DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a Final Office action in response to communications received on 10/10/2022.
Claims 37, 40-47 have been examined.

Response to Arguments
Examiner’s rejection of claims 41, 44 and 47 under 35 U.S.C. 112 is withdrawn in light of the applicant’s amendments of the claims. 
Applicant's arguments filed on 10/10/2022 have been fully considered but they are not persuasive. As per the applicant’s arguments that prior arts of record fail to teach: “a first cloud service” and “a second cloud service”, the examiner respectfully disagrees. The applicant stated in the Remarks that prior art Varghese does not teach these limitations and does not even mention the word “cloud”. The examiner respectfully points out that page 14 of the previous office action (non-final rejection dated 07/13/2022) clearly states that Varghese does not teach these limitations. Further, pages 15-16 of the same office action show the rejection of these limitations based on prior art of record Kuntagod. Kuntagod teaches: “[0041] In some implementations, the system 110 communicates with a cloud service 180 (a second cloud service) over a network 190, e.g., the Internet, to determine one or more context factors that relate to a global context in which the transaction is being requested. The global context can describe factors that relate to a global environment. [0042] For example, the global context factors can include a history of transactions for each person throughout one or more geographic regions. The history of transactions can include, for example, types of the transactions made by a person, timings of the transactions made by a person, monetary amounts of the transactions made by a person, and geographic locations of the transactions made by a person. [0131] Based on a determination that the geographic location of the mobile device corresponds to a geographic location in which the mobile device is configured to operate, the system determines the last geographic location in which a transaction was performed (820). For example, the system can determine the last geographic location in which a transaction was performed based on a transaction history stored in the system 310 or by obtaining a transaction history from the cloud device 350 (second cloud service).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 37 and 40-47 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-9 of U.S. Patent No. 10063593 in view of US 20150269383 to Lang et al (hereinafter Lang) and US 7908645 to Varghese et al (hereinafter Varghese). 
Instant application
U.S. Patent No. 10063593
37. (currently amended) A computer implemented method comprising: 
collecting, in a fraud related data cache of a policy enforcement point system through a communication network and from a plurality of cloud fraud services, machine readable fraud related data; 

intercepting, by the policy enforcement point system, a response being transmitted over a communications network from a cloud fraud service to a client device, with the response being responsive to a request generated by a browser script in a browser of the client device; 







determining, by the policy enforcement point system, an authorization related data set, based, at least in part, on the machine readable fraud related data, with the authorization related data set relating to a fraud risk represented by participation of a predetermined computer device; modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response to filter out sensitive data so that any sensitive data that is present in the intercepted response will not be present in the modified response; and sending, by the policy enforcement point system through the communication network, the modified response to the client device; wherein the plurality of cloud fraud services include a first cloud service that provides fraud related data that is related to the predetermined computer device; further wherein the plurality of cloud fraud services include a second cloud service that provides fraud related data that is related to a user of the predetermined computer device.
1. A method comprising: 
caching, in the gateway enforcement point as part of the first authenticated communication session, the first fraud data set; caching, in the gateway enforcement point as part of the first authenticated communication session, the second fraud data set;
receiving, by a gateway enforcement point, through a communication network from a client device used by a user, a first request to access a protected resource; 
responsive to receipt of the first request, authenticating, by the gateway enforcement point, the client device to establish a first authenticated communication session between the gateway enforcement point and the client device, with authenticating the client device including receiving, by the gateway enforcement point, authentication data relating to the user; further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a first cloud fraud detection system, a second request for fraud information relating to the user, with the second request including: (i) the authentication data, and (ii) a session identifier identifying the first authenticated communication session; 
receiving, by the gateway enforcement point from the first cloud fraud detection system, a first fraud data set indicative of fraud related information relating to the user; further responsive to receipt of the first request to access the protected resource, sending, by the gateway enforcement point to a second cloud fraud detection system, a third request for fraud information relating to the user, with the third request including: (i) the authentication data, and (ii) the session identifier; receiving, by the gateway enforcement point from the second cloud fraud detection system, a second fraud data set indicative of fraud related information relating to the user; and controlling, by the gateway enforcement point, access to the protected resource by the client device in a manner based upon both of the following: (i) the fraud related information of the first fraud data set, and (ii) the fraud related information of the second fraud data set.


