Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments / Arguments
Regarding the rejection(s) of claims under 35 USC 103:
Applicant’s arguments, filed 07/22/2025, in view of the amended claims, have been fully considered and are not persuasive.
For claims 1 and 20, Applicant argues that Whelan does not teach "associating together and storing the passive fingerprint, the active fingerprint, and the cookie with one another" because Whelan "does not disclose any association between the cookie and the generated fingerprint" and "does not store a tripartite association linking a passive fingerprint, an active fingerprint, and a cookie together as part of a single record."
In response, it is noted that Whelan paragraph [0019] recites "the fingerprint or ID generated for the unrecognized device may be associated and stored with the username and password." Paragraph [0090] further recites setting a BFP cookie associated with the same user credentials (Figure 5, blocks 506-510). Accordingly, both the fingerprint and cookie are stored in association with the same user credentials. This teaches the claimed "associating together and storing the passive fingerprint, the active fingerprint, and the cookie with one another;" the elements are associated through their common linkage to user credentials.
Additionally, Whelan teaches different fingerprinting methods: browser-based fingerprints from device vectors ([0063], Table 1) and mobile device unique IDs ([0093], blocks 516-518), corresponding to the claimed "passive fingerprint" and "active fingerprint."
For claims 1, 15 and 20, Applicant argues that Whelan does not teach determining that a request is "malicious" based on fingerprint/cookie mismatch or flagging elements as "malicious" because "when a mismatch is detected, Whelan describes prompting administrative approval or requiring secondary authentication" and "Whelan does not designate any element—whether a fingerprint or cookie—as malicious."
In response, Whelan paragraph [0081] and block 218 recite that when match percentage is below a predetermined threshold, "database system 16 may restrict access to database system 16 by device 12." Paragraph [0079] further recites "if device 12 is reported as lost or stolen, the fingerprint may be used to deny any access to database system 16, even if valid user access credentials are supplied." Accordingly, Whelan evaluates fingerprints/cookies and marks certain devices for access denial. This teaches the claimed "determining that the request is malicious" and "flagging... as malicious." The distinction between "unauthorized," "unrecognized," "suspicious," or "malicious" is semantic, not functional.
Additionally, Whelan paragraphs [0086]-[0090] and Figure 5 discuss querying for BFP cookies and comparing device fingerprints to stored fingerprints, teaching cookie mismatch detection and access control decisions based thereon.
For claim 15, Applicant argues that Whelan does not teach "automatically terminating or redirecting current application sessions" because "when a mismatch is detected, Whelan describes prompting administrative approval or requiring secondary authentication."
In response, Whelan paragraph [0081] and block 218 recite that when fingerprint match percentage is below the predetermined threshold, "database system 16 may restrict access to database system 16 by device 12." Paragraph [0079] further recites tracking device activities including "length of time of any type of access." Accordingly, Whelan automatically restricts access upon detecting mismatches. This teaches the claimed "automatically terminating or redirecting current application sessions;" restricting access encompasses terminating or redirecting sessions as obvious design choices.
Additionally, paragraph [0081] recites restrictions "may be established as a default policy" and "database system 16 may prevent further access," teaching automatic security responses.
Applicant argues that Whelan does not teach "denying access to the application despite the valid credentials" because "if approved, Whelan permits access and may even update the stored fingerprint" and "at no point does Whelan teach or suggest denying access based on fingerprint evaluation where valid credentials have been presented."
In response, Whelan paragraph [0079] explicitly recites: "if device 12 is reported as lost or stolen, the fingerprint may be used to deny any access to database system 16, even if valid user access credentials are supplied (e.g. where a user may have opted to have an app or browser on device 12 remember the user's login credentials)."
Applicant argues that Araujo does not teach "determining that a fingerprint is associated with a different application user as a basis for identifying a request as malicious" and that Araujo is limited to "monitoring interactions within sandboxed or decoy applications."
