Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a reply to the application filed on 06/30/2021, in which, claim(s) 2-21 are pending.
Claim(s) 1 is/are cancelled.
Claim(s) 2-21 is/are newly added.

When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/09/2021, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Drawings
The drawings filed on 06/14/2021 is/are accepted by The Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 

Claim(s) 2-21 is/are rejected on the ground of nonstatutory double patenting over claim(s) 1-20 of U.S. Patent No. 11,036,835 since the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter, as follows: Although the claims are not identical; however, they claimed the same invention with slightly different such as web script code instead of dynamic web content. It would have been obvious to one with ordinary skill in the art to modify the dynamic web content with web script code as it is commonly done using JavaScript.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim(s) 2-8 and 15-21 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim limitations “cause the system to perform operation comprising…” in claim 2 and 15 are limitations that invoke 35 U.S.C. 112, sixth paragraph. The written description only implicitly or inherently sets forth the corresponding structure, material, or acts that perform the claimed function.
Pursuant to 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181, applicant should:
(a)          Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112, sixth paragraph; or
(b)          Amend the written description of the specification such that it expressly recites the corresponding structure, material, or acts that perform the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c)           State on the record what corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function.
Dependent claim(s) 3-8 and 16-21 disclose the modules from claim 2 and 15, configured to perform additional features and thus is rejected under the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 2-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lelcuk et al. (Pub. No.: US 2016/0119304 A1; hereinafter Lelcuk) in view of Smith et al. (Pub. No.: US 2007/0208641 A1; hereinafter Smith).
Regarding claims 2, 9 and 15, Lelcuk discloses a server system, comprising:
a processor; and a non-transitory computer-readable medium having stored thereon instructions that are executable to cause the system to perform operations (para [0019] processor and memory to store instruction and executing) comprising:
receiving a request at the server system, wherein the request comprises a download request for a webpage to a user computing device, and wherein the request was issued using a web browser application executing on the user computing device (para [0010]-[0012],[0030]-[0040], Figs.1-2,4-7, "The server 220 maybe , but is not limited to, a web server, an application server, and the like"; "requests a redirected to the protected server"; the request is via browser);
transmitting, in response to the request, the webpage and an interceptor code that is included in web script code for the webpage, wherein the web script code for the webpage is configured to cause the web browser application executing on the user computing device to perform operations (para [0010]-[0012], [0030]-[0040), [0042]-[0044], Figs. 1-2, 4-7; "security system 150 intercepts requests (HTTP/HTTPS requests) generated by the client 110 and/or attack tool", “the security system 150 generates an authentication challenge that is difficult for the attack tool 140 to pass, but is not difficult for a legitimate client such as, e.g., client 110, running a web browser"; “the security system 150 intercepts a request directed to the server 120 and returns a response with a piece of JavaScript code");
generating an interceptor from the interceptor code, wherein the interceptor is configured to authenticate subsequent dynamic web content requests that update portions of the received webpage without refreshing an entirety of the webpage (para [0010]-[0012], [0030][0040], [0042]-[0044], Figs. 1-2, 4-7);
issuing, using the web script code, a dynamic web content request to the server system, wherein a response by the server system to the dynamic web content request is configured to update a portion of the webpage when received by the web browser application (para [0010]-[0012], [0030]-[0040], [0060],[0065]-"security system 250 is communicatively connected in-line with the server 220 (i.e., an in-line deployment). The security system 250 is configured to receive or otherwise intercept requests (HTTP/HTTPS requests) generated by the client 210 and/or by the attack tool 240. The requests are directed to the protected server"; "different challenge machines 270 can be utilized to generate different types of authentication challenges and/or different versions of the same type of authentication challenges. For example, a challenge machine 270 can generate a JavaScript challenge that requires a user input from a first type (e.g., moving a mouse), a challenge machine270 can generate JavaScript challenge that requires a user input from a second type (e.g., entering a CAPTCHA text), a challenge machine 270 can generate JavaScript challenge that only redirects the traffic to a different URL, and a challenge machine 270 can generate a polymorphic JavaScript challenge. In one embodiment, a single challenge machine 270 can generate different types of challenges”, “challenges are embedded in script code that can be executed by a legitimate client machine. The script code can be programmed to perform a page refresh or to allow redirection of the client to the URL of the protected server’);
in response to issuing the dynamic web content request, receiving a challenge from the server system (para [0010]-[0012], [0030]-[0040], [0060], Figs. 1-2, 4-7 receiving of the challenge); 
intercepting the challenge using the interceptor (para [0010]-[0012], [0030]-[0040], [0042]-[0044], Figs. 1-2, 4-7 "the security system 250 is configured to send a redirect script to the client 210 re directing the client's browser to one of the challenge machines 270. A redirect script may be realized as an AJAX call. The redirect script includes a set of parameters required to generate an authentication object by the challenge machine 270 to which the client is directed to");
rendering the challenge on a display of the user computing device (para [0010]-[0012], [0030]-[0040],[0042]-[0044], Figs. 1-2, 4-7 “the security system 150  intercepts a request directed to the server 120 and returns a response with a piece of JavaScript code. The client 110 or an attack tool 140 receiving the request should include a web browser that can parse and run the JavaScript code embedded in the response. Execution of the JavaScript code on the web browser causes either redirection to a different URL or the user to perform an action (such as providing an input, moving the mouse, and so on)"; “challenge machine 270 which the client is directed to challenges the unauthenticated client 210 using an authentication challenge. The authentication challenge used is the challenge that the respective challenge machine 270 is configured with upon successful! authentication, the unauthenticated client is forwarded to the protected server’); and 
transmitting a challenge reply to the server system; validating, by the server system, the challenge reply from the user computing device; and in response to the validating, the server system transmitting a dynamic web content response that updates the portion of the webpage (para [0051], Figs. 1-2, 4-7 “the challenge machine270 responds to the request of the client 210 by sending an authentication challenge to the client 210 to get the an authentication object generated by the machine 270. At 307, the client 210 sends a notification back to the machine 270 in response to the requested challenge. The notification may include, for example, an action (e.g., Mouse movement) that is required to pass the challenge"); (para [0052], [0065], Figs. 1-2, 4-7 "If the client 210 passes the challenge, at S308, the client 210 is redirected back to the original requested URL with an authentication object prepared by the challenge machine 270. At S309, upon the security system 250 receiving the authentication object from the client 210 and validation of such object, the client is marked as legitimate and subsequent requests coming from the client 210 will be forwarded to the protected server.”, “challenges are embedded in script code that can be executed by a legitimate client machine. The script code can be programmed to perform a page refresh or to allow redirection of the client to the URL of the protected server (original URL) and to send a notification call to the machine 270, if the client passes the challenges, such as the script code is JavaScript").
Lelcuk teaches optimizing segregation between human-operated clients and machine-operated clients accessing computing resources, comprises receiving, from a client, an authentication request, wherein the authentication request is received in response to a redirect request sent from a remote server to the client; dynamically selecting at least one authentication challenge from a plurality of different authentication challenges; sending the at least one generated authentication challenge to the client; determining whether a notification call is received from the client during a predefined time interval; and upon receiving the notification call during the predefined time interval, confirming that the client passes the authentication challenge, wherein a client that passes the authentication challenge is a human-operated client and refresh of the webpage. Lelcuk does not explicitly discloses updating portion of the webpage; however, in a related and analogous art, Smith teaches this feature.
In particular, Smith teaches a system capable of updating a portion of a webpage without re-loading the entire page, such as text, images, contents, etc.,. It would have been obvious before the effective filing date of the claimed invention to modify Lelcuk in view of Smith with the motivation to reduce graphics and bandwidth resources usage.

