DETAILED ACTION
This communication is responsive to Application No. 16/731,506 filed on December 31, 2019. Claims 1-20 are pending and are directed towards METHOD AND SYSTEM FOR MONITORING FOR AND BLOCKING FRAUDULENT ATTEMPTS TO LOG INTO REMOTE SERVICES USING LIST VALIDATION ATTACKS.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The disclosure is objected to because of the following informalities: 
In the Spec, in many paragraphs (such as [0023], [0025], [0026], [0028]-[0030], [0032], [0035], [0041] and many others) the reference numbers of the following elements are not cited correctly:
Remote resource 130 should rather be 140.
Application server 120 should rather be 130. 
Remote resource authentication service 124 should rather be 134.
Login attempt data store 140 should rather be 150.   
Client-side application 132 should rather be 112.
In the Spec, para [0050] “At block 360” should rather be “At block 260”.
Appropriate correction is required.
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc. In particular, the phrase “Certain aspects of the present disclosure provide...” should be avoided.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 2-7, 9-14 and 19-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 2, 4-6, 9, 11-13 recite the limitation "the maximum number of login attempts".  There is insufficient antecedent basis for this limitation in the claim.
Claims 3, 4, 7, 10, 11, 14 recite the limitation "the maximum predicted distance".  There is insufficient antecedent basis for this limitation in the claim.
Claim 19 recites the limitation “wherein the first machine learning model is generated by: […] and training a machine learning model” which is vague and not clear. It is not understood whether the trained machine learning model is the same first machine learning model or a different model. 
Claim 20 recites the limitation “wherein the second machine learning model is generated by: […] and training a machine learning model” which is vague and not clear. It is not understood whether the trained machine learning model is the same second machine learning model or a different model. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-5 and 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov et al. US 2019/0384897 A1 (hereinafter “Urmanov”) in view of Boodaei US 2020/0134165 A1 (hereinafter “Boodaei”) and further in view of Yang US 9,148,424 (hereinafter “Yang”).

As per claims 1 and 8, Urmanov teaches a method for monitoring for fraudulent login attempts to remote services through an application (a system that detects a username guessing attack. Urmanov, para [0006]), comprising: 
receiving a request to connect an application to a remote service, the request comprising a user identifier, a username and a password (the system receives authentication events. Urmanov, para [0041]) (one rule can be used to represent all authentication events, which originate from the same user, use the same IP address, and request access to a specific computing resource. Urmanov, para [0029]) (a user provides user credentials 302, which include a username 304 and a password 306. Urmanov, para [0042]); 
incrementing a login attempt counter tracking a number of attempts by a user associated with the user identifier to connect the application to one or more remote services (if the number of valid usernames is one or less. Urmanov, para [0044]) (if the number of valid usernames is greater than one. Urmanov, para [0045]) [which indicates a counter being incremented to detect the number of valid usernames or valid login attempt]; and 
based on determining that the login attempt counter exceeds a threshold number of login attempts: comparing the username included in the request to a username included in a previous request by the user to connect the application to the remote service (the system analyzes the formation in several stages. In a first stage, all usernames in the formation are validated against a current username directory to determine the number of formation members with valid usernames (step 404). If there exist two or more valid usernames, the formation is rejected. This is a first rejection (step 408) […] On the other hand, if none of the formation members has a valid username, the system checks if at least one formation member has a close match to a valid username. Urmanov, para [0036]-[0037]), and 
based on determining that the username included in the request is different from the username included in the previous request: calculating a distance between the username included in the request and the username included in the previous request (a pairwise edit distance can be computed among usernames for all pairs or members in the formation, and the minimum, average and maximum of such edit distances can be computed. Note that a number of different “string distance” metrics can be used as the edit distance, such as the Levenshtein distance, or a custom string distance, which is engineered to measure the differences among variations of the same username. The computed statistics then are converted into the username similarity score, which indicates how likely it is that a set of usernames represents variations of the same username. Urmanov, para [0037]) (the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. Urmanov, para [0044]), and 
taking one or more actions to process the request to connect the application to the remote service based on determining whether the calculated distance between the username included in the request and the username included in the previous request exceeds a threshold distance (If the username similarity score exceeds a threshold value, the system reports a potential username guessing attack. Urmanov, para [0044]). 
Urmanov does not explicitly teach the threshold number of login attempts being determined based on a predictive model trained to predict the threshold number of login attempts based on a training data set of numbers of login attempts correlated with indications of fraudulent or non-fraudulent activity. 
However, Yang discloses the threshold number of login attempts being determined based on a predictive model trained to predict the threshold number of login attempts based on a training data set of numbers of login attempts correlated with indications of fraudulent or non-fraudulent activity (The threshold values X, Y, and Z may be determined by an operator selection, using training data, using a feedback system during operation to identify initial values and update the values during operation, or using any combination of these along with any other such threshold selection operation. Yang, Col. 8 lines 1-6) (Once analysis module 166 gathers the relevant previous login history data from history module 164 in operation 206, operation 208 then involves using this information with the information from the login request in determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold. The credential security threshold may be a value set by system 130 design, by an adjustable value of system 130 settings, or by an automated system that may use feedback from false positives and false negatives identified later to update the threshold value in a feedback loop. Yang, Col. 6 lines 38-48) (implement an edit distance analysis as follows: (A) given N login requests that are ordered by timestamps, compute TotalEditDistance=SUM(edit distance of username i and username i+1) for i=1 to N-1 (1) and TotalUsernameLength=SUM(length of username i) for i=1 to N (2) where N is the total number of login requests from the same IP address within a threshold time period. Yang, Col. 7 lines 9-19).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Urmanov in view of Yang. One would be motivated to do so, to increase the accuracy and the security of the system by adjusting the threshold of the total number of login attempts. (Yang, Col. 6 lines 9-19).
Urmanov does not explicitly teach the threshold distance being determined based on a predictive model trained to predict the threshold distance based on a training data set of distances between usernames in successive login attempts correlated with indications of fraudulent or non-fraudulent activity. 
However, Boodaei teaches the threshold distance being determined based on a predictive model trained to predict the threshold distance based on a training data set of distances between usernames in successive login attempts correlated with indications of fraudulent or non-fraudulent activity (Generating the statistical analytics for the authentication processes may allow dynamically adjusting the security policy associated with the secure service to fine tune one or more of the threshold values according to the typical patterns and/or characteristic(s) identified by analyzing a very large number of authentication processes conducted by a plurality of users. Boodaei, para [0023]) (statistical analytics are generated based on analysis of data collected and/or generated during analysis of a plurality of authentication processes conducted by a plurality of users, in particular based on analysis of the pattern(s) and characteristic(s) detected during the plurality of authentication processes as typical to the legitimate users. Moreover, the security policy associated with the secure service, specifically one or more of the risk score assigned values and/or thresholds values may be updated and/or adjusted according to the generated analytics. Boodaei, para [0042]-[0048])(the risk evaluator 222 calculates the Levenshtein distance between the incorrect authentication credentials provided in the current failed access attempt and each of the previously provided incorrect authentication credentials. Boodaei, para [0089]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Boodaei and apply it on usernames. One would be motivated to do so, to increase the security of the system and the accuracy of the prediction by adjusting the threshold distance value. (Boodaei, para [0042]).

As per claims 2 and 9, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8. Urmanov does not explicitly teach the method further comprising: based on determining that the login attempt counter is less than the maximum number of login attempts predicted to correspond to legitimate login activity in the application, executing the request to connect the application to the remote service without calculating a distance between the username in the request and the username in the previous request, wherein the login attempt counter tracks a total number of login attempts performed by a user over a total amount of time the user has used the application. 
However, Yang teaches based on determining that the login attempt counter is less than the maximum number of login attempts predicted to correspond to legitimate login activity in the application, executing the request to connect the application to the remote service without calculating a distance between the username in the request and the username in the previous request, wherein the login attempt counter tracks a total number of login attempts performed by a user over a total amount of time the user has used the application (operation 208 then involves using this information with the information from the login request in determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold. […], the threshold value is selected to prevent IP addresses shared by multiple users 106 or repeated login attempts from one or more users 106 attempting to remember a password from generating excessive numbers of false positives. Operation 210 then involves determining that a number of usernames associated with the total number of login requests is above a username threshold [which implies that if the total number of login attempts is below the threshold, there is no need to calculate the distance (which is the default case for successful login in any system)]. Such a username threshold prevents typos of attempts by a user 106 to log-in with multiple similar usernames from triggering a false positive security event. In certain embodiments, multiple failed login attempts may occur with different but very similar usernames. Yang, Col. 6 lines 40-59; see also Col. 7 lines 56-67).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, for the obvious reason of allowing access to the remote resources when the number of login attempts is below the threshold value. 

As per claims 3 and 10, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8, wherein: the calculated distance between the username in the request and the username in the previous request exceeds the maximum predicted distance, and the taking one or more actions to process the request comprises dropping the request such that the request to connect the application with the remote service is not forwarded to the remote service for execution (the username similarity score is a function of a string distance between usernames in the formation. If the username similarity score exceeds a threshold value, the system reports a potential username guessing attack. Urmanov, para [0006]) (detecting guided username guessing attacks as early as possible to prevent unauthorized accesses to online resources. Urmanov, para [0005]).

As per claims 4 and 11, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8, wherein: 
the calculated distance between the username in the request and the username in the previous request is less than the maximum predicted distance (If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username. Urmanov, para [0037]); 
determining that the request corresponds to legitimate activity based on determining that the login attempt counter exceeds the maximum number of login attempts predicted to correspond to legitimate login activity in the application but that the calculated distance between the username in the request and the username in the previous request is less than the maximum predicted distance (if the number of valid usernames is one or less [which implies that the number of invalid usernames during the login attempts exceeds the threshold], the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. Urmanov, para [0006]) (If the similarity score exceeds the threshold, the system reports the cluster as possibly containing a username guessing attack, If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username. Urmanov, para [0037]); and 
the taking one or more actions to process the request comprises authenticating with the remote service based on the username and password in the request based on the determination that the request corresponds to legitimate activity (If the similarity score exceeds the threshold, the system reports the cluster as possibly containing a username guessing attack, If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username [which implies that the request is processed based on valid username and password]. Urmanov, para [0037]).

As per claims 5 and 12, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8, further comprising: 
based on a determination that the username in the request and the username in the previous request are identical (If the similarity score does not exceed the threshold [which could be zero, corresponding to identical usernames], it is likely that a legitimate user has simply mistyped their username. Urmanov, para [0037]): 
determining that the request corresponds to legitimate activity based on determining that the login attempt counter exceeds the maximum number of login attempts predicted to correspond to legitimate login activity in the application but that the username in the request and the username in the previous request are identical (if the number of valid usernames is one or less [which implies that the number of invalid usernames during the login attempts exceeds the threshold], the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. Urmanov, para [0006]) (If the similarity score exceeds the threshold, the system reports the cluster as possibly containing a username guessing attack, If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username. Urmanov, para [0037]), and 
authenticating with the remote service based on the username and password in the request based on the determination that the request corresponds to legitimate activity (If the similarity score exceeds the threshold, the system reports the cluster as possibly containing a username guessing attack, If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username [which implies that the request is processed based on valid username and password]. Urmanov, para [0037]).
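
The flow recited in claims 1-5 (attempt counter, comparison with the previous username, distance test, forward or drop), together with the TotalEditDistance and TotalUsernameLength sums quoted from Yang, as an added Python example; it is not code from the application or from any cited reference. `LoginMonitor`, its fixed `max_attempts` and `max_distance` values (stand-ins for the model-predicted thresholds) and the sample usernames are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def yang_totals(usernames):
    """Sums (1) and (2) quoted from Yang over N timestamp-ordered requests:
    TotalEditDistance over successive pairs, TotalUsernameLength over all."""
    total_edit = sum(levenshtein(usernames[i], usernames[i + 1])
                     for i in range(len(usernames) - 1))
    total_len = sum(len(u) for u in usernames)
    return total_edit, total_len


@dataclass
class LoginMonitor:
    """Hypothetical monitor sitting between the application and the remote service.

    max_attempts and max_distance are fixed numbers here (assumption); the
    claims have them predicted by trained models.
    """
    max_attempts: int
    max_distance: int
    counters: dict = field(default_factory=dict)
    last_username: dict = field(default_factory=dict)

    def process(self, user_id: str, username: str) -> str:
        """Return "forward" or "drop" for one connection request.

        The password in the request is not needed for the decision and is
        deliberately neither inspected nor stored.
        """
        count = self.counters.get(user_id, 0) + 1
        self.counters[user_id] = count
        previous = self.last_username.get(user_id)
        self.last_username[user_id] = username

        # Claims 2/9: at or below the attempt threshold, no distance is computed.
        if count <= self.max_attempts:
            return "forward"
        # Claims 5/12: identical username in successive requests is legitimate.
        if previous is None or previous == username:
            return "forward"
        # Claims 3/10: distance above the threshold, request is not forwarded.
        if levenshtein(username, previous) > self.max_distance:
            return "drop"
        # Claims 4/11: small distance (e.g. a typo) is treated as legitimate.
        return "forward"


def decisions(monitor: LoginMonitor, user_id: str, usernames):
    """Feed a timestamp-ordered list of usernames through the monitor."""
    return [monitor.process(user_id, u) for u in usernames]


# Constructed sample data: one user mistyping a username, one cycling a list.
TYPO_SEQUENCE = ["jsmith", "jsmiht", "jsmith", "j.smith"]
LIST_SEQUENCE = ["jsmith", "maria.lopez", "k_tanaka77", "bob"]

if __name__ == "__main__":
    m = LoginMonitor(max_attempts=2, max_distance=3)
    print("typo user:", decisions(m, "u1", TYPO_SEQUENCE))
    print("list user:", decisions(m, "u2", LIST_SEQUENCE))
    print("Yang totals (typo):", yang_totals(TYPO_SEQUENCE))
    print("Yang totals (list):", yang_totals(LIST_SEQUENCE))
```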

Claim(s) 6-7, 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov in view of Boodaei and further in view of Yang and further in view of Banerjee et al. US 2010/0186088 A1 (hereinafter “Banerjee”).

As per claims 6 and 13, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8. Urmanov teaches obtaining, from an application log, a historical connection request data set, each connection request in the historical connection request data set including at least user identifier information, username information, and remote service identification information (The entire authentication history of a user can be represented by a rule set comprising rules corresponding to the user's authentication attempts. For example, given the authentication events for users UA and UB, which appear in Table 1 A(time=t1; username=UA; address=IP1; resource=R1; status=S). Urmanov, para [0030] and Table 1); 
Urmanov does not explicitly teach wherein the maximum number of login attempts predicted to correspond to legitimate login activity in the application is determined by: generating a training data set by augmenting the obtained historical connection request data set with information about requests to connect an application to remote services known to be fraudulent; and training a machine learning model based on the training data set to predict a maximum number of attempts to connect the application to the remote service that corresponds to legitimate login activity.
However, Yang teaches wherein the maximum number of login attempts predicted to correspond to legitimate login activity in the application is determined by: obtaining, from an application log, a historical connection request data set (Once analysis module 166 gathers the relevant previous login history data from history module 164 in operation 206, operation 208 then involves using this information with the information from the login request in determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold. The credential security threshold may be a value set by system 130 design, by an adjustable value of system 130 settings, or by an automated system that may use feedback from false positives and false negatives identified later to update the threshold value in a feedback loop. Yang, Col. 6 lines 38-48); 
generating a training data set by augmenting the obtained historical connection request data set with information about requests to connect an application to remote services known to be fraudulent (The login request data may be used with the history data in analyzing a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. Yang, Col. 6 lines 25-32) (The threshold values X, Y, and Z may be determined by an operator selection, using training data, using a feedback system during operation to identify initial values and update the values during operation, or using any combination of these along with any other such threshold selection operation. Yang, Col. 8 lines 1-6).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, to increase the accuracy and the security of the system by adjusting the threshold of the total number of login attempts using current and historical data. (Yang, Col. 6 lines 9-19).
Urmanov does not explicitly teach training a machine learning model based on the training data set to predict a maximum number of attempts to connect the application to the remote service that corresponds to legitimate login activity.
However, using machine learning to predict thresholds and threat scores is well known in the art. Banerjee teaches training a machine learning model based on the training data set to predict a maximum number of attempts to connect the application to the remote service that corresponds to legitimate login activity (The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest), which are trained on spatio-temporal profiles of a set of good and bad sites. The updated score is reported to the decision logic module 204. The spatio-temporal module score process 600 includes processing any feedback 604 received, and using the feedback to adjust analysis and update the threat score. Banerjee, para [0121]) (The present system is tunable and adaptive. It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user. Banerjee, para [0153]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Banerjee. One would be motivated to do so, to continuously improve on the accuracy of the system and customize it to the needs of the user. (Banerjee, para [0153]).

As per claims 7 and 14, Urmanov, Yang and Boodaei teach the method of Claims 1 and 8. Urmanov does not explicitly teach wherein the maximum predicted distance between usernames in successive requests that corresponds to legitimate login activity in the application is determined by: generating a training data set of distances between usernames included successive login attempts associated with a user identifier in the application; augmenting the training data set with information about requests to connect an application to remote services known to be fraudulent. 
However, Yang teaches wherein the maximum predicted distance between usernames in successive requests that corresponds to legitimate login activity in the application is determined by: generating a training data set of distances between usernames included successive login attempts associated with a user identifier in the application (The threshold values X, Y, and Z [the edit distance ratio threshold] may be determined by an operator selection, using training data, using a feedback system during operation to identify initial values and update the values during operation, or using any combination of these along with any other such threshold selection operation. Yang, Col. 8 lines 1-6); 
augmenting the training data set with information about requests to connect an application to remote services known to be fraudulent (The login request data may be used with the history data in analyzing a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. Yang, Col. 6 lines 25-32).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, to increase the accuracy and the security of the system by adjusting the threshold of the total number of login attempts using current and historical data. (Yang, Col. 6 lines 9-19).
Urmanov does not explicitly teach training a machine learning model based on the augmented training data set to predict a maximum distance between usernames included in successive requests that corresponds to legitimate login activity.
However, using machine learning to predict thresholds and threat scores is well known in the art. Banerjee teaches training a machine learning model based on the augmented training data set to predict a maximum distance between usernames included in successive requests that corresponds to legitimate login activity (The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest), which are trained on spatio-temporal profiles of a set of good and bad sites. The updated score is reported to the decision logic module 204. The spatio-temporal module score process 600 includes processing any feedback 604 received, and using the feedback to adjust analysis and update the threat score. Banerjee, para [0121]) (The present system is tunable and adaptive. It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user. Banerjee, para [0153]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Banerjee. One would be motivated to do so, to continuously improve on the accuracy of the system and customize it to the needs of the user. (Banerjee, para [0153]).

Claim(s) 15 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov in view of Banerjee.

As per claim 15, Urmanov teaches a method for monitoring for fraudulent login attempts to remote services through an application (a system that detects a username guessing attack. Urmanov, para [0006]), comprising: 
receiving a request to connect an application to a remote service, the request comprising a user identifier, a username and a password (the system receives authentication events. Urmanov, para [0041]) (one rule can be used to represent all authentication events, which originate from the same user, use the same IP address, and request access to a specific computing resource. Urmanov, para [0029]) (a user provides user credentials 302, which include a username 304 and a password 306. Urmanov, para [0042]); 
incrementing a login attempt counter tracking a number of attempts by a user associated with the user identifier to connect the application to one or more remote services (if the number of valid usernames is one or less. Urmanov, para [0044]) (if the number of valid usernames is greater than one. Urmanov, para [0045]) [which indicates a counter being incremented to detect the number of valid usernames or valid login attempt]; and 
taking one or more actions to process the request based on predictions generated by a first model trained to predict whether a value of the login attempt counter is indicative of potentially fraudulent activity and a second model trained to predict whether a difference between the username in the request and a username in a previous request is indicative of fraudulent activity (the system analyzes the formation in several stages. In a first stage, all usernames in the formation are validated against a current username directory to determine the number of formation members with valid usernames (step 404). If there exist two or more valid usernames, the formation is rejected. This is a first rejection (step 408) […] On the other hand, if none of the formation members has a valid username, the system checks if at least one formation member has a close match to a valid username. Urmanov, para [0036]-[0037]), (a pairwise edit distance can be computed among usernames for all pairs or members in the formation, and the minimum, average and maximum of such edit distances can be computed. Note that a number of different “string distance” metrics can be used as the edit distance, such as the Levenshtein distance, or a custom string distance, which is engineered to measure the differences among variations of the same username. The computed statistics then are converted into the username similarity score, which indicates how likely it is that a set of usernames represents variations of the same username. Urmanov, para [0037]) (the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. Urmanov, para [0044]).
Urmanov does not explicitly teach a first/second machine learning model to predict a value indicative of potentially fraudulent activity.
However, using machine learning to predict thresholds and threat scores is well known in the art. Banerjee teaches a first/second machine learning model to predict a value indicative of potentially fraudulent activity (The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest), which are trained on spatio-temporal profiles of a set of good and bad sites. The updated score is reported to the decision logic module 204. The spatio-temporal module score process 600 includes processing any feedback 604 received, and using the feedback to adjust analysis and update the threat score. Banerjee, para [0121]) (The present system is tunable and adaptive. It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user. Banerjee, para [0153]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Banerjee. One would be motivated to do so, to continuously improve on the accuracy of the system and customize it to the needs of the user. (Banerjee, para [0153]).
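The staged formation analysis quoted from Urmanov above (valid-username count, pairwise edit distances, similarity score against a threshold) can be sketched as follows. This is an added illustration, not code from Urmanov, Banerjee or the application; the score conversion, both threshold values, the outcome labels and the sample usernames are assumptions constructed for the example.

```python
from itertools import combinations

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def distance_stats(names):
    """Minimum, average and maximum pairwise edit distance in a formation."""
    d = [levenshtein(x, y) for x, y in combinations(names, 2)]
    return min(d), sum(d) / len(d), max(d)

def similarity_score(names):
    """Assumed conversion: 1 - (average distance / longest username), in [0, 1]."""
    _, avg, _ = distance_stats(names)
    return 1.0 - min(1.0, avg / max(len(n) for n in names))

def analyze_formation(usernames, directory, score_threshold=0.6, close_match=2):
    """Return 'rejected', 'report' or 'no-report' for one formation.

    score_threshold and close_match are assumed values, not from the references.
    """
    names = sorted(set(usernames))
    valid = [n for n in names if n in directory]
    # First stage: two or more valid usernames -> formation is rejected.
    if len(valid) >= 2:
        return "rejected"
    # A single distinct username gives no pair to compare.
    if len(names) < 2:
        return "rejected"
    # No valid member: require at least one close match to a valid username.
    if not valid and not any(levenshtein(n, v) <= close_match
                             for n in names for v in directory):
        return "rejected"
    # Similarity above the threshold -> possible username guessing attack.
    return "report" if similarity_score(names) > score_threshold else "no-report"

# Constructed sample data.
DIRECTORY = {"jsmith", "adoe", "mbrown"}
VARIATIONS = ["jsmith", "jsmith1", "j.smith", "jsmiht"]   # one valid, rest variants
TWO_VALID = ["jsmith", "adoe", "jsmith1"]                 # two valid usernames
NEAR_MISSES = ["jsmit", "jsmiht", "jsmith1"]              # none valid, close matches
UNRELATED = ["qwerty12", "zzz", "letmein"]                # none valid, no close match
DISSIMILAR = ["jsmith", "administrator", "guest"]         # one valid, low similarity

if __name__ == "__main__":
    for f in (VARIATIONS, TWO_VALID, NEAR_MISSES, UNRELATED, DISSIMILAR):
        print(f, "->", analyze_formation(f, DIRECTORY))
```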

As per claim 17, Urmanov and Banerjee teach the method of Claim 15, wherein the taking one or more actions to process the request comprises attempting to authenticate with the remote service using the username and password identified in the request based on a prediction by the first machine learning model that the value of the login attempt counter indicates that the request corresponds to potentially fraudulent activity and a prediction by the second machine learning model that the difference between the username in the request and a username in a previous request corresponds to legitimate activity (if the number of valid usernames is one or less [which implies that the number of invalid usernames during the login attempts exceed the threshold], the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. Urmanov, para [0006]) (If the similarity score exceeds the threshold, the system reports the cluster as possibly containing a username guessing attack, If the similarity score does not exceed the threshold, it is likely that a legitimate user has simply mistyped their username. Urmanov, para [0037]).

As per claim 18, Urmanov and Banerjee teach the method of Claim 15, wherein the taking one or more actions to process the request comprises dropping the request to connect the application with the remote service based on a prediction by the first machine learning model that the value of the login attempt counter indicates that the request corresponds to potentially fraudulent activity and a prediction by the second machine learning model that the difference between the username in the request and a username in a previous request corresponds to fraudulent activity (if the number of valid usernames is one or less [which implies that the number of invalid usernames during the login attempts exceed the threshold], the system computes a username similarity score for authentication events in the formation, wherein the username similarity score is a function of a string distance between usernames in the formation. If the username similarity score exceeds a threshold value, the system reports a potential username guessing attack. Urmanov, para [0006]) (detecting guided username guessing attacks as early as possible to prevent unauthorized accesses to online resources. Urmanov, para [0005]).

Claim(s) 16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov in view of Banerjee and further in view of Yang.

As per claim 16, Urmanov and Banerjee teach the method of Claim 15. Urmanov does not explicitly teach wherein the taking one or more actions to process the request comprises attempting to authenticate with the remote service using the username and password identified in the request based on a prediction machine learning model that the value of the login attempt counter indicates that the request corresponds to legitimate activity.
However, Yang teaches wherein the taking one or more actions to process the request comprises attempting to authenticate with the remote service using the username and password identified in the request based on a prediction machine learning model that the value of the login attempt counter indicates that the request corresponds to legitimate activity (operation 208 then involves using this information with the information from the login request in determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold. […], the threshold value is selected to prevent IP addresses shared by multiple users 106 or repeated login attempts from one or more users 106 attempting to remember a password from generating excessive numbers of false positives. Operation 210 then involves determining that a number of usernames associated with the total number of login requests is above a username threshold [which implies that if the total number of logins attempts below the threshold, the user is authenticated and no need for calculating the distance (which is the default case for successful login in any system)]. Such a username threshold prevents typos of attempts by a user 106 to log-in with multiple similar usernames from triggering a false positive security event. In certain embodiments, multiple failed login attempts may occur with different but very similar usernames. Yang, Col. 6 lines 40-59 see also, Col. 7 lines 56-67).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, for the obvious reason of allowing access to the remote resources when the number of login attempts is below the threshold value. 

As per claim 19, Urmanov and Banerjee teach the method of Claim 15. Urmanov teaches obtaining, from an application log, a historical connection request data set, each connection request in the historical connection request data set including at least user identifier information, username information, and remote service identification information (The entire authentication history of a user can be represented by a rule set comprising rules corresponding to the user's authentication attempts. For example, given the authentication events for users UA and UB, which appear in Table 1 A(time=t1; username=UA; address=IP1; resource=R1; status=S). Urmanov, para [0030] and Table 1); 
Urmanov does not explicitly teach wherein the first machine learning model is generated by: generating a training data set by augmenting the obtained historical connection request data set with information about requests to connect an application to remote services known to be fraudulent.
However, Yang teaches generating a training data set by augmenting the obtained historical connection request data set with information about requests to connect an application to remote services known to be fraudulent (Once analysis module 166 gathers the relevant previous login history data from history module 164 in operation 206, operation 208 then involves using this information with the information from the login request in determining that a total number of login requests from the first IP address within the threshold time period is above a credential security threshold. The credential security threshold may be a value set by system 130 design, by an adjustable value of system 130 settings, or by an automated system that may use feedback from false positives and false negatives identified later to update the threshold value in a feedback loop. Yang, Col. 6 lines 38-48) (The login request data may be used with the history data in analyzing a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. Yang, Col. 6 lines 25-32) (The threshold values X, Y, and Z may be determined by an operator selection, using training data, using a feedback system during operation to identify initial values and update the values during operation, or using any combination of these along with any other such threshold selection operation. Yang, Col. 8 lines 1-6).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, to increase the accuracy and the security of the system by adjusting the threshold of the total number of login attempts using current and historical data. (Yang, Col. 6 lines 9-19).
Urmanov does not explicitly teach training a machine learning model based on the training data set to predict a maximum number of attempts to connect the application to the remote service that corresponds to legitimate login activity.
However, using machine learning to predict thresholds and threat scores is well known in the art. Banerjee teaches training a machine learning model based on the training data set to predict a maximum number of attempts to connect the application to the remote service that corresponds to legitimate login activity (The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest), which are trained on spatio-temporal profiles of a set of good and bad sites. The updated score is reported to the decision logic module 204. The spatio-temporal module score process 600 includes processing any feedback 604 received, and using the feedback to adjust analysis and update the threat score. Banerjee, para [0121]) (The present system is tunable and adaptive. It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user. Banerjee, para [0153]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Banerjee. One would be motivated to do so, to continuously improve on the accuracy of the system and customize it to the needs of the user. (Banerjee, para [0153]).

As per claim 20, Urmanov and Banerjee teach the method of Claim 15. Urmanov does not explicitly teach wherein the second machine learning model is generated by: generating a training data set of distances between usernames included successive login attempts associated with a user identifier in the application; augmenting the training data set with information about requests to connect an application to remote services known to be fraudulent.
However, Yang teaches wherein the second machine learning model is generated by: generating a training data set of distances between usernames included successive login attempts associated with a user identifier in the application (The threshold values X, Y, and Z [the edit distance ratio threshold] may be determined by an operator selection, using training data, using a feedback system during operation to identify initial values and update the values during operation, or using any combination of these along with any other such threshold selection operation. Yang, Col. 8 lines 1-6);
augmenting the training data set with information about requests to connect an application to remote services known to be fraudulent (The login request data may be used with the history data in analyzing a login history comprising login request data for the server computer to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. Yang, Col. 6 lines 25-32).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Yang. One would be motivated to do so, to increase the accuracy and the security of the system by adjusting the threshold of the total number of login attempts using current and historical data. (Yang, Col. 6 lines 9-19).
Urmanov does not explicitly teach training a machine learning model based on the augmented training data set to predict a maximum distance between usernames included in successive requests that corresponds to legitimate login activity.
However, using machine learning to predict thresholds and threat scores is well known in the art. Banerjee teaches training a machine learning model based on the augmented training data set to predict a maximum distance between usernames included in successive requests that corresponds to legitimate login activity (The module updates its threat score 603 calculation according to any of the many machine learning algorithms (Bayesian Networks, Support Vector Machines, decisions trees, decision forest), which are trained on spatio-temporal profiles of a set of good and bad sites. The updated score is reported to the decision logic module 204. The spatio-temporal module score process 600 includes processing any feedback 604 received, and using the feedback to adjust analysis and update the threat score. Banerjee, para [0121]) (The present system is tunable and adaptive. It uses a variety of thresholds and parameters that are tunable. It can evolve using machine learning algorithms and user input over a period of time to continuously improve on the accuracy of the system and customize it to the needs of the user. Banerjee, para [0153]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Urmanov in view of Banerjee. One would be motivated to do so, to continuously improve on the accuracy of the system and customize it to the needs of the user. (Banerjee, para [0153]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
A. Kaidi US 2020/0396239 A1 directed to security risk evaluation for user accounts.
B. Domenikos et al. US 2010/0293090 A1 directed to systems for determining fraud probability scores and identity health scores.
C. Israel et al. US 2018/0302430 A1 directed to system for detecting creation of malicious new user accounts by an attacker. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492