DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
NO restriction warranted at applicant’s initial time of filing for patent. 
Priority
This application is a CON, and applicant claim[s] domestic priority under 35 USC 120 to US application # 14706963, filed on 05/08/2015, now US PAT # 11025625
Information Disclosure Statement
Applicant filed NO information disclosure statement (IDS) at time of filing of the CON for patent. 
Drawings
Applicant’s drawings filed on 06/01/2021 have been inspected and are in compliance with MPEP 608.02. 
Specification
Applicant’s specification filed on 06/01/2021 has been considered, and is in compliance with MPEP 608.01. 
Claim Objections
Claim[s] 32 is objected to because of the following informalities:  this claim depends from cancelled claim 12. 
Appropriate correction is required.
Claim Interpretation – 35 USC 112th 6th or F
It is in the examiner’s opinion that claim[s] 20 – 42 do not invoke means for or step plus functional claim language. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim[s] 22 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  
	The examiner points out that the claim limitation of: “……wherein performing the CAPTCHA process includes selecting the CAPTCHA based upon the client information,” of claim 22, inherently includes the actions of the claim limitation of: “performing captcha process based on the client information,” of base claim 20, line 4. 
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Appropriate action required. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim[s] 41 is rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 11 of U.S. Patent No. 10250629.
Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the patented subject matter in the following manner: 
	The operation of computer bot detection and human user access entail a determination if a client device has been identified as a bot based upon client information and a service policy residing in a database. The service policy is also utilized to determine if the client device is operating under control of a human user or operating autonomously based upon matching a captcha response to an expected captcha response.
	Also, see the table below for a side by side comparison. 
Pending US Application # 17/336176
US PAT # 10250629
41. A computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor of the computing device perform an access control process comprising:

receiving a service request from a client device;

extracting client information from the received service request;

determining if the client device has been identified as autonomously operated based upon the client information and a database; and

performing a CAPTCHA process based upon the client information and results of determining if the client device has been identified as autonomously operated.

11. A computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor module of the computing device perform a method comprising:

receiving, by a service gateway, a Service request from. a client device;

extracting, by the service gateway, client information from the received service request;

determining, by the service gateway, if the client device has been identified as a computer bot based upon the client information and a service policy,

selecting, by the service gateway, a captcha in response to the service request:

generating, by the service gateway, captcha instructions for the determined captcha,

generating, by the service gateway, an expected captcha response for the determined captcha:

sending, by the service gateway, the captcha instructions to the client device;

receiving, by the service gateway, a captcha response from the client device in response to the captcha instructions:

comparing, by the service gateway, the captcha response to the expected captcha response to determine a risk level associated with the client device operating autonomously;
and

if the client device has been identified as a computer bot, handling the
service request based upon whether the computer bot is a good computer bot;
and

if the client device has not been identified as a computer bot, handling the
service request based upon the risk level associated with the client device
operating autonomously.



Claim[s] 41 is rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 6 of U.S. Patent No. 10360365.
Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the patented subject matter in the following manner: 
	The operation of computer bot detection and human user access entail a determination if a client device has been identified as a bot based upon client information and a service policy residing in a database. The service policy is also utilized to determine if the client device is operating under control of a human user or operating autonomously based upon matching a captcha response to an expected captcha response.
Also, see the table below for a side by side comparison.
Pending US Application # 17/336176
US PAT # 10360365
41. A computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor of the computing device perform an access control process comprising:


receiving a service request from a client device;

extracting client information from the received service request;


determining if the client device has been identified as autonomously operated based upon the client information and a database; and

performing a CAPTCHA process based upon the client information and results of determining if the client device has been identified as autonomously operated.