U.S. Patent No. 10063593 does not teach: modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response to filter out sensitive data so that any sensitive data that is present in the intercepted response will not be present in the modified response; and sending, by the policy enforcement point system through the communication network, the modified response to the client device; and fraud related data that is related to the predetermined computer device. However, Lang teaches: 
modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response to filter out sensitive data so that any sensitive data that is present in the intercepted response will not be present in the modified response; and sending, by the policy enforcement point system through the communication network, the modified response to the client device (Lang: [0470]: CMP-PDP then transmits the decision (and optional actions, e.g. obligations) to CMP-PEP, which enforces the decision (allow, deny, log, redact/filter, trigger specified other action etc.). [0693]: For example, a generic policy could be to "redact all personal identifiable information (Pll) by a random placeholder", which could be refined based on a content model to "redact all social security numbers by a random placeholder”. [0695] Based on the generated rules, CMP-PDP instructs the redaction/filtering components about which parts of the content to redact/filter, and how to redact/filter (obfuscate, remove, black out, randomize etc.). [0696] Redaction/filtering components ("CMP- RF") do the redaction/filtering based on the instructions provided by CMP-PDP. [0698]: This response may include including redaction and filtering instructions, which--in the example depicted in FIG. 35--the RF Service (3525) uses to redact and/or filter the response before it is communicated (3550) to the requesting application (3530)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lang in the invention of U.S. Patent No. 10063593 to include the above limitations. The motivation to do so would be so that the MDS System can be used to manage policies that determine certain content from the returned data to be redacted and/or filtered instead of allowing/denying requests, and carry out other actions such as "alert" (Lang: [0686]).
And, Varghese teaches:
fraud related data that is related to the predetermined computer device (Varghese: column 11, lines 57-67 and column 12, lines 1-4: The DCR process gathers the results of the current request-authentication processing and stores them in DCR database 1110 in association with the identifying information (for example, the Device ID) for the originating user device. Column 19, lines 8-20: The device-type data items generally test whether or not a particular device has been used and/or is being used in a manner that suggests it has been accessed by users with a likely malicious intent. Column 24, lines 16-32: check historical logins from this device. Also, Column 14, lines 45-60).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Varghese in the invention of U.S. Patent No. 10063593 to include the above limitations. The motivation to do so would be to enable a service provider to take action to authorize, deny, or put on hold online transactions in real time as a function of the risk presented by both the user and the device attempting to conduct a transaction (Varghese: column 4, lines 30-35).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 37, 40, 42-43 and 45-46 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 7908645 to Varghese et al (hereinafter Varghese), prior art of record US 20150269383 to Lang et al (hereinafter Lang) and prior art of record US 20140172707 to Kuntagod et al (hereinafter Kuntagod).
As per claims 37, 42 and 45, Varghese teaches:
A computer implemented method comprising: 
collecting, in a fraud related data cache of a policy enforcement point system through a communication network and from a plurality of cloud fraud services, machine readable fraud related data (Varghese: column 11, line 55-column 12, line 12: The DCR process gathers the results of the current request-authentication processing and stores them in DCR database 1110 in association with the identifying information (for example, the Device ID) for the originating user device. Thereby, the DCR database can provide an historical record of the results of previous request-authentication processing to guide the FAAS in current authentication-request processing. The DCR database includes at least data obtained from the current service provider. Preferably, it also includes data from other service providers. Data from the current request can optionally be supplemented by the third party data similar to that data already retrieved by the FAAS); 
with the response being responsive to a request generated by a browser script in a browser of the client device (Varghese: column 12, lines 12-55: This process is invoked when a user request is received by, e.g., a firewall, and receives information describing the request. In one alternative, this process determines actions and scores from input data descriptive of the user transaction and rules retrieved from database 1809. When the system finds an elevated risk score, it evaluates rules in view of the risk score and can carry out actions, alerts, or risk score reporting. Column 24, lines 44-50: The user device may be a personal computer 720 as in FIG. 13A, a cell phone, personal data assistant (PDA), automated teller machine (ATM), or other suitable device capable of accessing a server. Preferably, the service provider server is a web server accessible from the user device via the Internet, or other public network, or a private network. Using a browser to generate requests to a web server are well known to one of ordinary skill before the effective filing date of the claimed invention); 
determining, by the policy enforcement point system, an authorization related data set, based, at least in part, on the machine readable fraud related data, with the authorization related data set relating to a fraud risk represented by participation of a predetermined computer device (Varghese: column 10, lines 61-67 and column 11, lines 1-2: FAAS process 600 is invoked with the Device ID (and optionally other device and/or user identifying information). This process evaluates its input identifying information and either can, e.g., recommend to the service-provider application or system that the request should be processed further or blocked from the system (referred to herein as "actions"). This process can also provide risk alerts and risk scores (referred to herein as "alerts" and "scores") describing the relative risks of the input request. Column 13, lines 15-40: The methods receive a copy of the request itself or information describing and abstracting the substance of a current request. The input information is processed, and the methods output risk scores, risk alerts, and actions (or action recommendations). Risk scores and alerts are indicia of the likely risks that the current request is incorrect, or malicious, or fraudulent, and so forth. Fraud detection inputs describe the user, the user's device, the location of the user's device, the workflow of transaction entered by the user, historical patterns of user accesses, and data from 3rd party data sources. Column 19, lines 8-20: The device-type data items generally test whether or not a particular device has been used and/or is being used in a manner that suggests it has been accessed by users with a likely malicious intent); 
