DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 10 and 12-14 are cancelled.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition
of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the
conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to abstract idea. Claim 1 for example, recites a method and, therefore, is a process. The claim recites the limitation of: "obtaining a target account"; “determining…a corresponding key service node”; “performing…access interception on a service request” These limitations, under broadest reasonable interpretation are directed performance of the limitation in a human mind using pen and paper/mental process.
A) The step of "obtaining a target account" is insignificant pre-solution activity that is receiving/obtaining data/account information/account which is routine, conventional, and well understood and again does not amount to significantly more than the abstract idea.
B) The step of “performing…access interception on a service request” is also post solution activity that is applying/performing interception mechanism which is routine, conventional, and well understood and again does not amount to significantly more than the abstract idea.
That is, nothing in the claim element precludes the step from practically being performed in the mind or using pen and paper by a human. For example, the claim encompasses a human simply "obtaining a target account; determining…a corresponding key service node; performing…access interception on a service request”. Thus, the claim recites a mental process when analyzed under step 2A prong 1.
Claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining additional limitation "two service nodes", “a corresponding key service node”, “Key service node”, “a service node” appears to be generic computer functions which do not constitute meaningful limitations that would amount to significantly more than the abstract idea. The combination of these additional element is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.
Claim is additionally analyzed under Step 2B to evaluates whether the claim as a whole amount to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When claims evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication anything other than a generic computer component. The mere "obtaining a target account"; “determining…a corresponding key service node”; “performing…access interception on a service request" is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here.
However, the additional elements fails to integrate the judicial application into a practical application and not directed to an improvement in the functioning of a computer or an improvement to the another technology
Thus, claim 1 fails to integrate the judicial exception into a practical application is found non-statutory under 35 U. S. C. 101.
Independent claims 11 and 23 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1.
Regarding Claim 2:
Claim 2 merely adds an additional abstract idea, namely “determining the corresponding key service node”; “obtaining a first service request…”; “determining…an interception gain…”; “ determining…the key service node”; of claim 2. Additional elements are introduced in claim 2 that (“a unit computing resource”), would integrate the judicial exception into a practical application. As a whole, claim 2 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 3:
Claim 3 merely adds an additional abstract idea, namely “determining the interception gain…”; “performing…access interceptions at different service nodes…”; “recording a first moment corresponding to each of the service node…”; “detecting a second service request…”; “recording a second moment corresponding to the second service request…”; “determining gain corresponding to each of the service nodes…” of claim 3.
Additional elements are introduced in claim 3 that (“a predetermined unit computing resource”), would integrate the judicial exception into a practical application. As a whole, claim 3 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 4:
Claim 4 merely adds an additional abstract idea, namely “performing…access interceptions at different service nodes…”; “determining…interception strategy…”; “intercepting…the service request…” of claim 4. Additional elements are introduced in claim 4 that (“a computing resource”), would integrate the judicial exception into a practical application. As a whole, claim 4 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 5:
Claim 5 merely adds an additional abstract idea, namely “obtaining…target account…”; “identifying…the target account… of claim 5. No additional elements are introduced in claim 5 that would integrate the judicial exception into a practical application. As a whole, claim 5 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 6:
Claim 6 merely adds an additional abstract idea, namely “identifying…target account…”; “obtaining the multi-dimensional features of the daily service request…”; “clustering…accounts corresponding to the daily service request…”; “determining…a target clustered account…” of claim 6. No additional elements are introduced in claim 6 that would integrate the judicial exception into a practical application. As a whole, claim 6 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 8:
Claim 8 merely adds an additional abstract idea, namely “obtaining appeal data…”; “updating…the target account and/or an interception strategy…”; of claim 8. No additional elements are introduced in claim 8 that would integrate the judicial exception into a practical application. As a whole, claim 8 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding Claim 9:
Claim 9 merely adds an additional abstract idea, namely “updating…the target account and/or an interception strategy…”; “clustering based on content of the appeal data…”; “updating…the target account and/or the interception strategy…” of claim 9. No additional elements are introduced in claim 9 that would integrate the judicial exception into a practical application. As a whole, claim 9 fails to integrate the judicial exception into a practical application is found non‐statutory under 35 U.S.C. 101 with the addition of the abstract idea.