6. A computing device for executing computing device executable instructions stored in computing storage module that when executed by a processor module of the computing device perform a method comprising:


receiving, by a service gateway, a Service request from a client device;


extracting, by the service gateway, client information from the received service request;


selecting, by the service gateway, a captcha based upon the client information and a client policy in response to the service request;

generating, by the service gateway, captcha instructions for the determined
captcha;

generating, by the service gateway, an expected captcha response for the
determined captcha;

sending, by the service gateway, the captcha instructions to the client device;

receiving, by the service gateway, a captcha response from the client device in response to the captcha instructions;

comparing, by the service gateway, the captcha response to the expected
captcha response to determine based on the service policy if the client device is operating under control of a user or operating autonomously; and

sending, by the service gateway, the service request to an appropriate server
device if the client device is operating under control of a user.



Claim[s] 41 is rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 9 of U.S. Patent No. 11025625. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the patented subject matter in the following manner: 
	The operation of computer bot detection and human user access entail a determination if a client device has been identified as a bot based upon client information and a service policy residing in a database. The service policy is also utilized to determine if the client device is operating under control of a human user or operating autonomously based upon matching a captcha response to an expected captcha response.
Also, see the table below for a side by side comparison.
Pending US Application # 17/336176
US PAT # 11025625
41. A computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor of the computing device perform an access control process comprising:

receiving a service request from a client device;

extracting client information from the received service request;


determining if the client device has been identified as autonomously operated based upon the client information and a database; and

performing a CAPTCHA process based upon the client information and results of determining if the client device has been identified as autonomously operated.

9. A computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor module of the computing device perform a method comprising:

receiving, by a service gateway, a service request from a client device;

extracting, by the service gateway, client information from the received service
request;

determining, by the service gateway, if the client device has been identified as a known computer bot based upon the client information and a bot database;

selecting, by the service gateway, a captcha in response to the service request, if the client device is not a known computer bot;

generating, by the service gateway, captcha instructions for the selected captcha;

generating, by the service gateway, an expected captcha response for the
determined captcha;

sending, by the service gateway, the captcha instructions to the client device;

receiving, by the service gateway, a captcha response from the client device in response to the captcha instructions;

comparing, by the service gateway, the captcha response to the expected captcha response to determine based on the service policy if the client device is operating under control of a human user or operating autonomously; and

sending, by the service gateway, the service request to an appropriate server
device if the client device:

is a known authorized computer bot; or

is operating under control of a human user and the client device is not a known
unauthorized computer bot.




Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 20 – 35, 38 - 41 is/are rejected under 35 U.S.C. 102(a)(2) as being taught by Clark et al. [US PGPUB # 2011/0029781].
As per claim 20. Clark does teach a method [Clark, paragraph: 0005, lines 1 – 5, Embodiments of a computer program product are described. In one embodiment, the computer program product includes a computer usable storage medium to store a computer readable program for implementing graduated difficulty for a human response test to differentiate between a human response and a computer response] comprising:
receiving a service request from a client device [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. ];
extracting client information from the received service request [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. 
Where at paragraph: 0037, lines 1 – 7, The algorithm 118 can take various forms to consider various testing criteria. Some examples of testing criteria include, but are not limited to, unique source identifiers [i.e. applicant’s client information] such as IP or MAC address, time durations between access requests, time durations between an access request and an access response, accuracy rate of a sequence of responses, as well as other testing criteria. ]; and
performing a CAPTCHA process based on the client information [Clark, paragraph: 0039, Once the spambot tester 116 identifies an access request as being from a spambot, rather than from a real person [i.e. applicant’s and results of determining if the client device has been identified as autonomously operated], the spambot tester 116 communicates information to the CAPTCHA controller 110 to identify the corresponding client computer 102. Subsequently, the CAPTCHA controller 110 can begin to increase the difficulty of the CAPTCHA tests which are presented to the user at the identified client computer 102. In this way, the CAPTCHA controller 110 can implement graduated CAPTCHA difficulty in response to identification of a client computer 102 that is presumably operated by a spambot [i.e. applicant’s performing a captcha process based upon client information], rather than a real person. Where at figure # 6, and paragraph: 0057, In the illustrated method 200, the CAPTCHA controller 110 receives 202 a CAPTCHA request from the CAPTCHA client 130. The CAPTCHA request includes or is otherwise associated with a source identifier [i.e. applicant’s client information] to identify the CAPTCHA client 130 as the source computing device.]. 
As per claim 21. Clark does teach the method according to Claim 20, wherein performing the CAPTCHA process is based upon a service policy [Clark, paragraph: 0002, In order to curtail or limit the amount of spam that can be posted to these forums, some sort of logical gatekeeper is typically employed to try to prevent the spambots from automatically accessing recipient information and/or posting spam. One common type of logical gatekeeper process is known as CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In essence, a CAPTCHA test requires a response that presumably cannot be generated by a computer. One common type of CAPTCHA test displays distorted letters which may be read by a human user, but are difficult for a computer to decipher. Hence, a correct response to the CAPTCHA test is assumed to be from a human, rather than a computer.]. 
As per claim 22. Clark does teach the method according to Claim 20, wherein performing the CAPTCHA process includes selecting the CAPTCHA based upon the client information [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. 
Where at paragraph: 0037, lines 1 – 7, The algorithm 118 can take various forms to consider various testing criteria. Some examples of testing criteria include, but are not limited to, unique source identifiers [i.e. applicant’s client information] such as IP or MAC address, time durations between access requests, time durations between an access request and an access response, accuracy rate of a sequence of responses, as well as other testing criteria [i.e. applicants CAPTCHA].].
As per claim 23. Clark does teach the method according to Claim 22, wherein selection of a feature of the CAPTCHA is based upon the client information [Clark, figure # 6, and paragraph: 0057, In the illustrated method 200, the CAPTCHA controller 110 receives 202 a CAPTCHA request from the CAPTCHA client 130. The CAPTCHA request includes or is otherwise associated with a source identifier [i.e. applicant’s client information] to identify the CAPTCHA client 130 as the source computing device. The CAPTCHA controller 110 then stores 204 the source identifier in the source identifier database 122 on the source identifier repository. Since this is the first CAPTCHA request from the CAPTCHA client 130, the CAPTCHA controller 110 sets 206 the level of difficulty for the CAPTCHA test to a default level of difficulty [i.e. applicant’s selection of a feature of the captcha]. The CAPTCHA controller 110 then initiates 208 the CAPTCHA test, through communication and coordination with the CAPTCHA client 130 on the client computer 102.]. 
