DETAILED ACTION
This application has been examined. Claims 1-7,15-20 are pending. Claims 8-14 are cancelled.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/14/2025 has been entered.
Response to Arguments
Applicant's arguments filed 11/14/2025 have been fully considered but they are moot in view of the new grounds for rejection.
Gutesman-Mohanty-BenNoon disclosed (re. Claim 1) generate, via an artificial intelligence model, a plurality of potential malfeasant approval combinations, (BenNoon-Paragraph 71, Values for U-CRP(n) components may include risk estimates values, optionally derived from U-KPI(n) components values, for at least one or any combination of more than one of: careless permissions management; or risk estimate for user abusing privilege to MyCompany resources,Paragraph 84, Paragraph 107,An anomaly in user profile U-PRF(n) may be a change in a value for a user risk estimate ucrp.sub.n,r of the set U-CRP(n) such as a risk estimate for reckless clicking on actionable content or careless permissions management greater than a standard deviation for the estimate.) wherein at least one input to the artificial intelligence model comprises historical access data associated with a plurality of users aggregated from a plurality of channels, (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.) wherein at least one output of the artificial intelligence model comprises the plurality of potential malfeasant approval combinations, and wherein the artificial intelligence model is trained based on user input labeling of known malfeasant approval combinations (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.)
Priority
The effective date of the claims described in this application is July 7, 2023.
Information Disclosure Statement
The Applicant is respectfully reminded that each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in 37 CFR 1.56.
There were no information disclosure statements filed with this application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2,4-7,15-16,18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gutesman (USPGPUB 2016/0119380) further in view of Mohanty (US Patent 8713461) further in view of Ben-Noon (USPGPUB 2024/0045953)
Regarding Claim 1
Gutesman Paragraph 5 disclosed tools to check the permissions assigned to users by checking them against what is commonly known as the incompatibility matrices (or SoD matrices).
Gutesman Paragraph 30 disclosed wherein these matrices express conflicting actions in the business-critical application and are an input to the present embodiments. Two actions are considered to be in conflict if a user is authorized to execute both inside the same business-critical application. Conflicting actions could lead to fraudulent business activity. Avoiding fraud is the ultimate goal of the SoD analysis.
Gutesman disclosed (re. Claim 1) a system for secure network access management using a dynamic constraint specification matrix, the system comprising:
at least one non-transitory storage device containing instructions; and at least one processing device coupled to the at least one non-transitory storage device, wherein the at least one processing device, upon execution of the instructions, is configured to:
receive an application access log associated with a user of a network, wherein the application access log comprises one or more approved applications for which the user has access;(Gutesman-Paragraph 36,Paragraph 39, polling the software application and/or logs where the actions executed by users inside the software application are stored)
determine a potential malfeasance indication for the user based on the application access log, (Gutesman-Paragraph 37, verify if a potential fraud has already been committed, by detecting the execution of conflicting actions,Paragraph 39, SoD conflict detection engine 100 reads the conflict rules database 107 and the user authorization tables 102 present in every business-critical application, stored in the database systems of the application) and
wherein each of the one or more potential malfeasant approval combinations comprises two or more actions that one or more users on the network should not be authorized for access simultaneously; (Gutesman-Paragraph 30,matrices express conflicting actions in the business-critical application … Two actions are considered to be in conflict if a user is authorized to execute both inside the same business-critical application,Paragraph 131, find real SoD conflict executions, and not only improper authorization assignments. It will show whether a user is executing two parts of the same process flow in which another person should be involved, thus bypassing process controls)
and cause an execution of an investigation action, wherein the investigation action determines whether access for at least one of the first application or the second application was approved for the user.(Gutesman-Paragraph 165, facilitates the investigation to detect fraudulent actions in the period and for the user under analysis.)
While Gutesman substantially disclosed the claimed invention Gutesman does not disclose (re. Claim 1) wherein the potential malfeasance indication is based on a first application of the one or more approved applications and a second application of the one or more approved applications that correspond to one of one or more potential malfeasant approval combinations.
Mohanty Column 12 Lines 45-50 disclosed cross-application analysis to detect risk (e.g., the potential for violations of the guidelines 160) occurring across multiple business application subsystems, even though no risk may be present within one business application subsystem or another.
Mohanty disclosed (re. Claim 1) wherein the potential malfeasance indication is based on a first application of the one or more approved applications and a second application of the one or more approved applications that correspond to one of one or more potential malfeasant approval combinations.(Mohanty-Column 12 Lines 55-65, the business application manager 102 can detect issues across the subsystems 104-108… if a user can update a vendor in one subsystem and make a payment in another subsystem, the application manager 102 will discover both and then report from which role in which system the match was found.)
