Prosecution Insights
Last updated: May 29, 2026
Application No. 17/858,990

Detecting Anomalous Behavior Using A Browser Extension

Non-Final OA §103
Filed: Jul 06, 2022
Priority: Nov 27, 2017 — provisional 62/590,986 +6 more
Examiner: RAHMAN, MAHFUZUR
Art Unit: 2498
Tech Center: 2400 — Computer Networks
Assignee: Fortinet Inc.
OA Round: 4 (Non-Final)
Grant Probability: 91% (Favorable)
OA Rounds: 4-5
Est. Remaining: 0m
With Interview: 99%

Examiner Intelligence

Grants 91% — above average
Career Allowance Rate: 91% (690 granted / 759 resolved, +32.9% vs TC avg)
Interview Lift: +8.2% (moderate +8% lift, resolved cases with interview)
Avg Prosecution (typical timeline): 2y 6m, 10 currently pending
Total Applications (career history): 775 across all art units

Statute-Specific Performance

§101: 11.0% (-29.0% vs TC avg)
§103: 69.7% (+29.7% vs TC avg)
§102: 3.2% (-36.8% vs TC avg)
§112: 2.9% (-37.1% vs TC avg)
Based on career data from 759 resolved cases

Office Action

§103
DETAILED ACTION

This Office Action is in response to the amendment filed on 07/18/2025 in which claims 1-20 are presented for examination on the merits.

Notice of Pre-AIA or AIA Status

The present application is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer

The terminal disclaimer filed on 07/18/2025 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of the cited applications in the double patenting rejections, in the office action mailed on 05/08/2025, has been reviewed and is accepted. The terminal disclaimer has been recorded.

Response to Arguments

1. Applicant's arguments in page 6 of the REMARKS filed on 07/18/2025 with respect to the rejection under 35 USC § 103(a) have been considered but are moot in view of the new grounds of rejection. After careful review and in light of Applicant’s amendments, remarks, and Examiner’s newly performed search and consideration, claims 1-20 are now newly rejected under 35 U.S.C. 103(a) for the reasons specified below.

Claim Rejections - 35 USC § 103

2. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

3. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

5. This application currently names joint inventors. In considering patentability of the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) prior art under 35 U.S.C. 103(a).

6. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey et al. (US 20170339178 A1, hereinafter, Mahaffey) in view of Heath (US 20130073387 A1) and further in view of Gustavsson et al. (US 20170124196 A1, hereinafter, Gustavsson).

Regarding claim 1, Mahaffey discloses a method comprising (Para 0210: browsers (e.g., Firefox, Chrome, etc.); extensions):

generating a profile associated with a user of a user device (Para 0074: personal data associated with the user of the device includes, but are not limited to, contacts of the user of the device (e.g., an address book or phone number contact list), short message service (SMS) contacts, SMS messages transmitted or received by the user of the device, email contacts, email database (e.g., the device may store emails from an email account of the user)).

gathering first information [generated by a browser extension on the user device identifying one or more applications accessed by the user and application behavior of the one or more applications] (Para 0161, 0207, 0078-0079: a deviation in device including pattern of applications used, for how long, with what frequency, in what sequence after unlocking or first attending to a device after a period of inactivity wherein historical analysis system includes a determination of the web page's behavior both in terms of what network connections it makes, e.g…. look at what the impact of the browser on the system is…wherein plugins or extensions for a browser application access personal data) describing activity associated with a user and generated by a browser extension on a user device (Para 0009: monitoring or acquisition is controlled by a policy, which includes sets of norms or models of behavior, as well as appropriate responses to be triggered based on monitoring activity);

gathering second information [describing network activity associated with the user] (Para 0064: application runs at the server in a highly instrumented environment in which requests by the application for device local information are delegated to a stub on the actual device via communications between the server and device and display actions sent from server to device and user interactions sent from device to the server execution environment) [generated by a client application executed on the user device] (Para 0079: an application that attempts to retrieve the complete list of installed plugins or extensions for a browser application can be considered to be accessing another type of personal data.); and

determining, based on the first information and the second information, whether the user has deviated from normal activity (Para 0183: analysis server can generate a normal context behavior model and an actual context behavior model. The actual context behavior model can be compared with the normal context behavior model to determine deviations). based on the first information and the profile (Abstract, Para 0288: the norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated.. ..data is collected related to behavior of applications, components, system libraries, firmware, sensors, etc. means that the derived notions or norms for behavior can be used to generate such policies for distribution to devices); and

[generating a polygraph upon determining a deviation from normal activity, the polygraph including logical entities representing the one or more applications accessed by the user and edges representing behavioral relationships between the logical entities].

