Alex Vaystikh et al.Download PDFPatent Trials and Appeals BoardAug 22, 201913537525 - (D) (P.T.A.B. Aug. 22, 2019) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 13/537,525 06/29/2012 Alex Vaystikh EMC-12-271 8563 16019 7590 08/22/2019 Ryan, Mason & Lewis, LLP 2425 Post Road Suite 204 Southport, CT 06890 EXAMINER LYNCH, SHARON S ART UNIT PAPER NUMBER 2438 NOTIFICATION DATE DELIVERY MODE 08/22/2019 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ctoffice@rml-law.com kmm@rml-law.com mjc@rml-law.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________________ BEFORE THE PATENT TRIAL AND APPEAL BOARD ____________________ Ex parte ALEX VAYSTIKH, ALON KAUFMAN, and YAEL VILLA ____________________ Appeal 2018-007538 Application 13/537,5251 Technology Center 2400 ____________________ Before DEBRA K. STEPHENS, DANIEL J. GALLIGAN, and DAVID J. CUTITTA II, Administrative Patent Judges. CUTITTA, Administrative Patent Judge. DECISION ON APPEAL Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 1, 2, 5–9, 12–16, and 19–26.2 We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM. 1 Appellants identify EMC Corporation as the real party in interest. See App. Br. 1. 2 Claims 3, 4, 10, 11, 17, and 18 have been cancelled. Claim 27 has been allowed. Appeal 2018-007538 Application 13/537,525 2 STATEMENT OF THE CASE According to Appellants, the claims are directed to an authentication system allowing users to permit private user information stored on a first site, i.e., a “Service Provider,” to be accessed by a second site, i.e., a “Consumer.” Spec. 1:20–24, Abstract.3 Claim 1, reproduced below, is illustrative of the claimed subject matter: 1. A method for controlling access by a consumer to a service provider on behalf of a user, the method comprising the steps of: obtaining, by at least one processing device of at least one authentication manager and gateway, one or more rules from said user specifying one or more permissions of the consumer comprising one or more actions that said consumer is one or more of authorized and not authorized to perform on behalf of said user; obtaining, by said at least one processing device of said at least one authentication manager and gateway, an authentication request from said service provider responsive to an initial access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol, wherein said service provider provides an access token to the consumer upon (i) validation by said at least one processing device of said at least one authentication manager and gateway, and (ii) approval from the user to grant access to the consumer on behalf of said user, wherein said access token authorizes the consumer to act on behalf of said user until said access token is revoked, wherein said consumer uses said access token for an initial access to the service provider on behalf of the user; and in response to a subsequent access request, from the consumer with said access token authorizing the consumer to act on behalf of said user when said access token has not been 3 This Decision refers to: (1) Appellants’ Specification filed June 29, 2012 (Spec.); (2) the Final Office Action (Final Act.) mailed November 29, 2017; (3) the Appeal Brief (App. Br.) filed March 26, 2018; (4) the Examiner’s Answer (Ans.) mailed May 14, 2018; and (5) the Reply Brief (Reply Br.) filed July 16, 2018. Appeal 2018-007538 Application 13/537,525 3 revoked, to access the service provider on behalf of the user, wherein the subsequent access request is subsequent to said initial access to the service provider, performing the following step: performing a risk analysis, using at least one processing device of said at least one authentication manager and gateway, in response to said subsequent access request by said consumer with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked, to improve security by detecting an anomalous access request by said authorized consumer, wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said obtained one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user, wherein said one or more rules specify said one or more permissions of the consumer, wherein said user is prompted, based on said risk analysis, to specify whether to allow said subsequent access request by said consumer when said subsequent access request is determined by said at least one processing device of said at least one authentication manager and gateway to demonstrate said anomalous