DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The following claim(s) is/are pending in this office action: 1, 5, 8-9, 13, 16-17, 21, 23-28
The following claim(s) is/are amended: 1, 5, 8-9, 13, 16-18, 21, 23
The following claim(s) is/are cancelled: 2-4, 6-7, 10-12, 14-15, 18-20, 22
The following claim(s) is/are new: -
Claim(s) 1, 8-9, 16-17, 23-28 is/are rejected. Claims 5, 13 and 21 are objected to. This rejection is FINAL.
Response to Arguments
Applicant’s arguments filed in the amendment filed 2/9/2026 have been fully considered but are moot in view of new grounds of rejection. The reasons are set forth below.
Applicant’s Invention as Claimed
Claim Objections
Claims 5, 13 and 21 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 103
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 8-9, 16-17, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy (US Pub. 2020/0169603) in view of Shtar (US Pub. 2019/0158513) in view of Howard (US Pub. 2019/0199736) and further in view of Elsner (US Pub. 2019/0349391).
With respect to Claim 1, Badawy teaches a method of access privilege governance comprising: (paras. 5, 44-47; identity access management system allows users of a system to have identities for accessing resources of a system.)
Retrieving first identity access data and second identity access data, (Second data will be taught later. para. 54; harvester obtains identity management data such as identities.)
wherein each of the first and second identity access data comprises a plurality of identities, and for each of the identities, a listing of applications that the identity has access to and a corresponding permission level for that application; (para. 29; users have identities. Identities have entitlements. Entitlements define access to, among other things, applications.)
encoding the first identity access data as a first plurality of binary vectors; (para. 60, 63; system graphs identity data including weighing edges between identities as binary vectors.)
using the first plurality of binary vectors, determining a first distinct identity access count (para. 67; identities are clustered into peer groups where identities are strongly connected. See also Shtar, para. 94; users are clustered based on access to resources.)
and performing a first peer group analysis using the determined first k value with the k-means clustering algorithm, the first peer group analysis determining anomalies between the identities and corresponding access to the applications for the first identity access data. (A determined k value will be taught later. paras. 75-77; cluster groups are analyzed. See also Shtar, para. 111; system determines whether an access to a resource group is suspicious.)
But Badawy does not explicitly teach normalization.
Shtar, however, does teach for the first identity access data, determining a first k value, comprising a number of clusters value, for use in a k-means clustering algorithm, the determining the first k value comprising: (paras. 96, 103-106; k-means clustering with a k value. See also Badawy, para. 87; k-means clustering.)
normalizing the first distinct identity access count, wherein the normalized first distinct identity access count comprises the determined first k value; (para. 91-96; normalization of identity data for k-means clustering. Para. 96, 103; k value of 2.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of Badawy with the normalization to eliminate data noise and improve the model. (Shtar, para. 86)
But modified Badawy does not explicitly teach locality sensitive hashing.
Howard, however, does teach using min-wise independent permutations locality sensitive hashing scheme and a locality-sensitive hashing; (para. 78; MinHash locality-sensitive hashing to approximate Jaccard distance. See also Badawy, para. 63; similarity measuring using Jaccard similarity.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Badawy with the MinHash LSH scheme to approximate the Jaccard distance for similarity determination. (Howard, para. 78)
But modified Badawy does not explicitly teach wherein the first k value comprises a different value than the second k value.
Elsner, however, does teach second identity access data; (paras. 46-47, 50; LDAP for an enterprise describing the access of the enterprise according to roles. Therefore, each enterprise has different identity access data. See also para. 63-64; analysis is rerun every 7 days using data from the last 30 days, so even within the same enterprise the system will use a second identity access data once time passes.)
For the second identity access data, determining a second k value, comprising a second number of clusters value, for use in the k-means clustering algorithm, the determining the second k value comprising: encoding the second identity access data as a second plurality of binary vectors; using the second plurality of binary vectors, determining a second distinct identity count using min-wise independent permutations locality sensitive hashing scheme and the locality sensitive hashing; and normalizing the second distinct identity access count, wherein the normalized second distinct identity access count comprises the determined second k value; performing a second peer group analysis using the determined second k value with the k-means clustering algorithm, the second peer group analysis determining anomalies between the identities and corresponding access to the application for the second identity access data; wherein the first k value comprises a different value than the second k value. (These features are taught above with respect to first identity access data. paras. 46-47; LDAP for an enterprise describing the access of the enterprise according to roles. paras. 46-47, 50, 60-62; Clustering is based on LDAP. Therefore, it would have been obvious to one of ordinary skill prior to the effective filing date to apply the same technique to the similar data of second identity access data to allow for analysis of another data set. para. 63-64; analysis is rerun every 7 days using data from the last 30 days. Duplication of parts is obvious, see MPEP 2144.04. Therefore, it would have been obvious to one of ordinary skill prior to the effective filing date to apply the analysis to updated data in order to search for new anomalies.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Badawy with the different k values in order to analyze different data with an accurate clustering fit.
With respect to Claim 8, modified Badawy teaches the method of claim 1, and Badawy also teaches wherein the encoding the first identity access data as the first plurality of binary vectors comprises, for each identity, and for each possible combination of application/permission identity, a vector equals a 1 if the combination is present for that identity, and a 0 if the combination is not present for that identity. (para. 50, 54, 60; vector of entitlements for an entity. para. 29; users have identities. Identities have entitlements. Entitlements define access to, among other things, applications. para. 61; listing of identified entitlements for an identity. Examiner notes that a person of ordinary skill would conventionally assign 1 to a true and 0 to a false, but regardless the vector is binary (para. 63) and the assignment of either 1 or 0 to “present” is obvious to try.)
With respect to Claim 9, it is substantially similar to Claim 1, and is rejected in the same manner, the same art and reasoning applying. Further, Badawy also teaches a non-transitory computer readable medium having instructions stored thereon that, when executed by one or more processors, cause the processors to provide cloud based access privilege governance, the governance comprising: (para. 105; processors. para. 113; computer readable medium such as a hard drive. Para. 47; cloud based applications or services.)
With respect to Claim 16, it is substantially similar to Claim 8 and is rejected in the same manner, the same art and reasoning applying.
With respect to Claim 17, Badawy teaches a cloud infrastructure comprising: (Para. 47; cloud based applications or services. paras. 5, 44-47; identity access management system allows users of a system to have identities for accessing resources of a system.)
a database storing first identity access data and second identity access data for a plurality of identities and a plurality of applications, (Second data will be taught later. para. 51; database querying. para. 54; harvester obtains identity management data such as identities.)
wherein each of the first and second identity access data comprises a plurality of identities, and for each of the identities, a listing of applications that the identity has access to and a corresponding permission level for that application; (para. 29; users have identities. Identities have entitlements. Entitlements define access to, among other things, applications.)
an access privilege governance server coupled to the database, (para. 51; servers)
encoding the first identity access data as a first plurality of binary vectors; (para. 63; system graphs identity data including weighing edges between identities as binary vectors.)
using the first plurality of binary vectors, determining a first distinct identity access count (para. 67; identities are clustered into peer groups where identities are strongly connected. See also Shtar, para. 94; users are clustered based on access to resources.)
and performing a first peer group analysis using the determined first k value with the k-means clustering algorithm, the first peer group analysis determining anomalies between the identities and corresponding access to the applications for the first identity access data; (A determined k value will be taught later. paras. 75-77; cluster groups are analyzed. See also Shtar, para. 111; system determines whether an access to a resource group is suspicious.)
But Badawy does not explicitly teach normalization.
Shtar, however, does teach the access privilege governance server determining access profile anomalies comprising: (para. 111; system determines whether access to a resource is suspicious)
For the first identity access data, determining a first k value, comprising a first number of clusters value, for use in a k-means clustering algorithm, the determining the first k value comprising: (paras. 96, 103-106; k-means clustering with a k value. See also Badawy, para. 87; k-means clustering.)
normalizing the first distinct identity access count, wherein the normalized first distinct identity access count comprises the determined first k value; (para. 91-96; normalization of identity data for k-means clustering. Para. 96, 103; k value of 2.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the infrastructure of Badawy with the normalization to eliminate data noise and improve the model. (Shtar, para. 86)
But modified Badawy does not explicitly teach locality sensitive hashing.
Howard, however, does teach using min-wise independent permutations locality sensitive hashing scheme and a locality-sensitive hashing; (para. 78; MinHash locality-sensitive hashing to approximate Jaccard distance. See also Badawy, para. 63; similarity measuring using Jaccard similarity.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the infrastructure of modified Badawy with the MinHash LSH scheme to approximate the Jaccard distance for similarity determination. (Howard, para. 78)
But modified Badawy does not explicitly teach wherein the first k value comprises a different value than the second k value.
Elsner, however, does teach second identity access data; (paras. 46-47, 50; LDAP for an enterprise describing the access of the enterprise according to roles. Therefore, each enterprise has different identity access data. See also para. 63-64; analysis is rerun every 7 days using data from the last 30 days, so even within the same enterprise the system will use a second identity access data once time passes.)
For the second identity access data, determining a second k value, comprising a second number of clusters value, for use in the k-means clustering algorithm, the determining the second k value comprising: encoding the second identity access data as a second plurality of binary vectors; using the second plurality of binary vectors, determining a second distinct identity count using min-wise independent permutations locality sensitive hashing scheme and the locality sensitive hashing; and normalizing the second distinct identity access count, wherein the normalized second distinct identity access count comprises the determined second k value; performing a second peer group analysis using the determined second k value with the k-means clustering algorithm, the second peer group analysis determining anomalies between the identities and corresponding access to the application for the second identity access data; wherein the first k value comprises a different value than the second k value. (These features are taught above with respect to first identity access data. paras. 46-47; LDAP for an enterprise describing the access of the enterprise according to roles. paras. 46-47, 50, 60-62; Clustering is based on LDAP. Therefore, it would have been obvious to one of ordinary skill prior to the effective filing date to apply the same technique to the similar data of second identity access data to allow for analysis of another data set. para. 63-64; analysis is rerun every 7 days using data from the last 30 days. Duplication of parts is obvious, see MPEP 2144.04. Therefore, it would have been obvious to one of ordinary skill prior to the effective filing date to apply the analysis to updated data in order to search for new anomalies.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the infrastructure of modified Badawy with the different k values in order to analyze different data with an accurate clustering fit.
With respect to Claim 23, it is substantially similar to Claim 8 and is rejected in the same manner, the same art and reasoning applying.
Claims 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy (US Pub. 2020/0169603) in view of Shtar (US Pub. 2019/0158513), in view of Howard (US Pub. 2019/0199736), in view of Elsner (US Pub. 2019/0349391) and further in view of Brar (US Pub. 2021/0377166).
With respect to Claim 24, modified Badawy teaches the method of Claim 1, but does not explicitly teach a LPG in a VCN.
Brar, however, does teach further comprising using a cloud infrastructure for access privilege governance, the cloud infrastructure comprising a first virtual cloud network (VCN) comprising a local peering gateway (LPG) communicatively coupled to a secure shell (SSH) VCN via the LPG; wherein the LPG is contained in a control plane VCN and the SSH VCN is communicatively coupled to a data plane VCN. (Access privilege governance was taught above. Fig. 16, Paras. 192-193; VCN includes a LPG coupled to a SSH VCN. The LPG is in the control plane and the SSH VCN is coupled to a data plane VCN.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Badawy with the LPG in a VCN in order to provide infrastructure as a service. (Brar, para. 38-40, 192)
With respect to Claim 25, it is substantially similar to Claim 24 and is rejected in the same manner, the same art and reasoning applying.
Claims 26-28 are rejected under 35 U.S.C. 103 as being unpatentable over Badawy (US Pub. 2020/0169603) in view of Shtar (US Pub. 2019/0158513), in view of Howard (US Pub. 2019/0199736), in view of Elsner (US Pub. 2019/0349391) and further in view of Al-Serw (Al-Serw, Nour, “K-Means: The maths behind it, how it works and an example” available at https://nouralserw.medium.com/k-means-the-maths-behind-it-how-it-works-and-an-example-67fdcfcb80f0, 4/11/2022).
With respect to Claim 26, modified Badawy teaches the method of Claim 1, and Shtar also teaches k-means clustering (paras. 96, 103-106; k-means clustering with a k value. See also Badawy, para. 87; k-means clustering.)
The same motivation to combine as the independent claim applies here.
However, modified Badawy does not explicitly teach recalculating a mean.
Al-Serw, however, does teach wherein the k-means clustering algorithm comprises: assigning each observation to a cluster with a nearest mean; and recalculating a mean for observations assigned to each cluster. (Examiner notes that Shtar and Badawy previously taught k-means clustering, and therefore they teach this limitation through inherency. Regardless, Examiner cites Al-Serw, pgs. 3-4, Steps 3-4; In k-means clustering each data point is assigned to the cluster with the closest centroid, and then the centroids are re-averaged.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Badawy with the recalculating a mean in order to perform k-means clustering.
With respect to Claims 27-28, they are substantially similar to Claim 26 and are rejected in the same manner, the same art and reasoning applying.
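The claimed pipeline as the action lays it out for Claim 1 and Claim 8 (one binary column per application/permission combination, a distinct identity access count from min-wise independent permutations with LSH banding, a normalized count used as k) together with the Claim 26 k-means steps (assign to the nearest mean, recalculate the means), as an added worked example; this is not code from the application or from any cited reference. The sample identities, the clamp used as the normalization, the deterministic k-means start and the outlier rule (a grant held by fewer than half of the identity's cluster, or every grant of an identity with no peers) are assumptions, and the second, smaller data set yields a different k than the first.

```python
import random
from collections import Counter

# Constructed sample: identity -> set of (application, permission) entitlements.
ENG = {("git", "write"), ("ci", "read"), ("jira", "write")}
SALES = {("crm", "write"), ("quotes", "write"), ("jira", "read")}
FIN = {("ledger", "write"), ("payroll", "read")}
ACCESS_DATA = {"eng1": ENG, "eng2": ENG, "eng3": ENG, "sales1": SALES,
               "sales2": SALES, "sales3": SALES, "fin1": FIN, "fin2": FIN,
               # engineering profile plus an admin grant no engineering peer holds
               "contractor": ENG | {("payroll", "admin")}}
P = 2_147_483_647  # prime above any feature index, so (a*x + b) % P permutes them

def encode_binary_vectors(access_data):
    """Claim-8 style encoding: one column per (application, permission) pair."""
    features = sorted({c for combos in access_data.values() for c in combos})
    return features, {ident: [1 if f in combos else 0 for f in features]
                      for ident, combos in access_data.items()}

def minhash_signature(vector, perms):
    """Min-wise independent permutations applied to the indices of the set bits."""
    on = [i for i, bit in enumerate(vector) if bit]
    return [min(((a * i + b) % P for i in on), default=P) for a, b in perms]

def distinct_access_count(vectors, rows=128, band_rows=4, seed=7):
    """LSH banding: identities sharing any signature band are one access pattern."""
    rng = random.Random(seed)
    perms = [(rng.randrange(1, P), rng.randrange(P)) for _ in range(rows)]
    parent = {ident: ident for ident in vectors}  # union-find over identities

    def find(x):
        return x if parent[x] == x else find(parent[x])

    buckets = {}
    for ident, vec in vectors.items():
        sig = minhash_signature(vec, perms)
        for b in range(0, rows, band_rows):
            other = buckets.setdefault((b, tuple(sig[b:b + band_rows])), ident)
            parent[find(ident)] = find(other)  # no-op when ident is its own bucket
    return len({find(i) for i in vectors})

def normalize_k(distinct_count, n_identities):
    """Assumed normalization (the action states none): clamp into [2, n // 2]."""
    return max(2, min(distinct_count, max(2, n_identities // 2)))

def kmeans(vectors, k, max_iter=100):
    """Claim-26 steps: assign to the nearest mean, recompute means, repeat."""
    ids, means = list(vectors), []
    for v in ([float(x) for x in vectors[i]] for i in ids):
        if v not in means and len(means) < k:  # deterministic start: first k distinct
            means.append(v)
    sqdist = lambda u, w: sum((a - b) ** 2 for a, b in zip(u, w))
    assign = {}
    for _ in range(max_iter):
        new = {i: min(range(len(means)), key=lambda c: sqdist(vectors[i], means[c]))
               for i in ids}
        if new == assign:
            break
        assign = new
        for c in range(len(means)):
            members = [vectors[i] for i in ids if assign[i] == c]
            if members:
                means[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign, means

def peer_group_analysis(access_data):
    """Full pipeline: returns the determined k and each flagged identity's odd grants."""
    features, vectors = encode_binary_vectors(access_data)
    k = normalize_k(distinct_access_count(vectors), len(vectors))
    assign, means = kmeans(vectors, k)
    sizes = Counter(assign.values())
    anomalies = {}
    for ident, c in assign.items():
        peerless = sizes[c] == 1  # an identity with no peers is flagged in full
        odd = [features[j] for j, bit in enumerate(vectors[ident])
               if bit and (peerless or means[c][j] < 0.5)]
        if odd:
            anomalies[ident] = odd
    return {"k": k, "anomalies": anomalies}
```

Because each (a*x + b) % P is a true permutation of the feature indices, identical entitlement sets always share every band and disjoint sets never share one, so only partially overlapping identities (here the contractor) depend on the hash draw.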
Remarks
Applicant argued in the recent interview (see Examiner Interview Summary 2/6/2026) that the previously cited prior art references simply identified a fixed k-value, whereas the instant invention is capable of dynamically determining a k-value. Applicant now amends to change actions that were directed to “identity access data” to “first identity access data” and “second identity access data” and then performs the same steps with respect to the second identity access data as the first. The only distinction is that “the first k value comprises a different value than the second k value.” Applicant argues at Remarks, pgs. 12-13 that Shtar fails to disclose determining a potentially different k value for each peer group analysis.
Examiner questions whether this needs a new teaching. Duplication of parts is not a patentable act, see MPEP 2144.04. Further, motivations are rarely unique when applied to generic items, i.e., one has the same motivation to analyze different or “second” identity access data that one had to analyze the first identity access data. Therefore, the claims would only be nonobvious if a person of ordinary skill believed that the k-value must remain constant regardless of what the underlying data is. Examiner thinks a person of ordinary skill applying k-means analysis would not believe that to be the case. The record, for its part, includes Shtar which explicitly states “[B]lock 360 includes clustering all of the determined distances using a clustering algorithm (e.g., k-means clustering with a k value of 2) to identify the distance threshold value…distances between all pairs of clusters can be calculated and fed into the k-means algorithm (or one of the many variants thereof) using k=2, indicating that the distances are to be clustered into two cluster. As a result, the k-means clustering algorithm will assign each distance into one of the two groups.” (Shtar, paras. 103-104) Examiner thinks the usage of the term “k value” and identifying that k=2 at a minimum suggests that different k values can be selected.
Examiner stated in the interview that the word “dynamically” is somewhat problematic from both an obviousness and indefiniteness standpoint, because “dynamic” is usually used to place some sort of undefined artificial temporal cutoff, with things happening before the boundary being “static” or “preexisting” while things happening after the cutoff being “dynamic.” Applicant’s argument at Remarks, pgs. 12-13 evidences this problem – Applicant outright admits that “examples of k-means clustering in Shtar all use a predefined k value, such as 2.” (pg. 12) But Examiner could just as easily call this a “dynamic” determination of k values that end up as 2, because there is no identifiable boundary of when a determination transitions from “predefined” to “dynamic.” Regardless, the instant claims do not use the word “dynamic” and the only thing the claims require is determining a first and second k-value, where the same steps are applied in the first and second determinations other than the second determination involving “second identity access data” rather than “first identity access data.” Examiner asserts the existence of a k-value as a variable or stating “k=2” suggests “determining a different k value for each peer group analysis.”
Therefore the argument that Shtar fails to disclose determining a potentially different k value for each peer group analysis is really a statement that Shtar does not explicitly provide multiple examples for multiple datasets, not a statement that a person of ordinary skill after reading Shtar would find determining different k-values for different data sets to be a nonobvious act.
However, to answer Applicant’s concern and to supplement the record as to the knowledge in the art, Examiner will cite Elsner. Elsner discloses two relevant features – First, Elsner teaches clustering into n clusters “typically, the total number of LDAP groups” using a Gaussian Mixture Model, but allows for K-Means as an alternative to GMM. (Elsner, paras. 60-62) The LDAP groups are functions of the user registry of the enterprise. (paras. 46-47, 50) Consequently, application of the technique to multiple enterprises would result in using first and second identity access data and would commonly result in different k-means clustering values because different organizations would have different groupings (see, e.g., para. 65; engineering user group and sales user group). Second, Elsner teaches reassessing the model every seven days (para. 63) using updated data, which would result in a new number of clusters. This only makes common sense, as even within a given enterprise the nature of the enterprise may change such that new departments are added or people within a given department may be given different responsibilities, which results in different access patterns. A person of ordinary skill after reading Elsner would have recognized that the number of groupings which accurately circumscribe non-anomalous accesses of data would be dependent upon the data describing the conventional access acts of the enterprise.
Turning to the binary vector issue, Applicant argues at Remarks, pgs. 11-12 that Badawy fails to disclose encoding identity access data as a plurality of binary vectors. Applicant points to Badawy, para. 39, but fails to discuss the actual citation which was to paras. 60, 63. Para. 63 explicitly uses the term “entitlement binary vectors” and Applicant does not explain how “entitlement binary vectors” does not suggest encoding identity access data (wherein the identity access data comprises a listing of applications that the identity has access to) as a plurality of binary vectors.
Examiner maintains the rejection to the claims that require determining a k-value in order to perform peer group analysis, which Examiner asserts that now three cited references teach. Examiner continues to object to Claim 5 and similar claims, which ties particular k-values to particular identity access accounts while the specification asserts that “[t]he normalization in accordance to embodiments provides unexpected results as performance improves while the accuracy remains the same or nearly the same as using non-normalized, much higher cluster counts.” (Spec, para. 45)
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205. The examiner can normally be reached on M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NICHOLAS P CELANI/Examiner, Art Unit 2449