Regarding claims 15-22 and 24:
Claims 15-22 and 24 do not add any additional abstract ideas or elements as already present, respectively, in claims 2, 3, 4, 5, 6, 7, 8 and 9. For that reason, claims 15-22 and 24 are rejected using the same rational as claims 2, 3, 4, 5, 6, 7, 8 and 9.
Dependent claims 15-22 and 24 do not cure the deficiency of the independent claims and are directed to abstract idea when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-9, 11 and 15-24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 11 and 23 recites “obtaining a target account that is an account having a risk of initiating an unauthorized request to a target service...”. However, It is unclear how “an account having a risk of initiating an unauthorized request to a target service” is getting identified/determined. To perform claimed function “obtaining a target account” that is an account having a risk need to determined/identified “target account”/ “suspicious account” or “risky account”. Specifications fails to describe how “an account which a having risk” is getting determined.
Claims 2-9, 15-22 and 24 are rejected, in addition to the rejections mentioned above for the individual claims, also in light of their dependency on claims 1, 11 and 23 and for not overcoming the grounds of rejection applied to claims 1, 11 and 23.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4, 11, 17, 19-20, 21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Clemons et al. (U. S. Pat. No. 10,666,620 B1) (hereinafter “Clemons”) and further in view of Reeves et al. (U. S. Pat. No. 8,554,912 B1) (hereinafter “Reeves”).
Regarding Claim 1, Clemons teaches:
A method for service request processing, comprising (Clemons: [Col 10, lines 62-64], At 330, a request for Internet services is received from a user over a public network (e.g., Internet)):
obtaining a target account that is an account having a risk of initiating an unauthorized request to a target service, the target service having at least two service nodes (Clemons: [Col 6, lines 23-34], (28) The content delivery entity 106 can determine whether the requests received at the nodes 110 are legitimate requests or illegitimate requests. For example, the nodes 110 can analyze the requests to determine whether the requests may pose a threat to the content provider entity 104 and/or the content delivery entity 106. The analysis can identify a number of different types of threats (e.g., denial of service attack and/or buffer overflow attack, among other types of attacks). The analysis can include different types of analysis used to detect different types of threats and/or attacks. The content delivery entity 106 can forward requests that are legitimate.);
based on the key service node (Clemons: [Col 6, lines 22-28], (28) The content delivery entity 106 can determine whether the requests received at the nodes 110 are legitimate requests or illegitimate requests. For example, the nodes 110 can analyze the requests to determine whether the requests may pose a threat to the content provider entity 104 and/or the content delivery entity 106)
and performing…access interception on a service request sent by the target account (Clemons: [Col 6, lines 35-39], (29) The content delivery entity 106 can drop (=access interception) the request by filtering the requests that are identified as illegitimate requests. For example, illegitimate requests can be filtered by the nodes 110 such that the illegitimate requests are not forwarded after they are identified as illegitimate)
Clemons does not explicitly disclose:
determining, based on the target account, a corresponding key service node the key service node being a service node among the at least two service nodes that has a best interception effect for performing access interception on an unauthorized request initiated by the target account.
However, in an analogous art, Reeves teaches:
determining, based on the target account, a corresponding key service node (Reeves: [Col 3, lines 43-53], network access control system 140 could receive the network data from service node 120 in the form of specific information regarding the serving infrastructure associated with the failed registration attempt, such as a failure type associated with the failure of wireless communication device 101…an identifier of service node 130 (=key service node) hardware and software versions of service node 130 (=key service node) , general vendor level, a geographic location of service node 130 and/or wireless communication device 101, a date and time of the failure, and any other information that may be tracked by communication network 130 for use in the analysis of service failures) the key service node being a service node among the at least two service nodes that has a best interception effect for performing access interception on an unauthorized request initiated by the target account (Reeves: [Col 3, Lines 54-61], The network data also typically includes indicators of the effectiveness (=a best interception effect) of the serving infrastructure involved in the service failure at successfully authenticating legitimate users (=unauthorized request detected) and preventing fraudulent access (=intercepting unauthorized request), along with known technical limitations of the serving infrastructure, which may be used to determine a level of compatibility between the serving infrastructure and wireless communication device 101. (=Examiner’s note: Key service nodes are part of “serving infrastructure, therefore overall “effectiveness of serving infrastructure” reads on “at least two service nodes that has a best interception effect…as claimed limitation)).
