Remarks
Claims 1-3, 5-7, 12, 14-18, 20-22, and 30-33 are pending.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 8/31/2022 have been fully considered but they are not persuasive.
Applicant alleges that “there is support for only one load parameter” in original claim 2, alleges that paragraph 44 states “Examples for such parameters include current load”, and “Therefore, there is support in the specification for the claim recitation that the determination is based only on the protected resource’s current computing load.”  To the contrary, the application as originally filed also bases the determination on the code that performs the determination, for example.  There is no instance in which “the protected resource’s current computing load” is the “only” thing that the determination is based on.  Indeed, the determination is also based on the received request, as another example, in every instance.  
Applicant discusses previous responses throughout this response.  All of Applicant’s previous arguments were fully responded to previously and need no further response.  
Applicant alleges “the morph instructions transform the credentials.  However, the morph instructions themselves are not taught or suggested to be polymorphic.  By contrast, the claim language specifically requires the script code itself to be at least one of polymorphic and obfuscated.  By contrast, the claim language specifically requires that the script code itself to be at least one of polymorphic and obfuscated”  Applicant goes on to allege “In other words, the credential morphing instructions of Hidayat define one or more credential-morphing operations which are configured to cause the client computer to update the credential over time if executed.  However, these credential morphing instructions are not polymorphic and so there is no script code as called for in the claim that is a polymorphic script code.”  However, paragraph 62, cited by Applicant, states “modifying the first set of instructions to produce a modified set of instructions”.  Therefore, the instructions are clearly polymorphic.  
Applicant then admits that “what is happening in paragraph 62 is that there is a first set of instructions that are intercepted and then modified to cause a credential to be included in the requests executed by the computer”.  The Examiner thanks Applicant for admitting that the code is polymorphic since it has multiple forms.  
Applicant then alleges “It appears that the Office Action fails to appreciate two things with regard to polymorphic.”  Applicant continues by alleging “First, what is required to be polymorphic is the script code itself, not the result of the code.  Thus, morphing the credentials is not sufficient to teach or suggest what is called for in the claim.”  However, Applicant has already admitted that the reference discloses “a first set of instructions that are intercepted and then modified to cause a credential to be included in the requests”.  Therefore, Applicant has already admitted that the code itself is being modified.  Furthermore, Applicant’s own application (e.g., paragraph 41) defines that “The polymorphism of the script code is realized by using a different new secret and different semantic phrase to reveal the secret”.  Therefore, the code itself is not necessarily modified by any polymorphism in the instant application.  In fact, the instant application defines that an example of polymorphism is simply met by using a different credential (e.g., secret or semantic phrase).  Therefore, Applicant has also admitted that the reference discloses this form of polymorphism in Applicant’s admission that Hidayat discloses “credential-morphing operations, which are configured to cause the client computer to update the credential over time if executed”.  The Examiner thanks Applicant for proving that Hidayat discloses polymorphism in 2 different ways.  
Applicant then alleges “Second, Polymorphic script code as recited in the claim is not merely that the script code is a modified version of an original set of instructions.  Rather, polymorphic script code has a specific and well known meaning in the art.”  Applicant then cites Wikipedia.  As Applicant must be well aware, Wikipedia may be modified by anyone at any time and is never a reliable source for information of any kind.  Furthermore, Applicant’s own specification refutes Applicant’s reliance on Wikipedia.  As explained above, paragraph 41 states “The polymorphism of the script code is realized by using a different new secret and different semantic phrase to reveal the secret”.  Therefore, Applicant has already proven that Applicant’s own alleged definition from Wikipedia is erroneous based on Applicant’s inconsistent allegations that “The polymorphism of the script code is realized by using a different new secret and different semantic phrase” and “Polymorphic script code as recited in the claim is not merely that the script code is a modified version of an original set of instructions”.  Indeed, the polymorphism of the application may be met simply by using a different new secret or semantic phrase to reveal the secret.  
Applicant alleges “there is no mention, based on a key word search, of obfuscating in Hidayat.”  The Examiner is unsure why Applicant would make an argument based on a keyword search.  The rejection already clearly explained how the argued subject matter of the code being at least one of polymorphic and obfuscated is met: “encrypted challenge/credential, different morph instructions, different timestamps, generation of a credential using a sent seed, etc., as examples”.  Verbatim words need not be used in the reference and the rejection clearly explained how it was met.  Therefore, Applicant’s allegation is erroneous.  