Gutesman and Mohanty are analogous art because they present concepts and practices regarding separation of duty and authorization enforcement. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Mohanty into Gutesman. The motivation for the said combination would have been to enable the approver to isolate which specific role or combination of roles is the cause of the segregation of duties violations.(Mohanty-Column 11 Lines 45-50)
Gutesman-Mohanty disclosed (re. Claim 1) analyze data associated with a plurality of users aggregated from a plurality of channels to generate a plurality of potential malfeasant approval combinations; (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.)
generate, using the plurality of potential malfeasant approval combinations and domain- specific knowledge of one or more analysists, a dynamic constraint specification matrix (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.)
determine, based on the user simultaneously accessing two or more applications (Mohanty-Column 12 Lines 55-65, the business application manager 102 can detect issues across the subsystems 104-108… if a user can update a vendor in one subsystem and make a payment in another subsystem, the application manager 102 will discover both and then report from which role in which system the match was found.) of the one or more approved applications that correspond to a potential malfeasant approval combination of the dynamic constraint specification matrix, a potential malfeasance indication for the user based on the application access log (Gutesman-Paragraph 37, verify if a potential fraud has already been committed, by detecting the execution of conflicting actions,Paragraph 39, SoD conflict detection engine 100 reads the conflict rules database 107 and the user authorization tables 102 present in every business-critical application, stored in the database systems of the application)
cause an execution of an investigation action, wherein the investigation action determines whether access for at least one of the first application or the second application was approved for the user.(Gutesman-Paragraph 165, facilitates the investigation to detect fraudulent actions in the period and for the user under analysis.)
While Gutesman-Mohanty substantially disclosed the claimed invention Gutesman-Mohanty does not disclose (re. Claim 1) analyze, using an artificial intelligence model, data associated with a plurality of users and
generate, using the artificial intelligence model and the potential malfeasance indication, a potential malfeasant activity confidence level; and cause, if the potential malfeasant activity confidence level is above a threshold, an execution of an investigation action.
BenNoon Paragraph 103 disclosed wherein security analytics comprises processing monitoring data to identify an anomalous event that might indicate a risk for cyber damage and/or infringement of MyCompany policy. Response to the anomalous event may comprise invoking an ICAP procedure optionally similar to ICAP 200 illustrated by flow diagram 200 in FIGS. 3A-3C to curtail user permissions and/or access to data in a resource
analyze, an artificial intelligence model, data associated with a plurality of users (BenNoon-Paragraph 78, using an artificial intelligence (AI) for example, a machine learning algorithm, such as a decision tree or clustering algorithm, or a convolutional neural network (CNN), educated by supervised and/or unsupervised learning.)
generate, using the artificial intelligence model and the potential malfeasance indication, a potential malfeasant activity confidence level; the potential malfeasant activity confidence level is above a threshold.(BenNoon-Paragraph 71, Values for U-CRP(n) components may include risk estimates values, optionally derived from U-KPI(n) components values, for at least one or any combination of more than one of: careless permissions management; or risk estimate for user abusing privilege to MyCompany resources,Paragraph 84, Paragraph 107,An anomaly in user profile U-PRF(n) may be a change in a value for a user risk estimate ucrp.sub.n,r of the set U-CRP(n) such as a risk estimate for reckless clicking on actionable content or careless permissions management greater than a standard deviation for the estimate.)
Gutesman and BenNoon are analogous art because they present concepts and practices regarding separation of duty and authorization enforcement. Before the time of the effective filing date of the claimed invention it would have been obvious to combine BenNoon into Gutesman. The motivation for the said combination would have been to implement a high resolution observation (HIRO) procedure for observing activity of a user operating the UE.sub.e to interact with MyCompany resources (BenNoon-Paragraph 97)
Gutesman-Mohanty-BenNoon disclosed (re. Claim 1) generate, via an artificial intelligence model, a plurality of potential malfeasant approval combinations, (BenNoon-Paragraph 71, Values for U-CRP(n) components may include risk estimates values, optionally derived from U-KPI(n) components values, for at least one or any combination of more than one of: careless permissions management; or risk estimate for user abusing privilege to MyCompany resources,Paragraph 84, Paragraph 107,An anomaly in user profile U-PRF(n) may be a change in a value for a user risk estimate ucrp.sub.n,r of the set U-CRP(n) such as a risk estimate for reckless clicking on actionable content or careless permissions management greater than a standard deviation for the estimate.) wherein at least one input to the artificial intelligence model comprises historical access data associated with a plurality of users aggregated from a plurality of channels, (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.) wherein at least one output of the artificial intelligence model comprises the plurality of potential malfeasant approval combinations, and wherein the artificial intelligence model is trained based on user input labeling of known malfeasant approval combinations (Gutesman-Paragraph 6, permissions for every single user are extracted from the business-critical applications and then the matrices are filled. After these steps have been completed, an analyst proceeds to process the information obtained and reporting all the incompatibilities that should be fixed.)