Mahaffey does not explicitly state but Heath from the same or similar fields of endeavor teaches wherein gathering first information generated by a browser extension on the user device identifying one or more applications accessed by the user and application behavior of the one or more applications (Heath, Paragraph 0141, 0148: Social Shoppers to select from a menu of coupons based upon their online activities, location, online communications, search inquiries, social networking, social plugins, ad links, promotions, social applications, entertainment shopping, penny auctions or online auctions, advertisements and affiliate advertising or services, purchasing, behavior, buying patterns and other criteria).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention wherein gathering first information generated by a browser extension on the user device identifying one or more applications accessed by the user and application behavior of the one or more applications as taught by Heath in the teachings of Mahaffey for the advantage of providing broad and alternative category clustering of the same, similar or different categories in social/geo/promo link promotional data sets for end user display of interactive ad links, promotions and sale of educational related Products, Goods, and/or Services integrated with 3D spatial geomapping and social networking (Heath Para 0002).

The combination of Mahaffey and Heath does not explicitly state but Gustavsson from the same or similar fields of endeavor teaches generating a polygraph upon determining a deviation from normal activity (See, Fig. 3 and associated texts, Para 0019: determine a relative level of the user's contextual affinity with one or more of the list items, contextual affinity to a list item characterized by connectedness of a context of the user's current use of the electronic user device to a manner in which a relation has had interactive behavior with one of the objects that corresponds to the list item; and rank the list items according to the relative levels of affinity), the polygraph including logical entities representing the one or more applications accessed by the user and edges representing behavioral relationships between the logical entities (Para 0024: the logical instructions crawl the electronic device activity of relations in the user's social graph to construct a multi-dimensional object matrix containing value-based indications of multiple types of interactive behavior with the objects; Fig. 3 and associated texts).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention wherein generating a polygraph upon determining a deviation from normal activity, the polygraph including logical entities representing the one or more applications accessed by the user and edges representing behavioral relationships between the logical entities as taught by Gustavsson in the teachings of Mahaffey and Heath for the advantage of determining a relative level of the user's contextual affinity with one or more items, contextual affinity to a list item characterized by connectedness of a context of the user's current use of the electronic user device to a manner in which a relation has had interactive behavior with one of the objects that corresponds to the list item; and ranking the list items according to the relative levels of affinity (Gustavsson Abstract).

Regarding claim 2, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 1 wherein determining whether the user has deviated from normal activity is further based on historical information describing historical activity of the user (Para 0087: historical, and derivative context. Instantaneous context includes configuration, state, and activities or events happening now or in the present. Historical context includes history (over several time scales) of configuration, state, and activities or events happening in the past).

Regarding claim 3, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 2 wherein the historical information is generated at least in part by the browser extension (Para 0207: most historical analysis systems took place on the server side. However, gathering data from devices, from sensors out in the world, allows for a determination of the web page's behavior both in terms of what network connections it makes, e.g., loaded image).

Regarding claim 4, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 3 wherein the historical information is generated at least in part by the application (Para 0087: historical, and derivative context. Instantaneous context includes configuration, state, and activities or events happening now or in the present. Historical context includes history (over several time scales) of configuration, state, and activities or events happening in the past).

Regarding claim 5, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 1 wherein the first information describes a browser context during user activity (Para 0088: context can include measurements or observations of configuration, state, activities, events, sequences thereof, of elements of the device, the user and the user's activity, of the environment (geographical, network, etc.) in which the device currently finds itself, and of other devices or elements external to the device itself. The context information may be used to help cluster or determine norms of other data or behaviors collected from the device).

Regarding claim 6, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 1 wherein determining whether the user has deviated from normal activity includes correlating portions of the first information with portions of the second information (Para 0007: analysis process uses risk models, correlation of states and events or event sequences, and prior knowledge concerning known bad actors (applications, websites, etc.), and known bad behaviors (for example, malformed content, vulnerability exploits, etc.)).

Regarding claim 7, the combination of Mahaffey, Heath, and Gustavsson discloses the method of claim 1 further comprising generating an alert indicating the deviation from normal activity; and including the alert in the polygraph (Para 0010, 0207: determining that a deviation between the norm and the data collected from the first device is outside of a threshold deviation, and upon the determination, generating an alert by the server.. wherein historical analysis includes determination of the web page's behavior).

