (iii) user group membership data (¶0241 “user information of an account of the client attempting to use the security access ticket to access a service of the service providing server. The user information may include, for example, logon credentials and/or group membership of the account. Other user information is possible as well”);
comparing the validation information and the user information (¶0241 “The analysis may be performed by comparing the actual updated values obtained from the administrative server with corresponding values of the parsed decrypted data to identify inconsistencies”); wherein the actual updated values are interpreted as the validation information and the corresponding values of the parsed decrypted data as the user information; 
However, DULKIN does not explicitly disclose the following limitation taught by PLOTNIK: and blocking the authentication request responsive to (i) determining that the validity period is greater than the domain validity period and/or (ii) identifying at least one difference between the validation information and the user information  
PLOTNIK discloses blocking the authorization request if there is a discrepancy between the two sets of information (the retrieved authentication information and the extracted authorization information) in (Fig. 4 Step 416, ¶0058 “Step 416—If a discrepancy is found, then a security event alert is invoked, alerting the relevant entities (e.g. SD administrator, security administer and/or other systems or modules) within the system to block the authorization request or otherwise deal with the security event”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN in claim 7 to include blocking the authorization request if there is a discrepancy between the two sets of information in the Kerberos protocol, as disclosed by PLOTNIK, and would have been motivated to do so because it prevents the use of an unauthorized ticket to gain access to the system.

However, DULKIN in view of PLOTNIK does not explicitly disclose the following limitation disclosed by BROWN: retrieving a domain validity period from a domain controller;
BROWN discloses the concept of a gateway server (GS) which constructs a ticket that comprises, among other information, the duration or time span during which the ticket is valid (the validity period) (BROWN, Column 11, lines 59-63 “the GS 416 preferably constructs 620 the ticket. As shown in FIG. 8, the ticket 800 preferably includes the Box ID 810 of the client 112 requesting the ticket, a version number 812, an expiration date 814 (or duration when the ticket is valid)”). Thus the gateway server plays the role of the domain controller or the KDC that issues tickets.
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN and PLOTNIK in claim 1 to include the concept of constructing tickets with a validity period or time span as disclosed by BROWN, and would have been motivated to do so because it enables the server to restrict access to network resources available on the user computer system (BROWN, column 1, lines 22-24).  
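The two checks the rejected claims describe (claim 7: decrypted ticket identity fields compared against the domain controller's record; claims 1 and 14: ticket lifetime derived from its start and end times compared against the domain validity period) are worked through below as an added example. This is illustrative code written for this page, not code from the application or from the DULKIN, PLOTNIK or BROWN references; the principal, SID, group RIDs, domain lifetime and ticket contents are all constructed sample values, and a dictionary stands in for the domain controller lookup.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TicketClaims:
    """Validation information parsed from the decrypted request and ticket."""
    principal: str
    user_sid: str
    primary_gid: int
    group_ids: FrozenSet[int]
    start_time: datetime
    end_time: datetime


@dataclass(frozen=True)
class DirectoryUser:
    """User information retrieved from the domain controller for a principal."""
    user_sid: str
    primary_gid: int
    group_ids: FrozenSet[int]


# Constructed stand-in for a domain controller lookup (hypothetical principal,
# SID and group RIDs; 513 is the conventional Domain Users RID, 512 Domain Admins).
DIRECTORY: Dict[str, DirectoryUser] = {
    "alice@EXAMPLE.TEST": DirectoryUser(
        user_sid="S-1-5-21-1111-2222-3333-1105",
        primary_gid=513,
        group_ids=frozenset({513, 1107}),
    ),
}
# Constructed domain policy: the "domain validity period" the claims compare against.
DOMAIN_MAX_TICKET_LIFETIME = timedelta(hours=10)


def check_validity_period(ticket: TicketClaims, domain_max: timedelta) -> List[str]:
    """Claims 1/14: validity period = end - start; block when it exceeds the domain value."""
    lifetime = ticket.end_time - ticket.start_time
    if lifetime <= timedelta(0):
        return ["ticket end time is not after its start time"]
    if lifetime > domain_max:
        return [f"ticket lifetime {lifetime} exceeds domain maximum {domain_max}"]
    return []


def check_identity_fields(ticket: TicketClaims, user: DirectoryUser) -> List[str]:
    """Claim 7: user SID, primary group and group membership must match the directory."""
    findings = []
    if ticket.user_sid != user.user_sid:
        findings.append(f"user SID {ticket.user_sid} != directory {user.user_sid}")
    if ticket.primary_gid != user.primary_gid:
        findings.append(f"primary group {ticket.primary_gid} != directory {user.primary_gid}")
    if ticket.group_ids != user.group_ids:
        diff = sorted(ticket.group_ids ^ user.group_ids)
        findings.append(f"group membership differs from directory on RIDs {diff}")
    return findings


def evaluate_request(ticket: TicketClaims,
                     directory: Dict[str, DirectoryUser] = DIRECTORY,
                     domain_max: timedelta = DOMAIN_MAX_TICKET_LIFETIME) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", findings); any single difference blocks the request."""
    user = directory.get(ticket.principal)
    if user is None:
        return "block", [f"principal {ticket.principal} unknown to the domain controller"]
    findings = check_validity_period(ticket, domain_max) + check_identity_fields(ticket, user)
    return ("block" if findings else "allow"), findings


T0 = datetime(2022, 6, 15, 8, 0, tzinfo=timezone.utc)

# Constructed ticket whose claims agree with the directory record and the policy.
CONSISTENT_TICKET = TicketClaims(
    principal="alice@EXAMPLE.TEST", user_sid="S-1-5-21-1111-2222-3333-1105",
    primary_gid=513, group_ids=frozenset({513, 1107}),
    start_time=T0, end_time=T0 + timedelta(hours=10),
)

# Constructed ticket whose claims disagree on both counts: a ten-year lifetime and
# a group (512) the directory does not grant; both differences are reported.
INCONSISTENT_TICKET = TicketClaims(
    principal="alice@EXAMPLE.TEST", user_sid="S-1-5-21-1111-2222-3333-1105",
    primary_gid=513, group_ids=frozenset({513, 1107, 512}),
    start_time=T0, end_time=T0 + timedelta(days=3650),
)

if __name__ == "__main__":
    for t in (CONSISTENT_TICKET, INCONSISTENT_TICKET):
        decision, why = evaluate_request(t)
        print(decision, why)
```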

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160330220 to DULKIN and Lazarovitz (hereinafter DULKIN) in view of U.S. PGPub. No. 20160065565 to PLOTNIK et al. (hereinafter PLOTNIK) and further in view of U.S. Pat. No. 7730137 to TOOMEY Christopher (hereinafter TOOMEY).

Regarding claim 8, DULKIN in view of PLOTNIK discloses the method of claim 7. DULKIN further discloses further comprising: 
extracting at least one request time stamp including one or more of a log on time, a log off time, a kick off time, a last successful log on time, a last failed log on time, and a password last set time (DULKIN ¶0268-¶0271);   
However, DULKIN does not explicitly disclose the following limitation taught by PLOTNIK: and blocking the authentication request:  
PLOTNIK discloses blocking the authorization request if there is a discrepancy between the two sets of information (the retrieved authentication information and the extracted authorization information) in (Fig. 4 Step 416, ¶0058 “Step 416—If a discrepancy is found, then a security event alert is invoked, alerting the relevant entities (e.g. SD administrator, security administer and/or other systems or modules) within the system to block the authorization request or otherwise deal with the security event”).
 Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN in claim 7 to include blocking the authorization request if there is a discrepancy between the two sets of information in the Kerberos protocol, as disclosed by PLOTNIK, and would have been motivated to do so because it prevents the use of an unauthorized ticket to gain access to the system.

 However, DULKIN in view of PLOTNIK does not explicitly disclose the following limitation taught by TOOMEY:
 comparing the request time stamp to a corresponding default time stamp value; and
determining that the request time stamp matches the corresponding default time stamp value; 
TOOMEY discloses comparing the included time stamp from the ticket to the time stamp as it is stored when the ticket’s validity is determined in (Col. 2, lines 1-7 “A time stamp may be stored, the time stamp being of an electronic message that was most recently sent for the entity. Generating the ticket may involve including in the ticket the time stamp as it is stored when the ticket is generated. Determining whether the ticket is valid may include comparing the included time stamp from the ticket to the time stamp as it is stored when the ticket’s validity is determined”).
 	TOOMEY discloses comparing the determined time stamp with the time stamp in the ticket by the email service provider to determine the validity of the ticket (TOOMEY, Col. 6, lines 6-14 “The email service provider compares the determined time stamp with the time stamp in the ticket. If the two time stamps are the same, then the ticket is considered to be valid and the email service provider approves the email message for sending to the intended recipients. However, if the two time stamps are not the same, then the ticket is considered to be invalid and the email service provider may refuse to approve or may delay approving the email message for sending to the intended recipients”). 
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of DULKIN and PLOTNIK in claim 7 to include the concept of comparing the time stamps in the tickets with the stored time stamps for the tickets as disclosed by TOOMEY, and would have been motivated to do so because it enables the email service provider to validate the tickets associated with the electronic message before sending the message to the recipient, thereby restricting the volume of outgoing email in the system (TOOMEY, abstract, in part).   
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. PGPub No. 20020049912, 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/PONNOREAY PICH/Primary Examiner, Art Unit 2495