Regarding Claim 15
Claim 15 (re. method) recites substantially similar limitations as Claim 1. Claim 15 is rejected on the same basis as Claim 1.
Regarding Claim 2,16
Gutesman-Mohanty-BenNoon disclosed (re. Claim 2,16) wherein the at least one processing device, upon execution of the instructions, is configured to determine the one or more potential malfeasant approval combinations, (Gutesman-Paragraph 30,matrices express conflicting actions in the business-critical application … Two actions are considered to be in conflict if a user is authorized to execute both inside the same business-critical application,Paragraph 131, find real SoD conflict executions, and not only improper authorization assignments. It will show whether a user is executing two parts of the same process flow in which another person should be involved, thus bypassing process controls) wherein each of the one or more potential malfeasant approval combinations comprises two or more applications that one or more users on the network should not be authorized for access simultaneously. (Mohanty-Column 12 Lines 55-65, the business application manager 102 can detect issues across the subsystems 104-108… if a user can update a vendor in one subsystem and make a payment in another subsystem, the application manager 102 will discover both and then report from which role in which system the match was found.)
Regarding Claim 4,18
Gutesman-Mohanty-BenNoon disclosed (re. Claim 4,11,18) wherein the at least one processing device, upon execution of the instructions, is configured to: receive application activity information for at least one of the first application or the second application, (Gutesman-Paragraph 36,Paragraph 39, polling the software application and/or logs where the actions executed by users inside the software application are stored) wherein the application activity information comprises one or more actions taken by an end-point device associated with the user on at least one of the first application or the second application; (Gutesman-Paragraph 48, connection properties are identified by the packet inspector 105 inspecting the IP and TCP headers of the captured packet, as shown by block 201. Once the source and destination IP addresses and ports have been extracted, the connection is uniquely identified and an entry in the connection directory 304,Paragraph 53, protocol processor 303 extracts the relevant information from the packet such as, but not limited to, the user performing the action, the action being executed, parameters to that action being executed, the host where the action takes place, and a timestamp when the action is being executed.) and determine a potential malfeasant activity based on the application activity information. (Gutesman-Paragraph 30,matrices express conflicting actions in the business-critical application … Two actions are considered to be in conflict if a user is authorized to execute both inside the same business-critical application,Paragraph 131, find real SoD conflict executions, and not only improper authorization assignments. It will show whether a user is executing two parts of the same process flow in which another person should be involved, thus bypassing process controls, Paragraph 165, facilitates the investigation to detect fraudulent actions in the period and for the user under analysis)
Regarding Claim 5
While Gutesman substantially disclosed the claimed invention Gutesman does not disclose (re. Claim 5) wherein the at least one processing device, upon execution of the instructions, is configured to determine an access change action, wherein the access change action comprises changing access for the user to at least one of the first application or the second application.
Mohanty Column 11 Lines 55-65 disclosed a computer-assisted remediation function, whereby the business application manager 102 assists a business application subsystem user (such as a role approver) in treating risks found in the analysis of operation 405. In remediation, the business application manager 102 coordinates options such as removing a requested or proposed role addition or change that caused a risk violation found in operation 405, or commencing mitigation 406, etc. After completing the selected one of these options, the resulting role change more closely satisfies the guidelines 160.
Mohanty disclosed (re. Claim 5) wherein the at least one processing device, upon execution of the instructions, is configured to determine an access change action, wherein the access change action comprises changing access for the user to at least one of the first application or the second application.(Mohanty-Column 11 Lines 55-65, computer-assisted remediation function, whereby the business application manager 102 assists a business application subsystem user (such as a role approver) in treating risks found in the analysis of operation 405. In remediation, the business application manager 102 coordinates options such as removing a requested or proposed role addition or change that caused a risk violation found in operation 405, or commencing mitigation 406, etc. After completing the selected one of these options, the resulting role change more closely satisfies the guidelines 160.)
