Prosecution Insights
Last updated: July 17, 2026
Application No. 17/187,094

SYSTEMS AND METHODS FOR DYNAMIC ACCESS CONTROL FOR DEVICES OVER COMMUNICATIONS NETWORKS

Non-Final OA §103§112
Filed
Feb 26, 2021
Examiner
DEBNATH, SUMAN
Art Unit
2495
Tech Center
2400 — Computer Networks
Assignee
Ip Technology Labs LLC
OA Round
7 (Non-Final)
75%
Grant Probability
Favorable
7-8
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
310 granted / 413 resolved
+17.1% vs TC avg
Strong +33% interview lift
Without
With
+33.0%
Interview Lift
resolved cases with interview
Typical timeline
4y 0m
Avg Prosecution
9 currently pending
Career history
424
Total Applications
across all art units

Statute-Specific Performance

§101
1.2%
-38.8% vs TC avg
§103
84.8%
+44.8% vs TC avg
§102
11.9%
-28.1% vs TC avg
§112
1.5%
-38.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 413 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-18 are pending in this application. Claims 1 and 9 are currently amended. No new IDS was filed by the Applicant. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/06/2026 has been entered. Claim Objections Claim 17 is objected to because of the following. Claim 17 recites the limitation "the one or more selection parameters" in line 1. Claim 17 is dependent from claim 1 which recites “one or more network connection parameters” in line 14 of claim 1. It is unclear if the limitation "the one or more selection parameters" of claim 17 is referring back to the limitation “one or more network connection parameters” of claim 1. There is insufficient antecedent basis for this limitation in the claim. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-8 and 17-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites limitation “the request module comprising instructions enabling the remote network device microprocessor to post information unique to the request module to the database”, in line 5 and “the grantor module comprising instructions enabling the central network device microprocessor to extract the information from the database” in line 9. These limitations are constructed under 35 U.S.C. 112(f) as means-plus-function (or step-plus-function) limitations because they recite what the modules “do” via instructions without reciting definite structure (e.g., specific algorithms, hardware circuits, or detailed flowcharts) in the claims. The specification provides only high-level, functional descriptions and block diagrams (e.g., see, Figs. 1-5) without sufficient algorithms or structural details for the computer-implemented functions. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph. Dependent claims 2-8 and 17-18 inherits the features of claim 1 for the dependency and do not cure the deficiency of claim 1. Applicant may: (a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; Amend the claims to recite sufficient structure (e.g., “a non-transitory computer-readable medium comprising instructions that, when executed …”) to avoid 35 U.S.C. 112(f) or (b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)). If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: (a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-10, 12-15 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Shannon (US 6,233,618 B1) in view of Lee et al. (US 9,621,553 B1) (hereinafter, “Lee”). . As to claim 1, Shannon discloses a system for access control for applications over communications networks, the system comprising: a database (“The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; see also: “… access control databases 230, 204 and 208.” -e.g., see, Fig. 1, col. 5, line 13); a remote network device comprising a request module, a networking application, and a connected remote network device microprocessor in communication therewith, the request module comprising instructions enabling the remote network device microprocessor to post information unique to the request module to the database (“The network device is responsible for controlling access by client computers to data available from server computers, when those requests are made via any one or more of a variety of protocols such as HTTP, FTP, Gopher, Telnet, WAIS, NNTP, and so forth. The invention is extendable to provide access control for other types of data access protocols used to transfer data between computers as well, such as protocols that will arrive in the future to perform data exchange or data transactions. The network device includes, typically, a data processor providing a first interface for receiving requests from clients, such as may be connected to the first network, for data stored on servers on the second network.” -e.g., see, col. 3, lines 46-58; see also: “The network device also includes an access control process coupled to the first interface. The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined.” -e.g., see, col. 3, lines 59-63; see also: “Packet 300 includes a beginning field 301 recognizable by network device 100 as the start of a packet, and an ending field 305 recognizable as the end of the packet. The source address field 302 indicates the source of the data packet, which is the network address of the client computer sending the request. Source address field 302 may contain, for example, IP and/or Media Access Control (MAC) addressing information. The destination address field 303 indicates the destination network address of a remote server computer that is to receive packet 300, and may also contain IP and/or MAC layer addressing information. The data field 304 is used to transport the data or payload of the packet from the browser application (i.e., Netscape) on the client 52 to the web server software operating on the web