As per claim 24. Clark does teach the method according to Claim 23, wherein the feature is a difficulty level associated with the CAPTCHA [ Clark, Figure # 3, and paragraph: 0044, lines 1 – 9, In the depicted embodiment, the CAPTCHA test database 120 includes a plurality of images (or other equivalent CAPTCHA test data) and corresponding difficulty indicators. For reference, the images are designated as IMAGE_1, IMAGE_2, . . . , and IMAGE_N, and the difficulty indicators are designated as DIFFICULTY_1, DIFFICULTY_2, . . . , DIFFICULTY_N. In some embodiments, the database structure 120 includes the actual images corresponding to the CAPTCHA tests].
As per claim 25. Clark does teach the method according to Claim 23, wherein the feature is a timing consideration associated with the CAPTCHA [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. 
Where at paragraph: 0037, lines 1 – 7, The algorithm 118 can take various forms to consider various testing criteria. Some examples of testing criteria include, but are not limited to, unique source identifiers such as IP or MAC address, time durations between access requests, time durations between an access request and an access response, accuracy rate of a sequence of responses, as well as other testing criteria [i.e. applicants specifying a CAPTCHA] ]. 
As per claim 26. Clark does teach the method according to Claim 23, wherein a feature of the CAPTCHA is based upon if the CAPTCHA has been used with a user of the client device previously [Clark, Figure # 4, and paragraph: 0050, lines 1 – 6, By storing source identifiers and corresponding timestamps in this manner, the CAPTCHA controller 110 may track the history of access requests for a specific client computer 102, or for all client computers, and use that historical data to determine whether the user at a given client computer 102 might be a spambot.]. 
As per claim 27. Clark does teach the method according to Claim 20, wherein the CAPTCHA process includes:
obtaining a selected CAPTCHA and corresponding instructions in response to the service request [Clark, Figure # 2, and paragraph: 0041, lines 4 – 13, In some embodiments, the display device 126 displays the browser interface 108 that is implemented via the CAPTCHA client 130 which runs on the client processing unit 124. In general, the CAPTCHA client 130 facilitates a CAPTCHA test, or session, on the client computer 102. In some embodiments, the CAPTCHA client 130 allows a user to submit an access request to the CAPTCHA controller 110 on the server 104, participate in a CAPTCHA test administered by the CAPTCHA controller 110];
sending the CAPTCHA and CAPTCHA instructions to the client device [Clark, Figure # 2, and paragraph: 0042, The client memory device 128 may store one or more CAPTCHA images 132, or other testing data (e.g., audio, text, applets, etc.), which are presented to the user via the CAPTCHA client 130 under the control of the CAPTCHA controller 110 on the server 104. The client memory device 128 also may store other data or instructions (e.g., program instructions) which may be referenced or invoked by the CAPTCHA client 130 during administration of a CAPTCHA test to the user];
receiving a response from the client device [Clark, Figure # 5, item # 148, and paragraph: 0054, lines 2 – 3, the CAPTCHA client 130 sends 148 a CAPTCHA response back to the CAPTCHA controller 110]; and
handling the service request based upon the response [Clark, Figure # 5, item # 150, and paragraph: 0054, lines 4 – 13, The CAPTCHA controller 110 then determines 150 whether the CAPTCHA response is correct for the CAPTCHA test that was administered and sends 152 an access response to the CAPTCHA client 130. The access response indicates whether or not the CAPTCHA client 130 is approved to access the requested data. Typically, if the CAPTCHA response is correct, then the CAPTCHA client 130 is granted access to the requested data. However, if the CAPTCHA response is incorrect, then the CAPTCHA client 130 is denied access to the requested data. The depicted process flow diagram 140 then ends, although communications between the CAPTCHA client 130 and the CAPTCHA controller 110 may continue in a similar manner as described above].
As per claim 28. Clark does teach the method according to Claim 27, wherein obtaining the selected CAPTCHA includes retrieving the CAPTCHA from a storage location [Clark, Figure # 2, and paragraph: 0042, The client memory device 128 may store one or more CAPTCHA images 132, or other testing data (e.g., audio, text, applets, etc.), which are presented to the user via the CAPTCHA client 130 under the control of the CAPTCHA controller 110 on the server 104. The client memory device 128 also may store other data or instructions (e.g., program instructions) which may be referenced or invoked by the CAPTCHA client 130 during administration of a CAPTCHA test to the user.]. 
As per claim 29. Clark does teach the method according to Claim 28, wherein the storage location is in a CAPTCHA database [Clark, Figure # 1, items: 112, 120 and paragraph: 0033, lines 1 – 6, In general, the CAPTCHA repository 112 stores a plurality of CAPTCHA tests 120, for example, in the form of a database structure or in another storage configuration. In a more general embodiment, the CAPTCHA repository 112 may be referred to as a test repository for storing human response tests. The CAPTCHA tests 120 may be any types of tests, including images, text, multimedia content, and so forth].