Gutesman and Mohanty are analogous art because they present concepts and practices regarding separation of duty and authorization enforcement. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Mohanty into Gutesman. The motivation for the said combination would have been to enable the approver to isolate which specific role or combination of roles is the cause of the segregation of duties violations.(Mohanty-Column 11 Lines 45-50)
Regarding Claim 6,19
Gutesman-Mohanty-BenNoon disclosed (re. Claim 6,13,19) wherein the access change action is based on the execution of the investigation action, wherein access for the user to at least one of the first application or the second application is restricted in an instance at least one of the first application or the second application was not approved for the user. (Mohanty-Column 11 Lines 55-65, computer-assisted remediation function, whereby the business application manager 102 assists a business application subsystem user (such as a role approver) in treating risks found in the analysis of operation 405. In remediation, the business application manager 102 coordinates options such as removing a requested or proposed role addition or change that caused a risk violation found in operation 405, or commencing mitigation 406, etc. After completing the selected one of these options, the resulting role change more closely satisfies the guidelines 160, Column 18 Lines 15-20 , operation 505 may stop a proposed assignment of a role to a given user in one subsystem 104-105 where that role, considered with the existing assignment of another role to the same user in another subsystem, would create a segregation of duties violation..)
Regarding Claim 7,20
Gutesman-Mohanty-BenNoon disclosed (re. Claim 7,14,20) wherein the at least one processing device, upon execution of the instructions, is configured to determine an access change action, wherein the access change action comprises changing access for the user to at least one of the first application or the second application in an instance in which the potential malfeasant activity is determined. (Mohanty-Column 11 Lines 55-65, computer-assisted remediation function, whereby the business application manager 102 assists a business application subsystem user (such as a role approver) in treating risks found in the analysis of operation 405. In remediation, the business application manager 102 coordinates options such as removing a requested or proposed role addition or change that caused a risk violation found in operation 405, or commencing mitigation 406, etc. After completing the selected one of these options, the resulting role change more closely satisfies the guidelines 160, Column 18 Lines 15-20 , operation 505 may stop a proposed assignment of a role to a given user in one subsystem 104-105 where that role, considered with the existing assignment of another role to the same user in another subsystem, would create a segregation of duties violation..)
Claim(s) 3,17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gutesman (USPGPUB 2016/0119380) further in view of Mohanty (US Patent 8713461) further in view of Ben-Noon (USPGPUB 2024/0045953) further in view of Kulathumani (USPGPUB 2025/0005145)
Regarding Claim 3,17
While Gutesman-Mohanty-BenNoon substantially disclosed the claimed invention Gutesman-Mohanty-BenNoon does not disclose (re. Claim 3,17) wherein the at least one processing device, upon execution of the instructions, is configured to determine a usage amount for at least one of the first application or the second application by the user.
Kulathumani Paragraph 4 disclosed recording user activity data representing activities by a plurality of users within the tenant at endpoints on a computer network associated with the tenant.
Kulathumani Paragraph 145 disclosed activity or combination of activity classes performed within some predetermined amount of time.
Kulathumani disclosed (re. Claim 3,17) wherein the at least one processing device, upon execution of the instructions, is configured to determine a usage amount for at least one of the first application or the second application by the user (Kulathumani- Kulathumani Paragraph 4, recording user activity data representing activities by a plurality of users, Paragraph 145, activity or combination of activity classes performed within some predetermined amount of time, Paragraph 63, the number in each cell of a sampled activity matrix represents the number of times the corresponding activity-set was performed by the corresponding user during the corresponding period of time (e.g., on a given day))
Gutesman and Kulathumani are analogous art because they present concepts and practices regarding authorization enforcement. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Kulathumani into Gutesman-Mohanty. The motivation for the said combination would have been to enable detecting internal user behavior threats in a multi-tenant software as a service (SaaS) security system by comparing a user's behavior (e.g., a single user activity or single user activity-set) to that user's own prior behavior patterns and furthermore comparing user behavior to that of other users in the tenant) (e.g., based on prior user activities and user activity-sets by that user).(Kulathumani-Paragraph 126)
Gutesman-Mohanty-Kulathumani disclosed (re. Claim 3,17) wherein the usage amount indicates an amount that given application was accessed, used, or opened on an end-point device associated with the user.(Gutesman-Paragraph 48, connection properties are identified by the packet inspector 105 inspecting the IP and TCP headers of the captured packet, as shown by block 201. Once the source and destination IP addresses and ports have been extracted, the connection is uniquely identified and an entry in the connection directory 304,Paragraph 53, protocol processor 303 extracts the relevant information from the packet such as, but not limited to, the user performing the action, the action being executed, parameters to that action being executed, the host where the action takes place, and a timestamp when the action is being executed.)
Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944. The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREG C BENGZON/ Primary Examiner, Art Unit 2444