In response, it is noted that the cited portions of Araujo (paragraphs [0009] and [0045]-[0046]) recite that "once a booby trap is tripped, the affected code is moved into a decoy sandbox for further monitoring and forensics" and that collected information is used "to search for similar attacks on the network" ([0026]). Paragraph [0052] of Araujo further recites that the techniques "integrate deceptive capabilities into information systems with genuine production value," confirming application to production systems, not merely isolated decoys. Accordingly, Araujo teaches detecting suspicious activities and treating them as security threats requiring immediate response. This teaches the identifying of malicious behavior based on unexpected patterns; when combined with Whelan's fingerprint system, detecting fingerprint reuse across different users constitutes such an unexpected pattern triggering Araujo's threat response framework.
Applicant further argues that Araujo does not discuss "generating or comparing device fingerprints to detect identity conflicts." In response, it is noted that at least paragraphs [0026] and [0032] of Araujo recite monitoring and collecting "packet, and system call traces" for forensic analysis, tracking identifying characteristics of potential attackers. The combination of Whelan (providing fingerprint generation and comparison) with Araujo (providing malicious behavior detection and response) would have been obvious to one of ordinary skill in the art motivated by security concerns. Whelan identifies fingerprint inconsistencies, while Araujo teaches treating such anomalies as malicious threats requiring automated security responses.
Additionally, regarding "automatically terminating or redirecting current application sessions," paragraph [0048] of Araujo recites that "the action of switching execution from the original operating environment to the sandbox is triggered from within the running process," and paragraph [0025] describes "transparently moving the current execution thread of the application into a decoy sandbox." This directly corresponds to the claimed automatic redirection of sessions based on malicious activity detection.
Therefore, the identified claim language is considered to be taught by the combination of Whelan, Grajek, and Araujo, and the rejection is maintained. Further, since Applicant has not presented additional substantive arguments concerning the dependent claims, their rejections are likewise maintained.
DETAILED ACTION
This is a reply to the arguments filed on 07/22/2025, in which claims 1-4, 6-16 and 18-20 are pending. Claims 1, 15, and 20 are independent. Claims 5 and 17 are cancelled.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Whelan et al. (US 20190384956 A1), in view of Grajek et al. (US 20180124039 A1).
In reference to claim 1, A method for securing an application, the method comprising: receiving a plurality of requests to access an application (Whelan: [0003] Provides for securing applications receiving multiple requests. Whelan paragraph [0060] further provides for a method for securing access to an application or database system.)
Where at least some of the requests are received from different requesting computing devices (Whelan: Fig.2 and [0017] Provides for receiving requests from different devices, as it mentions tracking and managing multiple devices interacting with the service. Whelan paragraph [0035] further provides that multiple different devices can request access to the system.)
For the respective requests: capturing information associated with the requesting computing device (Whelan: Fig. 2 and [0061] Provides for capturing device-specific information upon receiving a connection request.)
Generating a passive fingerprint based on the captured information (Whelan: Fig. 2 and [0061]-[0062] Provides for generating a passive fingerprint based on captured information, specifically through deriving a unique device ID from various vectors. Whelan paragraph [0065] further provides for the generation of a fingerprint from device characteristics.)
Exchanging information with the requesting computing device (Whelan: Fig. 2 and [0065]-[0067] Provides for interaction by calculating hashes from vectors obtained from the device, teaching an exchange of information.)
Generating an active fingerprint based on the exchanged information and the passive fingerprint (Whelan: Fig. 2 and [0064]-[0065] Provides for generating an active fingerprint based on exchanged information and passive fingerprint information.)
Generating a cookie (Whelan: Fig. 2 and [0015] Provides for generating a cookie, explicitly mentioning the creation and placement of a browser cookie. Whelan paragraph [0091] further provides for generating a cookie with the fingerprint.)
Associating together and storing the passive fingerprint, active fingerprint, and cookie (Whelan: Fig. 2 and 5, [0083] Provides for associating and storing fingerprints and credentials. Whelan paragraph [0067] further provides for storing information.)
Managing access to the application based on one or more stored passive fingerprints, one or more stored active fingerprints, or one or more stored cookie (Whelan: Fig. 2, [0078] and [0084] Provides for managing access to the application based on stored fingerprints, detailing permissions based on matched stored fingerprints.)