As per claim 30. Clark does teach the method according to Claim 27, wherein obtaining the selected CAPTCHA includes generating a CAPTCHA [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. ].
As per claim 31. Clark does teach the method according to Claim 27, wherein obtaining the selected CAPTCHA includes specifying a CAPTCHA [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. 
Where at paragraph: 0037, lines 1 – 7, The algorithm 118 can take various forms to consider various testing criteria. Some examples of testing criteria include, but are not limited to, unique source identifiers [i.e. applicant’s client information] such as IP or MAC address, time durations between access requests, time durations between an access request and an access response, accuracy rate of a sequence of responses, as well as other testing criteria [i.e. applicants specifying a CAPTCHA].].
As per claim 32. Clark does teach the method according to Claim 12, wherein specifying a CAPTCHA includes an indication of the location where the CAPTCHA can be accessed [Clark, paragraph: 0044, In the depicted embodiment, the CAPTCHA test database 120 includes a plurality of images (or other equivalent CAPTCHA test data) and corresponding difficulty indicators………….In some embodiments, the database structure 120 includes the actual images corresponding to the CAPTCHA tests. Alternatively, the database structure 120 may include memory addresses to indicate the location of the images, which may be stored locally on the client memory device 128 of the client computer 102, on the CAPTCHA repository 112 coupled to the server 104, or on another electronic memory device].
As per claim 33. Clark does teach the method according to Claim 32, wherein performing the CAPTCHA process includes sending the service request to a server device if the client device is operating under control of a human user [Clark, paragraph: 0038, In this example of the algorithm 118, the source identifier [i.e. applicant’s client information] associated with the requesting user is identified as a spambot if any of the four criteria are met. The first criterion determines if the source identifier is the same as a source identifier from a previous request within a specified time duration, Th1. The second criterion determines whether the time between access requests is faster than a specified threshold, Th2. The third criterion determines whether the time between access requests is more consistent than anticipated from a human user. The fourth criterion determines whether the response time is faster than a specified threshold, Th3. If any of these criteria are met, then the source identifier associated with the access request is identified as being from a spambot. Otherwise, a default status may be maintained to indicate that the source identifier is presumed to be associated with a real person. 
Where at paragraph: 0054, After receiving the CAPTCHA test from the CAPTCHA controller 110, the CAPTCHA client 130 sends 148 a CAPTCHA response back to the CAPTCHA controller 110. The CAPTCHA controller 110 then determines 150 whether the CAPTCHA response is correct for the CAPTCHA test that was administered and sends 152 an access response to the CAPTCHA client 130. The access response indicates whether or not the CAPTCHA client 130 is approved to access the requested data. Typically, if the CAPTCHA response is correct, then the CAPTCHA client 130 is granted access to the requested data. However, if the CAPTCHA response is incorrect, then the CAPTCHA client 130 is denied access to the requested data. The depicted process flow diagram 140 then ends, although communications between the CAPTCHA client 130 and the CAPTCHA controller 110 may continue in a similar manner as described above].
As per claim 34. Clark does teach the method according to Claim 20, wherein performing the CAPTCHA process includes determining if the client device is autonomously operated based upon the client information and a database [Clark, paragraph: 0038, In this example of the algorithm 118, the source identifier [i.e. applicant’s client information] associated with the requesting user is identified as a spambot if any of the four criteria are met. The first criterion determines if the source identifier is the same as a source identifier from a previous request within a specified time duration, Th1. The second criterion determines whether the time between access requests is faster than a specified threshold, Th2. The third criterion determines whether the time between access requests is more consistent than anticipated from a human user. The fourth criterion determines whether the response time is faster than a specified threshold, Th3. If any of these criteria are met, then the source identifier associated with the access request is identified as being from a spambot. Otherwise, a default status may be maintained to indicate that the source identifier is presumed to be associated with a real person. Where at paragraph: 0034, lines 1 – 6, The source identification repository 114 [i.e. applicant’s and a database] stores a plurality of source identifiers 122 which uniquely identify client computers 102 that request a CAPTCHA test from the server 104. The source identifiers 122 stored in the source identification repository 114 may be any type of source identification or characteristic. 
