DETAILED ACTION
This office action is in response to the application filed on 12/31/2025. Claim(s) 21-40 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s priority claim is hereby acknowledged: this application is a CON of 18/348,287 (filed 07/06/2023, now PAT 12166794); 18/348,287 is a CON of 17/671,323 (filed 02/14/2022, now PAT 11750645); 17/671,323 is a CON of 16/667,367 (filed 10/29/2019, now PAT 11283832); and 16/667,367 has PRO 62/753,812 (filed 10/31/2018). These papers have been placed of record in the file.
Examiner’s Note – Patentably Distinct Subject Matter
Applications 16/667,486 now US Patent 11,438,360, 16/776,877 now US Patent 12,093,375, and 16/777,005 now US Patent 11,461,458, and application 18/793,686 contain similar, yet patentably distinct subject matter.
Similarly, parent applications 18/348,287 now US Patent 12166794, 17/671,323 now US Patent 11750645, 16/667,367 now US Patent 11283832 contain similar, yet patentably distinct subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 21-23, 26-28, 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady (US 2018/0007087 A1), in view of Kinder (US 2018/0152480 A1).
Regarding claims 21 and 40, Grady teaches:
“A tangible, non-transitory, computer-readable medium storing instructions that, when executed by one or more processors (Grady, ¶ 61 and 64 teaches processor and medium to execute method steps), cause the one or more processors to perform operations comprising: authenticating, by a computing system associated with a private enterprise network (Grady, Fig. 1, ¶ 23, as well as ¶ 31 and ¶ 30, authentication server 130 is a domain controller in a private network for enterprises such as company, university or government), a user associated with a user account, wherein the authenticating succeeds to provide an authenticated user account (Grady, ¶ 50, and 53-54 teaches authentication request containing a username and password which is successfully validated); determining, by the computing system and based at least in part on breach intelligence obtained from a credential-monitoring system external to the private enterprise network (Grady, Fig. 1A, ¶ 26-27 intelligence feed is received external to the private enterprise network), that a credential associated with the user account corresponds to a compromised credential (Grady, ¶ 50-52 teaches determining that the password from the authentication request is a compromised credential); and in response to the determining, modifying, by the computing system, an authorization enforcement state associated with the authenticated user account to reduce permitted access to one or more protected resources within the private enterprise network (Grady, ¶ 54 teaches limiting access to files and network locations for the legitimate login using compromised credentials)”.
Grady does not, but in related art, Kinder teaches:
“and without invalidating authentication credentials or denying authentication (Kinder, ¶ 42, teaches a situation where security has been threatened and access is reduced and limited. Examiner notes that Kinder teaches the lock-out option only as an alternative. Kinder, ¶ 46-48, teaches that the user still has access to the system while in the heightened security state and that the heightened security state remains until the user decides to remedy the situation)”.
Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady and Kinder, to modify the compromised credential system of Grady to include the continued-but-limited access method of Kinder. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claim 22, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above), wherein modifying the authorization enforcement state comprises removing or disabling one or more account privileges or access permissions associated with the authenticated user account while maintaining an active authenticated session (Grady, ¶ 54 teaches limiting access to files and network locations for the legitimate login using compromised credentials. Kinder, ¶ 41-42, teaches a situation where security has been threatened and access is reduced and limited. Kinder, ¶ 46-48, teaches that the user still has access to the system while in the heightened security state and that the heightened security state remains until the user decides to remedy the situation)”.
Regarding claim 23, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above), wherein modifying the authorization enforcement state comprises restricting access to a subset of resources or services designated as high-risk while permitting access to at least one lower-risk resource or service (Grady, ¶ 54 teaches limiting access to sensitive files and locations on the network which are high risk)”.
Regarding claim 26, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above), wherein modifying the authorization enforcement state is performed without terminating an existing authenticated session associated with the user account (Grady, ¶ 54 teaches limiting access to files and network locations for the legitimate login using compromised credentials. Kinder, ¶ 41-42, teaches a situation where security has been threatened and access is reduced and limited. Kinder, ¶ 46-48, teaches that the user still has access to the system while in the heightened security state and that the heightened security state remains until the user decides to remedy the situation)”.
Regarding claim 27, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above), wherein the breach intelligence identifies reuse of the credential associated with the user account across multiple computing domains external to the private enterprise network (Grady, ¶ 17 and 45 teaches the detection of password reuse in multiple domains)”.
Regarding claim 28, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above), wherein modifying the authorization enforcement state comprises disabling at least one data exfiltration capability selected from file data export (Grady, ¶ 46 teaches locking out access to external systems)”.
Claim(s) 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Kinder in view of Goldfarb (US 2017/0366547 A1).
Regarding claim 24, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above)”.
Grady in view of Kinder does not, but in related art, Goldfarb teaches:
“wherein modifying the authorization enforcement state comprises issuing a session credential or access artifact that omits or restricts authorization information associated with the authenticated user account (Goldfarb, ¶ 5 and 32 teaches modifying an access token to limit access)”. Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Goldfarb, and Kinder, to modify the compromised credential system of Grady and Kinder to include modifying the access token as taught in Goldfarb. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Claim(s) 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Kinder in view of Ufford (US 2015/0295906 A1).
Regarding claim 25, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above)”.
Grady in view of Kinder does not, but in related art, Ufford teaches:
“wherein the authenticating is performed by an identity provider and the authorization enforcement state is enforced by a separate authorization enforcement component distinct from the identity provider (Ufford, ¶ 5 and 32 teaches implementing a separate identity provider and authorization control system)”. Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Ufford, and Kinder, to modify the compromised credential system of Grady and Kinder to implement a separate identity provider and authorization control system as taught in Ufford. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Claim(s) 29-30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Kinder in view of Lindemann (US 2019/0222424 A1).
Regarding claim 29, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above) wherein the reduced permitted access is maintained until a remediation condition associated with the compromised credential is satisfied (Kinder, ¶ 46-48, teaches that the user still has access to the system while in the heightened security state and that the heightened security state remains until the user decides to remedy the situation)”.
Grady in view of Kinder does not, but in related art, Lindemann teaches:
“wherein the reduced permitted access is time-bounded (Lindemann, ¶ 114 and 117 defines a time window for restricted access)”. Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Lindemann, and Kinder, to modify the compromised credential system of Grady and Kinder to include time-bounded access as taught in Lindemann. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claim 30, Grady and Kinder teach:
“The tangible, non-transitory, computer-readable medium of claim 21 (Grady and Kinder teach the limitations of the parent claims as discussed above)”.
Grady in view of Kinder does not, but in related art, Lindemann teaches:
“wherein modifying the authorization enforcement state comprises dynamically updating authorization enforcement at a resource gateway without altering stored authentication credentials (Lindemann, Fig. 4, ¶ 135 and 180 teaches a dynamic authorization enforcement mechanism)”.
Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Lindemann, and Kinder, to modify the compromised credential system of Grady and Kinder to dynamically modify authorization as taught in Lindemann. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Claim(s) 31-35, and 37-38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Sancheti (US 2019/016196 A1).
Regarding claim 31, Grady teaches:
“A tangible, non-transitory, computer-readable medium storing instructions that, when executed by one or more processors (Grady, ¶ 61 and 64 teaches processor and medium to execute method steps), cause the one or more processors to perform operations comprising: receiving, by a computing system associated with a private enterprise network (Grady, Fig. 1, ¶ 23, as well as ¶ 31 and ¶ 30, servers in a domain are in a private network for enterprises such as company, university or government), breach intelligence indicating compromised credentials associated with one or more user accounts (Grady, Fig. 1A, ¶ 24, 26-28 intelligence feed is received external to the private enterprise network. Grady, ¶ 42-48 teaches determining that account information has compromised passwords); based at least in part on the breach intelligence, modifying, by the computing system, stored authorization enforcement rules or stored access-control configuration data applicable to a plurality of user accounts within the private enterprise network to provide updated authorization enforcement rules or updated access-control configuration data (Grady, ¶ 46-48 external access is locked for the compromised accounts and on premises login is required until the password is changed. Grady, Fig. 1A, ¶ 24, 26-28 intelligence feed is received external to the private enterprise network.); and the updated authorization enforcement rules or the updated access-control configuration data such that subsequent authorization determinations enforced within the private enterprise network are performed according to the updated authorization enforcement rules or the updated access-control configuration data (Grady, ¶ 46-48 external access is locked for the compromised accounts and on premises login is required until the password is changed. Grady, Fig. 1A, ¶ 24, 26-28 intelligence feed is received external to the private enterprise network. Grady, ¶ 28, SDC 140 updates on a periodic basis performing a push or pull)”.
Grady does not, but in related art, Sancheti teaches:
“storing, by the computing system (Sancheti, ¶ 13 teaches storing and updating rules for an access control system)”.
Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady and Sancheti, to modify the compromised credential system of Grady to store updated rules in an access control system as taught in Sancheti. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claim 32, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein modifying the stored authorization enforcement rules or the stored access-control configuration data comprises adding or updating a conditional authorization rule that requires additional verification for user accounts associated with the breach intelligence (Grady, ¶ 47-48, additional security steps may be added, such as multi-factor authentication)”.
Regarding claim 33, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein modifying the stored authorization enforcement rules or access-control configuration data is performed independently of any current authentication attempt by the plurality of user accounts (Grady, ¶ 42-48 teaches determining that account information has compromised passwords without requiring the user to log in. Grady, ¶ 46-48, external access is locked for the compromised accounts and on-premises login is required until the password is changed)”.
Regarding claim 34, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein the updated authorization enforcement rules or the updated access-control configuration data apply to user accounts that have not yet initiated an authentication session (Grady, ¶ 42-48 teaches determining that account information has compromised passwords without requiring the user to log in. Grady, ¶ 46-48, external access is locked for the compromised accounts and on-premises login is required until the password is changed)”.
Regarding claim 35, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein modifying the stored authorization enforcement rules or the stored access-control configuration data comprises reducing authorization scope associated with user accounts identified by the breach intelligence (Grady, ¶ 54 teaches limiting access to files and network locations for the legitimate login using compromised credentials)”.
Regarding claim 37, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein modifying the stored authorization enforcement rules or the stored access-control configuration data is performed automatically without administrative approval in response to receipt of the breach intelligence (Sancheti, ¶ 46 teaches automatically implementing the remediation plan with the highest quality score)”.
Regarding claim 38, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above), wherein the updated authorization enforcement rules or the updated access-control configuration data are configured to restore a prior authorization enforcement configuration upon detection of remediation of the compromised credentials (Sancheti, ¶ 43 teaches restoring the access permissions of the user when the security issue is fixed)”.
Claim(s) 36 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Sancheti in view of Wang (US 2018/0173891 A1).
Regarding claim 36, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above)”.
Grady and Sancheti do not, but in related art, Wang teaches:
“wherein storing the updated authorization enforcement rules or the updated access-control configuration data comprises distributing the updated authorization enforcement rules or access-control configuration data to a plurality of authorization enforcement points within the private enterprise network (Wang, ¶ 21-22 and 24-26 teaches storing, in a distributed system, the servers that process the rules for compromised passwords)”.
Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Wang and Sancheti, to modify the compromised credential system of Grady and Sancheti to use a distributed system as taught in Wang. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Claim(s) 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Sancheti in view of Ranjan (US 2017/0331840 A1).
Regarding claim 39, Grady and Sancheti teach:
“The tangible, non-transitory, computer-readable medium of claim 31 (Grady and Sancheti teach the limitations of the parent claims as discussed above)”.
Grady and Sancheti do not, but in related art, Ranjan teaches:
“wherein the breach intelligence is received from a multi-tenant credential-monitoring service serving a plurality of enterprise networks (Ranjan, ¶ 37, 49 and 78 teaches a multi-tenant system that provides breach reports)”.
Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Grady, Ranjan and Sancheti, to modify the compromised credential system of Grady and Sancheti to use a multi-tenant breach reporting system as taught in Ranjan. The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
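The mechanism recited in independent claims 21 and 31, illustrated as an added example that is not part of the office action, the application, or any cited reference: breach intelligence updates a stored policy independently of any login, an already-authenticated session is stepped down to low-risk resources without invalidating the credential or ending the session, and the prior configuration is restored once the credential is rotated. The resource classes, credential fingerprint scheme, demo directory and intelligence feed are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed resource classes for the example (not from any cited reference).
HIGH_RISK = frozenset({"file_export", "admin_console", "external_share"})
LOW_RISK = frozenset({"email", "intranet_wiki"})
ALL = HIGH_RISK | LOW_RISK

def fingerprint(user: str, password: str) -> str:
    """Hash of the credential pair so the feed never carries plaintext (constructed scheme)."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

@dataclass
class PolicyStore:
    """Stored access-control configuration applying to every account in the enterprise."""
    compromised: set = field(default_factory=set)  # accounts flagged by breach intelligence
    require_mfa: set = field(default_factory=set)  # conditional rule: extra verification at next login

@dataclass
class Session:
    user: str
    authenticated: bool
    scopes: set  # current authorization enforcement state for this session

def ingest_breach_intel(store: PolicyStore, feed: set, directory: dict) -> set:
    """Update the stored rules from a fingerprint feed, independent of any login attempt."""
    hits = {u for u, pw in directory.items() if fingerprint(u, pw) in feed}
    store.compromised |= hits
    store.require_mfa |= hits
    return hits

def authenticate(store: PolicyStore, directory: dict, user: str, password: str,
                 mfa_ok: bool = False) -> Session:
    """Password check is unchanged by breach status; flagged accounts additionally need MFA."""
    ok = hmac.compare_digest(directory.get(user, ""), password)
    if user in store.require_mfa and not mfa_ok:
        ok = False
    return Session(user, ok, set(ALL) if ok else set())

def enforce(store: PolicyStore, session: Session) -> Session:
    """Step an already-authenticated session down in place: high-risk scopes go, session stays."""
    if session.authenticated and session.user in store.compromised:
        session.scopes = set(LOW_RISK)
    return session

def authorize(session: Session, resource: str) -> bool:
    """Gateway decision re-reads the session state, so a step-down applies mid-session."""
    return session.authenticated and resource in session.scopes

def remediate(store: PolicyStore, session: Session, directory: dict, new_password: str) -> None:
    """Credential rotation satisfies the remediation condition; prior authorization is restored."""
    directory[session.user] = new_password
    store.compromised.discard(session.user)
    store.require_mfa.discard(session.user)
    session.scopes = set(ALL)

def demo() -> dict:
    """Constructed walk-through: alice is logged in when her credential shows up in the feed."""
    directory = {"alice": "Summer2023!", "bob": "correct-horse"}  # constructed demo verifiers
    feed = {fingerprint("alice", "Summer2023!")}  # constructed intelligence feed
    store = PolicyStore()
    session = authenticate(store, directory, "alice", "Summer2023!")  # before intel arrives
    ingest_breach_intel(store, feed, directory)
    enforce(store, session)
    before = {"auth": session.authenticated,
              "export": authorize(session, "file_export"), "email": authorize(session, "email")}
    relogin = authenticate(store, directory, "alice", "Summer2023!").authenticated  # no MFA
    remediate(store, session, directory, "new-long-passphrase-42")
    return {"before": before, "relogin_without_mfa": relogin,
            "after_export": authorize(session, "file_export")}
```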
Conclusion
In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Stephen T Gundry whose telephone number is (571) 270-0507. The examiner can normally be reached Monday-Friday 9AM-5PM (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/STEPHEN T GUNDRY/Primary Examiner, Art Unit 2435