Wherein managing access to the application comprises: upon determining that an additional request includes a cookie having a value that does not match any of the stored cookies, determining that the additional request is malicious; flagging the cookie, a passive fingerprint associated with the additional request, and an active fingerprint associated with the additional request as malicious; and denying access to the application for the additional request (Whelan: FIG 2 (218), (208) [0080] and [0019] Provides for evaluating fingerprints/cookies and marking certain devices for access denial.)
Whelan does not explicitly teach wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting for additional information of the requesting computing device that is not included in the captured information and responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application. However, Grajek discloses: Wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting for additional information of the requesting computing device that is not included in the captured information (Grajek: [0057]-[0059] Provides for sending scripts/commands to collect device characteristics beyond what was initially captured.)
Responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application (Grajek: [0059]-[0060] Provides for the device executing the script and sending the collected characteristics back to the system.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan, which provides a method for securing applications through passive and active fingerprinting techniques, with the teachings of Grajek, which introduces the use of scripts to collect additional device information not initially captured. One of ordinary skill in the art would recognize the ability to incorporate Grajek's script-based information collection approach into Whelan's fingerprinting system to enhance the completeness and accuracy of device identification. One of ordinary skill in the art would be motivated to make this modification in order to gather more comprehensive device information for stronger authentication.
In reference to claim 2, “wherein the passive fingerprint includes at least one of a source IP address, user agent information, operating system information, or processor information”, Whelan discloses a method of generating device-specific characteristics and creating a unique device ID or fingerprint, which aligns with both claim 2 and claim 3 elements. Specifically, Whelan describes obtaining device-specific characteristics such as platform, color, time zone, DRM, codec, language, and user agent information from device 12, and subsequently generating a fingerprint or unique ID by calculating hashes from these vectors and concatenating them into a single string, as depicted in Whelan FIG 2 (204) (see paragraphs 0062-0064).
In reference to claim 3, “wherein the active fingerprint includes at least some information used to generate the passive fingerprint in addition to at least one of language or display information for the requesting computing device”, Whelan anticipates the generation of an active fingerprint that includes information used to generate the passive fingerprint, such as language and user agent information. Whelan's method involves obtaining vectors including language and user agent information, and incorporating these vectors into the generated fingerprint or unique device ID, which can later be processed and compared individually, as illustrated in Whelan FIG 2 (204) (see paragraphs 0062-0064).
In reference to claim 4, “wherein managing access to the application comprises upon determining that an additional request includes a cookie having a value that matches a stored cookie, allowing access to the application for the additional request”, Whelan discloses a method of querying a device, specifically device 12, for the existence of a browser fingerprint (BFP) cookie associated with a web login request. If the BFP cookie exists (the YES branch from block 506), Whelan stores a previously generated fingerprint in the BFP cookie, which can be retrieved from the cookie for comparison purposes rather than generating a new unique ID or device fingerprint. This process is explicitly described in Whelan FIG 5 (506) (see paragraph 0089). If the BFP does not exist (the NO branch from block 506), Whelan discloses generating a new fingerprint or unique device ID according to FIG 2 and setting it into a BFP cookie in block 510. Subsequently, the method allows device 12 to be tracked and managed, as indicated in Whelan FIG 5 (510) and FIG 2 (508) (see paragraph 0090).
In reference to claim 12, “wherein managing access to the application comprises upon determining that a current application session associated with an application user is malicious based on user activity during the current session, flagging a cookie, a passive fingerprint, and an active fingerprint associated with the current application session as malicious”, Whelan further discloses a process in block 222, where, following administrative approval and/or secondary authentication, the stored fingerprint may be updated with the generated fingerprint if the match percentage falls below the predetermined threshold. This step aligns with Hebert, where access to the application is denied upon determining that an additional request includes a cookie value that does not match any of the stored cookies. Whelan's process of updating stored fingerprints when they do not match with generated fingerprints serves a similar purpose to Hebert's concept of flagging and denying access for malicious requests. This process is clearly outlined in Whelan FIG 2 (222) (see paragraph 0082).
In reference to claim 20, "responsive to a pre-authentication interaction initiated by a computing device and received at the application, generating a passive fingerprint, an active fingerprint, and a cookie and associating the passive fingerprint, the active fingerprint, and the cookie with one another and storing the association", Whelan discloses a method that aligns closely with these steps. Whelan teaches obtaining device-specific characteristics upon a connection request, which is a form of pre-authentication interaction. This process involves generating a unique device ID or fingerprint, akin to the passive and active fingerprint generation in the claim. Whelan’s detailed description in FIG 2 (202-204) and corresponding paragraphs (see paragraphs 0060-0061) demonstrates this process.