behavior. REFERENCES AND REJECTIONS Claims 1, 2, 5–9, 12–16, and 19–26 stand rejected under 35 U.S.C. § 101 as directed to patent-ineligible subject matter. See Final Act. 15–17. Claims 1, 2, 6–9, 13–16, 19, 20, and 22–26 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Bodi (US 2013/0036455 A1; published Feb. 7, 2013), Monjas Llorente (US 2012/0204221 A1; published Appeal 2018-007538 Application 13/537,525 4 Aug. 9, 2012), and Dominguez (US 2011/0196791 A1; published Aug. 11, 2011). Id. at 18–51. Claims 5, 12, and 21 stand rejected under 35 U.S.C. §103(a) as being unpatentable over Bodi, Monjas Llorente, Dominguez, and Lin (US 2010/0121916 A1; published May 13, 2010). See id. at 52–53. Our review in this appeal is limited to the above rejections and the issues raised by Appellants. Arguments not made are waived. See MPEP § 1205.02; 37 C.F.R. § 41.37(c)(1)(iv). ANALYSIS 35 U.S.C. § 101 Principles of Law An invention is patent-eligible if it claims a “new and useful process, machine, manufacture, or composition of matter.” 35 U.S.C. § 101. However, the Supreme Court has long interpreted 35 U.S.C. § 101 to include implicit exceptions: “[l]aws of nature, natural phenomena, and abstract ideas” are not patentable. E.g., Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 573 U.S. 208, 216 (2014). In determining whether a claim falls within an excluded category, we are guided by the Supreme Court’s two-step framework, described in Mayo and Alice. Id. at 217–18 (citing Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 75–77 (2012)). In accordance with that framework, we first determine what concept the claim is “directed to.” See Alice, 573 U.S. at 219 (“On their face, the claims before us are drawn to the concept of intermediated settlement, i.e., the use of a third party to mitigate settlement risk.”); see also Bilski v. Kappos, 561 U.S. 593, 611 (2010) (“Claims 1 and 4 Appeal 2018-007538 Application 13/537,525 5 in petitioners’ application explain the basic concept of hedging, or protecting against risk.”). Concepts determined to be abstract ideas, and thus patent ineligible, include certain methods of organizing human activity, such as fundamental economic practices (Alice, 573 U.S. at 219–20; Bilski, 561 U.S. at 611); mathematical formulas (Parker v. Flook, 437 U.S. 584, 594–95 (1978)); and mental processes (Gottschalk v. Benson, 409 U.S. 63, 69 (1972)). Concepts determined to be patent eligible include physical and chemical processes, such as “molding rubber products” (Diamond v. Diehr, 450 U.S. 175, 192 (1981)); “tanning, dyeing, making waterproof cloth, vulcanizing India rubber, smelting ores” (id. at 184 n.7 (quoting Corning v. Burden, 56 U.S. 252, 267–68 (1854))); and manufacturing flour (Benson, 409 U.S. at 69 (citing Cochrane v. Deener, 94 U.S. 780, 785 (1876))). In Diehr, the claim at issue recited a mathematical formula, but the Supreme Court held that “[a] claim drawn to subject matter otherwise statutory does not become nonstatutory simply because it uses a mathematical formula.” Diehr, 450 U.S. at 176; see also id. at 191 (“We view respondents’ claims as nothing more than a process for molding rubber products and not as an attempt to patent a mathematical formula.”). Having said that, the Supreme Court also indicated that a claim “seeking patent protection for that formula in the abstract . . . is not accorded the protection of our patent laws, and this principle cannot be circumvented by attempting to limit the use of the formula to a particular technological environment.” Id. at 187 (“It is now commonplace that an application of a law of nature or mathematical formula to a known structure or process may well be deserving of patent protection.”) and 191 (citing Benson and Flook). Appeal 2018-007538 Application 13/537,525 6 If the claim is “directed to” an abstract idea, we turn to the second step of the Alice and Mayo framework, where “we must examine the elements of the claim to determine whether it contains an ‘inventive concept’ sufficient to ‘transform’ the claimed abstract idea into a patent- eligible application.” Alice, 573 U.S. at 221 (quotations omitted). “A claim that recites an abstract idea must include ‘additional features’ to ensure ‘that the [claim] is more than a drafting effort designed to monopolize the [abstract idea].’” Id. (quoting Mayo, 566 U.S. at 77). “[M]erely requir[ing] generic computer implementation[] fail[s] to transform that abstract