DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see page(s) 7, filed 4/3/2026, with respect to the rejection of claim(s) 17-19 under 35 USC 112(b) have been fully considered and are persuasive. The associated rejection(s) to the listed claim(s) has/have been withdrawn.
Applicant’s arguments, see page(s) 8, filed 4/3/2026, with respect to the rejection of claim(s) 17-19 under 35 USC 101 have been fully considered and are persuasive. The associated rejection(s) to the listed claim(s) has/have been withdrawn.
Applicant’s arguments, see pages 8-10, filed 4/3/2026, with respect to the rejection of claims 1-20 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of WALKER et al (Doc ID US 20110167470 A1) and KULKARNI et al (Doc ID US 8533841 B2).
Claim Objections
Claim(s) 14 is/are objected to because of the following informalities:
Regarding claim 14:
The portion of the claim reciting, “… wherein to determine the classification, the processing device is to determine the classification the device based on traffic information …” should be corrected to, “… wherein the processing device is to determine the classification of the device based on traffic information …”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claim(s) 16-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Regarding claim(s) 16:
Claim 16 recites, “… aggregating results of the compliance scan across the set of compliance rules …”. The claims are indefinite because “the compliance scan” lacks antecedent basis. No instance of a compliance scan has been previously recited in the claim. This is likely a clerical error considering the similar amendments to the other independent claims. This rejection can be overcome by amending the claim(s) such that it recites performing a compliance scan as recited in independent claims 1 and 11.
Regarding claims 17-20:
They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS. — Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claim(s) 8 is/are rejected under 35 U.S.C. 112(d) as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Regarding claim(s) 8:
The claim(s) fails to further limit the depended-on claim. Specifically, claim 8 recites, “… the compliance rule is associated with a weight and the compliance level is based on the weight.” This limitation does not further limit parent claim(s) 1, which recites, “… wherein each compliance rule of the set of compliance rules is associated with a respective weight;” and “… determining a compliance level of the device … accordance with the respective weight associated with each compliance rule;”. Examiner notes this is likely a clerical error resulting from the amendment to the parent claim.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 9-11, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2), and further in view of WALKER et al (Doc ID US 20110167470 A1).
Regarding claim 1:
KULKARNI teaches:
wherein each compliance rule of the set of compliance rules is associated with a respective weight ((19) Col 5 lines 37-39 "As illustrated in FIG. 3, Rule 1 can have a weight of 60, while Rule 12 can possess a weight of 40, for example.");
performing, by the processing device, a compliance scan on the device based on the set of compliance rules ((18) Col 5 lines 13-17 "... Such compliance scoring component 220 can then examine associated logic of the rules involved ..., and generate a report of the compliance score. For example, if the score represents 100% the machine is fully compliant with the security policy.");
determining a compliance level of the device based on aggregating results of the compliance scan across the set of compliance rules in accordance with the respective weight associated with each compliance rule ((20) Col 5 lines 40-43 [0085] "... a benchmark can be defined as a collection of security rules and can be scored for compliance based on weights of rules that evaluate to true. ..."); and
WALKER teaches the following limitation(s) not taught by KULKARNI:
A method, performed by a processing device of a compliance monitoring device, comprising: determining, by the processing device, a classification of a device ([0096] "... Common policy specifications can be specific to a particular device, to all devices in a particular group, to a particular device type or device OS (e.g. Windows Mobile.TM. OS, BlackBerry Storm.TM., or Symbian.TM. OS), or to any combination of these.");
Examiner notes that the reference does not recite a specific step of determining a device classification; it proceeds to choose sets of policies directed to the same device classifications, which makes the step of determining the classification implicit.
accessing a set of compliance rules that are associated with the classification of the device ([0096] "... Common policy specifications can be specific to a particular device, to all devices in a particular group, to a particular device type or device OS (e.g. Windows Mobile.TM. OS, BlackBerry Storm.TM., or Symbian.TM. OS), or to any combination of these.")
initiating an action based on the compliance level for the device, including initiating a patch service associated with the device, initiating an update service associated with the device, or changing network access of the device ([0078] "... Such interception and processing can be done ... to bring a mobile device 2011-2014 into compliance with required policies, to block mobile device 2011-2014 access to applications servers 2020-2022 when the mobile device 2011-2014 is not in compliance with required policies ...").
Assigning weights to compliance rules, performing a compliance scan based on the rules, and determining a device’s compliance level based on the rules are known techniques in the art, as demonstrated by KULKARNI. Further, classifying a device, applying compliance rules associated with the classification, and taking an action on the device based on its compliance with the rules are known techniques in the art, as demonstrated by WALKER. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the weighted rules and compliance scan of KULKARNI with the device classification and compliance actions of WALKER with the motivation to apply targeted rules based on the device to which they are being applied, and to take steps to bring a device into compliance or to prevent a device not in compliance from accessing resources. This makes a system without targeted rules more streamlined.
