DETAILED ACTION
The following claims are pending in this office action: 1-21
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 03/24/2021 are accepted.  
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/24/2021 has been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed 03/24/2021 is attached to the instant Office action. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claims 8-14 do not fall within at least one of the four categories of patent eligible subject matter because, using the broadest reasonable interpretation, the claims are directed to software per se.  Claims 1-11 recite “a system for detecting an unapproved use of a computing device of a user, comprising: at least one processor”.  However, the specification of the instant application states “The system 200 … where some of the functionality of the system means is realized by software”. See para. 0027. Nothing in the specification limits the functionality claimed to be implemented by hardware processors instead of virtual/software processors.  The Examiner suggests that the Applicant change ln. 2 of claim 8 to “at least one hardware processor configured to:…”.
Claims 15-21 do not fall within at least one of the four categories of patent eligible subject matter because, using the broadest reasonable interpretation, the claims are directed to software per se.  Claims 15-21 recite “a non-transitory computer readable medium storing thereon computer executable instructions…”.  However, the specification of the instant application states “the computer readable storage medium can be a tangible device”.  See para. 0077.  Nothing in the specification limits the non-transitory computer readable medium to be non-transitory, but intangible software functions (computer readable medium) persisting in memory.  The Examiner suggests that the Applicant change the preamble of claim 15 to read “A non-transitory computer readable hardware memory storing thereon…”.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-10, 13-17, and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Stoletny (US Patent No. 10,599,834) (hereinafter “Stoletny”) in view of Hazay et al. (US Pub. 2019/0364057).

As per claim 1, Stoletny teaches a method for detecting an unapproved use of a computing device of a user, the method comprising: detecting, by a security application, a script executing in a browser on the computing device of the user; ([Stoletny, col. 6, ln. 7-10] “the user device 110 [the computing device of the user] having browser 114 executing a protected published webpage content 123 that has the ability to detect malicious code existing in internet advertisements [a script executing in a browser]”; [col. 9, ln. 21-23] “the malicious code 155 existing in a third party internet malicious creative 154 is detected by the executing protection code 182 [the security application] executed at 210”)
intercepting, by the security application, messages ([Stoletny, col. 6, ln. 22-25] “the sandbox 184 may be used by the code 182 to detect and/or intercept malicious code 155, such as immediate and/or deferred types of unwanted action [messages] requested by the malicious code 155”) being exchanged during an interaction of the script with a server, wherein the intercepted messages comprise at least one of messages sent from the script to the server ([col. 8, ln. 6-13] “The malicious actors or advertiser 150, however, will typically include additional pixels or calls to notify and track their own servers [an interaction with a server, and message sent from the script to the server] about how the malicious code is executed [of the script] on the user devices and collect additional data… code 182 may initialize various interceptors…”) and from the server to the script; ([col. 12, ln. 14-23] “a second process for receiving and rendering ads is document.write 312, where content of the malicious creative 154 is received from an outside source [server, and an interaction] such as an ad server and then is written into a webpage using this document.write method … here, document.write interceptor 170 of executing protection code 182 will monitor for and intercept this process … to detect and intercept execution of code 155 [message] of the malicious creative 154 [script]”)
Stoletny does not clearly teach analyzing, by the security application, the intercepted messages to determine whether or not attributes of an unapproved use of resources of the computing device of the user are present; and detecting, by the security application, the unapproved use of the resources of the computing device of the user when at least one of said attributes is detected.
However, Hazay teaches analyzing, by the security application, the intercepted messages ([Hazay, para. 0028] “The Application Detection Unit 144 [a security application – see para. 0058: embodiments are implemented using code] may utilize one or more sub-units or modules to perform detection or identification [analysis] of the application or “app” or program that is associated with a packet or with a stream-of-packets [intercepted messages]”) to determine whether or not attributes ([para. 0029] “analyzing the network activity [attributes] of this particular end-user device… may enable the system to determine or to confirm whether this is … cryptocurrency mining activity”) of an unapproved use of resources of the computing device of the user are present; and ([para. 0016] “the cryptocurrency mining activity, typically through or within the web-browser on the end-user device, and by utilizing the processing power and the energy consumption [unapproved use of resources] of the end-user device for the benefit of a remote attacker”)
detecting, by the security application, the unapproved use of the resources of the computing device of the user when at least one of said attributes is detected. ([Hazay, para. 0030] “trigger(s) for detection of cryptocurrency mining bot activity [unapproved use of the resources] may be detection of … a specific end-user device started performing communications on the network [at least one of said attributes, as an attribute is network activity of the device] that are identified as being related to, or being part of, cryptocurrency mining operations”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stoletny with the teachings of Hazay to include analyzing, by the security application, the intercepted messages to determine whether or not attributes of an unapproved use of resources of the computing device of the user are present; and detecting, by the security application, the unapproved use of the resources of the computing device of the user when at least one of said attributes is detected.  One of ordinary skill in the art would have been motivated to make this modification because by analyzing network traffic [messages] methods may detect and/or pin-point the malicious website/web-server that caused the infection and the malicious command & control entities to perform remedial actions or correction actions or damage-reducing actions.  (Hazay, para. 0017; para. 0003)

