DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Nunes (US 2021/0203690 A1).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hart (US 2017/0324758 A1) in view of McGrew (US 2016/0344768 A1) and Nunes (US 20210203690 A1).

Regarding claim 1, Hart discloses: A method for detecting unauthorized use of user credentials (e.g., Kerberos tickets in Hart) in a network (e.g., FIG. 1 of Hart) implementing an authentication protocol (e.g., Kerberos in Hart), the method comprising: 
uniquely identifying authentication certificates that are observed in the network; 
Refer to at least [0104]-[0105] and [0108] of Hart with respect to storing data identifying tickets in a repository, including a hash associated with the data.  
monitoring use of the identified authentication certificates in the network; 
Refer to at least [0056] of Hart with respect to collecting authentication messages from a computer network. 
determining a baseline profile of the identified authentication certificates during a learning period (e.g., [0211], [0244], and [0255] of Hart with respect to machine learning and a learning / training process concerning access tickets) based on the monitored use and properties of the identified authentication certificates; 
Refer to at least [0068], [0080], and [0180], and [0221] of Hart with respect to determined characteristics and behavior of known legitimate authentication messages / tickets. 
after the learning period (i.e., implementing the machine learning model / classifier), accessing a request to access a resource in the network, the request including a submitted authentication certificate; 
Refer to at least [0081] of Hart with respect to receiving data associated with a new authentication message. 
Refer to at least [0076] of Hart with respect to exemplary message contents, such as Kerberos tickets. 
generating a unique identifier for the submitted authentication certificate; 
Refer to at least [0082], [0107]-[0111], and [0179]-[0180] of Hart with respect to obtaining characteristics and behavior for the new authentication message. The characteristics would necessarily include identification information since that is used during the comparison steps. 
in response to determining that the [authentication message] is new: 
comparing the submitted authentication certificate to the baseline profile; 
generating an alert when the comparing indicates that a difference from the baseline profile exceeds a threshold; and 
Refer to at least [0084]-[0086], [0112], [0184]-[0185], and [0192]-[0196] of Hart with respect to analysis based on the characteristics and behavior, scoring, and alerting. See [0194] of Hart concerning a threshold. 
adding the submitted authentication certificate to the baseline profile when the difference from the baseline profile is within the threshold; 
Refer to at least [0107]-[0108] of Hart with respect to logging and mapping some or all authentication messages. 
Refer to at least [0270] and [0280] of Hart with respect to updating stored data. 
identifying a chain of connections associated with the unique identifier; and 
Refer to at least [0259] with respect to characteristics including identifiers of security services (e.g., the KDC) associated with issuing and/or implementing the ticket.
generating an alert when the identifying indicates that a source computer associated with the unique identifier is not found in the chain of connections.
Refer to at least [0078]-[0079], [0091], and [0111] of Hart with respect to the analysis including various metadata of the authentication message, as well as whether the ticket was actually issued by the KDC. 
Refer to at least [0112] of Hart with respect to an alert. 
Hart does not specify: comparison in response to determining that the unique identifier for the submitted authentication certificate is new. Hart further does not specify identifying a chain of connections in response to determining that the unique identifier for the submitted authentication certificate has previously been identified and is not included in the baseline profile; the baseline profile comprising properties of the identified authentication certificates for each associated certificate authority. However, Hart in view of McGrew discloses: comparison in response to determining that the unique identifier for the submitted authentication certificate is new; 
Refer to at least [0037]-[0038] of McGrew with respect to performing analysis on a suspect record based on its certificate thumbprint. 
identifying a chain of connections in response to determining that the unique identifier for the submitted authentication certificate has previously been identified and is not included in the baseline profile.
Refer to at least [0078]-[0083] of McGrew with respect to determining whether a fingerprint associated with a certificate is new, and performing heightened or relaxed analysis based on indicia of trustworthiness. The analysis may check a chain of trust associated with the certificate. 
The teachings of Hart and McGrew both relate to monitoring and analyzing the trustworthiness of authentication messages and certificates / tickets. Accordingly, they are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Hart to further include a specific ticket thumbprint for determining analysis of characteristics and behavior, as well as to include analysis of rich data (e.g., chain of trust and whitelists / blacklists) for identified suspect thumbprints, for at least the purpose of increasing an accuracy of the threat assessment (i.e., having more information for obtaining a more accurate result). 
Hart-McGrew does not specify: the baseline profile comprising properties of the identified authentication certificates for each associated certificate authority. However, Hart-McGrew in view of Nunes discloses: the baseline profile comprising properties of the identified authentication certificates for each associated certificate authority.
Refer to at least [0117] and [0119]-[0121] of Nunes with respect to certificate authority information as features for a machine learning profile associated with certificates. 
The teachings of Nunes likewise concern monitoring and analyzing certificate information, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Hart-McGrew to further include certificate authority feature data for at least the purpose of increasing an accuracy of the threat assessment (i.e., having more information for obtaining a more accurate result). 

Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Hart concerning the Kerberos protocol).

Regarding claim 3, Hart-McGrew-Nunes discloses: The method of claim 1, wherein the method is performed by an application or agent running in a domain controller of the network.
Refer to at least [0113] of Hart with respect to implementation via, e.g., a software module / agent on the KDC and/or other machines on the network.

Regarding claim 4, it is rejected for substantially the same reasons as claim 1 above (i.e., citations concerning hashing; it is further noted that at least [0036] of McGrew discloses the thumbprint as a unique hash code).

Regarding claim 5, Hart-McGrew-Nunes discloses: The method of claim 1, wherein the properties comprise one or more of a signature algorithm, a signature hash algorithm, a time period during which the certificate is valid, a public key size, a subject format, and certificate templates.
Refer to at least [0123], [0266], and [0277] of Hart with respect to ticket expiration as a characteristic. 

Regarding claim 6, it is rejected for substantially the same reasons as claim 5 above (e.g., [0107]-[0108] of Hart concerning monitoring authentication messages—in an embodiment, all messages are logged and ticket data mapped). 

Regarding independent claim 7, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claim 8, Hart-McGrew-Nunes discloses: The computing device of claim 7, wherein the baseline profile is generated using machine learning.
Refer to at least [0229], [0269], and [0280] of Hart with respect to machine learning associated with the analysis. 

Regarding claim 9, Hart-McGrew-Nunes discloses: The computing device of claim 7, wherein the authentication protocol is Kerberos and the request is a Kerberos Authentication Server (AS) request.
Refer to at least [0051] and [0077] of Hart with respect to KRB_AS_REQ. 

Regarding claim 10, Hart-McGrew-Nunes discloses: The computing device of claim 7, wherein the authentication protocol is Kerberos and the baseline profile is generated based on parsed Kerberos ticket-granting service (TGS) requests and data indicative of usage of remote desktop connections for a requested computer to a desired computer.
Refer to at least [0106] of Hart with respect to Kerberos REQ messages for RDP. 
Refer to at least [0076]-[0079] of Hart with respect to data extracted from authentication messages. 

Regarding claim 11, Hart-McGrew-Nunes discloses:  The computing device of claim 7, wherein the baseline profile is generated based on a number of uses of the identified authentication certificates.
Refer to at least [0124] of Hart with respect to analyzing subsequent usage of a TGT for determining forgery.

Regarding claim 12, Hart-McGrew-Nunes discloses: The computing device of claim 7, wherein the baseline profile is generated based on monitoring use of the identified authentication certificates in the network during a time window.
Refer to at least [0222] of Hart with respect to rules based on the time of day.
Refer to at least [0295]-[0300] and [0407] of Hart with respect to rules based on, e.g., client session times.

Regarding independent claim 13, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claim 14, Hart-McGrew-Nunes discloses: The computer-readable medium of claim 13, further comprising instructions which, when executed by the processor, cause the processor to monitor APIs configured to provide key-based authentication using digital certificates.
Refer to at least [0048], [0411], [0441], and [0447] of Hart with respect to monitoring APIs. 

Regarding claim 15, it is rejected for substantially the same reasons as claim 13 above (i.e., the citations to Hart concerning the log / mapping of authentication messages and/or tickets).

Regarding claims 16-18, they are substantially similar to claims 4-6 above, and are therefore likewise rejected.

Regarding claims 19-20, they are substantially similar to claims 9-10 above, and are therefore likewise rejected.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432