idea into a patent-eligible invention.” Id. USPTO January 7, 2019 Revised Section 101 Memorandum The USPTO recently published revised guidance on the application of § 101. See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019 (“2019 Guidance”). Under the 2019 Guidance, we first look to whether the claim recites: (1) any judicial exceptions, including certain groupings of abstract ideas (i.e., mathematical concepts, certain methods of organizing human activity such as a fundamental economic practice, or mental processes); and (2) additional elements that integrate the judicial exception into a practical application (see MPEP § 2106.05(a)–(c), (e)–(h)). Only if a claim (1) recites a judicial exception and (2) does not integrate that exception into a practical application, do we then look to whether the claim: (3) adds a specific limitation beyond the judicial exception that is not “well-understood, routine, conventional” in the field (see MPEP § 2106.05(d)); or Appeal 2018-007538 Application 13/537,525 7 (4) simply appends well-understood, routine, and conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception. Discussion We are persuaded of Examiner error. We analyze the claims and the Examiner’s rejection in view of the 2019 Guidance and we adopt the nomenclature for the steps used in the 2019 Guidance. Step 1 Section 101 provides that “[w]hoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.” 35 U.S.C. § 101. Independent claim 1 recites a method, independent claim 8 recites an apparatus, and independent claim 15 recites an article of manufacture. As such, the claims are directed to statutory classes of invention within 35 U.S.C. § 101, i.e., a process, a machine, and a manufacture. Step 2A, Prong 1 Under Step 2A, Prong 1 of the 2019 Guidance, we must determine whether the claims, being directed to a statutory classes of invention, nonetheless fall within a judicial exception. We determine they do not. The Examiner determines [t]he underlying invention is directed to the abstract idea of performing a risk analysis to determine whether to grant a request, which is similar to abstract ideas involving mathematical relationships and an [i]dea [i]tself previously identified by case law, such as managing risk, calculating parameters indicating an abnormal condition and diagnosing an abnormal condition and collecting and analyzing information to detect [m]isuse. Final Act. 15–16 (citations omitted); Ans. 3. Appeal 2018-007538 Application 13/537,525 8 Appellants argue that the “present claims do not merely recite the alleged [a]bstract [i]dea of ‘performing a risk analysis to determine whether to grant a request’” (App. Br. 8) but instead “the claims are directed to an improvement to computer functionality itself,” specifically, “risk-based authentication between two servers (a Service Provider and a Consumer) on behalf of a user” (id. at 12). We are persuaded of Examiner error. The Examiner has not demonstrated that the claimed “risk analysis,” which “determines when the subsequent access request from said consumer,” e.g., a consumer server, “to act on behalf of said user should be granted,” is directed to a judicial exception and is therefore an abstract idea, particularly when understood in the context of the claims. The Examiner determines that the claimed risk analysis is “similar to abstract ideas involving mathematical relationships” (Final Act. 15 (citing Digitech Image Techs., LLC v. Elecs. for Imaging, Inc., 758 F.3d 1344 (Fed. Cir. 2014)), but the claims do not recite any particular mathematical formula or process, and the Examiner has not explained how the claims include such mathematical relationships. Further the Examiner determines that the claimed risk analysis is “similar to . . . managing risk” (id. at 15–16) as in Alice. However, the risk management discussed in Alice was “drawn to the concept of intermediated settlement” and, so, was a “fundamental economic practice long prevalent in our system of commerce.” Id. at 219 (citation omitted). The claimed invention here, however, is not directed to risk management in the context of economic practices. Instead, the claimed risk management is “between two servers (a Service Provider and a Consumer) on behalf of a user.” Spec. 3:17–18 (emphasis added); see id. 1:20–24. The claims recite language confirming that the recited risk analysis is for computer authentication, namely, authentication between a service