DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims

This office action is in response to the preliminary amendment filed on 11/22/2021.
Claims 1-44 have been cancelled.
Claims 45-53 have been added.
Claims 45-53 are pending and have been examined.


Claim Objections
Claim 45 is objected to because of the following informalities:  In the last limitation of claim 45 it states “…the computational cost of required in producing the proof of work token…”  This is grammatically incorrect. The examiner believes that “of” should be removed. Appropriate correction is required.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 45-53 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 29, 35, 36, 45, and 49 of U.S. Patent No. 11120469. Although the claims at issue are not identical, they are not patentably distinct from each other because all of the limitations found in claims 45-51 of the present application are found in claim 29 of parent application 11120469. Further, the limitations of claim 52 are found in claim 35 of parent application 11120469 and the limitations of claim 53 are found in claim 45 of parent application 1120469. Thus all of the claim limitations in the present application are found in the parent application.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 47 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 47 recites the limitation "the confidence score."  There is insufficient antecedent basis for this limitation in the claim. There is no prior mention of “a confidence score” and thus the limitation lacks antecedent basis. Further, claim 47 mentions “a confidence score” after “the confidence score” and thus it is unclear as to whether “a confidence score” is referring to the same confidence score referenced by “the confidence score.” The examiner recommends changing “the confidence score” to “a confidence score” and changing “a confidence score” to “the confidence score.”


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 45-47 and 50 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kitts et al (US 2008/0281606) in view of Jhingran et al (US 2017/0244709) in view of Pead (US 2018/0144153)

As per claim 45:

Kitts teaches A system of identifying a software robot performing auto generation of click events, the method comprising: the token server processor computationally determining whether the computing device is being operated at least in part by a computer implemented software robot that performs auto generation of click events  (paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)
Kitts does not expressly teach producing a proof of work token or providing the computational cost.
Jhingran teaches A token server processor from a computing device responding to a request from a computing device by sending a packet via a computer network requesting that the computing device produce a proof of work token  (paragraph [0022] In some implementations an application programming interface (API) service platform controls access to an API. In various embodiments, as described in this document, a “proof of work” is a type of mechanism in which an API provider receives, from a requestor device of an API function or call, a response to a computer authorization challenge in order to establish the requestor device's credentials. [0028] FIG. 3 is a diagram showing an embodiment of a system that uses a proof of work mechanism to permit access to APIs. In the example shown in FIG. 3, system 300 includes device 302, network 306, service server 308, backend server 310, and proof of work proxy server 312. [0046] Service server 308 is configured to receive a request to access an API from an application executing at a device (e.g., application 304 executing at device 302). The request to access an API may comprise a call for a particular function associated with an API. Service server 308 is configured to dynamically generate a computer authorization challenge or search among previously generated computer authorization challenges for a computer authorization challenge for which the difficulty of generating the corresponding response corresponds to the selected target computational cost associated with the API. In various embodiments, a computer authorization challenge comprises a proof of work challenge, which is a challenge that requires the challenge recipient to produce the correct response (e.g., a proof of work certificate) to the challenge through a period of computing (e.g., exhaustive or brute force searching for the correct solution to the problem in the challenge). In some embodiments, a response to a computer authorization challenge is sometimes referred to as a “proof of work certificate.” In various embodiments, the difficulty of generating the corresponding response corresponds to a predicted cost to be expended by a requestor in computing the correct response to the computer authorization challenge. For example, the service server 308 determines a computer authorization challenge that has an expected difficulty of generating the corresponding response that is the same as or within a tolerance of the selected target computational cost associated with the API. The service server 308 may select the computer authorization challenge for a particular API function call, all API function calls for the backend server 310 (e.g., an API itself), all API function calls associated with a particular entity, e.g., website or organization, or a combination of two or more of these. In some examples, the service server 308 may have a different computer authorization challenge for different API function calls. The service server 308 may be configured to generate and store the response to the selected computer authorization challenge.) the token server processor estimating the computational cost of the computing device required in producing the proof of work token by comparing the estimated computational cost of required by the computing device in producing the proof of work token with a threshold value  (paragraph [0042]  In some embodiments, the cost boundary (threshold value) comprises a desired maximum boundary and/or cost associated with a request for an API. For example, the cost boundary may be selected to be a lower value (greater than zero) as a technique to deter malicious requestors of the API (as it is assumed that malicious requestors are less willing to pay costs in mounting an attack). The cost boundary may be selected to be higher value (greater than zero and greater than a nominal value that is intended to primarily deter malicious requestors) as a technique to monetize the service provided by the API, as will be described in further detail below. [0044] In response to receiving the cost boundary, service server 308 is configured to select a target computational cost based at least in part on the cost boundary. In various embodiments, the target computational cost comprises the cost of computer resources that are predicted to be expended by a computer in computing a response to a proof of work-based computer authorization challenge. In various embodiments, the proof of work-based computer authorization challenge comprises a cryptographic challenge. Examples of computer resources include electricity consumed, memory used, and processing time. In some embodiments, the monetary value associated with the target computational cost may be set to be less than, equal to, or greater than the monetary value associated with the received cost boundary. For example, if the cost boundary were associated with the monetary value of $10, then the monetary value associated with the target computational cost may be set at $11.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include the proof or work token of Jhingran in order to prevent manipulation of data (paragraph [0002]) Further, using fraud detection methods of Jhingran is the use of a known technique used to improve similar devices/methods in the same way.
The combination does not expressly teach using a block chain.
Pead teaches a verification system  in communication with a blockchain computing system (paragraphs [0110] As described in connection with FIG. 8, in one or more embodiments, the digital verification system 102 automatically detects user transactions, creates transaction records, and adds the transaction records to the user's lifetime value blockchain.[0111] In some embodiments, the digital verification system 102 identifies a transaction having a known third-party provider identifier, but an unknown user identifier. In these embodiments, the digital verification system 102 creates a new lifetime value blockchain for the unknown user identifier. If at a later time, a user provides an alias that matches the unknown user identifier, the digital verification system 102 can associate the previously created blockchain with the user. In this manner, a user can add previously validated purchases information to their lifetime value blockchain after the time of the actual transaction.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include using a block chain as taught by Pead in order to track and store information about an individual (paragraph [0001]). Further, storing information about a user in a block chain is the use of a known technique used to improve similar devices/methods in the same way.