As per claim 2, Stoletny in view of Hazay teaches claim 1.  
Stoletny does not clearly teach analyzing, by the security application, the script, wherein the detection of the unapproved use of the resources is further based on the analysis of the script. 
However, Hazay teaches analyzing, by the security application, the script, wherein the detection of the unapproved use of the resources is further based on the analysis of the script. ([Hazay, para. 0035] “detection of cryptocurrency mining activity may be detected by the network probe(s) [activity that is analyzed by the application detection unit, and so by the security application – see para. 0027] … finding [analysis] a sequence of communications… For example…  various cryptocurrency mining protocols [script] …such as the Stratum protocol [example of a particular script]”; also see para. 0037-0042 where portions of the script for unapproved use of the resources is disclosed including code for establishing the connection, code for notification of mining jobs, and code for submitting shares, and para. 0043 where examples of additional segments of scripts are disclosed) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stoletny with the teachings of Hazay to include analyzing, by the security application, the script, wherein the detection of the unapproved use of the resources is further based on the analysis of the script.  One of ordinary skill in the art would have been motivated to make this modification because conventional systems fail to … pin-point a malicious web-server that injects the cryptocurrency mining code, so this system, by utilizing the cryptocurrency mining protocol method/script detects the miner-server communication flow thereby pinpointing the server.  (Hazay, para. 0013; para. 0043)

As per claim 3, Stoletny in view of Hazay teaches claim 1.  
Stoletny also teaches wherein the unapproved use of the resources of the computing device of the user comprises using, by the script, the resources of the computing device for mining of cryptocurrency.  ([Stoletny, col. 11, ln. 6-17] “browser 114 loads or renders “malware” [using the resources] … code or content [by the script] may be malicious and … has the ability to mine cryptocurrency in the background”)

As per claim 6, Stoletny in view of Hazay teaches claim 1.  
Stoletny also teaches wherein the script being executed in the browser is detected using a plugin.  ([Stoletny, col. 6, ln. 44-50] “code 182 having or executing browser sandbox 186 which may be a … plugin executing malicious creative 154 with code 155. The sandbox 186 may be used by the code 182 to detect … malicious code 155”)

As per claim 7, Stoletny in view of Hazay teaches claim 1.  
Stoletny does not clearly teach wherein the intercepted messages comprise messages that are exchanged in accordance with a communication protocol over a TCP connection. 
However, Hazay teaches wherein the intercepted messages comprise messages that are exchanged in accordance with a communication protocol over a TCP connection. ([Hazay, para. 0088] “the analyzing [from packets intercepted/collected by network probes – see para. 0023] comprises analyzing of cellular data packets in TCP/IP format”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stoletny with the teachings of Hazay to include wherein the intercepted messages comprise messages that are exchanged in accordance with a communication protocol over a TCP connection.  One of ordinary skill in the art would have been motivated to make this modification because by analyzing network traffic [messages, and in this case, TCP messages] methods may detect and/or pin-point the malicious website/web-server that caused the infection and the malicious command & control entities to perform remedial actions or correction actions or damage-reducing actions.  (Hazay, para. 0017; para. 0003)

As per claim 8, Stoletny teaches a system for detecting an unapproved use of a computing device of a user, comprising: at least one processor.  ([Stoletny, col. 26, ln. 4-15] “The computing device 500 may be representative of any of the components of system 100, such as device 110. The computing device 500 may include software and/or hardware for providing functionality and features described herein. The computing device 500 may … include one or more …processors”)
The system claim comprises a processor that performs the steps of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.  

As per claim 9, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 10, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 13, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 14, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

As per claim 15, Stoletny teaches a non-transitory computer readable medium storing thereon computer executable instructions for detecting an unapproved use of a computer device of a user. ([Stoletny, col. 26, ln. 23-24] “The computing device 500 has… storage 514 [a non-transitory computer readable medium]”; [col. 26, ln. 41-55] “the storage 514 provides non-volatile, bulk or long-term storage of data or instructions in the computing device 500, such as … code 182… and explicitly exclude transitory media”)
The non-transitory computer readable medium performs the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and is rejected with the same rationale applied against claim 1.  

As per claim 16, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 17, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 20, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 21, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

Claims 4-5, 11-12, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Stoletny in view of Hazay as applied to claim 1, 8, and 15 above and further in view of Roy et al. (US Pub. 2020/0137084).  