Appeal 2018-007538 Application 13/537,525 9 provider computer and a consumer computer. For example, the claims recite, among other limitations, an access request from the consumer to access the service provider on behalf of the user in accordance with a server-to-server protocol, wherein said service provider provides an access token to the consumer . . . wherein said consumer uses said access token for an initial access to the service provider. Therefore, we are persuaded that the Examiner has not established that the claims recite a judicial exception. As the “claim[s] do[] not recite a judicial exception, [they are] not directed to a judicial exception” and “this concludes the eligibility analysis.” 2019 Guidance, 84 Fed. Reg. at 54. Accordingly, we do not sustain the Examiner’s rejection of claims 1, 2, 5–9, 12–16, and 19–26 under 35 U.S.C. § 101 as directed to patent-ineligible subject matter. 35 U.S.C. § 103 Clams 1, 5–8, 12–15, 19–21, 23, 25, and 26 “access request from said consumer to act on behalf of said user” Appellants contend the Examiner erred in finding Dominguez teaches performing a risk analysis . . . in response to said subsequent access request by said consumer with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked . . . wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said obtained one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user, wherein said one or more rules specify said one or more permissions of the consumer, Appeal 2018-007538 Application 13/537,525 10 as recited in claim 1 and similarly recited in claims 8 and 15. See App. Br. 15–19; Reply Br. 17–22. Specifically, Appellants argue “Dominguez does not teach a ‘consumer (that accesses) a service provider on behalf of a user’” and “the consumer of Dominguez does not have an access token that authorizes the consumer to act on behalf of said user.” App. Br. 18 (emphasis omitted); Reply Br. 19–20. Additionally, Appellants argue that “any rules of Dominguez are automatically learned by the system from prior transactions,” rather than being rules specified by a user. App. Br. 18–19; Reply Br. 21. We are not persuaded. The Examiner finds, and we agree, Bodi teaches a “subsequent access request by said consumer with said access token authorizing the consumer to act on behalf of said user.” Ans. 14–15 (citing Bodi ¶¶ 28, 32, 80, 83, 85, 86, 88, 91, and Fig. 6); see Final Act. 10– 11, 19–20. In particular, Bodi describes an “access token (denoted by TC) which encapsulates the requesting user’s consent for the consumer service to access the resource in the name of the requesting user i.e.[,] to act in their name towards the service provider for accessing the resource,” and subsequently using the access token TC for “a third access request.” Bodi ¶¶ 85, 91; see id. ¶¶ 22, 32, and Fig. 6. The Examiner further finds, and we agree, Monjas Llorente teaches “one or more rules . . . specified by said user wherein said one or more rules specify said one or more permissions of the consumer.” Ans. 16–17 (citing Monjas Llorente ¶¶ 40, 62, 65–68, 72–74, 95–100, 125, 136, 137, 141, and 142); Final Act. 12, 23. In particular, Monjas Llorente describes a “consumer,” i.e., a computer requesting data on behalf of a user (see Monjas Llorente ¶¶ 3–4), which “wants to access a protected resource” from a service provider; access to that “protected Appeal 2018-007538 Application 13/537,525 11 resource is governed by policy settings set by the user” (id. ¶ 125; see id. ¶¶ 66–67). Appellants’ argument that “the consumer of Dominguez does not have an access token that authorizes the consumer to act on behalf of said user” (App. Br. 18; Reply Br. 19–20) does not persuade us of Examiner error because that argument does not address the Examiner’s reliance on Bodi to teach an access token that authorizes the consumer to act on behalf of said user (see Ans. 14–15 (citing Bodi ¶¶ 22, 32, 85, 91, and Fig. 6)). Further, Appellants’ argument that the claims require rules specified by a user, but “any rules of Dominguez are automatically learned by the system from prior transactions” (App. Br. 18–19; Reply Br. 21) does not persuade us of Examiner error because that argument does not address the Examiner’s reliance on Monjas Llorente to teach access rules specified by a user (Ans. 16–17 (citing Monjas Llorente ¶¶ 66–67, 125)). Accordingly, we are not persuaded the Examiner erred in finding the combination of Bodi, Monjas