ADAPTIVE RATE LIMITER BASED ON TRANSACTIONAL HEURISTICS AND ARTIFICIAL INTELLIGENCE

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01/22/2026 has been entered. Response to Amendment This Office action is in response to amendment/reconsideration filed on 01/22/2026, the amendments have been considered. Claims 1, 11, 14, 15, and 17-19 have been amended. Claims 22 and 23 are newly added. Claims 1-23 are pending for examination, the rejection cited as stated below. Response to Arguments Applicant's arguments filed 01/22/2026, with regards to the limitation “wherein the classifier generates the classification based at least in part on whether credentials are returned in response to an authentication challenge for the request” have been fully considered but they are not persuasive. Applicant asserts that the prior art of Chhabra fails to disclose the above-mentioned feature because the general-purpose proxy enforces client-configured access control rules, such as whitelists, in combination with upfront credential authentication to protect web-based resources within a provider network. The Examiner respectfully disagrees, as Chhabra discloses in Col 2, lines 1-23, that the proxy receives network traffic requests from clients in order to gain access to a resource/service within the provider network, wherein the proxy authenticates, for each client request, the credentials using an authentication service of the provider network. The proxy will allow access to the services if one or more user-configures access control rules are satisfied and one or more credentials associated with the services are authenticated and prevent access to the services if the conditions are not satisfied (i.e., requests not being authenticated). Furthermore, Col 5, lines 30-43, disclose access control rules which include any rule suitable for limiting access to requests or enabling access to requests that originate from a client based on credentials provided with the requests and/or other information provided with the requests. A whitelist is used to determine one or more accounts for a client that are allowed access to the one or more services based on the credentials provided (i.e., generating a classification based on credentials returned in response to an authentication challenge for the request, as claimed). Based on the rationale explained above, the Examiner disagrees with the prior art being silent to the claimed embodiment. Applicant’s arguments with respect to the limitation “wherein the adjusting comprises rate-limiting authentication requests from untrusted sources while prioritizing processing of authentication requests from trusted sources” have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-3, 5-7, and 9-23 are rejected under 35 U.S.C. 103 as being unpatentable over Jasmeet Chhabra et al (US 11032280 B1), hereinafter “Chhabra”. in view of Christopher Newell Toomey (US 20050108551 A1), hereinafter “Toomey”. Regarding Claim 1, Chhabra discloses a system for adaptively limiting web requests, comprising: one or more processors configured to: receive a request at a proxy for an authentication service (Chhabra, Col 2, lines 1-11, proxy receives network traffic requests that originate from a particular client of the provider network, wherein the network traffic requests are for a resource (e.g., service) within the provider network that need to be authenticated. Col 3, lines 5-16, proxy receiving requests from one or more client networks, wherein the requests are related to access one or more web-based resources); determine whether the request is trusted based at least in part on a classification obtained from a classifier (Chhabra, Col 2, lines 51-57 , using a proxy to apply client-specific access control rules in order to block requests from unauthorized users. Col 3, lines 66-67 – Col 4, lines 1-62, different methods of determining if the user is authentic in order to grant access to the requested resources. Col 5, lines 30-43, whitelists are used to determine accounts from clients that are allowed access to the services based on the credentials provided), wherein the classifier generates the classification based at least in part on whether credentials are returned in response to an authentication challenge for the request (Chhabra, Col 2, lines 1-23, proxy allows/disallows access to requests for services based on authentication/credentials of the requests. Col 5, lines 30-43, whitelists are used to determine accounts from clients that are allowed access to the services based on the credentials provided); and handle the request according to a determination of whether the request is trusted (Chhabra, Col 5, lines 8-22, allowing access to one or more of the services if one or more of the access control rules are satisfied and one or more credentials associated with the one or more services are authenticated and preventing access to one or more services if the one or more access control rules are not satisfied or if the one or more credentials associated with the one or more services are not authenticated), wherein handling the request includes adaptively adjusting a rate at which authentication requests for the authentication service are processed based at least in part on the classification for the request (Chhabra, Col 5, lines 30-43, access control rules include any rule suitable for limiting access to requests or enabling access to requests that originate from a client site of a client (e.g., a client network ) based on credentials provided with the requests and/or other information provided with the request); and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (Chhabra, Col 10, lines 