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Clemons’s method of analyzing the received request is legitimate requests or illegitimate requests and dropping the illegitimate requests requests/preventing the illegitimate requests from being forwarded applying Reeves’s method of providing an indicator of effectiveness (=a best interception effect) of the serving infrastructure involved in the service failure at successfully authenticating legitimate users (=unauthorized request detected) and preventing fraudulent access (=intercepting unauthorized request) in order to determine a level of compatibility between the serving infrastructure and wireless communication device.
Regarding Claim 4, Clemons in view of Reeves disclose:
The method of claim 1 (see rejection of claim 1 above),
wherein performing, based on the key service node, access interception on the service request sent by the target account comprises (Clemons: (Col 3, lines 34-41], (13) In a number of example, additional request handling performed on the request if the analysis of the access profile results in a determination that a risk level (e.g., risk determination value) corresponding to the request is at or above a threshold level (e.g., the risk poses a “high risk” such that it may be more likely to be an illegitimate request). Additional request handling can include, for instance, dropping the request (e.g., preventing the request from being forwarded) (=access interception), limiting an access that the request has to the entity, relocating the request to a different node, and/or gathering further information associated with the request.):
determining, based on the key service node, an interception strategy characterizing a computing resource allocation of a predetermined total computing resource at each of the service nodes (Clemons: [Col 3, lines 39-43], Additional request handling can include, for instance, dropping the request (e.g., preventing the request from being forwarded), limiting an access that the request has to the entity, relocating the request to a different node (=interception strategy), and/or gathering further information associated with the request);
and intercepting, based on the interception strategy, the service request sent by the target account at the key service node and at least one further service node (Clemons: (Clemons: (Col 3, lines 34-41], (13) In a number of example, additional request handling performed on the request if the analysis of the access profile results in a determination that a risk level (e.g., risk determination value) corresponding to the request is at or above a threshold level (e.g., the risk poses a “high risk” such that it may be more likely to be an illegitimate request). Additional request handling can include, for instance, dropping the request (e.g., preventing the request from being forwarded) (=access interception)).
Regarding Claim 11, this claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 11.
Regarding Claim 17, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 17.
Regarding Claim 23, this claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 23.
Claim(s) 5-9, 18 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Clemons et al. (U. S. Pat. No. 10,666,620 B1) (hereinafter “Clemons”) in view of Reeves et al. (U. S. Pat. No. 8,554,912 B1) (hereinafter “Reeves”); and further view of Provos et al. (2020/0296115 A1) (hereinafter “Provos”)
Regarding Claim 5, Clemons in view of Reeves disclose:
The method of claim 1 (see rejection of claim 1 above),
wherein obtaining the target account comprises (Clemons: [Col 6, lines 23-34], (28) The content delivery entity 106 can determine whether the requests received at the nodes 110 are legitimate requests or illegitimate requests. For example, the nodes 110 can analyze the requests to determine whether the requests may pose a threat to the content provider entity 104 and/or the content delivery entity 106. The analysis can identify a number of different types of threats (e.g., denial of service attack and/or buffer overflow attack, among other types of attacks). The analysis can include different types of analysis used to detect different types of threats and/or attacks. The content delivery entity 106 can forward requests that are legitimate):
Clemons in view of Reeves does not explicitly disclose:
identifying the target account based on multi-dimensional features of daily service requests.
However, in an analogous art, Provos teaches:
identifying the target account based on multi-dimensional features of daily service requests (Provos: [0069] The ad malware detection system 602 includes a sampler 610 that can serve as a first filter in identifying ads that may contain malware. Specifically, the sampler 610 can identify ads for which malware detection is recommended. The identification process can use ad-related information stored in the adgroup criteria features data base 606 and the URL features database 608. For example, the sampler 610 may search an ad for any of a set of per-determined ad content features (=multi-dimensional features) identified in the adgroup criteria features data base 606).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Provos of identifying ads for which content features identified as malicious feature. The motivation is to detection and processing of malware in sponsored content. (Provos: [0007]).