server 55. In the example shown, the data field 304 contains the request in the form of a full Uniform Resource Locator (URL) for a web page. A URL serves as the indicator of the request from the client for a specific web page stored one of the servers, and can be detected by network device 100.” -e.g., see, col 13, lines 1-18; herein, Shannon teaches client/remote devices (with processors and networking apps) send (“post”) packets containing unique source/address/URL/protocol info that is received and stored/used by access control database (equivalent to “request module” posting to database)); and a central network device comprising a grantor module, a central networking application, and a connected central network device microprocessor in communication therewith, the grantor module comprising instructions enabling the central network device microprocessor to extract the information from the database and permit the remote network device to access the central network device via a security means of the central network device (“The network device also includes an access control process coupled to the first interface. The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; herein, Shannon teaches access control process (e.g., central networking device) extracts/analyzes information from the request/database and forwards (permits) access via its function (e.g., security means); see also, Fig. 4, see also: “… once a web page request is detected in a packet, in step 201, the source address of the packet in field 302 is examined. The source address may be an IP address, or a MAC address, or an address/username combination. Then, step 202 matches the source address and data with the group/source database 203 (i.e., Table 1) in order to determine the group in Table 1 to which the packet containing the HTTP request belongs. In other words, the packet came from one of clients 50 through 53. Hence, step 202 matches packet information to group information such as that shown in Table 1, in order to determine which client and/or user on LAN 40 is sending this particular web page request packet and determine what group that machine or machine/username combination is in within database 203.” -e.g., see, col. 13, lines 52-65; see also: “… step 211 allows the request to be forwarded to the content server through network device 100. In other words, the request was for legitimate non-restricted web pages, services, or data provided by a server on WAN 45. Once the request is received by the server to which it was destined, the server begins to return the requested data in the form of a web page, a file transfer, a news group, or other data.” -e.g., see, col. 14, lines 49-59); … wherein the one or more network connection parameters are obtained from the information from the request module prior to receipt of traffic from the remote network device for each of the connections (“The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; see also: “… once a web page request is detected in a packet, in step 201, the source address of the packet in field 302 is examined. The source address may be an IP address, or a MAC address, or an address/username combination. Then, step 202 matches the source address and data with the group/source database 203 (i.e., Table 1) in order to determine the group in Table 1 to which the packet containing the HTTP request belongs.” -e.g., see, col. 13, lines 52-65; see also: “… step 211 allows the request to be forwarded to the content server through network device 100. In other words, the request was for legitimate non-restricted web pages, services, or data provided by a server on WAN 45. Once the request is received by the server to which it was destined, the server begins to return the requested data in the form of a web page, a file transfer, a news group, or other data.” -e.g., see, col. 14, lines 49-59; herein, Shannon teaches parameters (source IP/MAC, URL as action/request, port/protocol) from the client request are obtained and used to apply filtering rules in the central device prior to allowing full traffic for that connection; See also, Fig. 4 and its description). Shannon teaches request/packet-based analysis and pre-traffic filtering using pre-existing databases but Shannon doesn’t explicitly disclose wherein the grantor module is configured to configure an access control list that allows connections matching one or more network connection parameters posted by the grantor module to the database. However, in an analogous art, Lee discloses wherein the grantor module is configured to configure an access control list that allows connections matching one or more network connection parameters posted by the grantor module to the database (“… the less-restricted subset of the protected network and the restricted subset of the protected network are characterized by Virtual Local Area Networks (e.g., VLANs) defined within the access point and optionally by access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network. Different VLANs within the same access point, or within different access points, may be configured to characterize a plurality of restricted subsets and/or a plurality of less-restricted subsets within the protected network. A communication port of the access point is configured such that network traffic directed at the protected network is initially passed through a restricted VLAN rather than through a less-restricted VLAN. The restricted VLAN allows network traffic to pass to the restricted subset of the protected network and is typically restricted in the sense that it only allows access to elements of the protected network that are configured to communicate with an access device