Llorente, and Dominguez, teaches performing a risk analysis . . . in response to said subsequent access request by said consumer with said access token authorizing the consumer to act on behalf of said user when said access token has not been revoked . . . wherein said risk analysis (i) determines when the subsequent access request from said consumer to act on behalf of said user should be granted, and (ii) determines when said subsequent access request demonstrates anomalous behavior comprising one or more of abnormal, risky and atypical behavior relative to (a) prior transactions, stored in at least one memory, performed by said consumer on behalf of said user, and (b) said obtained one or more rules, stored in said at least one memory, specified by said user who has granted access to the consumer on behalf of said user, wherein said one or more rules specify said one or more permissions of the consumer, Appeal 2018-007538 Application 13/537,525 12 as recited in claim 1 and similarly recited in claims 8 and 15. Improper Combination Appellants contend the Examiner improperly combined Bodi, Monjas Llorente, and Dominguez. App. Br. 19–21; Reply Br. 22–24. Specifically, Appellants argue, “[s]ince Dominguez does not teach four parties in a server-to-server protocol, such as OAuth . . . a person of ordinary skill in the art would not be motivated to combine Dominguez with Bodi and Monjas Llorente . . . in order to reevaluate the previously authorized credentials.” App. Br. 19–20; Reply Br. 22. Further, Appellants argue “that there are currently 1,536 published US Patent Applications that mention ‘OAuth’” and “a person of ordinary skill in the art would turn first to this body of literature before turning to Dominguez.” App. Br. 20; Reply Br. 23. Still further, Appellants argue “the Examiner’s characterization of the field of Dominguez appears to be conjecture and not expressly stated in Dominguez” and “a more appropriate characterization of the field of Dominguez would be fraud prevention in transaction processing.” App. Br. 20; Reply Br. 23. We are not persuaded. The Examiner determines that [i]t would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Dominguez’s method of performing a risk analysis . . . in order to “provide an early indication or warning of a potentially fraudulent transaction[,”] “reduce the likelihood of actual fraud[,”] and “save time and data processing resources that might otherwise be spent processing data related to the transaction before it is identified as fraudulent.” Ans. 18 (citing Dominguez ¶ 7); Final Act. 28. Appellants’ arguments that Dominguez does not teach “four parties in a server-to-server protocol, such as OAuth” and that “there are currently Appeal 2018-007538 Application 13/537,525 13 1,536 published US Patent Applications that mention ‘OAuth’” (App. Br. 19–20; Reply Br. 23) do not persuade us that the Examiner’s stated motivation for the combination lacks reasoning with rational underpinnings. Initially, as the Examiner points out (Ans. 18–19), the claims do not recite OAuth authentication and Appellants’ arguments based on OAuth authentication do not address features recited by the claims. Furthermore, those arguments essentially state that OAuth authentication exists and that Dominguez does not describe OAuth authentication. But stating that OAuth authentication exists and that Dominguez does not describe OAuth does not explain why the Examiner’s articulated reasoning for the combination, i.e., fraud detection and reduction, is not supported by rational underpinning. KSR International Co. v. Teleflex Inc. (KSR), 550 U.S. 398, 418 (2007). A technique for ensuring that access requests are not fraudulent is a reasonable feature to incorporate into an authentication system because, on its face, adding fraud detection to an authentication system improves authentication. As such, we determine that the Examiner has articulated reasoning for the combination supported by rational underpinning. Further, to the extent Appellants argue Dominguez is non-analogous art (see App. Br. 20 (“the Examiner’s characterization of the field of Dominguez appears to be conjecture and not expressly stated in Dominguez”); Reply Br. 23), that argument is also not persuasive. A reference is analogous art to the claimed invention if: (1) the reference is from the same field of endeavor as the claimed invention (even if it addresses a different problem); or (2) the reference