Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the Supplemental Amendment filed on 09/16/2022. 
In the instant amendment, claims 1,7-9 and 14-17 were amended; claim 19 is cancelled; claim 21 is new; claims 1, 9 and 17 are independent claims. Claims 1-18, 20 and 21 have been examined and are pending. 
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/29/2022 has been entered.





Response to Arguments
Applicant’s arguments filed 09/16/2022 have been fully considered but they are not persuasive. 
Applicant argues on (page: 13) that the cited references do not disclose “sampling attributes of browsers that provided a same session token i.e. within a same session.” 
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., “sampling attributes”, “same session token”, “same session,”) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 
Further, the Examiner respectfully disagrees with the applicant. Thampy discloses in response to receiving credentials which are valid from a browser that is requesting access to a subscription [resource]; determining a score indicating a difference between two samples of browser attributes collected, the score being determined at least in part on (1) for a browser attribute, computing a difference between two values of the browser attribute in the two samples (this is shown as a formula in [0168]) and (2) computing a weighted combination [aggregate] of the differences between the values of the corresponding browser attributes in the two samples (this is shown as another formula in paragraph [0169]); determining based on the score whether the two samples of browser attributes collected were received from different browsers; detecting unauthorized resource usage [utilization] by an organization, wherein the unauthorized resource usage [utilization] includes sharing the particular session across a plurality of browsers; wherein detecting unauthorized resource use [utilization] by the organization includes determining that the two samples of browser attributes collected were received from different browsers; and responsive to determining unauthorized resource use [utilization] by the organization, performing a mitigation action, wherein the mitigation action is configured to alert a user; provide a recommendation to the user, and block/prevent [stop] the unauthorized resource use [utilization] (See Thampy, [0099], [0108], [0118], [0316], [0346], [0158], [0171]-[0173], [0168], [0169], [0191]-[0192], [0226], [0056]-[0057], [0053], [0144], [0171], [0073], [0177]-[0179], [0103], [0050], [0098], [0131]-[0132], [0134], [0193], [0100], [0243] & [0056]-[0057]).
Bailey discloses a method and system to detect and prevent spoofing where a server issues a session token to the browser, wherein access to the resource is granted to browsers that provide the valid session token. Access to the resource is granted to browsers that provide valid session tokens. The browser is associated with the organization authorized to access the server [online system]. Two samples of browser attributes are collected at different times during a particular session (see Bailey, [0019], [0076], [0087], [0259], [0075], [0077], [0086], [0088], [0134], [0155], [0075], [0166], [0177] & [0256]).

Applicant argues on (page: 13) that the cited references fail to explicitly disclose “wherein each sample of browser attributes has a type, wherein the difference between the browser attribute in the two samples is determined using a distance metric associated with the type of browser attribute.” Applicant argues that the claimed distance in the cited prior art is the distance between two vectors representing attributes of browsers and not a physical location as taught by 
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., the claimed distance is the distance between two vectors representing attributes of browsers) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Further, the Examiner respectfully disagrees with the applicant. Thampy discloses a maximum distance associated with the type of browser attribute. Different types of activity data correspond to browser attributes (See Thampy, [0155] & [0199]). Applicant’s specification in paragraphs [0049]-[0050] describes that the distance metric is between browser attributes. It is not limited to vectors. The independent claims do not specify what a browser attribute is. 

Applicant argues on (page: 14) that the cited references do not disclose “determining a score indicating a difference between two samples of browser attributes taken at different times, the score determined at least in part on (1) for a browser attribute, computing a difference between two values of the browser attribute in the two samples, and (2) computing a weighted aggregate of the differences between the values of the corresponding browser attributes in the two samples; responsive to determining unauthorized resource utilization, performing a mitigation action, wherein the mitigation action is configured to alert a user, provide a recommendation to the user, or stop the unauthorized resource utilization.” 
The Examiner respectfully disagrees with the applicant. Thampy discloses in response to receiving credentials which are valid from a browser that is requesting access to a subscription [resource]; determining a score indicating a difference between two samples of browser attributes collected, the score being determined at least in part on (1) for a browser attribute, computing a difference between two values of the browser attribute in the two samples (this is shown as a formula in [0168]) and (2) computing a weighted combination [aggregate] of the differences between the values of the corresponding browser attributes in the two samples (this is shown as another formula in paragraph [0169]); determining based on the score whether the two samples of browser attributes collected were received from different browsers; detecting unauthorized resource usage [utilization] by an organization, wherein the unauthorized resource usage [utilization] includes sharing the particular session across a plurality of browsers; wherein detecting unauthorized resource use [utilization] by the organization includes determining that the two samples of browser attributes collected were received from different browsers; and responsive to determining unauthorized resource use [utilization] by the organization, performing a mitigation action, wherein the mitigation action is configured to alert a user; provide a recommendation to the user, and block/prevent [stop] the unauthorized resource use [utilization] (See Thampy, [0099], [0108], [0118], [0316], [0346], [0158], [0171]-[0173], [0168], [0169], [0191]-[0192], [0226], [0056]-[0057], [0053], [0144], [0171], [0073], [0177]-[0179], [0103], [0050], [0098], [0131]-[0132], [0134], [0193], [0100], [0243] & [0056]-[0057]).
Bailey discloses a method and system to detect and prevent spoofing where a server issues a session token to the browser, wherein access to the resource is granted to browsers that provide the valid session token. Access to the resource is granted to browsers that provide valid session tokens. The browser is associated with the organization authorized to access the server [online system]. Two samples of browser attributes are collected at different times during a particular session (see Bailey, [0019], [0076], [0087], [0259], [0075], [0077], [0086], [0088], [0134], [0155], [0075], [0166], [0177] & [0256]).

d.	Applicant's arguments (page: 14): Additionally, as to the dependent claims 2-8, 10-16, 18 and 20, the Applicant argues that the claims depend directly or indirectly from a respective one of independent claims 1, 9 and 17, and are therefore distinguished from the cited art, or allowable, at least by virtue of their additionally recited patentable subject matter.


The Examiner disagrees with the Applicants. The Examiner respectfully submits that the dependent claims 2-8, 10-16, 18 and 20 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to the claims 2-8, 10-16, 18 and 20. Therefore, in view of the above reasons, the Examiner maintains the rejection with the cited prior art references.

Therefore, in view of the above reasons the Examiner maintains the rejection. 


Claim Rejections - 35 USC § 103
6.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


7.	Claims 1-4, 9-12, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) and further in view of Bailey et al (“Bailey,” US 20170070533). 

Regarding claim 1, Thampy discloses a computer implemented method for detecting unauthorized resource utilization, the method comprising:
in response to receiving valid credentials from a browser that is requesting access to a resource, (Thampy, [0099] describes using a tenant’s account credentials to log into cloud application services to retrieve activity data concerning user accounts that are associated with the tenant account; [0108], authorization may be provided by a token such as using credentials such as username and password; [0118] describes the connection must be authenticated [validated] using login credentials; [0316] describes using a web browser; [0346] describes a request for access to a subscription [resource])
determining a score indicating a difference between the two samples of browser attributes collected, (Thampy, [0158] & [0171]-[0173] describes determining a score indicating a difference between two samples of browser attributes taken at different times)
the score determined at least in part on (1) for a browser attribute, computing a difference between two values of the browser attribute in the two samples, (Thampy, [0168] describes the score determined at least in part on (1) for a browser attribute, computing a difference between two values of the browser attribute in two samples)
and (2) computing a weighted aggregate of the differences between the values of the corresponding browser attributes in the two samples; (Thampy, [0169], describes and (2) computing a weighted combination [aggregate] of the differences between the values of the corresponding browser attributes in the two samples)
determining based on the score whether the two samples of browser attributes collected were received from different browsers; (Thampy, [0158], [0168]-[0169] & [0171]-[0173] describes determining based on the score whether the two samples of browser attributes were received from different browsers; [0191]-[0192], [0226] describes a session) and
detecting unauthorized resource utilization by the organization, wherein unauthorized resource utilization includes sharing the particular session across a plurality of browsers, (Bailey, [0056]-[0057], [0053], [0144] & [0171] describes detecting unauthorized resource utilization by the organization, wherein unauthorized resource utilization includes sharing the particular session across a plurality of browsers)
wherein detecting unauthorized resource utilization by the organization includes determining that the two samples of browser attributes collected were received from different browsers; (Thampy, [0073], [0158] & [0171]-[0173] describes determining unauthorized resource use responsive to determining that the two samples of browser attributes were received from different browsers) and
responsive to determining unauthorized resource utilization by the organization, performing a mitigation action, (Thampy, [0177]-[0179] describe determining unauthorized resource use, performing a remediation action)
wherein the mitigation action is configured to alert a user, (Thampy, [0103], wherein the remediation [mitigation action] is configured to alert a user)
provide a recommendation to the user, (Thampy, [0050], [0098], [0131]-[0132], describe provide a recommendation to the user; also see [0134], [0193])
 or stop the unauthorized resource utilization (Thampy, [0100], [0243], [0056], [0057] or blocking/preventing [stopping] the unauthorized resource utilization)
Thampy fails to explicitly disclose issuing, by an online system, a session token to the browser, wherein access to the resource is granted to browsers that provide valid session tokens, the browser associated with the organization authorized to access the online system; collecting at least two samples of browser attributes at different times during a particular session; during the particular session. 
However, in an analogous art, Bailey discloses issuing, by an online system, a session token to the browser, wherein access to the resource is granted to browsers that provide valid session tokens, (Bailey, [0087], describes a server generating a session token and providing it to a client device by way of a browser; [0259], online system)
wherein access to the resource is granted to browsers that provide valid session tokens; (Bailey, [0075] describes when a user logs in with a secure web server, a web browser executing on the user’s client device may be granted a session token, which authorizes the web browser to access a secure portion of a web site hosted by the web server (e.g. a web site of a financial institution). The web browser may be required to provide that session token along with every request subsequently sent to the web server (e.g. a request for a web page, a request to commit an action, etc) to identify to the server that the request is a legitimate request from the client device; [0077], [0086] and [0088] describe using a plurality of session tokens that have to be valid to be used)
the browser associated with the organization authorized to access the online system; (Bailey, [0134], [0155] & [0075], describes the browser associated with the organization authorized to access the online system). 
collecting at least two samples of browser attributes at different times during a particular session (Bailey, [0166], [0177] & [0256], describes collecting at least two samples of browser attributes such as screen resolution, local time zone, browser plugin availability, and language at different times during a particular session)
during the particular session (Bailey, [0166], [0177], [0256] and [0075] describe during the particular session)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bailey with the method/system of Thampy to include issuing a session token to the browser, wherein access to the resource is granted to browsers that provide valid session tokens; for each of a plurality of the session tokens: collecting samples of browser attributes from one or more browsers in a session for that session token; during the particular session. One would have been motivated to detect and prevent spoofing (Bailey, [0019] & [0076]).   

Regarding claim 2, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy further discloses wherein a weight for a browser attribute is determined based on historical values of the browser attribute collected over a past time interval, (Thampy, [0158] & [0171]-[0173] describes wherein a weight for a browser attribute is determined based on historical values of the browser attribute collected over a past time interval)

Regarding claim 3, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy further discloses wherein a weight for a browser attribute is determined based on a frequency of distribution of values of the browser attribute over a past time interval, (Thampy, [0158] & [0171]-[0173] describes wherein a weight for a browser attribute is determined based on the number [frequency] of distribution values of the browser attribute over a past time interval). 

Regarding claim 4, Thampy and Bailey disclose the computer implemented method of claim 1.  
Thampy further discloses wherein each sample of browser attributes has a type, 
wherein the difference between the browser attribute in the two samples is determined using a distance metric associated with the type of the browser attribute (Thampy, [0155] describes a maximum distance associated with the type of the browser attribute; [0119] describes different types of activity data which corresponds to browser attributes)
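The scoring the rejection of claims 1-4 describes (a per-attribute difference chosen by the attribute's type, a weighted aggregate of those differences, weights derived from the attribute's historical value distribution, and a threshold deciding whether two samples under one session token came from different browsers) is easier to follow in code. The following Python is an added worked example written for this page; it is not code from the application, from Thampy, or from Bailey. The attribute names, the type registry, the normalising scales, the decision threshold, the weighting rule and every sample are constructed assumptions.

```python
"""Added example: score two browser-attribute samples collected under one
session token and flag probable session sharing.  Illustrative code for this
page, not the application's or the cited references' own implementation."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumed attribute-to-type registry; the type selects the distance metric.
ATTRIBUTE_TYPES = {
    "platform": "categorical", "cpu_class": "categorical",
    "user_agent": "categorical", "language": "categorical",
    "screen_width": "numeric", "timezone_offset_min": "numeric",
    "plugins": "set",
}
NUMERIC_SCALE = {"screen_width": 1920.0, "timezone_offset_min": 720.0}  # assumed
DIFFERENT_BROWSER_THRESHOLD = 0.35  # assumed decision threshold


def attribute_distance(name: str, a: Any, b: Any) -> float:
    """(1) Difference between two values of one attribute, by attribute type."""
    kind = ATTRIBUTE_TYPES[name]
    if kind == "categorical":
        return 0.0 if a == b else 1.0
    if kind == "numeric":  # absolute difference normalised into [0, 1]
        return min(1.0, abs(float(a) - float(b)) / NUMERIC_SCALE[name])
    if kind == "set":  # Jaccard distance, e.g. between plugin lists
        sa, sb = set(a), set(b)
        return 0.0 if not (sa | sb) else 1.0 - len(sa & sb) / len(sa | sb)
    raise ValueError(f"unknown attribute type for {name}")


def weights_from_history(history: List[Dict[str, Any]]) -> Dict[str, float]:
    """Weight = share of past samples holding the attribute's most common value.
    Stable attributes (platform, CPU class) approach 1.0; attributes that change
    often (user agent after browser updates) are discounted."""
    weights: Dict[str, float] = {}
    for name in ATTRIBUTE_TYPES:
        values = [tuple(sorted(s[name])) if isinstance(s[name], list) else s[name]
                  for s in history if name in s]
        if not values:
            weights[name] = 0.5  # no history: neutral weight (assumed)
        else:
            weights[name] = Counter(values).most_common(1)[0][1] / len(values)
    return weights


def difference_score(a: Dict[str, Any], b: Dict[str, Any],
                     weights: Dict[str, float]) -> float:
    """(2) Weighted aggregate of per-attribute differences, normalised to [0, 1]."""
    total = sum(weights[n] for n in ATTRIBUTE_TYPES)
    if total == 0:
        return 0.0
    return sum(weights[n] * attribute_distance(n, a[n], b[n])
               for n in ATTRIBUTE_TYPES) / total


@dataclass
class Finding:
    session_token: str
    score: float
    shared: bool  # True when the samples look like different browsers
    mitigation: str


def assess_session(token: str, samples: List[Dict[str, Any]],
                   weights: Dict[str, float]) -> Finding:
    """Compare each later sample under the token with the first one collected."""
    worst = max((difference_score(samples[0], s, weights) for s in samples[1:]),
                default=0.0)
    shared = worst >= DIFFERENT_BROWSER_THRESHOLD
    action = "invalidate_session_token_and_alert" if shared else "none"
    return Finding(token, round(worst, 3), shared, action)


# --- Constructed sample data (assumed values) --------------------------------
def _sample(**overrides: Any) -> Dict[str, Any]:
    s = {"platform": "Win32", "cpu_class": "x86", "user_agent": "UA-1",
         "language": "en-US", "screen_width": 1920, "timezone_offset_min": -300,
         "plugins": ["pdf", "widevine"]}
    s.update(overrides)
    return s

# Ten historical samples from the organisation's browsers over a past interval.
HISTORY = ([_sample() for _ in range(5)]
           + [_sample(user_agent="UA-2") for _ in range(3)]
           + [_sample(plugins=["pdf"]) for _ in range(2)])
# Same browser, updated between samples: only the user agent changed.
SESSION_A = [_sample(), _sample(user_agent="UA-2")]
# Token reused from a second, clearly different browser.
SESSION_B = [_sample(), _sample(platform="Linux x86_64", cpu_class="unknown",
                                user_agent="UA-3", language="de-DE",
                                screen_width=1366, timezone_offset_min=60,
                                plugins=["pdf"])]


def demo() -> List[Finding]:
    w = weights_from_history(HISTORY)
    return [assess_session("tok-A", SESSION_A, w),
            assess_session("tok-B", SESSION_B, w)]


if __name__ == "__main__":
    for f in demo():
        print(f)
```

With this history the user-agent weight is 0.7 and the plugin weight 0.8, so SESSION_A (a browser update) scores about 0.11 and is left alone, while SESSION_B scores about 0.75 and triggers the mitigation. Real deployments would calibrate the threshold and scales against observed false-positive rates for legitimate in-session changes such as window resizes or plugin installs.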

Regarding claim 9, claim 9 is directed to a non-transitory computer readable storage medium. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Regarding claim 10, claim 10 is directed to the non-transitory computer readable storage medium of claim 9. Claim 10 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 11, claim 11 is directed to the non-transitory computer readable storage medium of claim 9. Claim 11 is similar in scope to claim 3 and is therefore rejected under similar rationale.

Regarding claim 12, claim 12 is directed to the non-transitory computer readable storage medium of claim 9. Claim 12 is similar in scope to claim 4 and is therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to a computer system. Claim 17 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Regarding claim 18, claim 18 is directed to the computer system of claim 17. Claim 18 is similar in scope to claim 4 and is therefore rejected under similar rationale.

8.	Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Ting et al (“Ting,” US 20160142443). 

Regarding claim 5, Thampy and Bailey disclose the computer implemented method of claim 1.  
Thampy and Bailey fail to explicitly disclose wherein the mitigation action comprises one or more of: invalidating the session token; requiring user to re-authenticate; or logging user out.
However, in an analogous art, Ting discloses wherein the mitigation action comprises one or more of: 
invalidating the session token; 
requiring user to re-authenticate; (Ting, [0026], these basic alternatives can be parsed more finely or defined in a more granular fashion. For example, the last time the user was authenticated on one or more devices may also be important: the longer the elapsed time from the last-known user authentication to one of the devices, the less meaningful the presence of that device is to corroboration; hence, if too much time has passed, the user may be required to re-authenticate in order to keep or promote to a higher level of confidence)
or logging user out.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ting with the method/system of Thampy and Bailey to include wherein the mitigation action comprises one or more of: invalidating the session token; requiring user to re-authenticate; or logging user out. One would have been motivated to keep or promote a higher level of confidence for authentication (Ting, [0026]). 

Regarding claim 13, claim 13 is directed to the non-transitory computer readable storage medium of claim 9. Claim 13 is similar in scope to claim 5 and is therefore rejected under similar rationale.

9.	Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Puertas Calvo et al (“Puertas Calvo,” US 20200412717).  

Regarding claim 6, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy and Bailey fail to explicitly disclose further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); 
and wherein unauthorized resource utilization is detected responsive to determining that the two sample browser attributes are from browsers of the same organization.
However, in an analogous art, Puertas Calvo discloses further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); (Puertas Calvo, [0028], Risk assessment engine 106 is configured to perform several functions. For example, risk assessment engine 106 may be configured to perform behavior tracking, where certain authentication-related features and/or characteristics of a plurality of users are tracked. Such characteristics may be stored in activity store 104. Activity store 104 may store an entry for each user being tracked. Each entry of a user may comprise a list of authentication features associated with the user. Examples of authentication features include, but are not limited to, IP-related features (e.g., an IP address utilized during an authentication process, an autonomous system number (ASN), which indicates the organization that owns the IP [same organization]))
and wherein unauthorized resource utilization is detected responsive to determining that the two sample browser attributes are from browsers of the same organization, (Puertas Calvo, [0028], Risk assessment engine 106 is configured to perform several functions. For example, risk assessment engine 106 may be configured to perform behavior tracking, where certain authentication-related features and/or characteristics of a plurality of users are tracked. Such characteristics may be stored in activity store 104. Activity store 104 may store an entry for each user being tracked. Each entry of a user may comprise a list of authentication features associated with the user. Examples of authentication features include, but are not limited to, IP-related features (e.g., an IP address utilized during an authentication process, an autonomous system number (ASN), which indicates the organization that owns the IP [same organization]))
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Puertas Calvo with the method/system of Thampy and Bailey to include further comprising: determining that the browser attributes are from browsers of the same organization if the two sample browser attributes have matching browser attributes representing one or more of internet protocol (IP) address or autonomous system number (ASN); and wherein unauthorized resource utilization is detected responsive to determining that the two sample browser attributes are from browsers of the same organization. One would have been motivated to provide faster offline detection of compromised authentication credentials (Puertas Calvo, [0002]). 

Regarding claim 14, claim 14 is directed to the non-transitory computer readable storage medium of claim 9. Claim 14 is similar in scope to claim 6 and is therefore rejected under similar rationale.

Regarding claim 20, claim 20 is directed to the computer system of claim 17. Claim 20 is similar in scope to claim 6 and is therefore rejected under similar rationale.



10.	Claims 7, 15 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Thayer et al (“Thayer,” US 20180278725). 

Regarding claim 7, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy and Bailey fail to explicitly disclose wherein the online system is a multi-tenant system, further comprising: determining that the sample browser attributes are from browsers of the same tenant.
However, in an analogous art, Thayer discloses wherein the online system is a multi-tenant system, further comprising: determining that the sample browser attributes are from browsers of the same tenant, (Thayer, [0025] and FIG 4 describe where the online system is a multi-tenant system comprising determining that the sample browser attributes are from browsers of the same tenant)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thayer with the method/system of Thampy and Bailey to include wherein the online system is a multi-tenant system, further comprising: determining that the sample browser attributes are from browsers of the same tenant. One would have been motivated to convert a single-tenant application for multi-tenant use (Thayer, [0001]). 

Regarding claim 15, claim 15 is directed to the non-transitory computer readable storage medium of claim 9. Claim 15 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Regarding claim 21, claim 21 is directed to the computer system of claim 17. Claim 21 is similar in scope to claim 7 and is therefore rejected under similar rationale.

11.	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al (“Thampy,” US 20190068627) in view of Bailey et al (“Bailey,” US 20170070533) and further in view of Verma et al (“Verma,” US 20190336867). 

Regarding claim 8, Thampy and Bailey disclose the computer implemented method of claim 1. 
Thampy further discloses wherein the weighted aggregate assigns (Thampy, [0158] & [0171]-[0173])
Thampy and Bailey fail to explicitly disclose wherein the weighted aggregate assigns high weight to browser attributes representing (1) platform of the client device running the browser or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser or (2) plugins of the browser.
However, in an analogous art, Verma discloses high weight to browser attributes representing 
(1) platform of the client device running the browser 
or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser 
or (2) plugins of the browser, (Verma, [0036] & [0065] describes assigning a higher weight to plugins of the browser). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Verma with the method/system of Thampy and Bailey to include high weight to browser attributes representing (1) platform of the client device running the browser or (2) CPU Class of the client device running the browser compared to browser attributes representing (1) user agent of the browser or (2) plugins of the browser. One would have been motivated to provide a multiplexed data stream based on weight (Verma, [0065]).

Regarding claim 16, claim 16 is directed to the non-transitory computer readable storage medium of claim 9. Claim 16 is similar in scope to claim 8 and is therefore rejected under similar rationale.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439