whose security characteristics are unknown or questionable. In contrast, the less-restricted VLAN allows access to the less-restricted subset of the protected network and, in typical embodiments, to elements of both the less-restricted subset and the restricted subset. For example, the restricted VLAN allows traffic to pass to a gatekeeper configured to receive requests for access to the less-restricted VLAN, and to determine if, and to what extent, access may be allowed. To grant access, the gatekeeper sends commands to the access point in order to reconfigure a communication port to which the access device is connected. The reconfiguration typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN.” -e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee teaches Central “grantor module” (e.g., gatekeeper) which extracts information, generates/uses connection parameters and actively configures/reconfigures ACLs and security means (firewall/router/switch) to permit access based on these parameters). Thus, the combination of Shannon and Lee produces the claimed system architecture with request module posting to Database, grantor extracting and posting parameters, and configuring ACLs to allow matching connections prior to traffic. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-parameter analysis and pre-traffic DB cross-referencing with Lee’s explicit gatekeeper/grantor that actively posts/configures ACLs and security means based on extracted parameter in order to solve bandwidth and precision issues in central control systems and provide “a greater level of access control” with dynamic, policy-based permitting of remote access (e.g., see, Lee’s Spec. Background and Detail Description). As to claim 2, Shannon in view of Lee discloses the system of claim 1, Although Shannon discloses request processing, Database cross-referencing, and extraction of information from request/databases, Shannon doesn’t explicitly disclose but Lee discloses wherein the grantor module further comprises instructions which when executed by the remote network device microprocessor cause the remote network device microprocessor to process the extracted information and post additional connection requirements to the database; and the request module further comprises instructions which when executed by the central network device microprocessor cause the central network device microprocessor to extract the connection requirements from the database, transmit the additional connection requirements to the central network device and establish communication between the remote network device and the central network device (“To grant access, the gatekeeper sends commands to the access point in order to reconfigure a communication port to which the access device is connected. The reconfiguration typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN.” -e.g., see, Lee: col. 3, lines col. 3, lines 24-54; see also: “GateKeeper 110 is configured to control access to Secure Network 100. In addition to authenticating users who wish to access Secure Network 100 using an Access Device 160, GateKeeper 110 is configured to ensure that Access Device 160 conforms to a predetermined security policy, before granting access to Secure Network 100. For example, GateKeeper 110 may make certain that Access Device 160 has up-to-date virus software and encryption protocols as proscribed by the security policy.” -e.g., see, col. 2, liens 41-52; herein, Lee teaches grantor module (GateKeeper) which determines/extracts additional connection/security requirements (e.g., up-to-date virus software, encryption protocols, etc.) beyond initial requirement information, generates corresponding actions/commands (effectively posting/communicating requirements) and enables the remote device (via reconfiguration) to process and establish full communication). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-analysis system by adding the additional feature of Lee in order to improve the precision and security of the connection. As to claim 3, Shannon in view of Lee discloses the system of claim 1, Shannon doesn’t explicitly disclose but Lee discloses wherein the security means is selected from the group consisting of a firewall, a router, a network switch, a network security application or combinations thereof (“… the less-restricted subset of the protected network and the restricted subset of the protected network are characterized by Virtual Local Area Networks (e.g., VLANs) defined within the access point and optionally by access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network.” - e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee recites the exact group of security means used for the reconfiguration and access permitting functions). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-analysis system by adding the additional feature of Lee in order to improve the precision and security of the connection. As to claim 4, Shannon in view of Lee discloses the system of claim 2, Lee further discloses wherein the security means is a firewall, a router, a network switch, a network security application or combinations thereof (“… the less-restricted subset of the protected network and the restricted subset of the protected network are characterized by Virtual Local Area Networks (e.g., VLANs) defined within the access point and optionally by access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network.” - e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee recites the exact group of security means used for the reconfiguration and access permitting functions). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-analysis system by adding the additional feature of Lee in order to improve the precision and security of the connection. As to claim 5, Shannon in view of Lee discloses the system of claim 1, Shannon further discloses wherein data transport within the communications networks is selected from the group consisting of connection-oriented, connectionless and combinations thereof (“The network device is responsible for controlling access by client computers to data available from server computers, when those requests are made via any one or more of a variety of protocols such as HTTP, FTP, Gopher, Telnet, WAIS, NNTP, and so forth.” -e.g., see, col. 3, lines 46-58; see also: “… these protocols use the data communication facilities provided by a standardized network layer protocol known as the Transmission Control Protocol/Internet Protocol (TCP/IP) to perform the data transactions described above.” -e.g., see, col. 1, lines 39-42). As to claim 6, Shannon in view of Lee discloses the system of claim 2, Shannon further discloses wherein data transport within the communications networks is selected from the group consisting of connection-oriented, connectionless and combinations thereof (“The network device is responsible for controlling access by client computers to data available from server computers, when those requests are made via any one or more of a variety of protocols such as HTTP, FTP, Gopher, Telnet, WAIS, NNTP, and so forth.” -e.g., see, col. 3, lines 46-58; see also: “… these protocols use the data communication facilities provided by a standardized network layer protocol known as the Transmission Control Protocol/Internet Protocol (TCP/IP) to perform the data transactions described above.” -e.g., see, col. 1, lines 39-42). As to claim 7, Shannon in view of Lee discloses the system of claim 3, Shannon further discloses wherein data transport within the communications networks is selected from the group consisting of connection-oriented, connectionless and combinations thereof (“The network device is responsible for controlling access by client computers to data available from server computers, when those requests are made via any one or more of a variety of protocols such as HTTP, FTP, Gopher, Telnet, WAIS, NNTP, and so forth.” -e.g., see, col. 3, lines 46-58; see also: “… these protocols use the data communication facilities provided by a standardized network layer protocol known as the Transmission Control Protocol/Internet Protocol (TCP/IP) to perform the data transactions described above.” -e.g., see, col. 1, lines 39-42). As to claim 8, Shannon in view of Lee discloses the system of claim 4, Shannon further discloses wherein data transport within the communications networks is selected from the group consisting of connection-oriented, connectionless and combinations thereof (“The network device is responsible for controlling access by client computers to data available from server computers, when those requests are made via any one or more of a variety of protocols such as HTTP, FTP, Gopher, Telnet, WAIS, NNTP, and so forth.” -e.g., see, col. 3, lines 46-58; see also: “… these protocols use the data communication facilities provided by a standardized network layer protocol known as the Transmission Control Protocol/Internet Protocol (TCP/IP) to perform the data transactions described above.” -e.g., see, col. 1, lines 39-42). As to claim 9, Shannon discloses a method of controlling access to applications over communications networks, the method comprising: posting information from a request module of a remote network device to a database without transforming the information from the request module (“The network device includes, typically, a data processor providing a first interface for receiving requests from clients, such as may be connected to the first network, for data stored on servers on the second network … The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 46-66; see also: “Packet 300 includes a beginning field 301 recognizable by network device 100 as the start of a packet, and an ending field 305 recognizable as the end of the packet. The source address field 302 indicates the source of the data packet, which is the network address of the client computer sending the request. Source address field 302 may contain, for example, IP and/or Media Access Control (MAC) addressing information. The destination address field 303 indicates the destination network address of a remote server computer that is to receive packet 300, and may also contain IP and/or MAC layer addressing information. The data field 304 is used to transport the data or payload of the packet from the browser application (i.e., Netscape) on the client 52 to the web server software operating on the web server 55. In the example shown, the data field 304 contains the request in the form of a full Uniform Resource Locator (URL) for a web page.” -e.g., see, col. 13, lines 1-18; herein, Shannon teaches client/remote devices send (post) packets containing unique source/address/URL/ protocol information directly to the central network device’s access control process and databases; the information is analyzed and used exactly as received in the packet fields (no transformation of the posted data is described or required)); extracting the posted information to a grantor module of a central network device (“The network device also includes an access control process coupled to the first interface. The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; herein, Shannon teaches the central network device’s access control process (grantor module equivalent) extracts and cross-references the posted request information from the databases/packet for further processing); … wherein