Kitts, Jhingran, and Pead teach the limitations of claim 45. As per claim 46:

Kitts further teaches wherein the token server processor computationally determining whether the computing device indicating a likelihood the computing device is being operated at least in part by a software robot  (paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)

Kitts, Jhingran, and Pead teach the limitations of claim 46. As per claim 47:

Kitts further teaches wherein the confidence score indicates the likelihood that the computing device is being operated at least in part by a computer implemented software robot that performs auto generation of click events further includes the token server processor determining a confidence score (paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)

Kitts, Jhingran, and Pead teach the limitations of claim 46. As per claim 50:

Kitts further teaches further including the token server processor denying the request from the computing device via the computer network if the confidence score is low, such that the computing device is likely to be operated at least in part by a software robot (paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)



Claim(s) 48, 49, 51, and 53 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kitts et al (US 2008/0281606) in view of Jhingran et al (US 2017/0244709) in view of Pead (US 2018/0144153) in view of Acar et al (US 2017/0155513)

Kitts, Jhingran, and Pead teach the limitations of claim 46. As per claim 48:

The combination does not include a confidence score based on a TPM.
Acar teaches wherein the in determining the confidence score, the token server processor determining whether the computing device includes a trusted platform module (TPM)  (paragraph [0015] Example apparatus and methods concern improving security for commerce performed using a personal device (e.g., smartphone, tablet). FIG. 1 illustrates an example environment in which a TPM protected device (e.g., smartphone 100) may operate. The smartphone 100 may interact with an account service 122 that provides information about a relationship between the smartphone 100, an account, and a TPM 130 in the smartphone 100. The account service 122 may provide user identification information and device identification information that may be cryptographically manipulated or protected by the TPM 130 in subsequent interactions with additional services. For example, the smartphone 100 may interact with an attestation service 124 and an endorsement service 126 that will provide attestation credentials (e.g., attestation certificate) or endorsement credentials (e.g., endorsement certificate). “Certificate” is used herein in its computer security context (e.g., certificate authority). The certificates may then be used to increase the confidence level of information provided by the smartphone 100 when acquiring transaction credentials (e.g., LUK). [0016] For example, the certificates, the tokens, and the public key may be evaluated. If a threshold level of confidence is achieved for the information provided by the smartphone 100, then a transaction credential (e.g., LUK) may be provided to the smartphone 100.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include increasing confidence based on the presence of TPM as taught by Acar in order to provide more secure devices (paragraph [0002]) and prevent impersonations of real purchasers (paragraph [0001]).