"upon determining based on the pre-authentication interaction that the computing device is engaging in malicious activity, flagging as malicious the cookie, the passive fingerprint, and the active fingerprint associated with the computing device", Whelan also covers a similar concept. Whelan’s method includes steps for processing and analyzing the information obtained during the pre-authentication phase, which could include determining the nature of the interaction (malicious or otherwise) and responding accordingly. This is implicit in the process outlined in Whelan FIG 2 (206-208) (see paragraphs 0065-0067).
"receiving a request for an application session from an application user, the request including valid credentials for the application user", Whelan's teachings encompass a system that processes connection requests and evaluates the credentials provided by the user. This step is part of the standard functionality described in Whelan's method, particularly in the context of managing access to an application or system as shown in FIG 2 (214-216) (see paragraph 0084).
"upon determining that a passive or active fingerprint of a computing device associated with the request matches the passive or active fingerprint previously flagged as malicious based on the pre-authentication interaction, denying access to the application despite the valid credentials and terminating or redirecting current application sessions associated with the application user except for current application sessions that are allow-listed", Whelan also teaches a similar concept. Whelan discloses a method for updating and managing the stored fingerprint or ID based on the generated fingerprint, which includes the functionality to deny access or manage sessions based on the analysis of the fingerprint data. This is detailed in Whelan FIG 2 (222) and FIG 5 (510) (see paragraphs 0082 and 0089).
Whelan does not explicitly teach wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting for additional information of the requesting computing device that is not included in the captured information and responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application. However, Grajek discloses: Wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting additional information of the requesting computing device that is not included in the captured information (Grajek: [0057]-[0059] Provides for sending scripts/commands to collect device characteristics beyond what was initially captured.)
Responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application (Grajek: [0059]-[0060] Provides for the device executing the script and sending the collected characteristics back to the system.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan, which provides a method for securing applications through passive and active fingerprinting techniques, with the teachings of Grajek, which introduces the use of scripts to collect additional device information not initially captured. One of ordinary skill in the art would recognize the ability to incorporate Grajek's script-based information collection approach into Whelan's fingerprinting system to enhance the completeness and accuracy of device identification. One of ordinary skill in the art would be motivated to make this modification in order to gather more comprehensive device information for stronger authentication.
Claims 15 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Whelan, in view of Grajek et al. (US20180124039A1), in further view of Kutner (U.S. Pub. No. 2020/0213334 A1, referred to as Kutner), and in further view of Araujo (U.S. Pub. No. 2019/0068641 A1, referred to as Araujo).
In reference to claim 15, "receiving a request from a computing device to access an application, the request being associated with an account of an application user", Whelan discloses a similar process. Whelan teaches obtaining one or more device-specific characteristics in response to a connection request from a device, where these characteristics are used to identify the requesting device. This is detailed in Whelan FIG 2 (202), where a connection request initiates the collection of device-specific information, enabling the identification of the device associated with an application user (see paragraph 0060).
"generating a passive fingerprint for the request based on information associated with the computing device captured from the request", Whelan anticipates this action. Whelan’s methodology involves capturing information from the requesting device and using this data to generate a unique device ID or fingerprint, which aligns with the concept of a passive fingerprint. This process is outlined in Whelan FIG 2 (204) (see paragraph 0061).
"generating an active fingerprint for the request based on the passive fingerprint and on additional information extracted from the computing device", Whelan also teaches a corresponding method. Whelan's process includes exchanging information with the requesting device, obtaining user credentials, and generating a fingerprint or device ID. This comprehensive approach includes steps that mirror the generation of an active fingerprint as described in the claim. Whelan FIG 2 (206-208) illustrates this process (see paragraphs 0065-0067).
"comparing the passive fingerprint and active fingerprint to stored active and passive fingerprints for other requests corresponding to the application user and to other application users", Whelan’s teachings encompass a similar comparison. Whelan describes updating the stored fingerprint or ID with the generated fingerprint, which involves a comparison of current and stored data, akin to the process of comparing passive and active fingerprints. This is explained in Whelan FIG 2 (222) and FIG 5 (510) (see paragraphs 0082 and 0089).