As per claim 4, Stoletny in view of Hazay teaches claim 1.  
Stoletny also teaches wherein the attribute of the unapproved use of the resources of the computing device of the user comprises at least one of: an attribute based on a content of a website opened using the browser, wherein the opening of the websites resulted in the execution of the script; ([Stoletny, col. 8, ln. 36-44] “a user requested protected publisher webpage is received and executed [opened, and opening of the website], such as by … the browser”… “The webpage may be or include content 123 …. [which] has call 127 [resulted in execution of the script] … for the malicious creative 154… having malicious code 155 [an attribute of the unapproved use of the resources] existing in the malicious creative”)
an attribute based on a category of a web site opened using the browser, wherein the opening of the website resulted in the execution of the script. ([Stoletny, col. 19, ln. 55-59] “code 182 may proxy [opening] cross-origin iframes [the web site/page, opened using a browser as taught above] and scripts [opening the website results in execution of the script as taught above] … and then build a dynamic iframe [an attribute based on a web site/page] … blacklist [based on a category]”)
Stoletny does not clearly teach an attribute associated with the script obtaining an obfuscated code; an attribute associated with the script obtaining a code in a BASE64 format; an attribute based on a predetermined sequence of bytes or strings being detected in the intercepted messages; an attribute based on a category of the external server from which the script received the obfuscated code; and an attribute based on a category of a web site opened using the browser, wherein the opening of the website resulted in the execution of the script.
However, Hazay teaches an attribute based on a predetermined sequence of bytes or strings being detected in the intercepted messages.  ([Hazay, para. 0035] “detection of cryptocurrency mining activity may be detected by the…sequence of communications [a sequence of bytes or strings, and intercepted messages – see para. 0023]…such as the Stratum protocol [predetermined as the protocol is selected beforehand]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stoletny with the teachings of Hazay to include an attribute based on a predetermined sequence of bytes or strings being detected in the intercepted messages.  One of ordinary skill in the art would have been motivated to make this modification because by analyzing network traffic [messages, and in this case, sequence of bytes or strings] methods may detect and/or pin-point the malicious website/web-server that caused the infection and the malicious command & control entities to perform remedial actions or correction actions or damage-reducing actions.  (Hazay, para. 0017; para. 0003)
Stoletny in view of Hazay does not clearly teach an attribute associated with the script obtaining an obfuscated code; an attribute associated with the script obtaining a code in a BASE64 format; an attribute based on a predetermined sequence of bytes or strings being detected in the intercepted messages; an attribute based on a category of the external server from which the script received the obfuscated code.
However, Roy teaches an attribute associated with the script obtaining an obfuscated code; ([Roy, para. 0077] “the copied logs are scanned to check for access patterns matching attack vectors”; [para. 0078] “bits and pieces of the malicious code may be spread across any number of different requests [obfuscated]… the detection of such code elements [an attribute associated with the script]”)
an attribute associated with the script obtaining a code in a BASE64 format; ([Roy, para. 0077] “the copied logs are scanned to check for access patterns matching attack vectors”; [para. 0092] checking the attack vector includes checking for a base64decode signature [the attribute - see para. 0042: “the hacker may embed base64 encoded code”])
an attribute based on a category of the external server from which the script received the obfuscated code.  ([Roy, para. 0069] “the blacklist [a category] may store listings of source IP addresses known … to be not safe [of the external server – the hacker is a client server 105C: see para. 0020 and Fig. 1]”; [para. 0095] “a hacker is attempting to mask [obfuscate] the attack … through sporadic access requests that include small portions of malicious code [from which the script received the code]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stoletny in view of Hazay with the teachings of Roy to include an attribute associated with the script obtaining an obfuscated code; an attribute associated with the script obtaining a code in a BASE64 format; an attribute based on a predetermined sequence of bytes or strings being detected in the intercepted messages; an attribute based on a category of the external server from which the script received the obfuscated code.  One of ordinary skill in the art would have been motivated to make this modification because hackers can be creative and embed innocuous looking [or obfuscated] code in base64 encoded formats, and such attacks can be thwarted by scanning for evidence of such an attack.  (Roy, para. 0088)

As per claim 5, Stoletny in view of Hazay and further in view of Roy teaches claim 4.  
Stoletny also teaches wherein the category of the website is obtained from a cloud network-based security service.  ([Stoletny, col. 20, ln. 7-13] “the blacklist [the category of the website] … may be something that is maintained on a server at CDN 138 [cloud network-based security service as storage is cloud based – see col 26, ln. 48-50; security service as it provides the service of the security blacklist] and sent… from the CDN to each of browser 114 executing on of content 123”)

As per claim 11, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 12, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 18, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 19, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 5.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Zasadzinski et al. (US Pub. 2020/0034530) teaches a security application that, when a browser triggers a web application, determines metric values of the web application and whether the web application is exploitive by the security application examining the code block associated with the web application.  
Mandal et al. (US Pub. 2021/0097186) discloses identifying a scripted process for security analysis, examining the messages/parameters associated with the scripted process, computing a sum associated with the parameters, and detecting a malicious activity if the sum is above a threshold.  
Rashid et al. “The browsers strike back: countering cryptojacking and parasitic miners on the web;” IEEE Conference on Computer Communications; April 29, 2019; pg. 703-711 discloses using hardware performance counters to classify between normal user behavior and cryptocurrency mining behavior in order to detect a hidden mining script, where obfuscated scripts are de-obfuscated as one of the attributes associated with the unapproved use of resources, and base64 is a technique of obfuscation.   
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493