Regarding claims 3, 10 and 17, Lelcuk-smith combination discloses wherein the operations further comprise:
selecting the challenge from a challenge content store accessible to the server system (para [0010]-[0012], [0030]-[0040],[0042]-[0044], Figs. 1-2, 4-7 “the security system 150  intercepts a request directed to the server 120 and returns a response with a piece of JavaScript code. The client 110 or an attack tool 140 receiving the request should include a web browser that can parse and run the JavaScript code embedded in the response. Execution of the JavaScript code on the web browser causes either redirection to a different URL or the user to perform an action (such as providing an input, moving the mouse, and so on)"; “challenge machine 270 which the client is directed to challenges the unauthenticated client 210 using an authentication challenge. The authentication challenge used is the challenge that the respective challenge machine 270 is configured with upon successful! authentication, the unauthenticated client is forwarded to the protected server’).

Regarding claims 4, 11 and 18, Lelcuk-smith combination discloses wherein the selected challenge includes image content displayable to a user via the user computing device (CAPTCHA or image [Lelcuk; ¶5, 39]).

Regarding claims 5 and 20, Lelcuk-smith combination discloses wherein the selected challenge comprises a silent challenge that is not displayed to a user via the user computing device (CAPTCHA or image [Lelcuk; ¶5, 39]).

Regarding claims 6, 13 and 19, Lelcuk-smith combination discloses wherein the operations further comprise: selecting the challenge from the challenge content store by making a call via a computer network to a remote third party server corresponding to the challenge content store (making call or CAPTCHA features [Lelcuk; Abstract, ¶5, 18, 39]).

Regarding claims 7 and 14, Lelcuk-smith combination discloses wherein the dynamic web content request is an asynchronous JavaScript and extensible (AJAX) request (AJAX [Lelcuk; ¶43, 63]).

Regarding claim 8, Lelcuk-smith combination discloses wherein the interceptor code is in a JavaScript language (JavaScript language [Lelcuk; ¶10-12, 42-44, 65]).

Regarding claim 12, Lelcuk-smith combination discloses wherein the selected challenge comprises a computational challenge comprising an executable algorithm (algorithm used in CAPTCHA matching if similar via threshold and response time (CAPTCHA or image [Lelcuk; ¶5, 39]).

Regarding claim 16, Lelcuk-smith combination discloses wherein the challenge comprises a CAPTCHA challenge (CAPTCHA or image [Lelcuk; ¶5, 39]).

Regarding claim 21, Lelcuk-smith combination discloses wherein the challenge is in a Java Script Object Notation (JSON) format (JavaScript language [Lelcuk; ¶10-12, 42-44, 63, 65]).

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http:ljwww.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Conclusion
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998.  The examiner can normally be reached on 7:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/DAO Q HO/Primary Examiner, Art Unit 2432