57-65, computer system includes one or more processors coupled to a system memory). However, Chhabra fails to explicitly disclose wherein the adjusting comprises rate-limiting authentication requests from untrusted sources while prioritizing processing of authentication requests from trusted sources. Toomey, from the same or similar field of endeavor, discloses wherein the adjusting comprises rate-limiting authentication requests from untrusted sources while prioritizing processing of authentication requests from trusted sources (Toomey, Paragraphs 0022-0023, using trust-based rate limiting methods for network requests. A client that has successfully been authenticated to a server is issued a trust token by the server. At the server, a rate limiting component applies traffic policing measures based on availability of a valid trusted token. Rate policies further specify bandwidth restrictions to be imposed for untrusted network traffic or can drop untrusted traffic entirely. Paragraph 0086, rate limiter prioritized authentication requests to be processed by the authenticator based on the client ID, the presence and assessed validity of the associated trust token, and any defined rate limiting policies, to determine if and how to rate-limit the requests. A request lacking a valid token is given a lower priority). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chhabra in view of Toomey in order to further modify the method of controlling access to services from the teachings of Chhabra with the method of fine-grained rate limiting of network requests from the teachings of Toomey. One of ordinary skill in the art would have been motivated because the system will be able to distinguish friendly network traffic from hostile network traffic by using a trust-based rate limiting approach (Toomey – Paragraphs 0021-0023). Regarding Claim 2, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein handling the request comprises processing the request in response to determining that the request is trusted (Chhabra, Col 5, lines 8-22, allowing access to one or more of the services if one or more of the access control rules are satisfied and one or more credentials associated with the one or more services are authenticated). Regarding Claim 3, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the classifier is a machine learning model (Chhabra, Col 6, lines 46-58, proxy updates access control rules using a self-learning modification system (e.g., via a machine learning model or other artificial intelligence) to identify requests that are attacks or likely to be attacks based on identifier information in a request and/or other request characteristics). Regarding Claim 5, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein handling the request comprises blocking the request in response to determining that the request is untrusted (Chhabra, Col 5, lines 8-22, preventing access to one or more services if the one or more access control rules are not satisfied or if the one or more credentials associated with the one or more services are not authenticated). Regarding Claim 6, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the classifier provides a binary classification of the request as either a trusted request or an invalid request (Chhabra, Col 5, lines 8-26, allowing or preventing access to resources to one or more of the services and/or target resources that are external to the provider network. Col 6, lines 6-15, specifying whitelist of devices that can access the one or more services. Col 6, lines 36-45, logging the rejection of the user request). Regarding Claim 7, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the request is deemed trusted in response to the classification predicting that the request is legitimate (Chhabra, Col 6, lines 46-58, updating access control rules based on analysis of request traffic and/or request rejections due to the access control rules and/or authentication using a machine learning model or other artificial intelligence in order to identify requests that are attacks or likely to be attacks). Regarding Claim 9, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein if the request is deemed untrusted handling the request comprises returning an indication that the request will not be processed (Chhabra, Col 5, lines 8-22, preventing access to one or more services if the one or more access control rules are not satisfied or if the one or more credentials associated with the one or more services are not authenticated. Col 6, lines 36-45, rejection message is delivered to the client device and/or client network that originated the corresponding request). Regarding Claim 10, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the classifier generates a predicted classification based at least in part on one or more attributes associated with the request (Chhabra, Col 2, lines 51-57 , using a proxy to apply client-specific access control rules in order to block requests from unauthorized users. Col 3, lines 66-67 – Col 4, lines 1-62, different methods of determining if the user is authentic in order to grant access to the requested resources. Col 5, lines 8-22, allowing access to one or more of the services if one or more of the access control rules are satisfied and one or more credentials associated with the one or more services are authenticated and preventing access to one or more services if the one or more access control rules are not satisfied or if the one or more credentials associated with the one or more services are not authenticated. Chhabra, Col 6, lines 46-58, proxy updates access control rules using a self-learning modification system (e.g., via a machine learning model or other artificial intelligence) to identify requests that are attacks or likely to be attacks based on identifier information in a request and/or other request characteristics). Regarding Claim 11, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein handling the request according to a determination of whether the request is trusted comprises: obtain an IP address associated with the proxy via which the request is sent (Chhabra, Col 3, lines 54-65, network management device stores or references a list of destinations (e.g., network IP address) that correspond to endpoints for one or more services and/or endpoint for any other locations/devices within the provider network); and configure a security entity to block requests associated with the IP address for a predefined period of time, wherein the predefined period of time is based on a security policy (Chhabra, Col 6, lines 16-24, whitelist of devices may include a whitelist of source network IP addresses for respective devices that are allowed access to the one or more of the services. The proxy may reject the request and/or log the rejection of the request if the credentials and/or information of the request indicates that the source network IP address does not match one of the source network IP addresses specified by the whitelist. Col 6, lines 59-67 – Col 7, lines 1-5, rejecting requests based on log information associated with the response of a service that processed the request (e.g., time that the service sent the response, amount of time between forwarding the request to the service and sending of the response from the service, etc.)). Regarding Claim 12, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the classification for the request is reset after the predefined period of time (Chhabra, Col 6, lines 46-58, proxy updates the access control rules based on analysis of request traffic and/or request rejections due to the access control rules and/or authentication on an ongoing basis. Col 7, lines 6-14, updating access control rules). Regarding Claim 13, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein requests from the IP address are re-classified after predefined period of time (Chhabra, Col 6, lines 46-58, proxy updates access control rules using a self-learning modification system (e.g., via a machine learning model or other artificial intelligence) to identify requests that are attacks or likely to be attacks based on identifier information in a request and/or other request characteristics). Regarding Claim 14, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein handling the request according to the determination of whether the request is trusted comprises: rate-limiting requests from the proxy based at least in part on determining that the classification for the request is indicative of the request being untrusted (Chhabra, Col 5, lines 30-43, access control rules include any rule suitable for limiting access to requests or enabling access to requests that originate from a client site of a client (e.g., a client network ) based on credentials provided with the requests and/or other information provided with the request), and where Toomey further discloses wherein the rate-limiting is dynamic based on a probability score from the classification (Toomey, Paragraph 0065, tagging each user ID that successfully logs in, such that future attempts by that user ID are treated as trusted and incur in no additional login response latency, and add a configurable amount of incremental latency to all untrusted, i.e., untagged, logging attempts. Paragraphs 0085-0086, rate limiter prioritized authentication requests to be processed by the authenticator based on the client ID, the presence and assessed validity of the associated trust token, and any defined rate limiting policies, to determine if and how to rate-limit the requests. A request lacking a valid token is given a lower priority). Regarding Claim 15, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the request is classified based at least in part on the request and a response to an authentication challenge (Chhabra, Col 2, lines 1-11, proxy receives network traffic requests that originate from a particular client of the provider network, wherein the network traffic requests are for a resource (e.g., service) within the provider network that need to be authenticated. Col 2, lines 51-57 , using a proxy to apply client-specific access control rules in order to block requests from unauthorized users. Col 3, lines 66-67 – Col 4, lines 1-62, different methods of determining if the user is authentic in order to grant access to the requested resources). Regarding Claim 16, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein the response is a response to the authentication service for authenticating a user or device associated with the request (Chhabra, Col 6, lines 59-66, after a request is allowed and processed by a service , the service provides a response. In embodiments, the response is transmitted to the client device that originated the request). Claim 17 carries similar limitations as discussed with regards to Claim 1 above and therefore is rejected for the same reason. Claim 18 carries similar limitations as discussed with regards to Claim 1 and Claim 17 above and therefore is rejected for the same reason. Regarding Claim 19, Chhabra discloses a system for training a classifier for adaptively limiting web requests (Chhabra, Col 6, lines 46-58, proxy updates access control rules using a machine learning model or other artificial intelligence) to identify requests that are attacks or likely to be attacks based