the one or more network connection parameters are obtained from the information from the request module prior to receipt of traffic from the remote network device for each of the connections (“The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; see also: “… once a web page request is detected in a packet, in step 201, the source address of the packet in field 302 is examined. The source address may be an IP address, or a MAC address, or an address/username combination. Then, step 202 matches the source address and data with the group/source database 203 (i.e., Table 1) in order to determine the group in Table 1 to which the packet containing the HTTP request belongs.” -e.g., see, col. 13, lines 52-65; see also: “… step 211 allows the request to be forwarded to the content server through network device 100. In other words, the request was for legitimate non-restricted web pages, services, or data provided by a server on WAN 45. Once the request is received by the server to which it was destined, the server begins to return the requested data in the form of a web page, a file transfer, a news group, or other data.” -e.g., see, col. 14, lines 49-59; herein, Shannon teaches parameters (source IP/MAC, URL as action/request, port/protocol) from the client request are obtained and used to apply filtering rules in the central device prior to allowing full traffic for that connection; See also, Fig. 4 and its description); and configuring a security means of the central network device to permit access thereto by the remote network device based on the information extracted to the grantor module (“The network device also includes an access control process coupled to the first interface. The access control process analyzes data in each request from the clients and determines if the request should be forwarded to the second network for processing by a server to which it is destined. The determination to forward or not is made by cross referencing information in the request with access control data in at least one access control database, …” -e.g., see, col. 3, lines 59-66; herein, Shannon teaches access control process (e.g., central networking device) configures its security/filtering means (security means) to permit (forward) access based on the extracted/analyzed information from the grantor-equivalent process). Shannon teaches request/packet-based analysis and pre-traffic filtering using pre-existing databases but Shannon doesn’t explicitly disclose configuring an access control list that allows connections matching one or more network connection parameters posted by the grantor module to the database. However, in an analogous art, Lee discloses configuring an access control list that allows connections matching one or more network connection parameters posted by the grantor module to the database (“… the less-restricted subset of the protected network and the restricted subset of the protected network are characterized by Virtual Local Area Networks (e.g., VLANs) defined within the access point and optionally by access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network. Different VLANs within the same access point, or within different access points, may be configured to characterize a plurality of restricted subsets and/or a plurality of less-restricted subsets within the protected network. A communication port of the access point is configured such that network traffic directed at the protected network is initially passed through a restricted VLAN rather than through a less-restricted VLAN. The restricted VLAN allows network traffic to pass to the restricted subset of the protected network and is typically restricted in the sense that it only allows access to elements of the protected network that are configured to communicate with an access device whose security characteristics are unknown or questionable. In contrast, the less-restricted VLAN allows access to the less-restricted subset of the protected network and, in typical embodiments, to elements of both the less-restricted subset and the restricted subset. For example, the restricted VLAN allows traffic to pass to a gatekeeper configured to receive requests for access to the less-restricted VLAN, and to determine if, and to what extent, access may be allowed. To grant access, the gatekeeper sends commands to the access point in order to reconfigure a communication port to which the access device is connected. The reconfiguration typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN.” -e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee teaches Central “grantor module” (e.g., gatekeeper) which extracts information, generates/uses connection parameters and actively configures/reconfigures ACLs and security means (firewall/router/switch) to permit access based on these parameters). Thus, the combination of Shannon and Lee produces the claimed system architecture with request module posting to Database, grantor extracting and posting parameters, and configuring ACLs to allow matching connections prior to traffic. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-parameter analysis and pre-traffic DB cross-referencing with Lee’s explicit gatekeeper/grantor that actively posts/configures ACLs and security means based on extracted parameter in order to solve bandwidth and precision issues in central control systems and provide “a greater level of access control” with dynamic, policy-based permitting of remote access (e.g., see, Lee’s Spec. Background and Detail Description). As to claim 10, it is rejected using the similar rationale as for the rejection of claim 3. As to claim 12, it is rejected using the similar rationale as for the rejection of claim 5. As to claim 13, it is rejected using the similar rationale as for the rejection of claim 2, As to claim 14, it is rejected using the similar rationale as for the rejection of claim 5. As to claim 15, Shannon in view of Lee discloses the method of claim 14, Lee further discloses wherein the security rules are firewall rules (“… access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network.” - e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee explicitly uses firewall rules/ACLs as the security rules). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-analysis system by adding the additional feature of Lee in order to improve the precision and security of the connection. As to claim 17, Shannon in view of Lee discloses the system of claim 1, Shannon further discloses wherein the one or more selection parameters are selected from a group comprising-media access control (MAC) address, an X.509 certificate, a hash code, an action request, a source IP address, a source port identifier, or a source protocol (“The source address field 302 indicates the source of the data packet, which is the network address of the client computer sending the request. Source address field 302 may contain, for example, IP and/or Media Access Control (MAC) addressing information.” -e.g., see, col. 13, lines 1-18). As to claim 18, Shannon in view of Lee discloses the system of claim 1, Lee further discloses wherein the grantor module is in communication with an intermediate network device, where the intermediate network device, in response to a signal from the grantor module, performs a switching action in response to instructions transmitted from the grantor module to the intermediate network device such that a device external to the central network device may configure firewall rules or equivalent security features of the central network device to allow connections to be established between the networking application and the central networking application (“… the less-restricted subset of the protected network and the restricted subset of the protected network are characterized by Virtual Local Area Networks (e.g., VLANs) defined within the access point and optionally by access control lists (ACL) of a router, firewall, or switch situated between the VLAN and the protected network. … the restricted VLAN allows traffic to pass to a gatekeeper configured to receive requests for access to the less-restricted VLAN, and to determine if, and to what extent, access may be allowed. To grant access, the gatekeeper sends commands to the access point in order to reconfigure a communication port to which the access device is connected. The reconfiguration typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN.” -e.g., see, Lee: col. 3, lines col. 3, lines 24-54; herein, Lee teaches the gatekeeper (grantor) sending instructions to an intermediate network device (access point) to perform switching/reconfiguration actions that configure firewall rules/security features). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Shannon’s request-analysis system by adding the additional feature of Lee in order to improve the precision and security of the connection. Claims 11 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Shannon in view of Lee as applied to claims 1 and 9 above, and further in view of Saeki (US 2004/0181469 A1). As to claim 11, Shannon in view of Lee discloses the method of claim 9, Shannon in view of Lee doesn’t explicitly disclose wherein the remote network device is permitted to access the central network device only during a fixed timeframe. However, in an analogous art, Saeki discloses wherein the remote network device is permitted to access the central network device only during a fixed timeframe (“The client system 20 stores the time to live and the authorized amount 520 that the user is allowed to spend until the expiry of the time period from the certificate 500 onto a storage medium 820 for remaining amount records.” -e.g., see, Saeki: [0043]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Shannon and Lee by adding the additional feature of Saeki in order to provide an improved security feature. As to claim 16, it is rejected using the similar rationale as for the rejection of claim 11. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. SUMAN DEBNATH Patent Examiner Art Unit 2495 /S.D/ Examiner, Art Unit 2495 /FARID HOMAYOUNMEHR/ Supervisory Patent Examiner, Art Unit 2495
Read full office action

Prosecution Timeline

Show 15 earlier events
Jun 05, 2025
Non-Final Rejection mailed — §103, §112
Aug 12, 2025
Response Filed
Oct 06, 2025
Final Rejection mailed — §103, §112
Dec 10, 2025
Response after Non-Final Action
Feb 05, 2026
Examiner Interview Summary
Feb 06, 2026
Request for Continued Examination
Feb 21, 2026
Response after Non-Final Action
Jun 16, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12670807
METHOD AND SYSTEM FOR EVALUATING INDIVIDUAL AND GROUP CYBER THREAT AWARENESS
2y 2m to grant Granted Jun 30, 2026
Patent 12665879
SECURITY GROUP RESOLUTION AT INGRESS ACROSS VIRTUAL NETWORKS
1y 8m to grant Granted Jun 23, 2026
Patent 12639732
CENTRALIZED GATEWAY SERVER FOR PROVIDING ACCESS TO SERVICES
3y 9m to grant Granted May 26, 2026
Patent 12639446
PROTECTING SOFTWARE DEVELOPMENT ENVIRONMENTS FROM MALICIOUS ACTORS
3y 8m to grant Granted May 26, 2026
Patent 12639418
COMPUTER SYSTEM, SERVICE PROCESSING METHOD, READABLE STORAGE MEDIUM, AND CHIP
3y 6m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

7-8
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+33.0%)
4y 0m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 413 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month