DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the application 16/363673 filed on 09/28/2020. 
The Applicant has elected species 2, claims 13-18, without traverse for prosecution.
Claims 13-18 have been examined and are pending in this application. 

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 09/28/2020, 01/21/2022 and 08/26/2022, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Election/Restrictions
A telephone call was made to Attorney Gregory Maurer (Reg. No. 43781, phone number (503) 226-7391) on October 27, 2022 requesting an oral election to the below restriction requirement. The Applicant has elected species 2, claims 13-18, without traverse for prosecution.
This application contains claims directed to the following patentably distinct species: 
Species 1:  claims 1-12 are drawn to figure 1 (See, paragraphs 0017-0024 of the original specification).
Species 2:  claims 13-18 are drawn to figure 3 (See, paragraph 0032 of the original specification).
Species 3:  claims 19-20 are drawn to figure 6 (See, paragraphs 0042-0044 of the original specification).

The species are independent or distinct because each of the various disclosed species details mutually exclusive characteristics of:
Species 1:  A method of securing an application in which an enhanced authentication token indicates that a session request is malicious.
Species 2:  A method of securing an application in which an encrypted enhanced authentication token is decrypted, and an application clone session is established in place of a requested session.
Species 3:  A method where the signature of the enhanced authentication token indicates establishment of an application clone session.
In addition, these species are not obvious variants of each other based on the current record.

Applicant is required under 35 U.S.C. 121 to elect a single disclosed species, or a single grouping of patentably indistinct species, for prosecution on the merits to which the claims shall be restricted if no generic claim is finally held to be allowable. Currently, there is no generic claim. 
There is a search and/or examination burden for the patentably distinct species as set forth above because one or more of the following reason(s) apply:
The species or groupings of patentably indistinct species have acquired a separate status in the art in view of their different classification.
The species or groupings of patentably indistinct species have acquired a separate status in the art due to their recognized divergent subject matter.
The species or groupings of patentably indistinct species require a different field of search (e.g., searching different classes /subclasses or electronic resources, or employing different search strategies or search queries).

Applicant is advised that the reply to this requirement to be complete must include (i) an election of a species or a grouping of patentably indistinct species to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected species or grouping of patentably indistinct species, including any claims subsequently added. An argument that a claim is allowable or that all claims are generic is considered nonresponsive unless accompanied by an election.
The election may be made with or without traverse. To preserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the election of species requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable on the elected species or grouping of patentably indistinct species.
Should applicant traverse on the ground that the species, or groupings of patentably indistinct species from which election is required, are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing them to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the species unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103(a) of the other species.
Upon the allowance of a generic claim, applicant will be entitled to consideration of claims to additional species which depend from or otherwise require all the limitations of an allowable generic claim as provided by 37 CFR 1.141. 
During a telephone conversation with Gregory Maurer on October 27, 2022 a provisional election was made without traverse to prosecute the invention of Species 2, claims 13-18. Affirmation of this election must be made by applicant in replying to this Office Action. Claims 1-12 and 19-20 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Palanisamy (US 2015/0312038) in view of Dykes et al. (“Dykes,” US 2019/0312860).

Regarding claim 13: Palanisamy discloses a system, comprising:
a processor; and
one or more computer-readable storage media storing computer-readable instructions that, when executed by the processor, perform operations comprising:
at a proxy, receiving an enhanced authentication token for a session request for an application; the session request corresponding to an application account (Palanisamy: ¶0016 enhance the security of storing a token on a communication device. A token is a substitute for sensitive information and can be provided in place of the sensitive information when the sensitive information is transmitted or used; ¶0042 the sensitive information or token issued by token server 102 can be encrypted by token server 102 [] the token issued by token server 102 in response to a token request can be encrypted with a session key generated by token server 102; ¶0022 the token may be used in place of the real account identifier to conduct access the account); and
decrypting encrypted information in the enhanced authentication token (Palanisamy: ¶0048 when application 212 accesses sensitive information data store 216 to retrieve and use the sensitive information or token stored therein (e.g., to conduct a transaction), application 216 may invoke cryptography module 214 to decrypt the session key that is used to encrypt the stored sensitive information or token).
Palanisamy does not explicitly disclose upon determining that the decrypted information indicates that the session request is malicious, establishing an application clone session in place of the requested session, wherein the application clone session includes at least some alternative data in place of data associated with the application account.
However, Dykes discloses upon determining that the decrypted information indicates that the session request is malicious, establishing an application clone session in place of the requested session, wherein the application clone session includes at least some alternative data in place of data associated with the application account (Dykes: ¶0127 in response to a security incident, the policy enforcement manager creates a deception honeypot and redirects the suspicious connection session to the deception honeypot. A deception honeypot is a service that appears to implement the same service application instance function but without actually performing the tasks; ¶0103 the network security system [] interact with the user or with the system administrator in the event of detected security incident; ¶0125 a network security incident [] receives a notification of a security policy violation or a security incident (302)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Dykes with the system/method of Palanisamy to include establishing an application clone session in place of the requested session.
One would have been motivated to provide network security and dynamic access control using run-time contextual information and/or implementing policy enforcement actions (Dykes: ¶0002).

