DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see Remarks, filed 07/14/2022, with respect to the rejection(s) of independent claims 1, 9 and 17 under 35 USC § 103 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. 
The amendments to claim 9 and its dependent claims 10-16 to overcome the rejection under 35 USC § 101 have been fully considered, and found persuasive. Thus, the rejection of claim 9 and its dependent claims 10-16 under 35 USC § 101 is withdrawn.
Claim Objections
Claim 3, the sentence “correlate the or more mapping components” should read “correlate the one or more mapping components”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 9-10 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2018/0097828 A1 to Coskun, US-PGPUB No. 2008/0276319 A1 to Rittermann, and further in view of US-PGPUB No. 2015/0215325 A1 to Ogawa
Regarding claim 1:
Coskun discloses:
A computer-implemented method for identifying suspect Internet Protocol (IP) addresses (¶05: “… a method … for automatically determining malicious IP clusters …”), the method comprising: 
obtaining a set of login pairs comprising user identifiers and IP addresses used in attempts to login to a source (See Coskun ¶102: “… a data set of account access logs comprising IP addresses associated with access activity to a network account(s) or platform(s) are identified.”, and ¶104: “… the IP address and the anonymized account ID from each login event is utilized …”, see also Fig. 4 step 402);
determining that a particular IP cluster exceeds a threshold amount of IP addresses (see Coskun ¶107: “… engine 300 automatically determines clusters of IP addresses … a cluster of IP addresses at or below a threshold amount can be automatically ignored—e.g., removed from the determined clusters.”);  
designating each of the IP addresses within the particular IP cluster as a suspect IP address based on the particular IP cluster exceeding the threshold amount of IP addresses (see Coskun ¶37: “… a determination is made regarding which IP clusters (and/or … individual IP addresses in the clusters) are malicious. Such malicious determination can be based on which IP addresses/clusters are within the IP blacklist …”, and ¶107: “… a cluster of IP addresses at or below a threshold amount can be automatically ignored …”).
However, Coskun fails to explicitly disclose the following limitations taught by Rittermann:
 generating a first mapping (Rittermann, ¶86: “… obtaining first data …”)  from the set of login pairs (Rittermann, ¶81: “… user name login/IP address data …”) comprising a first plurality of mapping components, wherein each mapping component of the first plurality of mapping components comprises (Rittermann, ¶86: “… associates user names with individual IP addresses …”) one user identifier (Rittermann, ¶86: “… a user name …”) and one or more IP addresses corresponding to the user identifier (Rittermann, ¶86: “… individual IP addresses onto which the user names were logged in.”) (Rittermann, ¶86: “… a method performed by a computer system, for determining a user name likely to be associated with an attack, a configuration. The method includes obtaining first data which associates user names with individual IP addresses onto which the user names were logged in.”); 
generating a second mapping (Rittermann, ¶86: “… obtaining second data …”) from the set of login pairs (Rittermann, ¶81: “… user name login/IP address data …”) comprising a second plurality of mapping components, wherein each mapping component of the second plurality of mapping components (Rittermann, ¶86: “… associating the user names from the first data with the attacks … from the second data based on having the same IP address during a log-in.”) comprises one IP address (Rittermann, ¶86: “… the same IP address …”) and one or more user identifiers corresponding to the IP address (Rittermann, ¶86: “… the method includes associating the usernames from the first data with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in.”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Coskun to incorporate the functionality of the attack/configuration/vulnerability/user name correlator to associate user names with IP addresses and vice versa, as disclosed by Rittermann. Such modification would allow the system to detect malicious users from login pairs, which comprise user identifiers and IP addresses, and would help determine which user name was logged on to that IP address during the time of the attack or vulnerability and indicate that user name (which was logged on that IP address) as being associated with the attack or vulnerability, and thus would provide the system with attack/vulnerability information to take appropriate actions to avoid malicious/suspicious activities.
The combination of Coskun and Rittermann teaches:
generating a set of IP clusters (Coskun, ¶107: “In Step 410, engine 300 automatically determines clusters of IP addresses …”) using the set of login pairs (Coskun, ¶102: “… Step 402 … a data set of account access logs comprising IP addresses associated with access activity to a network account(s) or platform(s) are identified.”) based on a correlation of one or more mapping components of the first mapping to one or more mapping components of the second mapping (Coskun, ¶103: “In Step 404, a graph of IP addresses is constructed based on the access activity of each IP address in the identified access log.”),
However, the combination of Coskun and Rittermann does not explicitly disclose the following limitation taught by Ogawa:
wherein each IP cluster includes one or more IP addresses identified as related based on a user identifier being used to attempt to login to the source via multiple IP addresses (Ogawa, ¶21: “… if multiple IP addresses have been used to log into the same user account or use the same employee credentials. …”) or an IP address being used to attempt to login to the source via multiple user identifiers (Ogawa, ¶21: “… detecting suspicious actions based on evaluating whether the same IP address has been used to log into multiple different user accounts or use multiple employee credentials, or if multiple IP addresses have been used to log into the same user account or use the same employee credentials.”, see also Fig. 15);  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Coskun and Rittermann to incorporate the functionality of the active receiver module to monitor the activity of an IP address to determine if the activity of the IP address includes logging into a number of different accounts, or if different IP addresses attempt to access the same user account, and run a clustering algorithm to generate IP clusters, as disclosed by Ogawa. Such modification would allow the system to detect suspicious activities from login attempts and implement authentication procedures (multi-factor or challenge-response) as required.
Regarding claim 2:
The combination of Coskun, Rittermann and Ogawa discloses:
The computer-implemented method of claim 1, wherein the source comprises a website or an application (Coskun ¶34: “… attackers often use a group of IP addresses to log into compromised web accounts to carry out various malicious tasks.”, and ¶41: “A web-enabled mobile device may include a browser application that is configured to receive and to send web pages …”).
Regarding claim 3:
The combination of Coskun, Rittermann and Ogawa discloses: 
The computer-implemented method of claim 1, wherein the set of IP clusters is generated by: 
alternately traversing between the first mapping and the second mapping to correlate the or more mapping components of the first mapping to the one or more mapping components of the second mapping (Rittermann, ¶34: “The attack/configuration/vulnerability/user name correlator 131 can associate a user name from the first data, with an attack, or a configuration, or a vulnerability from the second data. The correlation can be made by referring, in the second data, to an attack, configuration, or vulnerability and IP address associated therewith, as well as the time of the attack, configuration, or vulnerability. Then, the correlator 131 can determine which user name was logged on to that IP address during the time of the attack, configuration or vulnerability; and the correlator 131 can indicate that user name (which was logged on that IP address) as being associated with the attack, configuration, or vulnerability from the second data. The correlator 131 can perform this association in reverse, that is, beginning with the attack, configuration, or vulnerability on an IP address, and can determine the user which was logged on that IP address at that time. The correlator 131 can perform this association repetitively, for example, when new attacks, configurations, or vulnerabilities are received in the first data, or when new users are received in the first data. The user name/attack/vulnerability/configuration association data 135 can store each user name from the first data, which was logged on that IP address, which was determined to be associated with the attack, configuration, or vulnerability from the second data, for example, as a list or addressable database.”).
The same motivation as applied to claim 1, with regards to Rittermann, applies to claim 3.
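The clustering that claims 1 and 3 recite can be illustrated with the following added example, which is not code from the application or from any cited reference. It builds the two mappings from login pairs, alternates between them to grow each IP cluster, and designates as suspect every IP address in a cluster that exceeds a threshold; the sample data, the function names and the threshold value of 3 are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample login pairs (user identifier, source IP). The addresses
# are taken from the RFC 5737 documentation ranges; none of this is real data.
SAMPLE_LOGIN_PAIRS = [
    ("alice", "192.0.2.10"),
    ("alice", "192.0.2.11"),
    ("bob", "192.0.2.11"),
    ("bob", "192.0.2.12"),
    ("carol", "192.0.2.12"),
    ("carol", "192.0.2.13"),
    ("dave", "198.51.100.7"),
    ("erin", "203.0.113.5"),
    ("erin", "203.0.113.6"),
]


def build_mappings(login_pairs):
    """First mapping: user -> set of IPs. Second mapping: IP -> set of users."""
    user_to_ips = defaultdict(set)
    ip_to_users = defaultdict(set)
    for user, ip in login_pairs:
        user_to_ips[user].add(ip)
        ip_to_users[ip].add(user)
    return user_to_ips, ip_to_users


def cluster_ips(login_pairs):
    """Group IPs linked through shared users by alternating between the mappings."""
    user_to_ips, ip_to_users = build_mappings(login_pairs)
    seen_ips, seen_users, clusters = set(), set(), []
    for start_ip in sorted(ip_to_users):
        if start_ip in seen_ips:
            continue
        cluster, frontier = set(), [start_ip]
        seen_ips.add(start_ip)
        while frontier:
            ip = frontier.pop()
            cluster.add(ip)
            # Hop IP -> users (second mapping), then user -> IPs (first mapping).
            for user in ip_to_users[ip]:
                if user in seen_users:
                    continue
                seen_users.add(user)
                for next_ip in user_to_ips[user]:
                    if next_ip not in seen_ips:
                        seen_ips.add(next_ip)
                        frontier.append(next_ip)
        clusters.append(cluster)
    return clusters


def suspect_ips(login_pairs, threshold):
    """Return every IP in a cluster whose size exceeds `threshold` (assumed value)."""
    suspects = set()
    for cluster in cluster_ips(login_pairs):
        if len(cluster) > threshold:
            suspects |= cluster
    return suspects


if __name__ == "__main__":
    for cluster in cluster_ips(SAMPLE_LOGIN_PAIRS):
        print(sorted(cluster))
    print("suspect:", sorted(suspect_ips(SAMPLE_LOGIN_PAIRS, threshold=3)))
```

In the sample, 192.0.2.11 and 192.0.2.12 each link two users, so the four 192.0.2.x addresses end up in one cluster even though no single user touched all of them.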
Regarding claim 4:
The combination of Coskun, Rittermann and Ogawa discloses:
The computer-implemented method of claim 1, wherein the threshold amount of IP addresses is predetermined as a number of IP addresses that indicates a botnet (Coskun ¶80: “Groups of IP addresses performing or associated with malicious activity may belong to compromised hosts (e.g., botnets) … they often exhibit common traits specific to the group they are in … Such similarities allow organizations at the receiving end of a malicious activity to cluster these IP addresses together.”, and ¶97: “… the optimal threshold for proposed clustering scheme can be set, selected, determined or otherwise identified …”).
Regarding claim 5: 
The combination of Coskun, Rittermann and Ogawa discloses:
The computer-implemented method of claim 1 further adding each of the IP addresses within the particular IP cluster to an IP blacklist (Coskun ¶03: “… systems and methods for accurately distinguishing malicious clusters of IP addresses from benign ones through implementation of an IP blacklist, which can be dynamically updated …”, and ¶127: “… to improve defenses is to block IP addresses in identified malicious clusters next time they come around, thereby turning malicious IP clusters into essentially an extended blacklist.”).
Regarding claim 6:
The combination of Coskun, Rittermann and Ogawa discloses:
The computer-implemented method of claim 5, wherein the IP blacklist is used to provide secure logins to the source (Coskun ¶129: “… a system which decides whether an incoming login attempt is suspicious or not, and provides additional authentication challenges to suspicious attempts, can additionally employ features associated with the labeled IP addresses/clusters from engine 300's results. Such features can include, but are not limited to, information indicating that the IP addresses/clusters are “is in a malicious cluster” or “fraction of blacklisted IP addresses in the cluster that IP address belongs to”, and the like.”). 
Regarding claim 9: 
The combination of Coskun, Rittermann and Ogawa discloses:
enhancing login security for a subsequent login attempt made in association with an IP address of the IP cluster based on the determination that the IP cluster exceeds the threshold amount of IP addresses (Coskun ¶129: “… a system which decides whether an incoming login attempt is suspicious or not, and provides additional authentication challenges to suspicious attempts, can additionally employ features associated with the labeled IP addresses/clusters …”). 
In addition to the above limitation, claim 9 recites substantially the same limitations as claim 1 in the form of computer-readable media having a plurality of executable instructions to execute the corresponding method; therefore, it is rejected under the same rationale.
Regarding claim 10: 
Claim 10 recites substantially the same limitations as claim 3 in the form of computer-readable media having a plurality of executable instructions to execute the corresponding method; therefore, it is rejected under the same rationale.
Regarding claims 15 and 16: 
Claims 15 and 16 recite substantially the same limitations as claims 5 and 4, respectively, in the form of computer-readable media having a plurality of executable instructions to execute the corresponding method; therefore, they are rejected under the same rationale.
Regarding claims 17 and 19:
Claims 17 and 19 recite substantially the same limitations as claims 1 and 6, respectively, in the form of computer-readable storage media having instructions stored thereon to execute the corresponding method; therefore, they are rejected under the same rationale.
Regarding claim 18:
Claim 18 recites substantially the same limitation as one of the limitations under claim 9 (enhancing login security for a subsequent login attempt …), in the form of computer-readable storage media having instructions stored thereon to execute the corresponding method; therefore, it is rejected under the same rationale.
Claims 7-8, 13-14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Coskun, Rittermann, Ogawa, and further in view of US-PGPUB No. 20100186066 A1 to Pollard
Regarding claim 7:
The combination of Coskun, Rittermann and Ogawa discloses: 
 The computer-implemented method of claim 1 further comprising: 
detecting a subsequent login attempt made via one of the suspect IP addresses (Coskun ¶129: “… a system which decides whether an incoming login attempt is suspicious or not, and provides additional authentication challenges to suspicious attempts …”); 
However, the combination of Coskun, Rittermann and Ogawa does not explicitly disclose the following limitation taught by Pollard:
and initiating a multi-factor authentication based on the subsequent login attempt being made via the one of the suspect IP addresses. (Pollard ¶117: “Various known and/or proprietary authentication techniques are contemplated, including the use of digital certificates, password-oriented approaches (e.g., one-time passwords, PIN numbers), challenge-response architectures, multi-factor authentication (e.g., utilizing biometrics), etc.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Coskun, Rittermann and Ogawa to incorporate the functionality of the authentication engine, which provides functions for authenticating or otherwise establishing the identity of the various components and/or systems, and to implement known and/or proprietary authentication techniques, as disclosed by Pollard. Such modification would provide an additional layer of security to protect the system from malicious login attempts.
Regarding claim 8: 
The combination of Coskun, Rittermann and Ogawa discloses:
The computer-implemented method of claim 1 further comprising: 
 detecting a subsequent login attempt made via one of the suspect IP addresses (see Coskun ¶129: “… a system which decides whether an incoming login attempt is suspicious or not, and provides additional authentication challenges to suspicious attempts …”); 
However, the combination of Coskun, Rittermann and Ogawa fails to explicitly disclose the following limitation taught by Pollard:
initiating a challenge-response authentication based on the subsequent login attempt being made via the one of the suspect IP addresses (Pollard ¶117: “Various known and/or proprietary authentication techniques are contemplated, including the use of digital certificates, password-oriented approaches (e.g., one-time passwords, PIN numbers), challenge-response architectures, multi-factor authentication (e.g., utilizing biometrics), etc.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Coskun, Rittermann and Ogawa to incorporate the functionality of the authentication engine, which provides functions for authenticating or otherwise establishing the identity of the various components and/or systems, and to implement known and/or proprietary authentication techniques, as disclosed by Pollard. Such modification would provide an additional layer of security to protect the system from malicious login attempts.
Regarding claim 13:
Claim 13 recites substantially the same limitation as one of the limitations under claim 7 (“initiating a multi-factor authentication…”), in the form of computer-readable media having a plurality of executable instructions to execute the corresponding method; therefore, it is rejected under the same rationale.
Regarding claim 14:
Claim 14 recites substantially the same limitation as one of the limitations under claim 8 (“initiating a challenge-response authentication…”), in the form of computer-readable media having a plurality of executable instructions to execute the corresponding method; therefore, it is rejected under the same rationale.
Regarding claim 20:
Claim 20 recites substantially the same limitation as the partial combination of claims 7 (“initiating a multi-factor authentication…”) and 8 (“initiating a challenge-response authentication…”), in the form of a computing system comprising non-transitory computer-readable storage media having instructions stored thereon to execute the corresponding method; therefore, it is rejected under the same rationale.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Coskun, Rittermann, Ogawa, and further in view of US-PGPUB No. 2020/0112562 A1 to Hearty et al. (hereinafter “Hearty”)
Regarding claim 11: 
The combination of Coskun, Rittermann and Ogawa discloses the one or more non-transitory computer-readable media of claim 9, but fails to explicitly disclose the following limitation taught by Hearty:
wherein the third IP address is in a first IP cluster with the first IP address and is in a second IP cluster with the second IP address (Hearty, ¶57: “FIG. 8 illustrates a diagram 800 of IP address clusters. … Each of the IP address clusters 805-830 includes one or more, and often a plurality, of IP addresses that are associated with one another. … the fifth IP address cluster 825 and the sixth IP address cluster 830 are connected to one another by a common IP address 840.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Coskun, Rittermann and Ogawa to incorporate the functionality of the system to identify individual IP clusters by filtering out IP addresses that are heavily connected and determine if an IP address belongs to two or more clusters, as disclosed by Hearty. Such modification would allow the system to identify similar clusters and merge those similar clusters into a cluster, thus reducing the number of clusters and obtaining the expected benefits of fewer clusters, such as increased performance, while determining suspicious login activities.
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Coskun, Rittermann, Ogawa, and further in view of US-PGPUB No. 20120084860 A1 to Cao et al. (hereinafter “Cao”)
Regarding claim 12:
The combination of Coskun, Rittermann and Ogawa discloses the one or more non-transitory computer-readable media of claim 9, but fails to explicitly disclose the following limitation taught by Cao:
wherein the third IP address is in a first IP cluster with the first IP address and is in a second IP cluster with the second IP address, and wherein the first IP cluster and the second IP cluster are aggregated to generate the IP cluster based on the third IP address being in the first IP cluster and the second IP cluster (Cao ¶77: “… clusters are agglomerated (or "merged") using the similarity metric of Equation (1), to find the greatest similarity between … domain names queried by an IP address in the first cluster and … domain names queried by an IP address in the second cluster to which the IP address in the first cluster is the most similar … the two clusters found to have the greatest similarity based on Equation (1) are combined to form one larger cluster (also referred to as a hierarchical grouping).”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Coskun, Rittermann and Ogawa to incorporate the functionality of the agglomerative hierarchical clustering (AHC) method, which implements a co-clustering algorithm for IP addresses and domain names to generate multi-level hierarchical groupings (i.e., clusters) of IP addresses in a graph based on similarities between domain names queried by the IP addresses, as disclosed by Cao. Such modification would allow the system to determine similarities between IP addresses, generate IP clusters, and aggregate clusters based on similarities, thus reducing the number of clusters and obtaining the expected benefits of fewer clusters, such as increased performance, while determining suspicious login activities.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Oro Garcia et al. (US-PGPUB No. 2012/0167210 A1) - disclosed a system and a method for determining the reliability of blacklists and the likelihood of botnet infection of a given IP address that corresponds to an Internet host.
Murphy (US-PGPUB No. 2018/0097840 A1) - disclosed techniques for detection of compromised credentials as a network service and to protect networks from unauthorized access while permitting authorized communications to pass through a firewall.
Hayman et al. (US-PGPUB No. 2020/0074439 A1) - disclosed a method which obtains a login history comprising a plurality of timestamps and a plurality of internet protocol (IP) addresses corresponding to a plurality of logins by a user and determines a plurality of clusters for the plurality of coordinates based on distances between the plurality of coordinates.
Herbert (USPAT 11032315 B2) - disclosed an intrusion detection system that monitors a computing system for suspicious activity.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491