DETAILED ACTION
Response to Amendment
This action is in response to the amendment filed April 29, 2026 in application No. 18/764,039, filed July 03, 2024. Claims 1-20 are pending and are directed toward PRIVILEGE ASSURANCE USING LOGON SESSION TRACKING AND LOGGING.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant's arguments with regard to claims 1-20 have been fully considered but are moot in view of the new grounds of rejection set forth below. The Examiner further responds to Applicant's arguments concerning the double patenting (DP) rejections as follows:
U.S. Pat. No. 12,058,178 argument – Applicant argues that the claims of the '178 Patent relate to mismatched information between a first plurality of session details and a second plurality of session details for a particular user, whereas the pending claims, as amended herein, relate to parameters associated with malicious or suspicious behavior across a plurality of users (REMARKS, page 11).
Response: Both the instant application and the claims of US 12,058,178 are directed to a system for prevention, mitigation, and detection of cyberattacks on computer networks using logon session tracking and logging. Further, the Examiner considers “parameters associated with malicious or suspicious behavior” and “indicating a compromised session” to be equivalent to “compare the first and second pluralities of session details to identify any mismatched data; where invalid or mismatched information is identified in the first or second pluralities of session-based details, generate an event log indicating the particular session-based details that contain the invalid or mismatched information;”
U.S. Pat. No. 12,113,831 argument – Applicant argues that the claims of the '831 Patent relate to mismatched information between a first plurality of session details and a second plurality of session details for a particular user, whereas the pending claims, as amended herein, relate to parameters associated with malicious or suspicious behavior across a plurality of users. As another example, the claims of the '831 Patent create and store a lateral movement path map, which is absent from the pending claims. (REMARKS, page 13).
Response: US 12,113,831 is directed to a system and method for privilege assurance of enterprise computer network environments using lateral movement detection and prevention. The system uses an interrogation agent to monitor logon sessions within a network, track session details, and generate an event log for any suspicious sessions or details. Cyber-physical graphs and histograms built from persisted time-series data provide critical information, patterns, and alerts about configurations, attack vectors, and vulnerabilities, which gives information technology and cybersecurity professionals greater leverage and control over their infrastructure. Lateral movement attacks are therefore examples of the “malicious or suspicious behavior” recited in the instant claims. With regard to “a lateral movement path map, which is absent from the pending claims,” there is no requirement that this limitation, or any other limitation present in the patent claims but absent from the claims of the instant application, appear in the instant claims for the double patenting rejection to apply; the broader instant claims remain unpatentable over the narrower patent claims.
U.S. Pat. No. 11,323,484 argument – Applicant argues that the pending claims, as amended herein, recite "generating entries in an event log of session-based authentication information based on the plurality of session-based authentication information" and "maintaining a cyber-physical graph of time-series data associated with a computer network based on the event log," (REMARKS, pages 13-14).
Response: Applicant's arguments are persuasive.
U.S. Pat. No. 12,500,888 argument – Applicant argues that the claims of the '888 Patent query the cyber-physical graph to determine whether an authentication credential is invalid by comparing results of the query to known directory information from a domain controller, whereas the pending claims, as amended herein, query the cyber-physical graph over time to monitor changes to the cyber-physical graph for parameters associated with malicious or suspicious behavior. As another example, the claims of the '888 Patent receive event logs, whereas the pending claims, as amended herein generate the event log. (REMARKS, page 14).
Response: Applicant's arguments are persuasive.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 6, 11 and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ge et al. (US 2007/0140268, published Jun. 21, 2007), hereinafter referred to as Ge.
As per claim 1, Ge teaches a computing system for prevention, mitigation, and detection of cyberattacks on computer networks using session-based tracking and logging (there is a distributed methodology that efficiently detects an effort to attack a network with an overburdening amount of authentication requests, Ge, [0041]), the computing system comprising:
one or more hardware processors (Another function of a bridge is to perform authentication, sometimes in combination with a network server that is either directly connected to the bridges or logically accessible by the bridge through one or more additional bridges. Ge, [0006]) configured for:
receiving a first plurality of session-based authentication information for a plurality of authentication sessions for a plurality of users (In response to the supplicant's request, the authenticator communicates with a network server, again either directly if the authenticator is directly connected to the server or logically through one or more bridges that are in the path of the authenticator to the network server. The entirety of this just-described process is sometimes referred to as an authentication session, which commences with the initial request of the supplicant and continues until the supplicant is granted (or denied) authority to join the network, Ge, [0006]), wherein the session-based authentication information comprises session-related details, session-specific details, and host-based details associated with one of the authentication sessions (In this context, IEEE 802.1X provides port access control for Ethernet and in this regard there is an Extensible Authentication Protocol ("EAP"). EAP provides certain functions and a negotiation of a desired EAP authentication method, where there are various different methods. Ge, [0006]);
generating entries in an event log of session-based authentication information based on the plurality of session-based authentication information (one such function is for network server NS to receive authentication requests and to store sufficient information to respond to such requests, that is, to determine if a new connection to system 10 should be authorized. Ge, [0018]);
maintaining a cyber-physical graph of time-series data associated with a computer network based on the event log of session-based authentication information, wherein vertices of the cyber-physical graph represent directory access protocol objects and edges of the cyber-physical graph represent relationships between those objects (Returning then to the query of step 34, the bridge node determines whether it has received an indication to change a threshold PAS_THR_BPx for a corresponding one of its ports BPx (or for more than one such port). Ge, [0024]);
performing a plurality of pre-defined queries over time to monitor changes to the cyber-physical graph for parameters associated with malicious or suspicious behavior (By way of example, therefore, if step 34 is applied to bridge node BRN1 of FIG. 1, then bridge node BRN1 determines whether it has received an indication to change a threshold PAS_THR_P for any of its bridge ports BP1.0 through BP1.4. If such an indication is received, method 20 continues from step 34 to step 36, where the appropriate threshold PAS_THR_BP is changed as was indicated in step 34 to require such a change. Looking again then to bridge node BRN1 as an example, assume in step 34 it determines that it received an indication from the central resource to change its threshold for its bridge port BP1.1, that is, an indication in change for PAS_THR_BP1.1, Ge, [0024]); and
in response to the monitored changes exceeding a threshold indicating a compromised session (In step 42, the bridge node BRNx takes a corrective action to reduce the effect that is occurring at the overburdened port, that is, that port (or ports) at which a large number of active authentication sessions PAS_BPx exists so that the number exceeds the port's respective threshold PAS_THR_BPx, Ge, [0027]):
generating and sending an alert comprising the session-related details, session-specific details, or host-based details associated with the compromised session (each bridge node may be configured so as to periodically report this information to the central resource. In any event, therefore, step 64 represents a recognition that this data is made available to the central resource. Ge, [0031]).
Claims 6, 11 and 16 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
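The claim 1 limitations mapped above describe a pipeline: session-based authentication records are received, an event log is generated from them, a graph of directory objects and their relationships is maintained as time-series data from that log, pre-defined queries are run against the graph over time, and an alert carrying the session details is sent once a monitored change exceeds a threshold. The following Python sketch is an added illustration of that pipeline for readers of this corpus; it is not part of the Office Action, the application's specification, or Ge's disclosure. Its record schema, the two queries (host fan-out per user and source-IP spread per user), the thresholds, the 15-minute window, and the sample sessions are all constructed for the example.

```python
"""Illustrative session-tracking pipeline (added example; not from the Office
Action, the application, or Ge). Schema, queries, thresholds and sample
records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthSession:
    """One session-based authentication record (constructed schema)."""
    user: str        # directory object: user principal
    host: str        # directory object: computer account
    session_id: str  # session-specific detail
    logon_type: str  # session-related detail
    src_ip: str      # host-based detail
    start: datetime
    expires: datetime


def generate_event_log(sessions):
    """Pipeline step: one event-log entry per authentication record, time-ordered."""
    return [{"ts": s.start, "session_id": s.session_id, "user": s.user, "host": s.host,
             "logon_type": s.logon_type, "src_ip": s.src_ip, "expires": s.expires}
            for s in sorted(sessions, key=lambda s: s.start)]


class CyberPhysicalGraph:
    """Vertices are directory objects; edges are timestamped LOGGED_ON relationships
    derived from the event log, so the graph can be queried as of any time."""

    def __init__(self):
        self.vertices = set()
        self.edges = []  # (ts, user_vertex, host_vertex, event_log_entry)

    def ingest(self, entry):
        u, h = ("user", entry["user"]), ("host", entry["host"])
        self.vertices.update({u, h})
        self.edges.append((entry["ts"], u, h, entry))

    def edges_in_window(self, end, window):
        return [e for e in self.edges if end - window <= e[0] <= end]


# Pre-defined queries: each returns {user: count} over the window.
def distinct_hosts_per_user(graph, end, window):
    seen = defaultdict(set)
    for _, u, h, _ in graph.edges_in_window(end, window):
        seen[u[1]].add(h[1])
    return {u: len(hs) for u, hs in seen.items()}


def distinct_source_ips_per_user(graph, end, window):
    seen = defaultdict(set)
    for _, u, _, entry in graph.edges_in_window(end, window):
        seen[u[1]].add(entry["src_ip"])
    return {u: len(ips) for u, ips in seen.items()}


QUERIES = {  # constructed thresholds; "exceeding" means strictly greater than
    "host_fan_out": (distinct_hosts_per_user, 3),
    "source_ip_spread": (distinct_source_ips_per_user, 1),
}


def monitor(event_log, window=timedelta(minutes=15)):
    """Replays the event log in time order, updates the graph, re-runs every
    pre-defined query at each step, and emits one alert per (query, user) the
    first time its value exceeds the threshold. Alerts carry the session details."""
    graph, alerts, fired = CyberPhysicalGraph(), [], set()
    for entry in event_log:
        graph.ingest(entry)
        for name, (query, threshold) in QUERIES.items():
            for user, value in query(graph, entry["ts"], window).items():
                if value > threshold and (name, user) not in fired:
                    fired.add((name, user))
                    involved = [e for _, u, _, e in graph.edges_in_window(entry["ts"], window)
                                if u[1] == user]
                    alerts.append({"query": name, "user": user, "value": value,
                                   "threshold": threshold, "at": entry["ts"],
                                   "sessions": [{"session_id": e["session_id"], "host": e["host"],
                                                 "src_ip": e["src_ip"], "logon_type": e["logon_type"]}
                                                for e in involved]})
    return alerts


T0 = datetime(2024, 7, 3, 9, 0)


def _s(user, host, sid, ltype, ip, minute):
    start = T0 + timedelta(minutes=minute)
    return AuthSession(user, host, sid, ltype, ip, start, start + timedelta(hours=8))


SAMPLE_SESSIONS = [  # constructed: alice is benign, bob fans out and changes source IP
    _s("alice", "WS-01", "s1", "interactive", "10.0.0.5", 0),
    _s("alice", "FS-01", "s2", "network", "10.0.0.5", 4),
    _s("bob", "WS-07", "s3", "interactive", "10.0.0.9", 1),
    _s("bob", "FS-01", "s4", "network", "10.0.0.9", 3),
    _s("bob", "FS-02", "s5", "network", "10.0.0.9", 5),
    _s("bob", "DB-01", "s6", "network", "10.0.0.77", 6),  # fourth host, second source IP
    _s("bob", "DC-01", "s7", "network", "10.0.0.77", 8),
]


def run_example():
    return monitor(generate_event_log(SAMPLE_SESSIONS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["query"], alert["user"], alert["value"], [s["session_id"] for s in alert["sessions"]])
```

Both alerts fire on the same event (bob's fourth distinct host, which is also his first logon from a second source IP), and each alert lists the sessions inside the window that produced the count, which is the "session-related, session-specific, or host-based details" an analyst needs to pivot on. Running the queries on every ingested event rather than on a timer is what makes the monitoring "over time": the threshold comparison is against the graph as it stood at that timestamp.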
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-5, 7-10 and 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Ge et al. (US 2007/0140268, Jun. 21, 2007) in view of MILLER et al. (US 2011/0252465, Oct. 13, 2011), hereinafter referred to as Ge and MILLER respectively.
As per claim 2, Ge teaches the system of claim 1 but does not teach session expiration. MILLER, however, teaches wherein the plurality of session-based authentication information comprises session expiration timing information (A cookie may contain six (6) parameters that can be passed. These are: 1) the name of the cookie; 2) the value of the cookie; 3) the expiration date of the cookie; MILLER, [0029]).
Ge and MILLER are analogous art to the claimed invention because they are from a similar field of endeavor: systems, components, and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ge in view of MILLER. This would have been desirable because once the session is over, the credential or authentication is no longer valid and the client user must re-establish their credentials or authentication in order for them to again have access to the protected resources of the server (MILLER, [0006]).
As per claim 3, Ge in view of MILLER teaches the system of claim 1, wherein the plurality of session-based authentication information comprises a username (Server app2.jpmorgan.com (system 2) generates an HTTP response with response code 200, of MIME type "text/plain" and with a body of "username", and returns this as the response to the request from app1.jpmorgan.com (system 1). MILLER, [0076]).
Ge and MILLER are analogous art to the claimed invention because they are from a similar field of endeavor: systems, components, and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ge in view of MILLER. This would have been desirable because once the session is over, the credential or authentication is no longer valid and the client user must re-establish their credentials or authentication in order for them to again have access to the protected resources of the server (MILLER, [0006]).
As per claim 4, Ge in view of MILLER teaches the system of claim 2, wherein each of the plurality of users is a human user (406 - Client (human or automated process), MILLER, FIG. 4).
Ge and MILLER are analogous art to the claimed invention because they are from a similar field of endeavor: systems, components, and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ge in view of MILLER. This would have been desirable because once the session is over, the credential or authentication is no longer valid and the client user must re-establish their credentials or authentication in order for them to again have access to the protected resources of the server (MILLER, [0006]).
As per claim 5, Ge in view of MILLER teaches the system of claim 3, wherein at least one of the plurality of users comprises a non-human user, the non-human user comprising one or more of an agent, a bot, an automated process, or a computing system (406 - Client (human or automated process), MILLER, FIG. 4).
Ge and MILLER are analogous art to the claimed invention because they are from a similar field of endeavor: systems, components, and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ge in view of MILLER. This would have been desirable because once the session is over, the credential or authentication is no longer valid and the client user must re-establish their credentials or authentication in order for them to again have access to the protected resources of the server (MILLER, [0006]).
Claims 7-10 and 12-16 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-10 of US patent No. 12,058,178. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-20 of the instant application correspond to elements of claims 1-10 of US patent No. 12,058,178. The above claims of the present application would have been obvious over claims 1-10 of US patent No. 12,058,178 because each element of the claims of the present application is anticipated by the claims 1-10 of US patent No. 12,058,178 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-6 of US patent No. 12,113,831. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-20 of the instant application correspond to elements of claims 1-6 of US patent No. 12,113,831. The above claims of the present application would have been obvious over claims 1-6 of US patent No. 12,113,831 because each element of the claims of the present application is anticipated by the claims 1-6 of US patent No. 12,113,831 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938. The examiner can normally be reached between 5:00 AM and 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLEG KORSAK/Primary Examiner, Art Unit 2492