Applicant then alleges “However, the Office Action has not specifically identified what it believes in Hidayat to be polymorphic script code and what what it believes in Hidayat to be obfuscated script code.”  Applicant fails to tie this to reality by explaining just why Applicant believes this would have been a requirement.  Indeed, a rejection of “wherein the script code is at least one of polymorphic and obfuscated” need not identify both polymorphic and obfuscated codes or explain how each is different.  In fact, such a rejection only needs to reference (e.g., by citation to paragraphs within a reference) a single instance of a single one of these options.  
Applicant then appears to provide Applicant’s understanding of a portion of the rejection and alleges “This does not distinguish between the types of code nor particularly point to where there is polymorphic script code and where there is obfuscated script code.  Indeed, it is not clear if the Office Action is suggesting that Hidayat  shows only polymorphic script, only obfuscated script, or both.  This should be clearly pointed out in a next Office Action if an allowance is not forthcoming.”  A requirement for information is provided below requiring Applicant provide the requisite laws, rules, regulations, and MPEP citations that require that a rejection of a Markush group reject all members thereof and/or identify “where there is” each member thereof.  The Examiner notes that there is no such law, rule, regulation, or MPEP citation.  Further requirements for information are also presented below since it has been made clear that Applicant has performed a prior art search related to what Applicant believes the claimed invention includes.  
Applicant goes on to allege “Further in this regard, new claims 30-33 now require that the script code be one or the other separately, thus, for example, finding obfuscated code will not be suitable with regard to a claim to polymorphic code, and vice-versa.”  The Examiner thanks Applicant for realizing that Applicant’s above arguments were erroneous.  Indeed, if a claim requires a single option, such single option will be within any reference cited for this single option.  Along the same lines, claims with multiple options, not all of which are required, only need a single option.  As both polymorphic and obfuscated have been discussed ad nauseam supra, it is exceptionally clear that there are examples of how each is discussed in the references and no further explanation is required for either when either is brought up in the claims.  The Examiner thanks Applicant for allowing the prosecution record to be made perfectly clear with respect to examples of how these new claims are rejected prior to even having a rejection of these new claims written.  

Requirement for Information
Applicant and the assignee of this application are required under 37 CFR 1.105 to provide the following information that the examiner has determined is reasonably necessary to the examination of this application.  
In response to this requirement, please provide answers to each of the following interrogatories eliciting factual information:
What laws, rules, regulations, portions of the MPEP, and the like, require that a rejection of a Markush group reject all members thereof and/or identify “where there is” each member thereof?
In response to this requirement, please provide a copy of each of the following items of art referred to in the response dated 8/31/2022:
There are at least 3 documents referenced on page 10 of the response dated 8/31/2022.  All of these must be provided and these must be the proper copies from the date that Applicant reviewed these documents in order to rely upon such.  
In response to this requirement, please state whether any search of prior art was performed.  If a search was performed, please state the citation for each prior art collection searched.  If any art retrieved from the search was considered material to demonstrating the knowledge of a person having ordinary skill in the art to the disclosed invention, please provide the citation for each piece of art considered and a copy of the art.  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-3, 5-7, 12, 14, 15, 30, and 31 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Claim 1 states “wherein the determination is based only on the protected resource’s current computing load”.  However, the application as originally filed does not have basis for this determination being based only on the protected resource’s current computing load.  Claims 2-3, 5-7, 12, 14, 15, 30, and 31 are rejected at least based on their dependencies.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-7, 12, 14-18, 20-22, and 30-33 are rejected under 35 U.S.C. 103 as being unpatentable over Hidayat (U.S. Patent Application Publication 2016/0294796) in view of Feng (U.S. Patent Application Publication 2010/0031315).
Regarding Claim 1,
Hidayat discloses a method for detecting an access to a protected resource by headless browser bots, comprising:
Receiving a request from a client machine (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 87, 92, 107, 117-119, 125, 127, 140, 148, 162, 163, 176, 180 and associated figures; receiving a request from a client, for example);
Determining whether an AHBB challenge should be generated, wherein the determination is based only on the protected resource’s current value (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; determining when to generate a challenge, morphing instructions, or the like including Java script, which generate or change credential, seed from which to generate credential, credential parameters, encrypted parameters/credential, etc., as examples);
Generating the AHBB challenge only when the determination is that the AHBB challenge should be generated, wherein the AHBB challenge includes at least one headless browser identifying characteristic that includes an object for processing at least script code (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; generating a challenge, morphing instructions, or the like including Java script, which generate or change credential, seed from which to generate credential, credential parameters, encrypted parameters/credential, etc., as examples);
Receiving a response to the AHBB challenge (Exemplary Citations: for example, Abstract, Paragraphs 61-66, 70, 72, 110-112, 125, 129, 130, 135, 138, 140, 147-153, 163, 176, 177, 180 and associated figures; receiving a response from the challenge, such as a request with the dynamic credential responsive to the challenge therein, for example);
Comparing the received response to at least one challenge requirement to determine a pass result or a fail result (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; validate credential and/or parameters, for example); and
Upon determining a pass result, granting the client machine access to the protected resource (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-183 and associated figures; allowing access to web page, for example, by forwarding request to server, for example);
Wherein generating the AHBB challenge further comprises (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures):
Identifying the at least one headless browser identifying characteristic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; bot cannot run JS, for example);
Generating a script code configured to check for the at least one headless browser identifying characteristic, wherein the script code is at least one of polymorphic and obfuscated (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; generating JS code, for example, encrypted challenge/credential, different morph instructions, different timestamps, generation of a credential using a sent seed, etc., as examples); and
Configuring the script code to return a fail result upon identification of at least one headless browser characteristic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; fail if JS can’t be executed, for example);
But does not explicitly disclose that the value is a computing load.  