Regarding claim 8, the combination of Mahaffey and Heath discloses the method of claim 1 further comprising directing the user device to an approval workflow via the browser extension in response to determining that the user has deviated from normal activity (Fig. 1 and Fig 4 and associated texts; Para 0189, 0223: model allows for periodic checks that are sufficient to conclude that further action is not required. The checks, actions, or both may relate to risk level, to other changes on the system which may trigger monitor level changes. The system provides techniques to fast path checking so that if the behavior is the normal behavior, no or relatively few actions need to be taken).

Regarding claim 9, the combination of Mahaffey and Heath discloses the method of claim 8 wherein the user device is directed to the approval workflow instead of a requested resource (Para 0251: monitoring features (in hardware, software, or both) which can be used by different applications. For example, a device may include a neural processor (or other processor) that prohibits unsigned models; prohibits models not signed by approved signers; prohibits or limits the number or type of models during particular context situations).

Regarding claim 10, the combination of Mahaffey and Heath discloses the method of claim 8 wherein the user device is directed to the approval workflow in line with another resource (Para 0210: system using this instrumentation can then detect a variety of potential or actual attacks. In a specific implementation, there is an inspection module that inspects resources (e.g., web pages) visited by the browser).

Regarding claim 11; Claim 11 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 12; Claim 12 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 13; Claim 13 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 14; Claim 14 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Regarding claim 15; Claim 15 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 16; Claim 16 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 17; Claim 17 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 18; Claim 18 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Regarding claim 19; Claim 19 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Regarding claim 20; Claim 20 is similar in scope to claim 10, and is therefore rejected under similar rationale.

Examiner Notes

7. The Examiner notes that incorporating the combined limitations of claims 7, 8, and 9 including the limitations “…determining whether a difference between the first information and the profile exceeds a threshold…” into independent claim 1 would better clarify the subject matter/embodiment of claimed invention. Similarly, amending independent claim 11 with aforesaid claim limitations from similar claims would help advance the prosecution as it would clarify the claimed invention.

Conclusion

8. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ramic et al. (US 20100312739 A1) discloses a system for controlling the activities of real and virtual entities by monitoring and analyzing a real entity's activities and providing responses to affect virtual and real behavior patterns, according to pre-established rules. A Real-time Monitoring and Virtualization (RMV) utility collects information about the real entity's behavior utilizing monitors.

Hull Mark Everett et al. (WO 2005074443 A2) discloses methods that are directed towards enabling information filtering using measures of an affinity of a relationship between subscribers of an online portal system. The affinity of a relationship may be determined based, in part, on the tracking of various online behaviors of and between subscribers of the portal system.

9. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHFUZUR RAHMAN whose telephone number is (571)270-7638. The examiner can normally be reached on Monday thru Friday. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHFUZUR RAHMAN/
Primary Examiner, Art Unit 2498

Prosecution Timeline

Feb 27, 2025: Final Rejection mailed — §103
Mar 11, 2025: Response after Non-Final Action
Apr 02, 2025: Request for Continued Examination
Apr 07, 2025: Response after Non-Final Action
May 08, 2025: Non-Final Rejection mailed — §103
Jul 18, 2025: Response Filed
Nov 05, 2025: Final Rejection mailed — §103
Dec 26, 2025: Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12626019
SYSTEMS AND METHODS FOR APPLYING SECRECY SETTINGS ON A USER DEVICE
1y 9m to grant Granted May 12, 2026
Patent 12592839
PUF-PROTECTED PSEUDO-HOMOMORPHIC METHODS TO GENERATE SESSION KEYS
1y 6m to grant Granted Mar 31, 2026
Patent 12563064
DISTINGUISHING USER-INITIATED ACTIVITY FROM APPLICATION-INITIATED ACTIVITY
3y 0m to grant Granted Feb 24, 2026
Patent 12562910
CENTRALIZED AND DECENTRALIZED INDIVIDUALIZED MEDICINE PLATFORM
1y 11m to grant Granted Feb 24, 2026
Patent 12561454
PROTECTION OF DATA KEYS USED IN CRYPTOGRAPHIC PROCESSING
1y 11m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 4-5
Grant Probability: 91%
With Interview (+8.2%): 99%
Median Time to Grant: 2y 6m (~0m remaining)
PTA Risk: High
Based on 759 resolved cases by this examiner. Grant probability derived from career allowance rate.