Regarding Claim 6, Clemons in view of Reeves and Provos disclose:
The method of claim 5 (see rejection of claim 5 above),
wherein identifying the target account based on the multi-dimensional features of the daily service requests comprises (Provos: [0069] The ad malware detection system 602 includes a sampler 610 that can serve as a first filter in identifying ads that may contain malware…the sampler 610 may search an ad for any of a set of per-determined ad content features (=multi-dimensional features) identified in the adgroup criteria features data base 606):
obtaining the multi-dimensional features of the daily service requests (Provos: [0054] A feature extraction engine 406 can extract features (=obtaining features) from the landing pages and URLs 404. The features can, for example, be indicative of the likelihood that a landing page associated with an ad includes malware. For example, one or more malware-related (or intrusion) features can correspond to small iFrames that may be indicative of an attempt to embed other HTML documents (e.g., malware-related) inside a main document. Another example of an intrusion feature is a bad or suspicious URL, such as a URL that matches a URL on a known list of malware-infected domains. A third example of an intrusion feature is suspicious script language);
clustering, based on the multi-dimensional features, accounts corresponding to the daily service requests to obtain a plurality of clustered accounts, the clustered accounts being a set of a plurality of accounts having a same clustering feature, wherein the clustering feature is a subset of the multi-dimensional features (Provos: [0070] The sampler 610 may use the classification model 402 described in reference to FIG. 4. For example, the sampler 610 may compare features of ads it processes from the data bases 606 and 608 with weighted features represented in the classification model 402. Based on the cumulative or combined feature weights of one or more features in an ad's landing page, the sampler 610 may determine that the ad's landing page exceeds a feature threshold. As such, the URL of the ad can be considered a candidate URL for more thorough malware detection);
and determining, based on the number of accounts in each of the clustered accounts, a target clustered account, an account in the target clustered account being the target account (Provos: [0080], The malware detector 616 may provide information regarding flagged ads, suspended accounts (=target clustered account) and the like to the status database 614).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Provos of detecting suspended accounts (=target clustered account). The motivation is to detection and processing of malware in sponsored content. (Provos: [0007]).
Regarding Claim 7, Clemons in view of Reeves and Provos disclose:
The method of claim 5 (see rejection of claim 5 above),
wherein the multi-dimensional features comprise at least two of: an account feature, a device feature, a behavior feature, or a content feature (Provos: [0054] A feature extraction engine 406 can extract features from the landing pages and URLs 404. The features can, for example, be indicative of the likelihood that a landing page associated with an ad includes malware. For example, one or more malware-related (or intrusion) features (=content feature) can correspond to small iFrames that may be indicative of an attempt to embed other HTML documents (e.g., malware-related) inside a main document, a bad or suspicious URL, such as a URL that matches a URL on a known list of malware-infected domains, suspicious script language have certain function calls or language elements that are known to be used in serving malware).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Provos of providing one or more malware related features. The motivation is to detection and processing of malware in sponsored content. (Provos: [0007]).
Regarding Claim 8, Clemons in view of Reeves disclose:
The method of claim 1 (see rejection of claim 1 above), further comprising:
Clemons in view of Reeves does not explicitly disclose:
obtaining appeal data, the appeal data being appeal information for the access interception sent by the target account; and updating, based on the appeal data, the target account and/or an interception strategy, wherein the interception strategy is a strategy for performing access interception on the service request sent by the target account.
However, in an analogous art, Provos teaches:
obtaining appeal data, the appeal data being appeal information for the access interception sent by the target account (Provos: [0083] The malware hub 612 can receive the appeal request [0082], Each appeal request can represent one or more ads for which the advertiser requests the ad malware detection system 602 to re-evaluate for malware content);
and updating, based on the appeal data, the target account and/or an interception strategy (Provos: [0098], if the intrusion score of the ad's landing page processed by the malware detector 616 exceeds an intrusion threshold, the malware detector 616 may update the status data base 614 with information that the corresponding ad is to be flagged… Ads that are flagged in the ads data base 604 may be precluded in various ways, such as by marking the served ads (e.g., in a user's browser) as containing potential malware or by preventing the ads from being served. Preclusion in stage 806 may also include suspending the advertiser's account (=interception strategy), or in a tiered account system, raising the malware risk rating for the advertiser),
wherein the interception strategy is a strategy for performing access interception on the service request sent by the target account (Provos: [0044] As the result of determining that any part of an advertiser's sponsored content (e.g., a single ad's landing page) includes malware, the system 300 may flag some or all of the advertiser's ads. The system 300 may also suspend the account of the advertiser (=interception strategy), such as to prevent the advertiser from submitting new ads. The system 300 may perform some actions automatically, such as when it is clear that ads are malware-related, e.g., a relatively high intrusion score).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Provos of prevent the advertiser from submitting new ads by suspending the account of the advertiser. The motivation is to detection and processing of malware in sponsored content. (Provos: [0007]).