wherein the plurality of cloud fraud services include a first cloud service that provides fraud related data that is related to the predetermined computer device (Varghese: column 11, lines 57-67 and column 12, lines 1-4: The DCR process gathers the results of the current request-authentication processing and stores them in DCR database 1110 in association with the identifying information (for example, the Device ID) for the originating user device. Thereby, the DCR database can provide an historical record of the results of previous request-authentication processing to guide the FAAS in current authentication-request processing. The DCR database includes at least data obtained from the current service provider. Preferably, it also includes data from other service providers so that device risk information can be shared and the accuracy of authentication processing can be multiplied. Column 19, lines 8-20: The device-type data items generally test whether or not a particular device has been used and/or is being used in a manner that suggests it has been accessed by users with a likely malicious intent. Column 24, lines 16-32: check historical logins from this device. Also, Column 14, lines 45-60); 
further wherein the plurality of cloud fraud services include a second cloud service that provides fraud related data that is related to a user of the predetermined computer device (Varghese: column 13, lines 20-40: Fraud detection inputs describe the user, the workflow of transaction entered by the user, historical patterns of user accesses, and data from 3rd party data sources. Column 11, lines 4-10: Information sources can include system DCR services, which stores an authentication system's past authentication results, and third party data services).
Varghese teaches receiving a user request, evaluating risk/fraud score in response to the request and initiating action as a result of an elevated risk score but does not explicitly teach: intercepting, by the policy enforcement point system, a response being transmitted over a communications network from a cloud fraud service to a client device; modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response to filter out sensitive data so that any sensitive data that is present in the intercepted response will not be present in the modified response; and sending, by the policy enforcement point system through the communication network, the modified response to the client device. Also, Varghese does not teach: a plurality of cloud fraud services, wherein the plurality of cloud fraud services include a first cloud service and wherein the plurality of cloud fraud services include a second cloud service. However, Lang teaches:
intercepting, by the policy enforcement point system, a response being transmitted over a communications network from a cloud fraud service to a client device (Lang: [0648] As a consequence, the best of both worlds for such use cases may be to have CMP-PEPs that intercept both inbound (to the resource) and outbound (from the resource) communications),
modifying, by the policy enforcement point system and to generate a modified response, session data included in the intercepted response to filter out sensitive data so that any sensitive data that is present in the intercepted response will not be present in the modified response (Lang: [0470]: CMP-PDP then transmits the decision (and optional actions, e.g. obligations) to CMP-PEP, which enforces the decision (allow, deny, log, redact/filter, trigger specified other action etc.). [0693]: For example, a generic policy could be to "redact all personal identifiable information (PII) by a random placeholder", which could be refined based on a content model to "redact all social security numbers by a random placeholder". [0695] Based on the generated rules, CMP-PDP instructs the redaction/filtering components about which parts of the content to redact/filter, and how to redact/filter (obfuscate, remove, black out, randomize etc.). [0696] Redaction/filtering components ("CMP-RF") do the redaction/filtering based on the instructions provided by CMP-PDP); and 
sending, by the policy enforcement point system through the communication network, the modified response to the client device (Lang: [0698]: This response may include including redaction and filtering instructions, which--in the example depicted in FIG. 35--the RF Service (3525) uses to redact and/or filter the response before it is communicated (3550) to the requesting application (3530)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lang in the invention of Varghese to include the above limitations. The motivation to do so would be so that the MDS System can be used to manage policies that determine certain content from the returned data to be redacted and/or filtered instead of allowing/denying requests, and carry out other actions such as "alert" (Lang: [0686]).
Varghese in view of Lang does not teach: a plurality of cloud fraud services, wherein the plurality of cloud fraud services include a first cloud service and wherein the plurality of cloud fraud services include a second cloud service. However, Kuntagod teaches:
a plurality of cloud fraud services (Kuntagod: Fig. 1, [0041]: cloud service 180. Fig. 3, [0051]: cloud service 350), wherein the plurality of cloud fraud services include a first cloud service and wherein the plurality of cloud fraud services include a second cloud service  (Kuntagod: [0041] In some implementations, the system 110 communicates with a cloud service 180 over a network 190, e.g., the Internet, to determine one or more context factors that relate to a global context in which the transaction is being requested. [0042] For example, the global context factors can include a history of transactions for each person throughout one or more geographic regions. The history of transactions can include, for example, types of the transactions made by a person, timings of the transactions made by a person, monetary amounts of the transactions made by a person, and geographic locations of the transactions made by a person. [0131] Based on a determination that the geographic location of the mobile device corresponds to a geographic location in which the mobile device is configured to operate, the system determines the last geographic location in which a transaction was performed (820) (historical use of client device). For example, the system can determine the last geographic location in which a transaction was performed based on a transaction history stored in the system 310 or by obtaining a transaction history from the cloud device 350).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kuntagod in the invention of Varghese in view of Lang to include the above limitations. The motivation to do so would be to adjust user authentication performed for a transaction based on a context in which a user requested the transaction (Kuntagod: [0028]).