on identifier information in a request and/or other request characteristics), comprising: one or more processors (Chhabra, Col 10, lines 57-65, computer system includes one or more processors coupled to a system memory) configured to: obtain a set of requests at a proxy for an authentication service (Chhabra, Col 2, lines 1-11, proxy receives network traffic requests that originate from a particular client of the provider network, wherein the network traffic requests are for a resource (e.g., service) within the provider network that need to be authenticated. Col 3, lines 5-16, proxy receiving requests from one or more client networks, wherein the requests are related to access one or more web-based resources); train a classifier based at least in part on the set of requests, wherein the classifier is configured to identify legitimate requests to the proxy for the authentication service ((Chhabra, Col 6, lines 46-58, proxy updates access control rules using a self-learning modification system (e.g., via a machine learning model or other artificial intelligence) to identify requests that are attacks or likely to be attacks based on identifier information in a request and/or other request characteristics); and deploy the classifier in connection with adaptively limiting requests to the proxy for the authentication service based on one or more classifications predicted by the classifier (Chhabra, Col 5, lines 30-43, access control rules include any rule suitable for limiting access to requests or enabling access to requests that originate from a client site of a client (e.g., a client network ) based on credentials provided with the requests and/or other information provided with the request. Col 6, lines 46-58, machine learning or other artificial intelligence is used to identify requests that are attacks or likely to be attacks based on identified information in a request and/or other request characteristics. In response, the proxy may update the access control rules to reject requests that include the identified information and/or that have the identified request characteristics); wherein: the classifier generates a particular classification based at least in part on whether credentials are returned in response to an authentication challenge for a particular request (Chhabra, Col 2, lines 1-23, proxy allows/disallows access to requests for services based on authentication/credentials of the requests. Col 5, lines 30-43, whitelists are used to determine accounts from clients that are allowed access to the services based on the credentials provided); and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (Chhabra, Col 10, lines 57-65, computer system includes one or more processors coupled to a system memory). However, Chhabra fails to explicitly disclose and the adaptively limiting comprises adjusting a rate at which authentication requests are processed based at least in part on the one or more classifications predicted by the classifier. Toomey, from the same or similar field of endeavor, discloses and the adaptively limiting comprises adjusting a rate at which authentication requests are processed based at least in part on the one or more classifications predicted by the classifier (Toomey, Paragraphs 0022-0023, using trust-based rate limiting methods for network requests. A client that has successfully been authenticated to a server is issued a trust token by the server. At the server, a rate limiting component applies traffic policing measures based on availability of a valid trusted token. Rate policies further specify bandwidth restrictions to be imposed for untrusted network traffic or can drop untrusted traffic entirely. Paragraph 0086, rate limiter prioritized authentication requests to be processed by the authenticator based on the client ID, the presence and assessed validity of the associated trust token, and any defined rate limiting policies, to determine if and how to rate-limit the requests. A request lacking a valid token is given a lower priority). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chhabra in view of Toomey in order to further modify the method of controlling access to services from the teachings of Chhabra with the method of fine-grained rate limiting of network requests from the teachings of Toomey. One of ordinary skill in the art would have been motivated because the system will be able to distinguish friendly network traffic from hostile network traffic by using a trust-based rate limiting approach (Toomey – Paragraphs 0021-0023). Regarding Claim 20, the combination of Chhabra and Toomey disclose the system of claim 19 above, where Chhabra further discloses wherein the set of requests are obtained based on a log of requests at the authentication service (Chhabra, Col 6, lines 46-58, proxy updates the access control rules to reject requests that include the identified information and/or that have the identified request characteristics). Regarding Claim 21, the combination of Chhabra and Toomey disclose the system of claim 19 above, where Chhabra further discloses wherein the set of requests correspond to past authentication requests (Chhabra, Col 6, lines 36-58, proxy logging the rejection of the request, as well as information associated with the request (e.g., source network IP address, the requested target resource, etc. Col 9, lines 33-43, logging information, which is then used to provide the information for the rejected request to an attack detection service that analyzes rejected requests, determines whether an attack in progress based on the analysis, and provides an indication of the attack to the client (e.g., to an administrator