Regarding Claim 9, Clemons in view of Reeves disclose:
The method of claim 8 (see rejection of claim 8 above),
wherein updating the target account and/or the interception strategy based on the appeal data comprises (Provos: [0044] Ads that are flagged in the ads data base 302 may be precluded from being served to users, or the ads may be annotated in some way to indicate their likelihood of the ad's landing page including malware [0098], if the intrusion score of the ad's landing page processed by the malware detector 616 exceeds an intrusion threshold, the malware detector 616 may update the status data base 614 with information that the corresponding ad is to be flagged… Ads that are flagged in the ads data base 604 may be precluded in various ways, such as by marking the served ads (e.g., in a user's browser) as containing potential malware or by preventing the ads from being served. Preclusion in stage 806 may also include suspending the advertiser's account, or in a tiered account system, raising the malware risk rating for the advertiser):
clustering based on content of the appeal data to obtain a first appeal sample and a second appeal sample (Provos: [0083] The malware hub 612 can receive the appeal request and update an appeals data base 620. Specifically, pending and completed appeal requests may be stored in the appeals data base 620 (=clustering). The information for each ad stored in the appeals data base 620 may include, for example, the advertiser’s name, the advertiser's account information, the URL(s) associated with the ad's landing pages and URLs in the redirect chain, and any other information that may be used to process the appeal),
wherein the first appeal sample is appeal information sent by a normal account (Provos: [0033], The malware detection system can provide a process for an advertiser to have its “flagged” ads re-checked and its accounts unsuspended (=normal account). Moreover, if the malware detection system re-checks the landing pages of an advertiser's flagged ad or ads (=appeal information sent by unsuspended account) and determines that the associated landing pages are clean (=normal account) (e.g., free from malware), the advertiser's account can be reinstated (or cleared)),
and the second appeal sample is an account having a risk of initiating an unauthorized request to the target service (Provos: [0033] The malware detection system can, for example, automatically test landing pages (e.g., a web page defined by a URL embedded or associated with sponsored content) for malware and take appropriate action when malware is detected. Such actions may follow pre-determined policies, such as to suspend an advertiser's account (=second appeal sample) (e.g., an advertiser's account with Google AdSense or AdWords), “flag” the ad or ads associated with the landing page as malware-related, and help the end-user avoid the negative effects of such ads in the future);
and updating, based on the first appeal sample and/or the second appeal sample, the target account and/or the interception strategy (Provos: [0044] Ads that are flagged in the ads data base 302 may be precluded from being served to users, or the ads may be annotated in some way to indicate their likelihood of the ad's landing page including malware [0098] Ads that are flagged in the ads data base 604 may be precluded in various ways, such as by marking the served ads (e.g., in a user's browser) as containing potential malware or by preventing the ads from being served. Preclusion in stage 806 may also include suspending the advertiser's account, or in a tiered account system, raising the malware risk rating for the advertiser (=the intercepting strategy))
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Provos of providing various ways of preventing the ads from being served such as suspending the advertiser's account, or in a tiered account system, raising the malware risk rating for the advertiser. The motivation is to detection and processing of malware in sponsored content. (Provos: [0007])
Regarding Claim 18, this claim contains identical limitations found within that of claim 5 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 18.
Regarding Claim 19, this claim contains identical limitations found within that of claim 6 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 19.
Regarding Claim 20, this claim contains identical limitations found within that of claim 7 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 20.
Regarding Claim 21, this claim contains identical limitations found within that of claim 8 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 21.
Regarding Claim 22, this claim contains identical limitations found within that of claim 9 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 22.
