DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 09/19/2025.
In the instant Amendment, claims 1, 21 and 28 have been amended; and claims 1, 21 and 28 are independent claims. Claims 1-12 and 21-28 have been examined and are pending. This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 09/19/2025, with respect to the limitations listed below, have been fully considered but are not persuasive.
Applicant’s arguments: “Seller does not teach or suggest the claimed “enhanced authentication token, the enhanced authentication token comprising indicating the malicious session request.””
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Sellers discloses the enhanced authentication token comprising information indicating the malicious session request (Sellers: col. 5 lines 65-67 through col. 6 lines 1-11 [] Honeytoken tracker engine 110 generates honeytoken tracker 185(1) and modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1); col. 5 lines 22-25 honeytokens provide an indication that a repository or location [] holding the honeytoken has been compromised by the malicious attacker). More specifically, Sellers discloses that honeytokens can include email addresses, database data, executable files, embedded links, web beacons, browser cookies, Amazon Web Services (AWS) keys, and the like. Honeytokens look enticing to attackers, are possible to detect when accessed and/or used, and in existing implementations and paradigms, do not have any actual value other than use detection (e.g., to indicate that a given data repository or network location has been compromised) [col. 3 lines 28-35], and unique honeytokens (called honey trackers) are provided to malicious attackers (e.g., one or more attackers 150(1)-(N)) and are tracked as the malicious attacker(s) target multiple systems over time and/or source malicious attacks from multiple network addresses [col. 4 lines 11-15]. Therefore, the Examiner finds this argument not persuasive.
Applicant’s arguments: “Dykes does not teach or suggest the enhanced authentication token indicating establishment of an application clone session in place of the requested application session.”
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Dykes discloses establishment of an application clone session in place of the requested application session [] (Dykes: par. 0127 in response to a security incident, the policy enforcement manager creates a deception honeypot and redirects the suspicious connection session to the deception honeypot []). More specifically, Dykes discloses that the network security system further includes a ticket-based access control layer 64 deployed at the front-end of the protected resource 18 and working in conjunction with the access control manager 70 to implement access control to the protected resource [] the ticket-based access control layer 64 is provided in addition to the access control layer 16 implementing conventional access control schemes [par. 0036], and a method 350 receives a notification of a security policy violation or a security incident (352). The method 350 receives run-time transaction information for the connection session associated with the security incident (354). The method 350 launches a deception honeypot service using the run-time transaction information for the suspicious connection session (356). The method 350 then redirects network traffic associated with the suspected connection session to the deception honeypot service (358). The method 350 then conducts the redirected connection session at the deception honeypot service (360) [par. 0131]. Therefore, the Examiner finds this argument not persuasive.
The amended claims 1, 21 and 28 have been addressed in the rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 21 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Sellers (US 11057429) in view of Dykes et al. (“Dykes,” US 2019/0312860).
Regarding claim 1: Sellers discloses a method for securing an application, the method comprising:
comparing submitted credentials for an application session request to stored credentials (Sellers: col. 5 lines 7-11 receives a malicious attack intended for protected host 155(1) from attacker 150(1) and determines that attack event 165(1) associated with the malicious attack includes compromised deceptive credential information);
responsive to determining that the submitted credentials indicate a malicious session request, generating an enhanced authentication token, the enhanced authentication token comprising information indicating the malicious session request (Sellers: col. 5 lines 65-67 through col. 6 lines 1-11 honeytoken tracker engine 110 determines that attack event 165(1) has compromised deceptive credential 135(1) maintained by honeypot 105(1) and generates unique credential pair 180(1) [] Honeytoken tracker engine 110 generates honeytoken tracker 185(1) and modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1); col. 5 lines 22-25 honeytokens provide an indication that a repository or location [] holding the honeytoken has been compromised by the malicious attacker); and
transmitting the enhanced authentication token to a requesting computing device (Sellers: col. 5 lines 18-22 modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1) [] and transmits unique credential pair 180(1) to attacker 150(1)).
Sellers does not explicitly disclose establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account.
However, Dykes discloses establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account (Dykes: par. 0127 in response to a security incident, the policy enforcement manager creates a deception honeypot and redirects the suspicious connection session to the deception honeypot. A deception honeypot is a service that appears to implement the same service application instance function but without actually performing the tasks; par. 0103 the network security system [] interact with the user or with the system administrator in the event of detected security incident; par. 0125 a network security incident [] receives a notification of a security policy violation or a security incident (302)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Dykes with the system/method of Sellers so that the application clone session includes at least some alternative data in place of data associated with an application account. One would have been motivated to use the deception honeypot to allow the security administrator time to react and trace the attackers (Dykes: par. 0127).
Regarding claim 21: Sellers discloses a system, comprising:
a processor (Sellers: fig. 8 item 855); and
one or more computer-readable storage media storing computer-readable instructions (Sellers: fig. 8 item 860) that, when executed by the processor, perform operations comprising:
comparing submitted credentials for an application session request to stored credentials (Sellers: col. 5 lines 7-11 receives a malicious attack intended for protected host 155(1) from attacker 150(1) and determines that attack event 165(1) associated with the malicious attack includes compromised deceptive credential information);
responsive to determining that the submitted credentials indicate a malicious session request, generating an enhanced authentication token, the enhanced authentication token comprising information indicating the malicious session request (Sellers: col. 5 lines 65-67 through col. 6 lines 1-11 honeytoken tracker engine 110 determines that attack event 165(1) has compromised deceptive credential 135(1) maintained by honeypot 105(1) and generates unique credential pair 180(1) [] Honeytoken tracker engine 110 generates honeytoken tracker 185(1) and modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1); col. 5 lines 22-25 honeytokens provide an indication that a repository or location [] holding the honeytoken has been compromised by the malicious attacker); and
transmitting the enhanced authentication token to a requesting computing device (Sellers: col. 5 lines 18-22 modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1) [] and transmits unique credential pair 180(1) to attacker 150(1)).
Sellers does not explicitly disclose the enhanced authentication token indicating establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account.
However, Dykes discloses the enhanced authentication token indicating establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account (Dykes: par. 0127 in response to a security incident, the policy enforcement manager creates a deception honeypot and redirects the suspicious connection session to the deception honeypot. A deception honeypot is a service that appears to implement the same service application instance function but without actually performing the tasks; par. 0103 the network security system [] interact with the user or with the system administrator in the event of detected security incident; par. 0125 a network security incident [] receives a notification of a security policy violation or a security incident (302)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Dykes with the system/method of Sellers so that the application clone session includes at least some alternative data in place of data associated with an application account. One would have been motivated to use the deception honeypot to allow the security administrator time to react and trace the attackers (Dykes: par. 0127).
Regarding claim 28: Sellers discloses one or more non-transitory computer-readable storage media storing computer-executable instructions for securing an application, the securing comprising:
comparing submitted credentials for an application session request to stored credentials (Sellers: col. 5 lines 7-11 receives a malicious attack intended for protected host 155(1) from attacker 150(1) and determines that attack event 165(1) associated with the malicious attack includes compromised deceptive credential information);
responsive to determining that the submitted credentials indicate a malicious session request, generating an enhanced authentication token, the enhanced authentication token comprising information indicating the malicious session request (Sellers: col. 5 lines 65-67 through col. 6 lines 1-11 honeytoken tracker engine 110 determines that attack event 165(1) has compromised deceptive credential 135(1) maintained by honeypot 105(1) and generates unique credential pair 180(1) [] Honeytoken tracker engine 110 generates honeytoken tracker 185(1) and modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1); col. 5 lines 22-25 honeytokens provide an indication that a repository or location [] holding the honeytoken has been compromised by the malicious attacker); and
transmitting the enhanced authentication token to a requesting computing device (Sellers: col. 5 lines 18-22 modifies honeytoken tracker state table 125(1) to include unique credential pair 180(1) [] and transmits unique credential pair 180(1) to attacker 150(1)).
Sellers does not explicitly disclose the enhanced authentication token indicating establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account.
However, Dykes discloses the enhanced authentication token indicating establishment of an application clone session in place of the requested application session, wherein the application clone session includes at least some alternative data in place of data associated with an application account (Dykes: par. 0127 in response to a security incident, the policy enforcement manager creates a deception honeypot and redirects the suspicious connection session to the deception honeypot. A deception honeypot is a service that appears to implement the same service application instance function but without actually performing the tasks; par. 0103 the network security system [] interact with the user or with the system administrator in the event of detected security incident; par. 0125 a network security incident [] receives a notification of a security policy violation or a security incident (302)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Dykes with the system/method of Sellers so that the application clone session includes at least some alternative data in place of data associated with an application account. One would have been motivated to use the deception honeypot to allow the security administrator time to react and trace the attackers (Dykes: par. 0127).
Claims 2, 12 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Sellers (US 11057429) in view of Dykes et al. (“Dykes,” US 2019/0312860) and Palanisamy (US 2015/0312038).
Regarding claim 2: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein the enhanced authentication token appears to authenticate the application session but contains encrypted information indicating the establishment of the application clone session.
However, Palanisamy discloses wherein the enhanced authentication token appears to authenticate the application session but contains encrypted information indicating the establishment of the application clone session (Palanisamy: par. 0042 the sensitive information or token issued by token server 102 can be encrypted by token server 102 to prevent the sensitive information or token from being stored in the clear).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Palanisamy with the system/method of Sellers and Dykes so that the enhanced authentication token appears to authenticate the application session but contains encrypted information indicating the establishment of the application clone session. One would have been motivated to enhance the security of storing sensitive information on a communication device (Palanisamy: par. 0004).
Regarding claim 12: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein the enhanced authentication token is provided to a proxy, and wherein the proxy initiates the application clone session in place of the requested application session.
However, Palanisamy discloses wherein the enhanced authentication token is provided to a proxy, and wherein the proxy initiates the application clone session in place of the requested application session (Palanisamy: fig. 5; par. 0071 token request computer 504 [] forward the request as token request 554 to token server 502; par. 0073 token request computer 504 may then send the encrypted token [] to communication device 520 in response 558).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Palanisamy with the system/method of Sellers and Dykes so that the proxy initiates the application clone session in place of the requested application session. One would have been motivated to enhance the security of storing sensitive information on a communication device (Palanisamy: par. 0004).
Regarding claim 22: Claim 22 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Claims 3-4 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Sellers (US 11057429) in view of Dykes et al. (“Dykes,” US 2019/0312860) and Little (US 2011/0276597).
Regarding claim 3: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein a signature of the enhanced authentication token indicates the establishment of the application clone session.
However, Little discloses wherein a signature of the enhanced authentication token indicates the establishment of the application clone session (Little: par. 0028 each entry for an application server in the service registry 110 includes a unique signature value (e.g., a hash value) which identifies whether that application server is a decoy application server 130 or a designated application server 140).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Little with the system/method of Sellers and Dykes so that a signature of the enhanced authentication token indicates the establishment of the application clone session. One would have been motivated to use decoy application servers to reduce an application server's vulnerability to hackers (Little: par. 0001).
Regarding claim 4: Sellers in view of Dykes and Little discloses the method of claim 3.
Little further discloses wherein the signature is generated while the enhanced authentication token includes an attack indicator, wherein the attack indicator is removed prior to transmitting the enhanced authentication token to the requesting computing device, and wherein at a proxy between the requesting computing device and the application, the signature is determined to be invalid but when the attack indicator is added back into the enhanced authentication token, the signature is determined to be valid, indicating establishment of the application clone session (Little: par. 0029 signature values from designated application servers, when processed by a key-checking algorithm, may be validated. In contrast, signature values from decoy application servers, when processed by a key-checking algorithm, may be identified as invalid; par. 0034 the decoy dispatcher 210 then determines which of the received service responses is a real service response, and forwards that service response to legitimate client 205 [] each service response includes a unique signature value associated with the application server that generated the service response [] decoy service responses may not be sent back to legitimate client 205 or decoy dispatcher 210).
The motivation is the same as that of claim 3 above.
Regarding claims 23-24: Claims 23-24 are similar in scope to claims 3-4, respectively, and are therefore rejected under similar rationale.
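As an added illustration (not part of this Office Action, of the claims, or of any cited reference) of the token mechanism recited in claims 1 and 4 as characterized above: the issuer signs the token while it carries an attack indicator, strips the indicator before transmission, and a proxy that finds the signature invalid as received restores the indicator and re-checks; a match routes the request to an application clone session that returns alternative data. The HMAC key, the claim name `attack`, the account store and the decoy values are constructed assumptions for this example.

```python
import hashlib
import hmac
import json

# Constructed values for this example: a key shared by the token issuer and
# the proxy, and a tiny account store holding the real data the clone must hide.
SHARED_KEY = b"constructed-demo-key-replace-with-a-real-secret"
ATTACK_INDICATOR = "attack"          # hypothetical name for the attack-indicator claim
ACCOUNTS = {"alice": {"balance": 4200, "email": "alice@example.test"}}


def _canonical(claims: dict) -> bytes:
    """Deterministic serialisation so issuer and proxy sign the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(claims: dict) -> str:
    return hmac.new(SHARED_KEY, _canonical(claims), hashlib.sha256).hexdigest()


def issue_token(username: str, session_id: str, malicious: bool) -> dict:
    """Identity-provider side.  For a malicious session request the signature
    is computed while the attack indicator is present; the indicator is then
    removed before transmission, so the token looks like any other
    authenticated token to the requesting device."""
    claims = {"sub": username, "sid": session_id}
    if malicious:
        claims[ATTACK_INDICATOR] = True
    signature = _sign(claims)
    claims.pop(ATTACK_INDICATOR, None)      # indicator removed prior to transmitting
    return {"claims": claims, "sig": signature}


def proxy_route(token: dict) -> str:
    """Proxy between the requesting device and the application.
    Returns 'application', 'clone' or 'reject'."""
    claims, signature = token["claims"], token["sig"]
    # The indicator must never arrive on the wire: a token that carries it was
    # altered by the sender, so it is rejected before any signature check.
    if ATTACK_INDICATOR in claims:
        return "reject"
    if hmac.compare_digest(_sign(claims), signature):
        return "application"
    # Signature invalid as received: add the indicator back and check again.
    restored = dict(claims, **{ATTACK_INDICATOR: True})
    if hmac.compare_digest(_sign(restored), signature):
        return "clone"
    return "reject"


def serve_session(route: str, username: str) -> dict:
    """The application clone session returns alternative data in place of the
    data associated with the account; the real application returns the account."""
    if route == "application":
        return ACCOUNTS[username]
    if route == "clone":
        return {"balance": 17, "email": f"{username}@decoy.example.test"}
    raise PermissionError("session rejected")


if __name__ == "__main__":
    normal = issue_token("alice", "s-1", malicious=False)
    decoy = issue_token("alice", "s-2", malicious=True)
    for tok in (normal, decoy):
        route = proxy_route(tok)
        print(route, serve_session(route, "alice"))
```

The explicit rejection of any received token that already carries the indicator matters: without it, a holder of a clone token who guessed the claim name could re-add the indicator and make the first signature check pass.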
Claims 5-9 and 25-27 are rejected under 35 U.S.C. 103 as being unpatentable over Sellers (US 11057429) in view of Dykes et al. (“Dykes,” US 2019/0312860) and Hebert (US 2012/0042364).
Regarding claim 5: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein the malicious session request is indicated by a valid username and a password that matches a false password in a stored group of false passwords.
However, Hebert discloses wherein the malicious session request is indicated by a valid username and a password that matches a false password in a stored group of false passwords (Hebert: par. 0070 the log-in attempt may be determined to be potentially unauthorized, based on the receipt of at least one false password (210) [] the attack detector 130 may be configured to consider receipt of the false password [] and to associate the false password with the actual password stored in the password repository 124; par. 0025 in conjunction with the operations of the password manager 116, a false password generator 118 may be configured to generate or otherwise provide potential false passwords to be associated with the actual password associated with the user 104).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hebert with the system/method of Sellers and Dykes so that the malicious session request is indicated by a valid username and a password that matches a false password in a stored group of false passwords. One would have been motivated to authenticate or otherwise secure user access to a computer or to a specific computing resource (Hebert: par. 0002).
Regarding claim 6: Sellers in view of Dykes and Hebert discloses the method of claim 5.
Hebert further discloses wherein the stored group of false passwords includes one or more of:
a default password, an administrator password, a password associated with the valid username for other accounts, a compromised password, a password based on user identification information, a previously used password for the valid username, or a modified version of a previously used password for the username (Herbert: par. 0027 a unique username and associated password to be associated with the user profile within the application 106).
The motivation is the same as that of claim 5 above.
Regarding claim 7: Sellers in view of Dykes and Hebert discloses the method of claim 5.
Hebert further discloses wherein some of the false passwords in the group of false passwords are generated based on user identification information for a user corresponding to the valid username (Hebert: par. 0070 the log-in attempt may be determined to be potentially unauthorized, based on the receipt of at least one false password (210) [] the attack detector 130 may be configured to consider receipt of the false password [] and to associate the false password with the actual password stored in the password repository 124; par. 0025 in conjunction with the operations of the password manager 116, a false password generator 118 may be configured to generate or otherwise provide potential false passwords to be associated with the actual password associated with the user 104).
The motivation is the same as that of claim 5 above.
Regarding claim 8: Sellers in view of Dykes and Hebert discloses the method of claim 5.
Hebert further discloses the method further comprising adding a new false password to the group of false passwords reflecting a password change performed in the application clone session (Hebert: par. 0022 the password system 102 may redirect the provider of the false password, i.e., the user of the hostile computing system 108, to a honey pot system 114).
The motivation is the same as that of claim 5 above.
Regarding claim 9: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein the malicious session request is indicated by a valid username and a number of submitted incorrect passwords exceeding a threshold.
However, Hebert discloses wherein the malicious session request is indicated by a valid username and a number of submitted incorrect passwords exceeding a threshold (Hebert: par. 0092 checked for each password individually until a desired number of false passwords is reached).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hebert with the system/method of Sellers and Dykes so that the malicious session request is indicated by a valid username and a number of submitted incorrect passwords exceeding a threshold. One would have been motivated to authenticate or otherwise secure user access to a computer or to a specific computing resource (Hebert: par. 0002).
Regarding claims 25-27: Claims 25-27 are similar in scope to claims 5-7, respectively, and are therefore rejected under similar rationale.
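As an added illustration (not part of this Office Action or of Hebert) of the false-password detection recited in claims 5-9 as characterized above: a credential store keeps, per account, a group of false passwords drawn from the categories listed in claim 6 (default, administrator, compromised, identification-based, previously used and modified previously used passwords); a valid username submitted with a matching false password, or with more than a threshold of incorrect passwords, is treated as a malicious session request to be routed to the application clone session, and a password change performed in the clone session is added to the false group (claim 8). The threshold of five, the PBKDF2 round count, the sample default and compromised password lists and the user information are constructed assumptions; real and false passwords are stored only as salted hashes.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed sample values for this example.
DEFAULT_PASSWORDS = {"password", "123456", "welcome1"}   # default / compromised passwords
ADMIN_PASSWORDS = {"admin", "administrator"}              # administrator passwords
PBKDF2_ROUNDS = 50_000                                    # demo value; tune for production


def _h(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither real nor false passwords are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def generate_false_passwords(username: str, user_info: dict, previous: list) -> set:
    """Build the group of false passwords for one account (categories of claim 6)."""
    false = set(DEFAULT_PASSWORDS) | set(ADMIN_PASSWORDS)
    first = user_info.get("first_name", "")
    year = user_info.get("birth_year", "")
    # passwords based on user identification information
    false |= {f"{first}{year}", f"{username}{year}", f"{first.lower()}123"}
    for prev in previous:
        false.add(prev)                                   # previously used password
        false.add(prev + "1")                             # modified previously used password
        m = re.search(r"\d+", prev)
        if m:                                             # e.g. Summer2023! -> Summer2024!
            false.add(prev[:m.start()] + str(int(m.group()) + 1) + prev[m.end():])
    false.discard("")
    return false


@dataclass
class Account:
    salt: bytes
    real_hash: bytes
    false_hashes: set = field(default_factory=set)
    incorrect_count: int = 0


class CredentialStore:
    THRESHOLD = 5   # more incorrect passwords than this indicates a malicious request (claim 9)

    def __init__(self):
        self.accounts = {}

    def register(self, username: str, password: str, user_info: dict, previous: list):
        salt = os.urandom(16)
        account = Account(salt, _h(password, salt))
        for fp in generate_false_passwords(username, user_info, previous):
            if fp != password:                            # never shadow the real password
                account.false_hashes.add(_h(fp, salt))
        self.accounts[username] = account

    def check(self, username: str, password: str) -> str:
        """Compare submitted credentials to stored ones.  Returns 'authenticate',
        'decoy' (establish the application clone session) or 'reject'."""
        account = self.accounts.get(username)
        if account is None:
            return "reject"                               # not a valid username
        candidate = _h(password, account.salt)
        if hmac.compare_digest(candidate, account.real_hash):
            account.incorrect_count = 0
            return "authenticate"
        if any(hmac.compare_digest(candidate, fh) for fh in account.false_hashes):
            return "decoy"                                # valid username + false password (claim 5)
        account.incorrect_count += 1
        if account.incorrect_count > self.THRESHOLD:
            return "decoy"                                # threshold exceeded (claim 9)
        return "reject"

    def record_clone_password_change(self, username: str, new_password: str):
        """A password 'changed' inside the clone session joins the false group (claim 8)."""
        account = self.accounts[username]
        account.false_hashes.add(_h(new_password, account.salt))


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "Tr0ub4dor&3",
                   {"first_name": "Alice", "birth_year": "1990"}, ["Summer2023!"])
    for attempt in ("Tr0ub4dor&3", "Summer2023!", "Alice1990", "not-it"):
        print(attempt, "->", store.check("alice", attempt))
```

An unknown username is rejected rather than routed to the decoy, because claims 5 and 9 both require a valid username; the incorrect-password counter is reset only by a successful authentication, so a mixture of false and plain wrong passwords still converges on the clone session.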
Claims 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Sellers (US 11057429) in view of Dykes et al. (“Dykes,” US 2019/0312860) and Fan (US 2019/0319946).
Regarding claim 10: Sellers in view of Dykes discloses the method of claim 1.
Sellers in view of Dykes does not explicitly disclose wherein the enhanced authentication token is generated by an identity provider.
However, Fan discloses wherein the enhanced authentication token is generated by an identity provider (Fan: par. 0052 the access token 242 [] may be generated by any one of the different types of identity providers 240).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Fan with the system/method of Sellers and Dykes so that the enhanced authentication token is generated by an identity provider. One would have been motivated to provide authentication of a user operating a computing device requesting access to a service provider to determine if the user of the computing device has permission to access desired services (Fan: par. 0005).
Regarding claim 11: Sellers in view of Dykes and Fan discloses the method of claim 10.
Fan further discloses wherein the application is a web application, the identity provider is a service that authenticates sessions with the application through a web browser, and wherein the web browser receives the enhanced authentication token from the identity provider (Fan: par. 0057 a web browser within the computing device 220 is in communications with the service provider 230 via communications path 250 at Block 306; par. 0043 the central authentication service 210 receives access tokens that may be generated by different types of identity providers 240(1)-240(n)).
The motivation is the same as that of claim 10 above.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439