Feng, however, discloses receiving a request from a client machine (Exemplary Citations: for example, Abstract, Paragraphs 57, 68, 69, 84, and associated figures; request, for example);
Determining whether a challenge should be generated, wherein the determination is based only on the protected resource’s current computing load (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; determining whether to send the client a challenge (e.g., low, medium, or high difficulty), from client’s current load on server, parameters in the request, etc., as examples);
Generating the challenge only when the determination is that the challenge should be generated, wherein the challenge includes at least one headless browser identifying characteristic that includes an object for processing at least script code (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; generate low, medium, high, etc., challenge, for example);
Receiving a response to the AHBB challenge (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; response with answer, for example);
Comparing the received response to at least one challenge requirement to determine a pass result or a fail result (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; check answer as well as other parameters, such as proof of work or the like, for example); and
Upon determining a pass result, granting the client machine access to the protected resource (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; allow access if answer and/or other parameters are correct, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the challenge-answer based protection techniques of Feng into the authentication and security system of Hidayat in order to allow the system to provide additional different types of challenges, to change the difficulty of a challenge depending on current circumstances, to allow for different levels of difficulty based on load the client has placed on the system or is placing on the system, and/or to increase security in the system.  
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 2,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the determination is further based on at least one risk parameter (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 70, 92, 104, 105, 110, 117-119, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; public or private resource being accessed, for example).  
Regarding Claim 3,
Hidayat as modified by Feng discloses the method of claim 2, in addition, Hidayat discloses that each of the at least one risk parameter is any of: a list of known malicious entities, a list of trusted clients and associated IP addresses, a reputation score per IP address, a reputation score per geographic region, an application layer parameter, a client unique ID token, a client affiliation, a parameter from an authentication service, a geo analysis, a type of the protected resource, and an indication of an ongoing attack (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 70, 92, 104, 105, 110, 117-119, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 5,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the fail result is determined at least when the response is not received within a predetermined time interval (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; credential only valid for a certain period of time, for example).  
Regarding Claim 6,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses generating a new challenge based on a predefined escalation policy, when the fail result is determined (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; treat a request without a valid credential as a first request, for example).  
Regarding Claim 7,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that a web browser of the client machine is granted access to the protected resource for a predefined period of time, wherein the predefined period of time is set by an aging timer (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; valid period for access/expiration of credential, for example).  
Regarding Claim 12,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the script code is at least in JavaScript (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 14,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the AHBB challenge further requires a human interaction (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; response/request based on user input from displayed object, for example).  