Where at paragraph: 0039, Once the spambot tester 116 identifies an access request as being from a spambot, rather than from a real person, the spambot tester 116 communicates information to the CAPTCHA controller 110 to identify the corresponding client computer 102. Subsequently, the CAPTCHA controller 110 can begin to increase the difficulty of the CAPTCHA tests which are presented to the user at the identified client computer 102. In this way, the CAPTCHA controller 110 can implement graduated CAPTCHA difficulty in response to identification of a client computer 102 that is presumably operated by a spambot, rather than a real person.].
As per claim 35. Clark does teach the method according to Claim 20, wherein performing the CAPTCHA process includes declining the service request to a server device if the client device is operating autonomously [Clark, paragraph: 0051, In another embodiment, the CAPTCHA controller 110 ultimately may determine that the identified client computer 102 should be denied access, regardless of the success rate with the CAPTCHA tests. In this example, the CAPTCHA controller 110 may stop initiating CAPTCHA tests for the identified source computing device (i.e., client computer) on a permanently basis, for a specified amount of time, or until some other user-defined condition(s) is satisfied.].
As per claim 38. Clark does teach the method according to Claim 20, wherein the CAPTCHA process includes determining if the client device has been identified as a bot based upon the client information and a bot database [Clark, paragraph: 0038, In this example of the algorithm 118, the source identifier [i.e. applicant’s client information] associated with the requesting user is identified as a spambot if any of the four criteria are met. The first criterion determines if the source identifier is the same as a source identifier from a previous request within a specified time duration, Th1. The second criterion determines whether the time between access requests is faster than a specified threshold, Th2. The third criterion determines whether the time between access requests is more consistent than anticipated from a human user. The fourth criterion determines whether the response time is faster than a specified threshold, Th3. If any of these criteria are met, then the source identifier associated with the access request is identified as being from a spambot. Otherwise, a default status may be maintained to indicate that the source identifier is presumed to be associated with a real person. Where at paragraph: 0034, lines 1 – 6, The source identification repository 114 [i.e. applicant’s and a bot database] stores a plurality of source identifiers 122 which uniquely identify client computers 102 that request a CAPTCHA test from the server 104. The source identifiers 122 stored in the source identification repository 114 may be any type of source identification or characteristic ].
As per claim 39. Clark does teach the method according to Claim 20, wherein performing the CAPTCHA process includes:
generating an expected response [Clark, Figure # 5, paragraph: 0054, lines 4 – 7, The CAPTCHA controller 110 then determines 150 whether the CAPTCHA response is correct for the CAPTCHA test that was administered and sends 152 an access response to the CAPTCHA client 130.];
receiving the response [Clark, Figure # 5, item # 148, and paragraph: 0054, lines 2 – 3, the CAPTCHA client 130 sends 148 a CAPTCHA response back to the CAPTCHA controller 110]; and
comparing the response to the expected response to determine if the client device is operating under control of a human user [Clark, Figure # 5, item # 150, and paragraph: 0054, lines 4 – 13, The CAPTCHA controller 110 then determines 150 whether the CAPTCHA response is correct for the CAPTCHA test that was administered and sends 152 an access response to the CAPTCHA client 130. The access response indicates whether or not the CAPTCHA client 130 is approved to access the requested data. Typically, if the CAPTCHA response is correct, then the CAPTCHA client 130 is granted access to the requested data. However, if the CAPTCHA response is incorrect, then the CAPTCHA client 130 is denied access to the requested data. The depicted process flow diagram 140 then ends, although communications between the CAPTCHA client 130 and the CAPTCHA controller 110 may continue in a similar manner as described above.]. 
As per claim 40. Clark does teach the method according to Claim 39, wherein generating an expected CAPTCHA response is based upon the client information [Clark, figure # 6, and paragraph: 0057, In the illustrated method 200, the CAPTCHA controller 110 receives 202 a CAPTCHA request from the CAPTCHA client 130. The CAPTCHA request includes or is otherwise associated with a source identifier [i.e. applicant’s client information] to identify the CAPTCHA client 130 as the source computing device. The CAPTCHA controller 110 then stores 204 the source identifier in the source identifier database 122 on the source identifier repository. Since this is the first CAPTCHA request from the CAPTCHA client 130, the CAPTCHA controller 110 sets 206 the level of difficulty for the CAPTCHA test to a default level of difficulty. The CAPTCHA controller 110 then initiates 208 the CAPTCHA test [i.e. applicant’s generating an expected captcha response], through communication and coordination with the CAPTCHA client 130 on the client computer 102.]. 