"determining that the received request is malicious" and "terminating or redirecting current application sessions associated with the application user”, Whelan also covers these aspects. Whelan teaches a system that permits full access to authenticated devices while tracking and managing these devices, which implicitly includes the capability to determine malicious requests and manage sessions accordingly. This functionality is evident from Whelan FIG 2 (214-216) (see paragraph 0084).
Whelan does not explicitly teach wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting for additional information of the requesting computing device that is not included in the captured information and responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application. However, Grajek discloses: Wherein exchanging information comprises: sending, from the application, to the requesting computing device a script requesting for additional information of the requesting computing device that is not included in the captured information (Grajek: [0057]-[0059] Provides for sending scripts/commands to collect device characteristics beyond what was initially captured.)
Responsive to receiving the script, the requesting computing device providing the requested additional information of the requesting computing device to the application (Grajek: [0059]-[0060] Provides for the device executing the script and sending the collected characteristics back to the system.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan, which provides a method for securing applications through passive and active fingerprinting techniques, with the teachings of Grajek, which introduces the use of scripts to collect additional device information not initially captured. One of ordinary skill in the art would recognize the ability to incorporate Grajek's script-based information collection approach into Whelan's fingerprinting system to enhance the completeness and accuracy of device identification. One of ordinary skill in the art would be motivated to make this modification in order to gather more comprehensive device information for stronger authentication.
Whelan in view of Grajek does not explicitly disclose; however, Araujo teaches:
determining that the received request is malicious comprises determining that the passive or active fingerprints for the request are already associated with a different application user (Araujo: [0047]-[0054] Provides for integrating deceptions into applications to identify threats and gain security insights. This includes embedding cyber traps in applications and analyzing interactions for threat identification, which can encompass recognizing when fingerprints are associated with different users. Araujo’s methods are outlined in paragraphs 0047-0054.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2, 222) (see paragraph 0082) by incorporating Araujo’s methods (as described in paragraphs 0047-0054). The combination of Whelan's approach to fingerprint management with Araujo's advanced techniques for cyber threat detection and response creates a robust system for security management. This integration enables the system to effectively identify and respond to malicious requests, particularly when fingerprints are associated with a different user.
In reference to claim 9, “wherein redirecting a current application session comprises transferring the current application session to a cloned application session including at least some alternative data in place of data associated with the application session”, Whelan teaches the method of claims 5 and 1 of managing access to the application (Whelan FIG 2; 214-216) (see paragraph 0084). Kutner teaches the process of denying website access based on credential mismatches, which would result in a comprehensive security mechanism. This integration effectively manages access by both biometric and credential verification, enhancing the security framework of the application (FIG 1, 110) (see paragraphs 0023-0024).
Whelan and Kutner do not explicitly disclose; however, Araujo teaches wherein a deception is injected directly into a running target application. The injected deception triggers a response in the application, allowing for active responses such as moving the current execution thread of the application into a decoy sandbox for further analysis. This active response involves establishing a cloned application session, as depicted in Araujo FIG 1 (114) (see paragraphs 0024-0026).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2; 214-216) (see paragraph 0084) by incorporating Araujo’s methods (FIG 1, 114) (see paragraphs 0024-0026). The integration of Whelan's access management techniques with Araujo's concept of injecting deception into an application to initiate a cloned session with alternative data provides a sophisticated means of security. This combination effectively transfers a potentially compromised session to a controlled environment, enhancing security measures while allowing for continuous monitoring and analysis of suspicious activities.
Claims 10-11, 14-15 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Whelan, in view of Grajek et al. (US20180124039A1), in further view of Araujo (U.S. Pub. No. 2019/0068641 A1, referred to as Araujo).
In reference to claim 10, “wherein managing access to the application further comprises upon receiving a second additional request including at least one of the cookie, the passive fingerprint, or the active fingerprint that have been flagged as malicious, denying access to the application for the second additional request”, Whelan teaches the method of claim 1, wherein if the match percentage between the generated fingerprint and the stored fingerprint falls below a predetermined threshold (the "NO" path from block 212), access to database system 16 by device 12 is restricted in block 218 (Whelan FIG 2 (218) and (208)) (see paragraph 0080).