Claim(s) 2, 15 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Clemons et al. (U. S. Pat. No. 10,666,620 B1) (hereinafter “Clemons”) in view of Reeves et al. (U. S. Pat. No. 8,554,912 B1) (hereinafter “Reeves”); and further view of Xie et al. (U. S. Pat. No. 9,787,640 B1) (hereinafter “Xie”)
Regarding Claim 2, Clemons in view of Reeves teaches:
The method of claim 1 (see rejection of claim 1 above),
wherein determining the corresponding key service node based on the target account comprises (Reeves: [Col 3, lines 43-53], network access control system 140 could receive the network data from service node 120 in the form of specific information regarding the serving infrastructure associated with the failed registration attempt, such as a failure type associated with the failure of wireless communication device 101…an identifier of service node 130 (=key service node) hardware and software versions of service node 130 (=key service node) , general vendor level, a geographic location of service node 130 and/or wireless communication device 101, a date and time of the failure, and any other information that may be tracked by communication network 130 for use in the analysis of service failures) :
obtaining a first service request sent by the target account (Clemons: [Col 13,lines 12-13], (62) At step 502, the authentication server 402 may receive a requested that is originated form a first computing device. A user may send a request via the computing device 408-2)
Clemons in view of Reeves does not explicitly disclose:
determining, based on the first service request, an interception gain corresponding to each of the service nodes, wherein the interception gain characterizes, based on a unit computing resource, an effective interception duration for intercepting an attacker of the target account at a corresponding service node; and determining, based on the interception gain, the key service node.
However, in an analogous art, Xie teaches:
determining, based on the first service request, an interception gain corresponding to each of the service nodes (Xie: [Col 6, lines 37-41], (42) The graph diffusion process infers (=calculate) a score indicating the level of suspiciousness for each graph node (=interception gain). This process begins with assigning a high suspiciousness score (e.g., 1) to each suspicious graph node identified using the suspicious node detection by comparing with the global profile)
wherein the interception gain characterizes, based on a unit computing resource, an effective interception duration for intercepting an attacker of the target account at a corresponding service node (Xie: [Col 6, lines 58-60], (44) At the end of the graph diffusion process, the system outputs a list of graph nodes with suspiciousness scores higher than a pre-set threshold);
and determining, based on the interception gain, the key service node (Xie: [Col 3, lines 62-67], through data analysis, the big data analytics engine can automatically detect fake accounts, compromised accounts, and various malicious account activities, e.g., spam, phishing, fraudulent transactions or payments. The system sends back detection results both in real-time and through periodic updates. [Col 4, lines 1-4], (11) Through detecting malicious/compromised accounts, the system can pro-actively help fighting different forms of malicious activities, e.g., spam, phishing, cloud-computing abuse, fraudulent transactions or payments.
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Xie of infer/calculating a score indicating the level of suspiciousness for each graph node (=interception gain of each service node) and detecting compromised/fake/malicious accounts using hypergraph based detection. The motivation is to provide the big data analytics engine can automatically detect fake accounts, compromised accounts, and various malicious account activities, e.g., spam, phishing, fraudulent transactions or payments (Xie: [Col3, lines 62-66]).
Regarding Claim 15, this claim contains identical limitations found within that of claim 2 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 15.
Regarding Claim 24, this claim contains identical limitations found within that of claim 2 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 24.
Claim(s) 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Clemons et al. (U. S. Pat. No. 10,666,620 B1) (hereinafter “Clemons”) in view of Reeves et al. (U. S. Pat. No. 8,554,912 B1) (hereinafter “Reeves”) and Xie et al. (U. S. Pat. No. 9,787,640 B1) (hereinafter “Xie”); and in further view of Compagna et al. (U. S PGPub. No. 2017/0109534 A1) (hereinafter “Compagna”)
Regarding Claim 3, Clemons in view of Reeves and Xie teaches:
The method of claim 2 (see rejection of claim 2 above),
performing, based on a predetermined unit computing resource and for the first service request sent by the target account, access interceptions at different service nodes, respectively (Clemons: [Col 6, lines 40-44], (30) The analysis can be performed at a number of selected nodes. For example, the analysis can be performed at the node 110-8, the node 110-9, and/or the node 110-10, among other nodes. In a number of examples, the analysis can be performed at each of the nodes 110. [Col 6, lines 28-34], The analysis can identify a number of different types of threats (e.g., denial of service attack and/or buffer overflow attack, among other types of attacks). The analysis can include different types of analysis used to detect different types of threats and/or attacks. The content delivery entity 106 can forward requests that are legitimate),
detecting a second service request sent by the target account for the different service nodes (Clemons: [Col 13,lines 12-13], (62) At step 502, the authentication server 402 may receive a requested that is originated form a first computing device. A user may send a request via the computing device 408-2) ,
and request sent by the target accounting a second moment corresponding to the second service request (Clemons: [Col 6, lines 57-61-62], (32) In the example shown in FIG. 1, a user sends illegitimate requests (=second service request) to the content provider entity 104 through the computing devices 108-2, 108-5, and/or 108-6. As shown, the computing devices 108-2, 108-5, and/or 108-6 can send the illegitimate requests directly to the content provider entity 104. [Col 6, lines 40-44], (30) The analysis can be performed at a number of selected nodes. For example, the analysis can be performed at the node 110-8, the node 110-9, and/or the node 110-10, among other nodes. In a number of examples, the analysis can be performed at each of the nodes 110)
Clemons in view of Reeves does not explicitly disclose:
wherein determining the interception gain corresponding to each of the service nodes based on the first service request comprises:
and recording a first moment corresponding to each of the service nodes, the first moment being a start moment of the access interception;
wherein the second service request is a service request for bypassing the access interception, and the second moment is a moment at which the second service request is received.