As per claim 41. Clark does teach a computing device for executing computing device executable instructions stored in a computing storage module that when executed by a processor of the computing device perform an access control process [Clark, paragraph: 0005, lines 1 – 11, Embodiments of a computer program product are described. In one embodiment, the computer program product includes a computer usable storage medium to store a computer readable program for implementing graduated difficulty for a human response test to differentiate between a human response and a computer response. The computer readable program, when executed on a computer, causes the computer to perform operations. The operations include initiating a first human response test with a designated level of difficulty at a source computing device in response to a first test request.] comprising:
receiving a service request from a client device [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot.];
extracting client information from the received service request [Clark, paragraph: 0035, lines 1 – 4, The CAPTCHA controller 110 includes a spambot tester 116. In general, the spambot tester 116 implements functionality to test whether the access request from the client computer 102 is from a real person or a spambot. 
Where at paragraph: 0036, lines 1 – 3, In one embodiment, the spambot tester 116 implements an algorithm 118 to take into consideration one or more of the testing criteria. 
Where at paragraph: 0037, lines 1 – 7, The algorithm 118 can take various forms to consider various testing criteria. Some examples of testing criteria include, but are not limited to, unique source identifiers [i.e. applicant’s client information] such as IP or MAC address, time durations between access requests, time durations between an access request and an access response, accuracy rate of a sequence of responses, as well as other testing criteria.];
determining if the client device has been identified as autonomously operated based upon the client information and a database [Clark, paragraph: 0038, In this example of the algorithm 118, the source identifier [i.e. applicant’s client information] associated with the requesting user is identified as a spambot if any of the four criteria are met. The first criterion determines if the source identifier is the same as a source identifier from a previous request within a specified time duration, Th1. The second criterion determines whether the time between access requests is faster than a specified threshold, Th2. The third criterion determines whether the time between access requests is more consistent than anticipated from a human user. The fourth criterion determines whether the response time is faster than a specified threshold, Th3. If any of these criteria are met, then the source identifier associated with the access request is identified as being from a spambot. Otherwise, a default status may be maintained to indicate that the source identifier is presumed to be associated with a real person. Where at paragraph: 0034, lines 1 – 6, The source identification repository 114 [i.e. applicant’s and a database] stores a plurality of source identifiers 122 which uniquely identify client computers 102 that request a CAPTCHA test from the server 104. The source identifiers 122 stored in the source identification repository 114 may be any type of source identification or characteristic.]; and
performing a CAPTCHA process based upon the client information and results of determining if the client device has been identified as autonomously operated [Clark, paragraph: 0039, Once the spambot tester 116 identifies an access request as being from a spambot, rather than from a real person [i.e. applicant’s and results of determining if the client device has been identified as autonomously operated], the spambot tester 116 communicates information to the CAPTCHA controller 110 to identify the corresponding client computer 102. Subsequently, the CAPTCHA controller 110 can begin to increase the difficulty of the CAPTCHA tests which are presented to the user at the identified client computer 102. In this way, the CAPTCHA controller 110 can implement graduated CAPTCHA difficulty in response to identification of a client computer 102 that is presumably operated by a spambot [i.e. applicant’s performing a captcha process based upon client information], rather than a real person. Where at figure # 6, and paragraph: 0057, In the illustrated method 200, the CAPTCHA controller 110 receives 202 a CAPTCHA request from the CAPTCHA client 130. The CAPTCHA request includes or is otherwise associated with a source identifier [i.e. applicant’s client information] to identify the CAPTCHA client 130 as the source computing device.]. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim(s) 36, 37, 42 is/are rejected under 35 U.S.C. 103 as being unpatentable over Clark et al. [US PGPUB # 2011/0029781] in view of Sherstinsky et al. [US PAT # 7899867]