Whelan in view of Grajek does not explicitly disclose; however, Araujo teaches wherein any process created or entering a sandbox is re-parented to the /sbin/init process, separating attackers from benign users and monitoring their actions. The sandboxing approach described in Araujo provides lightweight application sandboxing based on Linux namespaces, enabling monitoring and analysis of attacks in real-time without significant performance overhead. Araujo's technique allows rapid deployments of application-level deceptions, including booby traps, to implant cyber deceptions into running legacy applications on both production and decoy systems (see paragraphs 0047-0054).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2, 218 and 208) (see paragraph 0080) by incorporating Araujo’s methods (as detailed in paragraphs 0047-0054). The merger of Whelan's approach in restricting access based on fingerprint matching discrepancies with Araujo’s sandboxing technique provides a sophisticated system for security management. This combination ensures that upon detecting a request with flagged components, such as a cookie or fingerprint, the system not only denies access but also isolates and analyzes the request in a controlled environment, thereby enhancing the application's defensive mechanisms against potential malicious activities.
In reference to claim 11, “wherein denying access comprises establishing a cloned application session including at least some alternative data in place of data associated with an actual application session”, Whelan teaches the method of claims 5 and 1 of managing access to the application (Whelan FIG 2; 214-216) (see paragraph 0084).
Whelan in view of Grajek does not explicitly disclose; however, Araujo teaches:
A method where a response triggered by a booby trap involves moving the affected code into a decoy sandbox for further monitoring and forensics, establishing a cloned application session with alternative data in place of data associated with an actual application session. This is evident from the description (paragraph 0045) and the corresponding steps in the process.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2; 214-216) (see paragraph 0084) by incorporating Araujo’s methods (as described in paragraph 0045). The integration of Whelan's access management strategies with Araujo's approach of establishing cloned application sessions using alternative data offers a novel solution for enhancing application security. This combination results in an advanced system where access denials lead to the creation of decoy environments, allowing for real-time analysis and prevention of potential security breaches without compromising the actual application data.
In reference to claim 14, “wherein managing access to the application further comprises upon receiving an additional request to access the application having the passive fingerprint, active fingerprint, or cookie flagged as malicious but corresponding to a different application user’s credentials, flagging the additional request as malicious and denying access to the application”, Whelan teaches all the features of claims 12 and 1; the process of updating stored fingerprints when they do not match with generated fingerprints serves a similar purpose to Hebert's concept of flagging and denying access for malicious requests (Whelan FIG 2; 222) (see paragraph 0082).
Whelan in view of Grajek does not explicitly disclose; however, Araujo teaches wherein deceptions are integrated into genuine applications and services, offering a new vantage point for security analysts to identify threats and gain attack insights. The approach facilitates embedding cyber traps into commercial off-the-shelf (COTS) applications and provides an effective way for early attack alerting, logging, attacker sandboxing, and automated synthesis of high-interaction honeypots (see paragraphs 0047-0054).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2, 222) (see paragraph 0082) by incorporating Araujo’s methods (as outlined in paragraphs 0047-0054). The integration of Whelan's process for updating stored fingerprints in case of mismatch with Araujo's techniques for embedding cyber traps within genuine applications creates a comprehensive system for identifying and responding to security threats. This combination effectively flags and denies access to requests identified as malicious, even when they correspond to different user credentials, thereby enhancing the application's capability to preemptively address potential security breaches.
In reference to claim 18, "determining that the received request is malicious comprises determining that the passive or active fingerprints for the request are already associated with a stored cookie and a different cookie is present in the request", Whelan provides relevant teachings. Whelan discloses a method involving the updating of stored fingerprints or device IDs, and the association of this data with cookies. This process, which includes analyzing and comparing fingerprints and cookies, can implicitly cover the scenario where a fingerprint matches a stored one but is associated with a different cookie, indicating potential maliciousness. This aspect is outlined in Whelan FIG 2 (222) and in the associated description (see paragraph 0082).