As per claims 40, 43 and 46, Varghese in view of Lang and Kuntagod teaches:
The method of claim 37 wherein the computer code further includes instructions for causing the processor(s) set to perform the following operation(s): providing a converged view of a predetermined device and user of the predetermined device for authorization purposes based on the fraud related data provided by the first cloud service and from the second cloud service (Varghese: column 13, lines 15-40: Risk scores and alerts are indicia of the likely risks that the current request is incorrect, or malicious, or fraudulent, and so forth. More specifically, the risk scores output are products of a number fraud detection inputs which are weighted and analyzed in real time using analytic processes customizable for individual service providers. Fraud detection inputs describe the user (user specific information), the user's device (device specific information), the location of the user's device, the workflow of transaction entered by the user, historical patterns of user accesses, and data from 3rd party data sources, i.e., the fraud detection inputs regarding the user, the user’s device etc. are converged to output risk scores, risk alerts and actions).

Claims 41, 44 and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Varghese in view of Lang and Kuntagod as applied to claims 37, 42 and 45 above, and further in view of prior art of record US 20060013372 to Russell (hereinafter Russell).
As per claims 41, 44 and 47, Varghese in view of Lang and Kuntagod teaches:
The method of claim 37 wherein: the policy point enforcement system is hosted on a gateway (Lang: [0224] The present application describes several feature components of MDS System embodiments (i.e., CMP-PDP, CMP-PEP). [0228]: The components of the MDS System can be implemented as system 6300. For example, system 6300 may be implemented as part of gateway device); 
Varghese in view of Lang does not teach: an inline channel is used to propagate data back to the gateway so that the data can be used for downstream applications. However, Russell teaches:
an inline channel is used to propagate data back to the gateway so that the data is used for downstream applications (Russell: [0014]: Data gateway server 102 comprises a computing platform that receives message signal unit (MSU) data from link probes 106 and/or network monitoring processors 108 and generates CDRs based on the MSUs. Network monitoring processors 108 receive MSUs copied internally by network monitoring transport cards within a signal transfer point 110. [0015]. [0021]: Referring to FIG. 2, in step 200, CDRs are generated and provided to fraud detection application 100. The CDRs may be generated by data gateway server 102 based on MSUs received from external link probes 106 or network monitoring processors 108. [0022] The CDRs may include parameters extracted from signaling messages associated with call setup. The parameters may be those usable by fraud detection application 100 to detect fraud).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Russell in the invention of Varghese in view of Lang and Kuntagod to include the above limitations. The motivation to do so would be to mitigate fraud in telecommunications networks (Russell: [0008)).

 Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438