and determining, based on the first moment and the second moment, the interception gain corresponding to each of the service nodes.
However, Xie teaches:
wherein determining the interception gain corresponding to each of the service nodes based on the first service request comprises (Xie: [Col 6, lines 37-41], (42) The graph diffusion process infers a score indicating the level of suspiciousness for each graph node. This process begins with assigning a high suspiciousness score (e.g., 1) to each suspicious graph node identified using the suspicious node detection by comparing with the global profile):
and recording a first moment corresponding to each of the service nodes, the first moment being a start moment of the access interception (Xie: [Col 1, lines 54-57], generate an initial list of malicious accounts with a high confidence, as they have exhibited stronger global correlations in conducting malicious activities);
and determining, based on the first moment and the second moment, the interception gain corresponding to each of the service nodes (Xie: [Col 6, lines 37-41], (42) The graph diffusion process infers a score indicating the level of suspiciousness for each graph node. This process begins with assigning a high suspiciousness score (e.g., 1) to each suspicious graph node identified using the suspicious node detection by comparing with the global profile).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves by applying the well-known technique as disclosed by Xie of infer/calculating a score indicating the level of suspiciousness for each graph node (=interception gain of each service node) and detecting compromised/fake/malicious accounts using hypergraph based detection. The motivation is to provide the big data analytics engine can automatically detect fake accounts, compromised accounts, and various malicious account activities, e.g., spam, phishing, fraudulent transactions or payments (Xie: [Col3, lines 62-66])
The Clemons in view of Reeves and Xie does not explicitly disclose:
wherein the second service request is a service request for bypassing the access interception, and the second moment is a moment at which the second service request is received.
However, in an analogous art, Compagna teaches:
wherein the second service request is a service request for bypassing the access interception, and the second moment is a moment at which the second service request is received (Compagna: [0098] Web Attacker: he/she can control a SP (referred to as the SP.sub.M) that is integrated with a TTP. The SP.sub.M can subvert the protocol flow (e.g., by changing the order and value of the HTTP requests/responses generated from her SP, including redirection to arbitrary domains) (=bypass the access interception by changing values of http request/response). The web attacker can also operate a browser and communicate with other SPs and TTPs. [0087] Some SPs (e.g. twitter.com) do not properly perceive and/or manage the risk associated to the security-sensitive URIs sent to their users. It turns out that some of these URIs give access to sensitive services skipping any authentication step…);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Clemons in view of Reeves and Xie by applying the well-known technique as disclosed by Compagna of attacker bypass/skip authentication step by changing the order and value of the HTTP requests/responses. The motivation is to provide a security testing framework to leverage attack patterns in order to determine attack pattern of attackers (Compagna: [Abstract])
Regarding Claim 16, this claim contains identical limitations found within that of claim 3 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 16.
Conclusion
The prior art made of record and not relied upon is considered pertinent to a disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Koottayi et al. (U. S. PGPub. No. 2020/0267162 A1): The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.
Huffiner et al. (U. S. Pat. No. 10,896473 B2): Technology is disclosed for detecting imposters of a brand account. The technology can store a brand profile of the brand account, detect that a message has been publicly communicated to the brand account from a social media account, monitor messages sent publicly to the social media account from other social media accounts by repeatedly comparing the brand profile to metadata of each of the monitored messages, and identify at least one of the other social media accounts as an imposter account based on the comparing. The technology can cease the comparing at predetermined expiration time occurring after the detection of the message that was sent publicly to the brand account.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.D./Examiner, Art Unit 2437
/ALI S ABYANEH/Primary Examiner, Art Unit 2437