Whelan does not explicitly disclose; however, Araujo teaches integrating deceptions into applications, which includes the use of cyber traps and sophisticated monitoring techniques. This approach can effectively identify anomalies such as mismatched cookies and fingerprints, indicating a malicious request. Araujo’s methods, providing advanced threat detection capabilities, are detailed in paragraphs 0047-0054.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2, 222) (see paragraph 0082) by incorporating Araujo’s methods (as described in paragraphs 0047-0054). The integration of Whelan's approach to managing and updating fingerprint and cookie data with Araujo's advanced deception and threat detection techniques creates a comprehensive system for application security. This combination effectively enables the system to identify and respond to situations where a fingerprint is associated with an unexpected cookie, as described in claim 18. The synergistic effect of combining Whelan and Araujo’s teachings makes the functionalities described in claim 18 appear obvious, warranting a rejection on these grounds.
In reference to claim 19, "redirecting a current application session comprises transferring the current application session to a cloned application session including at least some alternative data in place of data associated with the application session", Whelan provides relevant teachings. Whelan discusses methods for managing access to an application, which include tracking and managing device interactions with the application. This process could implicitly involve manipulating application sessions in response to security concerns, a concept that aligns with the idea of session redirection to a cloned environment. This aspect is covered in Whelan FIG 2 (214-216) as detailed in paragraph 0084.
Whelan in view of Grajek does not explicitly disclose; however, Araujo teaches where deception is injected directly into a running application, which triggers the application to respond by moving its execution into a decoy or cloned environment for further analysis. This process, involving the creation of a cloned application session with alternative data, directly relates to the concept of transferring a session to a cloned environment as stated in claim 19. Araujo’s methods are outlined in FIG 1 (114) and the associated descriptions in paragraphs 0024-0026.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan (FIG 2; 214-216) (see paragraph 0084) by incorporating Araujo’s methods (FIG 1, 114) (see paragraphs 0024-0026). The combination of Whelan's techniques for managing application access with Araujo's approach of creating cloned sessions in response to deceptive interactions results in an advanced security mechanism. This integration effectively enables the redirection of application sessions to controlled, cloned environments for security purposes, mirroring the functionalities described in claim 19. The teachings of Whelan and Araujo together make the features of claim 19 appear obvious, warranting a rejection on these grounds.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 6-8, 13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Whelan, in view of Grajek et al. (US20180124039A1), in further view of Araujo (U.S. Pub. No. 2019/0068641 A1, referred to as Araujo) in further view of Kutner (U.S. Pub. No. 2020/0213334 A1, referred to as Kutner).
In reference to claim 6, “wherein managing access to the application further comprises upon determining that the additional request includes valid credentials for an application user and upon determining that the additional request is malicious, locking the account of the application user”, Whelan teaches a method of Claim 1 where, if the match percentage between the generated fingerprint and the stored fingerprint falls below a predetermined threshold (the "NO" path from block 212), access to database system 16 by device 12 is restricted in block 218 (Whelan FIG 2 (218) and (208); see paragraph 0080).
Whelan in view of Grajek does not explicitly disclose; however, Kutner teaches wherein a credential analysis engine detects compromised credentials and enforces action rules, including locking one or more accounts associated with the compromised credentials, notifying users, adding the credentials to a compromised list, triggering password changes, and analyzing existing accounts for similar credentials. This is evident from Kutner FIG 2 (256) and the corresponding description (see paragraphs 0044 and 0023-0024).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan and Grajek (FIG 2, 218 and 208) (see paragraph 0080) by incorporating Kutner's methods (FIG 2, 256) (see paragraphs 0044 and 0023-0024). The combination of Whelan-Grajek's approach of restricting access when a fingerprint match is low with Kutner's comprehensive method of detecting and responding to compromised credentials, including account locking, forms a robust security mechanism. This integration effectively locks user accounts upon detection of valid but malicious requests, thus enhancing the security and integrity of the application.
In reference to claim 7, “wherein managing access to the application further comprises terminating or redirecting current application sessions associated with the locked application user”, Whelan in view of Grajek teaches a method of Claim 6 where, if the match percentage between the generated fingerprint and the stored fingerprint falls below a predetermined threshold (the "NO" path from block 212), access to database system 16 by device 12 is restricted in block 218 (Whelan FIG 2 (218) and (208); see paragraph 0080).