Regarding claim 18: Palanisamy in view of Dykes discloses the system of claim 13.
Palanisamy further discloses wherein application session requests and corresponding authentication tokens are received through the proxy and provided by the proxy to the application (Palanisamy: fig. 5; ¶0071 token request computer 504 [] forward the request as token request 554 to token server 502; ¶0073 token request computer 504 may then send the encrypted token [] to communication device 520 in response 558).


Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Palanisamy (US 2015/0312038) in view of Dykes et al. (“Dykes,” US 2019/0312860) and Fan (US 2019/0319946).

Regarding claim 14: Palanisamy in view of Dykes discloses the system of claim 13.
Palanisamy in view of Dykes does not explicitly disclose wherein the enhanced authentication token is generated by an identity provider.
However, Fan discloses wherein the enhanced authentication token is generated by an identity provider (Fan: ¶0052 the access token 242 [] may be generated by anyone of the different types of identity providers 240).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Fan with the system/method of Palanisamy and Dykes to include that the enhanced authentication token is generated by an identity provider.
One would have been motivated to provide authentication of a user operating a computing device requesting access to a service provider to determine if the user of the computing device has permission to access desired services (Fan: ¶0005).

Claims 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Palanisamy (US 2015/0312038) in view of Dykes et al. (“Dykes,” US 2019/0312860), Fan (US 2019/0319946) and Herbert (US 2012/0042364).

Regarding claim 15: Palanisamy in view of Dykes and Fan discloses the system of claim 14.
Palanisamy further discloses wherein the identity provider includes and encrypts information in the enhanced authentication token (Palanisamy: ¶0042 the sensitive information or token issued by token server 102 can be encrypted by token server 102).
Palanisamy in view of Dykes and Fan does not explicitly disclose indicating that the session request is malicious upon determining that the session request includes a valid username and a password that matches a false password in a stored group of false passwords.
However, Herbert discloses indicating that the session request is malicious upon determining that the session request includes a valid username and a password that matches a false password in a stored group of false passwords (Herbert: ¶0070 the log-in attempt may be determined to be potentially unauthorized, based on the receipt of at least one false password (210) [] the attack detector 130 may be configured to consider receipt of the false password [] and to associate the false password with the actual password stored in the password repository 124; ¶0025 in conjunction with the operations of the password manager 116, a false password generator 118 may be configured to generate or otherwise provide potential false passwords to be associated with the actual password associated with the user 104).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Herbert with the system/method of Palanisamy, Dykes and Fan to include that the session request includes a valid username and a password that matches a false password.
One would have been motivated to provide computer security for authenticating or otherwise securing user access to a computer or to a specific computing resource (Herbert: ¶0002).

Regarding claim 16: Palanisamy in view of Dykes, Fan and Herbert discloses the system of claim 15.
Herbert further discloses wherein the stored group of false passwords includes one or more of: a default password, an administrator password, a password associated with the valid username for other accounts, a compromised password, a password based on user identification information, a previously used password for the valid username, or a modified version of a previously used password for the username (Herbert: ¶0027 a unique user name and associated password to be associated with the user profile within the application 106).
The motivation is the same as that of claim 15 above.

Regarding claim 17: Palanisamy in view of Dykes, Fan and Herbert discloses the system of claim 16.
Herbert further discloses wherein the operations further comprise providing a new false password to the identity provider reflecting a password change performed in the application clone session (Herbert: ¶0022 the password system 102 may redirect the provider of the false password, i.e., the user of the hostile computing system 108, to a honey pot system 114).
The motivation is the same as that of claim 15 above.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439   



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439