Kitts, Jhingran, Pead, and Acar teach the limitations of claim 48. As per claim 49:

Kitts further teaches further including the token server processor determining a confidence score indicating a likelihood the computing device is being operated at least in part by a software robot (paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)
Jhingran further teaches {determining whether a user is a bot based on}  (1) the estimated computational cost of the computing device required in producing the proof of work token (paragraph [0042]  In some embodiments, the cost boundary (threshold value) comprises a desired maximum boundary and/or cost associated with a request for an API. For example, the cost boundary may be selected to be a lower value (greater than zero) as a technique to deter malicious requestors of the API (as it is assumed that malicious requestors are less willing to pay costs in mounting an attack). The cost boundary may be selected to be higher value (greater than zero and greater than a nominal value that is intended to primarily deter malicious requestors) as a technique to monetize the service provided by the API, as will be described in further detail below. [0044] In response to receiving the cost boundary, service server 308 is configured to select a target computational cost based at least in part on the cost boundary. In various embodiments, the target computational cost comprises the cost of computer resources that are predicted to be expended by a computer in computing a response to a proof of work-based computer authorization challenge. In various embodiments, the proof of work-based computer authorization challenge comprises a cryptographic challenge. Examples of computer resources include electricity consumed, memory used, and processing time. In some embodiments, the monetary value associated with the target computational cost may be set to be less than, equal to, or greater than the monetary value associated with the received cost boundary. For example, if the cost boundary were associated with the monetary value of $10, then the monetary value associated with the target computational cost may be set at $11.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include consideration of the computational cost as taught by Jhingran in the confidence score of Kitts in order to in order to prevent manipulation of data (paragraph [0002]). Further, using fraud detection methods of Jhingran is the use of a known technique used to improve similar devices/methods in the same way.
Acar further teaches (ii) whether the computing device includes the trusted platform module (TPM) (paragraph [0015] Example apparatus and methods concern improving security for commerce performed using a personal device (e.g., smartphone, tablet). FIG. 1 illustrates an example environment in which a TPM protected device (e.g., smartphone 100) may operate. The smartphone 100 may interact with an account service 122 that provides information about a relationship between the smartphone 100, an account, and a TPM 130 in the smartphone 100. The account service 122 may provide user identification information and device identification information that may be cryptographically manipulated or protected by the TPM 130 in subsequent interactions with additional services. For example, the smartphone 100 may interact with an attestation service 124 and an endorsement service 126 that will provide attestation credentials (e.g., attestation certificate) or endorsement credentials (e.g., endorsement certificate). “Certificate” is used herein in its computer security context (e.g., certificate authority). The certificates may then be used to increase the confidence level of information provided by the smartphone 100 when acquiring transaction credentials (e.g., LUK). [0016] For example, the certificates, the tokens, and the public key may be evaluated. If a threshold level of confidence is achieved for the information provided by the smartphone 100, then a transaction credential (e.g., LUK) may be provided to the smartphone 100.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include increasing confidence based on a TPM as taught by Acar in order to provide more secure devices (paragraph [0002]) and prevent impersonations of real purchasers (paragraph [0001]).