Whelan in view of Grajek does not explicitly disclose; however, Kutner teaches:
A process where access attempts to a website are denied based on the comparison of provided credential sets against existing site credentials. If a mismatch is found, the credential set is added to the failure log, and access to the website is denied. This is clearly outlined in Kutner FIG 1 (110) and the corresponding description (see paragraphs 0023-0024).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan in view of Grajek (FIG 2, 218 and 208) (see paragraph 0080) by incorporating Kutner's methods (FIG 1, 110) (see paragraphs 0023-0024). The combination of Whelan-Grajek's system for restricting access to a database system when a fingerprint match falls below a threshold with Kutner's process of denying website access based on credential mismatches would result in a comprehensive security mechanism. This integration effectively manages access by both biometric and credential verification, enhancing the security framework of the application.
In reference to claim 8, “wherein managing access to the application further comprises not terminating or redirecting an allow-listed current application session associated with the locked application user”, Whelan teaches permitting the device full access to the system and tracking or managing the device. After the device is positively authenticated, Whelan allows full access to the system and provides tracking and management functionalities (Whelan FIG 2; 214-216) (see paragraph 0084).
Whelan in view of Grajek does not explicitly disclose; however, Kutner teaches:
A method wherein a determination is made as to whether the first set of user credentials represent a valid set of user credentials for a particular website. If a match exists with a plurality of site-specific user credentials, the login attempt is authenticated, and login is allowed. If no match exists and the user credentials are associated with an existing entry in a failed credential log, the counter value associated with that entry is incremented. In case no existing entry is found, a new entry is added to the log. This process ensures that only valid login attempts are authenticated, and suspicious login attempts are tracked in the failed credential log. This is evident from Kutner FIG 3 (325) (see paragraphs 0056-0057).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan in view of Grajek (FIG 2; 214-216) (see paragraph 0084) by incorporating Kutner's methods (FIG 3, 325) (see paragraphs 0056-0057). The integration of Whelan-Grajek's approach of allowing full system access post-authentication with Kutner's method of credential validation and logging failed attempts results in a nuanced access management system. This combination effectively distinguishes between valid and suspicious login attempts, thereby maintaining system integrity while ensuring that legitimate users retain uninterrupted access to the application.
In reference to Claim 13, “wherein managing access to the application further comprises locking an account associated with the application user and redirecting or terminating other current application sessions associated with the application user”, Whelan teaches a process in block 222, where, following administrative approval and/or secondary authentication, the stored fingerprint may be updated with the generated fingerprint if the match percentage falls below the predetermined threshold (Whelan FIG 2 (222); see paragraph 0082).
Whelan in view of Grajek does not explicitly disclose; however, Kutner teaches wherein compromised credentials lead to actions such as locking the associated user account and redirecting or terminating current application sessions. While Whelan provides the foundation for this concept, Kutner's detailed description of action rules and their enforcement in response to compromised credentials provides additional insight into the process of managing access to the application. This is evident from Kutner FIG 2 (256) and the corresponding description (see paragraph 0044).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Whelan in view of Grajek (FIG 2, 222) (see paragraph 0082) by incorporating Kutner's methods (FIG 2, 256) (see paragraph 0044). The combination of Whelan-Grajek's process of updating a stored fingerprint following a low match percentage with Kutner's detailed approach to locking accounts and terminating sessions upon compromised credentials would result in a robust security system. This integrated method effectively locks out unauthorized access while maintaining flexibility in handling account security breaches, thereby enhancing the overall security protocol of the application.
In reference to claim 16, "wherein the operations further comprise not terminating or redirecting an allow-listed current application session associated with the user", Whelan discloses a method where, following the positive authentication of a device, the system grants full access and provides tracking and management functionalities. This approach implies the ability to maintain active sessions for authenticated users, which aligns with the concept of not terminating or redirecting allow-listed sessions. This is detailed in Whelan FIG 2 (214-216) (see paragraph 0084).
Whelan in view of Grajek does not explicitly disclose; however, Kutner teaches:
A method for validating user credentials and managing login attempts. Specifically, Kutner's method involves determining if user credentials match those in a d