is reasonably pertinent to the problem faced by the inventor (even if it is not in the same field of endeavor as the claimed invention). See In re Bigio, 381 F.3d 1320, 1325 (Fed. Cir. 2004). Appellants address the first test for analogous art, but do Appeal 2018-007538 Application 13/537,525 14 not address the alternative second test for non-analogous art. As the Examiner points out, Dominguez addresses the problem of “risk analysis based on previous fraudulent transactions” (Ans. 18; see Dominguez ¶ 51), which is reasonably pertinent to the problem faced by the inventor, namely, “risk analysis [to] determine if the subsequent access demonstrates one or more of abnormal, risky and atypical behavior relative to prior transactions of the consumer” (Spec. 2:21–24). Accordingly, we are not persuaded the Examiner improperly combined Bodi, Monjas Llorente, and Dominguez in rejecting independent claims 1, 8, and 15. We, therefore, sustain the 35 U.S.C. § 103(a) rejection of independent claims 1, 8, and 15, as well as the 35 U.S.C. § 103(a) rejections of dependent claims 5–7, 12–14, 19–21, 23, 25, and 26, which are not argued separately. See App. Br. 15–22. Claims 2, 9, and 16 Appellants contend the Examiner erred in finding Dominguez teaches “said risk analysis determines if said subsequent access request complies with said one or more rules of said user,” as recited in claim 2 and similarly recited in claims 9 and 26. App. Br. 21–22; Reply Br. 24. Relying on arguments presented for the independent claims, Appellants specifically argue, “if Dominguez does not teach the rules, as recited in the independent claims, then Dominguez cannot teach” the limitations recited in dependent claims 9 and 26. App. Br. 22; Reply Br. 24. We are not persuaded. As discussed above in regards to the independent claims, we agree with the Examiner that Monjas Llorente teaches rules specified by the user. Ans. 16–17 (citations omitted); see Monjas Llorente ¶ 125 (“[C]onsumer 300 wants to access a protected resource. The protected resource is governed by policy settings set by the Appeal 2018-007538 Application 13/537,525 15 user . . . .”); see id. ¶¶ 66–67. And, as discussed above, Appellants’ arguments that Dominguez does not teach rules set by a user does not persuade us that Monjas Llorente fails to teach rules set by a user. Accordingly, we are not persuaded the Examiner erred in finding the combination of Bodi, Monjas Llorente, and Dominguez teaches “said risk analysis determines if said subsequent access request complies with said one or more rules of said user,” as recited in claim 2 and similarly recited in claims 9 and 26. Claims 22 and 24 Appellants contend the Examiner erred in finding Dominguez teaches “learning typical access patterns of a consumer,” as recited in claim 22 and similarly recited in claim 24. App. Br. 22; Reply Br. 24–25. Relying on similar arguments presented for the independent claims, Appellants specifically argue Dominguez describes “a traditional consumer 302 selecting products or services and finalizes purchases directly with Merchant System 304,” i.e., “[c]onsumer 302 is the user, and there is no entity operating on behalf of the consumer.” App. Br. 22 (citation omitted); Reply Br. 24–25. We are not persuaded. As discussed above in regards to the independent claims, we agree with the Examiner that Bodi teaches a consumer computer acting on behalf of a user. Ans. 14–15 (citations omitted); see Bodi ¶ 22 (disclosing “a resource request from an application to a service provider, the resource request requesting access to a resource at the service provider, wherein the resource request is issued by the application in the name of a requesting user”); see also id. ¶¶ 33, 85, Abstract. And, as discussed above, Appellants’ arguments that Dominguez does not teach a consumer acting on behalf of a user does not persuade us Appeal 2018-007538 Application 13/537,525 16 that Bodi fails to teach a consumer acting on behalf of a user. Accordingly, we are not persuaded the Examiner erred in finding the combination of Bodi, Monjas Llorente, and Dominguez teaches “learning typical access patterns of a consumer,” as recited in claim 22 and similarly recited in claim 24. DECISION For the reasons above, we affirm the Examiner’s decision rejecting claims 1, 2, 5–9, 12–16, and 19–26. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f). AFFIRMED Copy with citationCopy as parenthetical citation