Regarding Claim 16,
Hidayat discloses a system for detecting an access to a protected resource by headless browser bots, comprising:
A processing system (Exemplary Citations: for example, Figure 8 and associated written description);
A memory connected to the processing system and configured to contain a plurality of instructions that when executed by the processing system configure the system to (Exemplary Citations: for example, Figure 8 and associated written description):
Receive a request from a client machine (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 87, 92, 107, 117-119, 125, 127, 140, 148, 162, 163, 176, 180 and associated figures; receiving a request from a client, for example);
Determine whether an AHBB challenge should be generated, wherein the determination is based on at least one parameter related to a current value of the protected resource (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; determining when to generate a challenge, morphing instructions, or the like including Java script, which generate or change credential, seed from which to generate credential, credential parameters, encrypted parameters/credential, etc., as examples);
Generate the AHBB challenge only when the determination is that the AHBB challenge should be generated, wherein the AHBB challenge includes at least one headless browser identifying characteristic that includes an object for processing at least script code (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; generating a challenge, morphing instructions, or the like including Java script, which generate or change credential, seed from which to generate credential, credential parameters, encrypted parameters/credential, etc., as examples);
Receive a response to the AHBB challenge (Exemplary Citations: for example, Abstract, Paragraphs 61-66, 70, 72, 110-112, 125, 129, 130, 135, 138, 140, 147-153, 163, 176, 177, 180 and associated figures; receiving a response from the challenge, such as a request with the dynamic credential responsive to the challenge therein, for example);
Compare the response to at least one challenge requirement to determine a pass result or a fail result (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; validate credential and/or parameters, for example); and
Grant the client machine access to the protected resource, upon determining a pass result (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-183 and associated figures; allowing access to web page, for example, by forwarding request to server, for example);
Identify the at least one headless browser identifying characteristic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; bot cannot run JS, for example);
Generate a script code configured to check for the at least one headless browser identifying characteristic, wherein the script code is at least one of: polymorphic, and obfuscated (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; generating JS code, for example, encrypted challenge/credential, different morph instructions, different timestamps, generation of a credential using a sent seed, etc., as examples); and
Configure the script code to return the fail result upon identification of at least one headless browser characteristic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; fail if JS can’t be executed, for example);
But does not appear to explicitly disclose that the parameter is an overall load parameter and the value is a computing load.  
Feng, however, discloses receive a request from a client machine (Exemplary Citations: for example, Abstract, Paragraphs 57, 68, 69, 84, and associated figures; request, for example);
Determine whether a challenge should be generated, wherein the determination is based on at least one load parameter related to a current computing load of the protected resource (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; determining whether to send the client a challenge (e.g., low, medium, or high difficulty), from client’s current and/or historical load on server, parameters in the request, etc., as examples);
Generate the challenge only when the determination is that the challenge should be generated, wherein the challenge includes at least one headless browser identifying characteristic that includes an object for processing at least script code (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; generate low, medium, high, etc., challenge, for example);
Receive a response to the challenge (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; response with answer, for example);
Compare the response to at least one challenge requirement to determine a pass result or a fail result (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; check answer as well as other parameters, such as proof of work or the like, for example); and
Grant the client machine access to the protected resource, upon determining a pass result (Exemplary Citations: for example, Abstract, Paragraphs 53, 56-61, 63, 64, 66-72, 78, 79, 82, 85, 95, 104-106, and associated figures; allow access if answer and/or other parameters are correct, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the challenge-answer based protection techniques of Feng into the authentication and security system of Hidayat in order to allow the system to provide additional different types of challenges, to change the difficulty of a challenge depending on current circumstances, to allow for different levels of difficulty based on load the client has placed on the system or is placing on the system, and/or to increase security in the system.  
Regarding Claim 17,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that the system is further configured such that the determination is further based on at least one risk parameter (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 70, 92, 104, 105, 110, 117-119, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures; public or private resource being accessed, for example).  
Regarding Claim 18,
Hidayat as modified by Feng discloses the system of claim 17, in addition, Hidayat discloses that each of the at least one risk parameter is any of a list of known malicious clients, a list of trusted clients and associated IP addresses, a reputation score per IP address, a reputation score per geographic region, an application layer parameter, a client unique ID token, a client affiliation, a parameter from an authentication service, a geo analysis, a type of the protected resource, and an indication of an ongoing attack (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 70, 92, 104, 105, 110, 117-119, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 20,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that the fail result is determined at least when the response is not received in a predetermined time interval (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; credential only valid for a certain period of time, for example).  
Regarding Claim 21,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that the system is further configured to generate a new challenge based on a predefined escalation policy, upon determining the fail result (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; treat a request without a valid credential as a first request, for example).  
Regarding Claim 22,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that a web browser of the client machine is granted access to the protected resource for a predefined period of time, wherein the predefined period of time is set by an aging timer (Exemplary Citations: for example, Abstract, Paragraphs 63, 65, 72, 108-113, 125, 135, 149-158, 177-180 and associated figures; valid period for access/expiration of credential, for example).  
Regarding Claim 30,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the script code is polymorphic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 31,
Hidayat as modified by Feng discloses the method of claim 1, in addition, Hidayat discloses that the script code is obfuscated (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 32,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that the script code is polymorphic (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  
Regarding Claim 33,
Hidayat as modified by Feng discloses the system of claim 16, in addition, Hidayat discloses that the script code is obfuscated (Exemplary Citations: for example, Abstract, Paragraphs 61, 62, 65, 66, 69, 70, 81-83, 92, 104, 105, 110, 129-132, 138, 142, 143, 158, 162, 167, 169, 174, 180 and associated figures).  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/
Primary Examiner, Art Unit 2432