Regarding claim 9:
The combination of KULKARNI and WALKER teaches:
The method of claim 1, wherein the classification indicates an operating system of the device (WALKER [0096] "... Common policy specifications can be specific to a particular device, to all devices in a particular group, to a particular device type or device OS (e.g. Windows Mobile.TM. OS, BlackBerry Storm.TM., or Symbian.TM. OS), or to any combination of these.").
Classifying a device by its operating system (OS) is a known technique in the art, as demonstrated by WALKER. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the OS classification of WALKER with the motivation to apply compliance rules which allow or prohibit devices depending on their OS, so that devices using an unsupported or unsecure OS can be prevented from accessing resources.
Regarding claim 10:
The combination of KULKARNI and WALKER teaches:
The method of claim 1, wherein the classification indicates a functionality of the device (WALKER [0096] "... Common policy specifications can be specific to a particular device, to all devices in a particular group, to a particular device type or device OS (e.g. Windows Mobile.TM. OS, BlackBerry Storm.TM., or Symbian.TM. OS), or to any combination of these.").
Classifying a device by its function is a known technique in the art, as demonstrated by WALKER. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the functionality classification of WALKER with the motivation to apply compliance rules which allow or prohibit devices depending on their functionality, so that devices meant for undesired purposes can be prevented or restricted from accessing resources.
Regarding claim 11:
KULKARNI teaches:
A system comprising: a memory; and a processing device of a compliance monitoring system, operatively coupled to the memory, to ((41) Col 9 lines 46-50 "The computer 1012 includes a processing unit 1014, a system memory 1016, and a system bus 1018. The system bus 1018 couples ... the system memory 1016 to the processing unit 1014."):
The remainder of this claim’s limitations are rejected with the same prior art mapping and justification, mutatis mutandis, as its counterpart claim 1.
Regarding claim 16:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claims 1 and 11 above.
Claims 2, 5, 7, 8, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2) and WALKER et al (Doc ID US 20110167470 A1) as applied to claims 1 and 11 above, and further in view of KOHLI et al (Doc ID US 20120102543 A1).
Regarding claim 2:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
KOHLI teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein the compliance scan of the device is performed periodically ([0080] "The audit management system, for example, allows the user to specify a specific schedule start date and end date and time, a recurring schedule … etc.").
Scanning a device for compliance on a periodic schedule is a known technique in the art, as demonstrated by KOHLI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the scanning schedule of KOHLI with the motivation to ensure that devices are regularly scanned so that changes to a device which bring it out of compliance are discovered.
Regarding claim 5:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
KOHLI teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
further comprising: performing another compliance scan of the device based on a security policy ([0080] "The audit management system, for example, allows the user to specify a specific schedule start date and end date and time, a recurring schedule … etc.").
Scanning a device for compliance based on a policy is a known technique in the art, as demonstrated by KOHLI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the scanning schedule of KOHLI with the motivation to grant the user the ability to have scans performed for any reason, including adherence to a policy.
Regarding claim 7:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
KOHLI teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein the compliance scan of the device is performed automatically according to a security policy ([0080] "… the audit management system allows the process of auditing to be triggered through … an event driven scheduling, etc.").
Scanning a device for compliance based on a policy is a known technique in the art, as demonstrated by KOHLI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the scanning schedule of KOHLI with the motivation to grant the user the ability to have scans performed for any reason, including adherence to a policy.
Regarding claim 8:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
KOHLI teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein the compliance rule is associated with a weight and the compliance level is based on the weight ([0191] "... Determining risk and providing recommendations ... allows the user 702 to associate a ... priority rating and weighting for each compliance policy.").
Regarding claim 12:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 2 above.
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2) and WALKER et al (Doc ID US 20110167470 A1) as applied to claims 1 and 11 above, and further in view of KEOHANE et al (Doc ID US 20090077631 A1).
Regarding claim 3:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
KEOHANE teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein determining the classification of the device is based on a media access control (MAC) address of the device ([0049] "… process 500 may determine the type of device using a media access control (MAC) address of the device.").
Determining a device type based on its MAC address is a known technique in the art, as demonstrated by KEOHANE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the MAC address categorization of KEOHANE with the motivation to use a well-known standard which is present on nearly every device which is able to connect to a network.
Regarding claim 13:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 3 above.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2) and WALKER et al (Doc ID US 20110167470 A1) as applied to claims 1 and 11 above, and further in view of GUPTA et al (Doc ID US 20160359915 A1).
Regarding claim 4:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
GUPTA teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein determining the classification of the device is based on traffic information associated with the device ([0050] "… Using network traffic data …, the network traffic monitoring system can determine the type of devices existing in the network …").
Identifying a network device based on its network traffic is a known technique in the art, as demonstrated by GUPTA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the network device identification of GUPTA with the motivation to provide the system with a simple way to identify devices which are active on a network.
Regarding claim 14:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 4 above.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2) and WALKER et al (Doc ID US 20110167470 A1) as applied to claim 1 above, and further in view of WIEGLAND et al (Doc ID US 20070055752 A1).