Kitts, Jhingran, Pead, and Acar teach the limitations of claim 48. As per claim 51:

Kitts teaches wherein the confidence score is determined to be low if at least a plurality are determined  ((paragraph [0007] Embodiments of the present invention relate to computerized methods and systems for identifying automated click fraud programs. Upon receiving a request for presentation of a web page, the probability that the user is robotic vs. human is determined, at least in part, based upon the nature of the request. The determined probability, along with historic behavior related to the requesting user, if available, is used to determine a score that may be utilized to select advertisements for presentation to the user. If the score indicates a high likelihood that the user is robotic, an advertisement designed to solicit user behavior known to be associated with robots may be selected to confirm the suspicion. Alternatively, if the likelihood that the user is robotic is high enough, advertisement presentation may be largely suppressed. If, on the other hand, the score indicates a high likelihood that the user is human, a standard advertisement and/or an advertisement designed to solicit user feedback related to advertisements and/or publishers may be selected. [0052] In the illustrated embodiment, the feedback advertisement includes a user-validation query component 236 and a survey component 238. The user-validation query component 236 is configured to provide a user-validation query upon selection of a feedback advertisement prompt (FIG. 11), wherein user indicia is returned upon determining whether the user-validation query is satisfied. In one embodiment, the user-validation query is a Turing test, wherein a distorted alphanumeric string and text entry area are presented such that the distorted alphanumeric string must be transcribed therein. In another embodiment, a passport login may be required, wherein input of a successful login by the requesting user satisfies this style of user-validation query. Although two embodiments are described, the present invention contemplates any test, query, or user interface that is helpful in distinguishing between a human user and robotic user as being an acceptable configuration of the user-validation query. [0053] If the user-validation query is satisfied, a survey may be presented, e.g., utilizing the survey component 238. Alternatively, if the survey is not satisfied, then the survey is not presented. However, in either of these instances, the IP address of the user and status of whether the user-validation query is satisfied is sent as user indicia of a human user or robotic user to the probability determining module 224. Accordingly, the user indicia generated from the user-validation query component 238 is useful to help provide examples of requests that are likely from a human user or robotic user.)
 Jhingran further teaches {determining whether a user is a bot based on}  (i) the estimated computational cost of the computing device required in producing the proof of work token exceeds the threshold value (paragraph [0042]  In some embodiments, the cost boundary (threshold value) comprises a desired maximum boundary and/or cost associated with a request for an API. For example, the cost boundary may be selected to be a lower value (greater than zero) as a technique to deter malicious requestors of the API (as it is assumed that malicious requestors are less willing to pay costs in mounting an attack). The cost boundary may be selected to be higher value (greater than zero and greater than a nominal value that is intended to primarily deter malicious requestors) as a technique to monetize the service provided by the API, as will be described in further detail below. [0044] In response to receiving the cost boundary, service server 308 is configured to select a target computational cost based at least in part on the cost boundary. In various embodiments, the target computational cost comprises the cost of computer resources that are predicted to be expended by a computer in computing a response to a proof of work-based computer authorization challenge. In various embodiments, the proof of work-based computer authorization challenge comprises a cryptographic challenge. Examples of computer resources include electricity consumed, memory used, and processing time. In some embodiments, the monetary value associated with the target computational cost may be set to be less than, equal to, or greater than the monetary value associated with the received cost boundary. For example, if the cost boundary were associated with the monetary value of $10, then the monetary value associated with the target computational cost may be set at $11.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include consideration of the computational cost as taught by Jhingran in the confidence score of Kitts in order to in order to prevent manipulation of data (paragraph [0002]). Further, using fraud detection methods of Jhingran is the use of a known technique used to improve similar devices/methods in the same way.
Acar further teaches or (ii) the computing device does not include the trusted platform module (TPM). (paragraph [0015] Example apparatus and methods concern improving security for commerce performed using a personal device (e.g., smartphone, tablet). FIG. 1 illustrates an example environment in which a TPM protected device (e.g., smartphone 100) may operate. The smartphone 100 may interact with an account service 122 that provides information about a relationship between the smartphone 100, an account, and a TPM 130 in the smartphone 100. The account service 122 may provide user identification information and device identification information that may be cryptographically manipulated or protected by the TPM 130 in subsequent interactions with additional services. For example, the smartphone 100 may interact with an attestation service 124 and an endorsement service 126 that will provide attestation credentials (e.g., attestation certificate) or endorsement credentials (e.g., endorsement certificate). “Certificate” is used herein in its computer security context (e.g., certificate authority). The certificates may then be used to increase the confidence level of information provided by the smartphone 100 when acquiring transaction credentials (e.g., LUK). [0016] For example, the certificates, the tokens, and the public key may be evaluated. If a threshold level of confidence is achieved for the information provided by the smartphone 100, then a transaction credential (e.g., LUK) may be provided to the smartphone 100.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include increasing confidence based on a TPM as taught by Acar in order to provide more secure devices (paragraph [0002]) and prevent impersonations of real purchasers (paragraph [0001]).