As per claim 36. Clark does teach what is taught in the rejection of claim above. 
Clark does not teach clearly the method according to Claim 20, wherein performing the CAPTCHA process includes declining the service request to a server device if the client device is a bad or unauthorized bot. 
However, Sherstinsky does teach the method according to Claim 20, wherein performing the CAPTCHA process includes declining the service request to a server device if the client device is a bad or unauthorized bot [Figure # 7, col. 14, lines 66 – 67, and col. 15, lines 1 – 12, If a response IM is sent, challenge response analyzer 712 reviews the response and determines if the response IM satisfies an answer that is expected from the response. In one embodiment, receiving a response IM for the challenge IM may be sufficient to allow the initial IM sent to be forwarded to its destination (intended recipient). Or, a question may have been asked, to which an answer may be required. For example, a personal question related to the destination username may be sent. Also, the message may ask a user to type in a word or phrase that is shown on the screen. The response IM is then analyzed to determine if the response IM has the correct answer required. If a response is not received or the answer to the response IM is not correct, the initial IM received is blocked]. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Clark and Sherstinsky in order for the controlling of the access request of a service/resource of a server implemented human response tests thru captcha controller by a requesting client or potential spambot of Clark to include real – time response test monitoring of the received response of Sherstinsky. This would allow for a highly dynamic monitoring system that adjusts to changes in the response from a would be spambot or requesting client. See col. 11, lines 53 – 67, col. 12, lines 1 – 7 and col. 14, lines 42 – 49 of Sherstinsky. 
As per claim 37. Clark as modified does teach the method according to Claim 20, wherein performing the CAPTCHA process includes sending the service request to a server device if the client device is a good or authorized bot [Sherstinsky, col. 14, lines 24 – 33, Users who are explicitly added to a configurable contact list (or configurable contact lists) in IM Module 106 may also be allowed. For example, friends of a corporation, opted in software agents/ bots that are considered legitimate and/or useful by the organization may be included in a contact list in database 706. Thus, not all IM messages from bots may be challenged if they are deemed useful or allowable. Users who are explicitly given challenge/response keys (e.g., opted in software agents/bots that are considered legitimate or used by the organization) may be allowed].
As per claim 42. Clark as modified does teach a computing device of Claim 41, wherein performing the CAPTCHA process includes: forwarding the service request if the client devise is determined to be a good bot [Sherstinsky, col. 14, lines 24 – 33, Users who are explicitly added to a configurable contact list (or configurable contact lists) in IM Module 106 may also be allowed. For example, friends of a corporation, opted in software agents/ bots that are considered legitimate and/or useful by the organization may be included in a contact list in database 706. Thus, not all IM messages from bots may be challenged if they are deemed useful or allowable. Users who are explicitly given challenge/response keys (e.g., opted in software agents/bots that are considered legitimate or used by the organization) may be allowed], and declining the service request if the client devise is determined to be a bad bot [Sherstinsky, Figure # 7, col. 14, lines 66 – 67, and col. 15, lines 1 – 12, If a response IM is sent, challenge response analyzer 712 reviews the response and determines if the response IM satisfies an answer that is expected from the response. In one embodiment, receiving a response IM for the challenge IM may be sufficient to allow the initial IM sent to be forwarded to its destination (intended recipient). Or, a question may have been asked, to which an answer may be required. For example, a personal question related to the destination username may be sent. Also, the message may ask a user to type in a word or phrase that is shown on the screen. The response IM is then analyzed to determine if the response IM has the correct answer required. If a response is not received or the answer to the response IM is not correct, the initial IM received is blocked]. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Burciu et al., who does teach a computer-facilitated service receives a request, from a user client, to access a site provided by the service. The service may obtain, from the request, identifying information, which may be used to identify prior activity of the user client. This prior activity is used to determine whether the user client is to be provided with an interstitial user interface component, which may be configured to cause the user client to provide additional information about the client and to be successfully completable by an automated agent or other automated process. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434