Regarding claim 6:
The combination of KULKARNI and WALKER teaches:
The method of claim 1,
WIEGLAND teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein performing the compliance scan is performed in response to detecting the device being communicatively coupled to the network ([0031] "… device 110 may provide an indication of a desire to connect to destination network 170.", [0035] "In stage 204, communication device 110 connects first to compliance network 150.", and [0036] "In stage 206, compliance network 150 checks if communication device 110 is sufficiently in compliance with the up-to-date policies of destination network 170.").
Performing a compliance scan on a device that is newly connected to a network is a known technique in the art, as demonstrated by WIEGLAND. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the new device compliance scan of WIEGLAND with the motivation to ensure that new devices are scanned immediately to prevent access by device with unsafe configurations.
Claims 15, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2) and WALKER et al (Doc ID US 20110167470 A1) as applied to claims 11 and 16 above, and further in view of TARAZ (Doc ID US 20070124803 A1).
Regarding claim 15:
The combination of KULKARNI and WALKER teaches:
The system of claim 11,
TARAZ teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein the action is initiated based on a comparison of the compliance level of the device with a threshold ([0028] "Once a compliance score and authorization level have been determined, .... The policy server may base the network access decision on the score by determining whether the attaching device meets or exceeds the minimum standard level …").
Comparing a compliance score to a threshold to determine a follow-on action is a known technique in the art, as demonstrated by TARAZ. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the compliance score threshold of TARAZ with the motivation to withhold actions taken against devices which may be non-compliant, but not to a degree requiring immediate action.
Regarding claim 17:
The combination of KULKARNI and WALKER teaches:
The non-transitory computer readable medium of claim 16,
TARAZ teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein changing the network access of the device comprises, in response to the compliance level for the device being above a threshold, granting full network access to the device ([0028] "The policy server may base the network access decision on the score by determining whether the attaching device meets or exceeds the minimum standard .... The result of this comparison will govern whether the user is granted ... full/unrestricted network access ...").
Granting full network access to a device as an action taken in response to a compliance scan is a known technique in the art, as demonstrated by TARAZ. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the full network access of TARAZ with the motivation to control the access levels of devices based on their compliance with policies. It is obvious to grant full access to a device which has achieved full compliance with applied policies.
Regarding claim 20:
The combination of KULKARNI and WALKER teaches:
The non-transitory computer readable medium of claim 16,
TARAZ teaches the following limitation(s) not taught by the combination of KULKARNI and WALKER:
wherein changing the network access of the device comprises, in response to the compliance level for the device being below a threshold, granting limited network access to the device ([0028] "The policy server may base the network access decision on the score by determining whether the attaching device meets or exceeds the minimum standard .... The result of this comparison will govern whether the user is granted ... limited network access ...").
Restricting network access to a device as an action taken in response to a compliance scan is a known technique in the art, as demonstrated by TARAZ. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI and WALKER with the restricted network access of TARAZ with the motivation to control the access levels of devices based on their compliance with policies. It is obvious to restrict access to a device which has not achieved full compliance with applied policies.
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2), WALKER et al (Doc ID US 20110167470 A1), and TARAZ (Doc ID US 20070124803 A1) as applied to claim 17 above, and further in view of KOHLI et al (Doc ID US 20120102543 A1).
Regarding claim 18:
The combination of KULKARNI, WALKER, and TARAZ teaches:
The non-transitory computer readable medium of claim 17,
KOHLI teaches the following limitation(s) not taught by the combination of KULKARNI, WALKER, and TARAZ:
wherein the compliance scan of the device is performed periodically ([0080] "The audit management system, for example, allows the user to specify a specific schedule start date and end date and time, a recurring schedule … etc.").
Scanning a device for compliance on a periodic schedule is a known technique in the art, as demonstrated by KOHLI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI, WALKER, and TARAZ with the scanning schedule of KOHLI with the motivation to ensure that devices are regularly scanned so that changes to a device which bring it out of compliance are discovered.
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over KULKARNI et al (Doc ID US 8533841 B2), WALKER et al (Doc ID US 20110167470 A1), TARAZ (Doc ID US 20070124803 A1), and KOHLI et al (Doc ID US 20120102543 A1) as applied to claim 18 above, and further in view of KEOHANE et al (Doc ID US 20090077631 A1).
Regarding claim 19:
The combination of KULKARNI, WALKER, TARAZ, and KOHLI teaches:
The non-transitory computer readable medium of claim 18,
KEOHANE teaches the following limitation(s) not taught by the combination of KULKARNI, WALKER, TARAZ, and KOHLI:
wherein determining the classification of the device is based on a media access control (MAC) address of the device ([0049] "… process 500 may determine the type of device using a media access control (MAC) address of the device.").
Determining a device type based on its MAC address is a known technique in the art, as demonstrated by KEOHANE. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the weighted compliance scan and remedial actions for classified devices of KULKARNI, WALKER, TARAZ, and KOHLI with the MAC address categorization of KEOHANE with the motivation to use a well-known standard which is present on nearly every device which is able to connect to a network.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BB/Examiner, Art Unit 2437
/ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437
Prosecution Insights