DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim status in the amendment received on 4/7/2026:
Claims 1, 5, 9, 13, 17 and 21 have been amended.
Claims 1-7, 9-15 and 17-22 are pending.
Response to Arguments
Applicant’s arguments have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-7, 9-15 and 17-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feyzibehnagh et al. (Pub. No.: US 20190215308 A1) in view of May et al. (Patent. No.: US 9503477 B2) and further in view of Andrews et al. (Pub. No.: US 20220200989 A1).
As to claim 1, Feyzibehnagh teaches receiving, from a client device, traffic that is to be sent over the network to an application (fig. 8, 801);
determining a security score associated with the traffic (fig. 8, 811, and fig. 9, “entropy score” teaches security score);
determining, based at least in part on the security score and based at least in part on an application-aware routing policy, a path for sending the traffic to the application (fig. 8, 813, “encrypted VPN” teaches a path, selecting between VPNs teaches an application-aware routing policy); and
causing the traffic to be sent to the application via the path (fig. 8, 813).
Feyzibehnagh does not explicitly teach receiving the policy and determining, using an identity provider service, security score based on identifier associated with the user and indicating security posture of the client device as trusted or untrusted device in the network.
However, in the same field of endeavor (computer networks) May teaches receiving an application-aware routing policy associated with a network (col. 13, lines 14-16, i.e. from a policy database 226);
determining, at least partially using an identity provider service (col. 15, lines 4-9, “Controller 306 can, in turn, be operatively coupled with a client reputation database (CRDB) 308 that stores CR scores for one or more users along with other information such as user profile, designation, work responsibilities and roles, past history, change in pattern of CR scores, category/grade, among other like information.”, i.e. CRDB teaches identity provider service), a security score associated with the traffic, the security score being based in part on an identifier associated with a user profile of a user of the client device (fig. 5, i.e. CR Score), the security score indicating a security posture of the client device (col. 2, lines 39-45, “…CR scores, also interchangeably referred to as reputation scores hereinafter, indicate a quantitative and/or qualitative measure of level of network activity that a resource, say an internal resource, does with external resources. Such activity can relate to requests that internal resource sends out to network (traffic generated) …”).
Based on Feyzibehnagh in view of May, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate receiving the policy and determining, using an identity provider service, security score based on identifier associated with the user and indicating security posture of the client device (taught by May) with routing network traffic based on associated score (taught by Feyzibehnagh) in order to allow network administrators to configure network traffic as needed and to keep track of network users and their associated scores.
Feyzibehnagh in view of May does not explicitly teach security score indicating security posture of the client device as trusted or untrusted device in the network.
However, in the same field of endeavor (computer networks) Andrews teaches security score indicating a security posture of a client device as a trusted device in the network or an untrusted device in the network (paragraph [0089], “…device risk: 1 (high level of control because of corporate owned/managed platform, known versions, security features enabled, etc.)…”).
Based on Feyzibehnagh in view of May and further in view of Andrews, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate security score indicating security posture of the client device as trusted or untrusted device in the network (taught by Andrews) with receiving the policy and determining, using an identity provider service, security score based on identifier associated with the user and indicating security posture of the client device (taught by May) with routing network traffic based on associated score (taught by Feyzibehnagh) in order to allow network administrators to configure network traffic as needed and to keep track of network users and their associated scores and in order to increase the security by considering the trust status of the client device.
As to claim 2, May further teaches wherein the security score is further based at least in part on an internet protocol (IP) address associated with the client device or access policies associated with the user profile (col. 11, lines 6-13, “(49) According to one embodiment, reputation score retrieval module 214 can be configured to retrieve client reputation (CR) score associated with a given user, wherein the client reputation (CR) score can be generated based on one or more of network level activities, interactions of users, user profiles, all or part of which can be stored in a client reputation database (CRDB) 224, which can be directly or indirectly coupled with network controller 210.”). The limitations of claim 2 are rejected in view of the analysis of claim 1 above, and the rationale to combine, as discussed in claim 1, applies here as well.
As to claim 3, Andrews further teaches security score is based at least in part on a security level of a connectivity network of the client device (paragraph [0089], “…network risk: 1 (low risk because of on premise, wired connection detected) …”). The limitations of claim 3 are rejected in view of the analysis of claim 1 above, and the rationale to combine, as discussed in claim 1, applies here as well.
As to claim 4, Feyzibehnagh teaches further comprising determining a traffic signature associated with the traffic, the traffic signature indicating one or more of a type of the client device or a traffic type, wherein determining the path for sending the traffic to the application is further based at least in part on the traffic signature associated with the traffic (paragraph [0076], “…In some embodiments, the security parameters and/or network path are selected based on characteristics of the traffic flows determined by the security device…”).
As to claim 5, Andrews further teaches a value of the security score is based at least in part on whether the client device is utilizing a private network or a public network (paragraph [0089], “…network risk: 1 (low risk because of on premise, wired connection detected) …”). The limitations of claim 5 are rejected in view of the analysis of claim 1 above, and the rationale to combine, as discussed in claim 1, applies here as well.
As to claim 6, Feyzibehnagh teaches determining that a value of the security score meets or exceeds a threshold value, wherein the path is a direct path for sending the traffic to the application (fig. 8, 813, and paragraph [0133]).
As to claim 7, Feyzibehnagh teaches determining that a value of the security score is less than a threshold value, wherein the path for sending the traffic to the application includes a cloud-delivered security service (fig. 8, 819).
As to claim 9, Feyzibehnagh further teaches a system comprising:
one or more processors (fig. 15); and one or more non-transitory computer-readable media storing instructions that, when executed, cause the one or more processors to perform operations (fig. 15). Therefore, the limitations of claim 9 are substantially similar or broader in scope to claim 1. Please refer to claim 1 above.
As to claim 10, Andrews further teaches security score is based at least in part on a security posture of the client device (paragraph [0089], “…device risk: 1 (high level of control because of corporate owned/managed platform, known versions, security features enabled, etc.)…”). The limitations of claim 10 are rejected in view of the analysis of claim 9 above, and the rationale to combine, as discussed in claim 9, applies here as well.
As to claims 11 and 13, the limitations of the claims are substantially similar to claims 3 and 5, respectively. Please refer to each respective claim above.
As to claims 12 and 14-15, the limitations of the claims are substantially similar or broader in scope to claims 4 and 6-7, respectively. Please refer to each respective claim above.
As to claim 17, Feyzibehnagh further teaches One or more non-transitory computer-readable media storing instructions that, when executed, cause one or more processors to perform operations (fig. 15). Therefore, the limitations of claim 17 are substantially similar or broader in scope to claim 1. Please refer to claim 1 above.
As to claim 18, the limitations of the claim are substantially similar to claim 10. Please refer to claim 10 above.
As to claim 19, the limitations of the claim are substantially similar to claim 3. Please refer to claim 3 above.
As to claim 20, the limitations of the claim are substantially similar or broader in scope to claim 4. Please refer to claim 4 above.
As to claim 21, the limitations of the claim are substantially similar to claim 5. Please refer to claim 5 above.
As to claim 22, the limitations of the claim are substantially similar or broader in scope to claim 6. Please refer to claim 6 above.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULKADER M ALRIYASHI whose telephone number is (313)446-6551. The examiner can normally be reached Monday - Friday, 8AM - 5PM Alt, Friday, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOON HWANG can be reached at (571)272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Abdulkader M Alriyashi/ Primary Examiner, Art Unit 2447 5/15/2026