Kitts, Jhingran, Pead, and Acar teach the limitations of claim 48. As per claim 53:


Jhingran further teaches further including increasing the confidence score further includes determining that the computing device has a sufficient amount of CPU resources required to complete a proof of work calculation (paragraph [0042]  In some embodiments, the cost boundary (threshold value) comprises a desired maximum boundary and/or cost associated with a request for an API. For example, the cost boundary may be selected to be a lower value (greater than zero) as a technique to deter malicious requestors of the API (as it is assumed that malicious requestors are less willing to pay costs in mounting an attack). The cost boundary may be selected to be higher value (greater than zero and greater than a nominal value that is intended to primarily deter malicious requestors) as a technique to monetize the service provided by the API, as will be described in further detail below. [0044] In response to receiving the cost boundary, service server 308 is configured to select a target computational cost based at least in part on the cost boundary. In various embodiments, the target computational cost comprises the cost of computer resources that are predicted to be expended by a computer in computing a response to a proof of work-based computer authorization challenge. In various embodiments, the proof of work-based computer authorization challenge comprises a cryptographic challenge. Examples of computer resources include electricity consumed, memory used, and processing time. In some embodiments, the monetary value associated with the target computational cost may be set to be less than, equal to, or greater than the monetary value associated with the received cost boundary. For example, if the cost boundary were associated with the monetary value of $10, then the monetary value associated with the target computational cost may be set at $11.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include consideration of the computational cost as taught by Jhingran in the confidence score of Kitts in order to in order to prevent manipulation of data (paragraph [0002]). Further, using fraud detection methods of Jhingran is the use of a known technique used to improve similar devices/methods in the same way.

Claim(s) 52 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kitts et al (US 2008/0281606) in view of Jhingran et al (US 2017/0244709) in view of Pead (US 2018/0144153) in view of Acar et al (US 2017/0155513)  in view of Wan et al (US 2014/0379902)


Kitts, Jhingran, Pead, and Acar teach the limitations of claim 48. As per claim 52:
The combination does not expressly teach taking into account whether a device is a new machine.
Wan teaches wherein the confidence score is determined by taking into account whether the computing device is a new machine without saved cookies (paragraph [0022] Another signal is a so-called newbie signal that identifies a requestor device with characteristics that are new or have little history of making requests to the type of site involved. This newbie signal involves comparing requestor device characteristics to a history of requests made at numerous, independently operating web sites. In one cookie-free implementation, a requestor device does not have a unique identifier. Nonetheless, it has at least one IP address, a browser identifier and an operating system identifier. As further explained below, request collection across hundreds of independently operating web sites generates a request history database that can be used to score a requestor device reputation as newbie, well-recognized or in between. Thus for example, the first time a user with a new device on a new network accesses a website it would be viewed as a newbie, 20 accesses and a day or two later it might not.)
It would have been obvious to one of ordinary skill in the art at the time of filing the invention to include determining whether a user was new as taught by Wan in order to provide defensive mechanisms to detect, divert, and otherwise defeat unwelcome and hostile traffic (paragraph [0006]). Further, identifying new machines is the use of a known technique used to improve similar devices/methods in the same way.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER STROUD whose telephone number is (571)272-7930. The examiner can normally be reached Mon. - Fri. 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Abdi can be reached on 571-272-6702. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/C.S/Examiner, Art Unit 3688                                                                                                                                                                                                        
/KAMBIZ ABDI/Supervisory Patent Examiner, Art Unit 3688