at the client site). Regarding Claim 22, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Toomey further discloses wherein the predefined period of time for blocking requests associated with the IP address is dynamically determined based at least in part on a severity of the untrusted classification or a frequency of untrusted requests from the IP address (Toomey, Paragraphs 0096-0103, 0107, using timestamps to determine authentication record). Regarding Claim 23, the combination of Chhabra and Toomey disclose the system of claim 1 above, where Chhabra further discloses wherein after the classification for the request is reset, the system is configured to forward a subsequent request from the same IP address to the authentication service to determine whether the subsequent request is legitimate or illegitimate based on whether credentials are returned in response to an authentication challenge for the subsequent request (Chhabra, Col 2, lines 1-23, proxy allows/disallows access to requests for services based on authentication/credentials of the requests. Col 5, lines 8-22, preventing access to one or more services if the one or more access control rules are not satisfied or if the one or more credentials associated with the one or more services are not authenticated. Col 5, lines 30-43, whitelists are used to determine accounts from clients that are allowed access to the services based on the credentials provided. Col 6, lines 36-45, rejection message is delivered to the client device and/or client network that originated the corresponding request). Claims 4 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra and Toomey, and in further view of Pratap Singh Rathore et al (US 11206179 B1), hereinafter “Rathore”. Regarding Claim 4, the combination of Chhabra and Toomey disclose the system of claim 1 above. However, the combination of Chhabra and Toomey fail to explicitly disclose wherein the classifier is trained based at least in part on XGBoost machine learning process. Rathore, from the same or similar field of endeavor, discloses wherein the classifier is trained based at least in part on XGBoost machine learning process (Rathore, Col 11, lines 7-27, classification machine learning model is implemented as an extreme gradient boosting tree (XGBoost)). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chhabra in view of Toomey and in further view of Rathore in order to further modify the method of controlling access to services using a proxy from the teachings of Chhabra and the method of fine-grained rate limiting of network requests from the teachings of Toomey with the method of management of bid data based on machine learning techniques from the teachings of Rathore. One of ordinary skill in the art would have been motivated because the normalization techniques can prevent inaccuracies in predictions by implementing a learning model as an XGBoost (Rathore – Col 11, lines 7-27). Claims 8 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra and Toomey, and in further view of Rani Yadav-Ranjan et al (US 20240039938 A1), hereinafter “Yadav-Ranjan”. Regarding Claim 8, the combination of Chhabra and Toomey disclose the system of claim 1 above. However, the combination of Chhabra and Toomey fail to explicitly disclose wherein the request is deemed untrusted in response to the classification predicting that the request is part of a distributed denial of service attack. Yadav-Ranjan, from the same or similar field of endeavor, discloses wherein the request is deemed untrusted in response to the classification predicting that the request is part of a distributed denial of service attack (Yadav-Ranjan, Fig 1, Paragraph 0037, scale and automation for detecting and addressing DDoS attacks. Paragraph 0039, determining if an anomaly should or should not be treated as an attack. Paragraph 0046, addressing UE and network DDoS causes via countermeasures and/or other remedial actions. Paragraph 0048, machine learning is used to determine which approach taken is most successful at detecting DDoS attacks or in addressing the causes. Paragraph 0063, environmental conditions that give rise to denials of service may be forecast based on offline historical data and this may be used to generate a model to predict future occurrences. Paragraph 0153, detecting denial of service attacks by training a detection module). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chhabra in view of Toomey and in further view of Yadav-Ranjan in order to further modify the method of controlling access to services using a proxy from the teachings of Chhabra and the method of fine-grained rate limiting of network requests from the teachings of Toomey with the method of DDoS detection and countermeasures from the teachings of Yadav-Ranjan. One of ordinary skill in the art would have been motivated because by having previous data obtained from past attacks, the system will be able to train a detection module to detect DDoS attacks with the correlated data and prevent future attacks (Yadav-Ranjan – Paragraphs 008, 0063, and 0153). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. All the references listed on 892 are related to the subject matter of identifying attacks to resources from users. Some of the prior art include: US 20240276177 A1, US 11297152 B1, and US 20140325588 A1. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAVIER O GUZMAN whose telephone number is (571)270-0588. The examiner can normally be reached Monday - Friday 8 am to 4 pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached at 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAVIER O GUZMAN/ Primary Examiner, Art Unit 2446