DETAILED ACTION
This office action is in reply to applicant communication filed on January 27, 2026.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on January 27, 2026.
Claims 1-18 have been amended.
Claims 19-20 have been added.
Claims 1-20 are pending.
Response to Argument
Applicant’s arguments filed on January 27, 2026 with respect to the 35 U.S.C. 103 rejections have been fully considered but are moot in view of new ground(s) of rejection.
Applicant argues that the prior art of record fails to teach the amended limitations of the independent claims. However, upon further consideration, a new ground of rejection is made using the newly found prior art to Savanah (US Pub. No. 2019/0303543).
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 13-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claims 13-18 are directed to a computer program product comprising a computer readable storage medium. Examiner respectfully asserts that the claimed subject matter does not fall within the statutory classes listed in 35 U.S.C. 101. The specification defines the computer-readable storage medium as any kind of storage medium (i.e., see paragraph 17) and therefore it could be interpreted as a communication medium, which does not fall within one of the four statutory classes of 101. Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ting (US Pub. No. 2007/0186106) in view of Lee (US Pub. No. 2011/0099612) and further in view of Savanah (US Pub. No. 2019/0303543).
As per claim 1, Ting in view of Lee discloses:
A method for authentication, authorization, and access-control, the method comprising: receiving identity information from one or more sources regarding a user attempting to access a resource; (paragraph 11 of Ting, in some embodiments (e.g., where the user is requesting access from a client workstation within the secure computer system), the request is received from a client machine. In other cases, such as when a user is requesting access from a remote location, the request is received from a remote-access server acting as a proxy and/or gateway for the secure computer system. The user authentication credentials can include one or more of a user identification code, a secure access code, biometric data, a badge ID, a screen name, and/or a password for granting a user's request to access to secure applications).
Consolidating the received identity information into a single contextualized identity for the user; (paragraph 81 of Ting, an automated credential discovery process can also be used (especially in implementations involving a large number of users and/or issuing entities) to determine correlations among user identity attributes (e.g., name, employee ID, telephone number, gender, address, system usage profile, biometric identifiers, etc.) for individuals known by the authentication server to consolidate multiple user records into a single record for an individual) and (paragraph 88 of Ting, FIG. 5 represents possible "states" to which a user can be attributed, with each state representing his physical location and login status, and the paths among the states represent the possible transitions between states).
Determining whether to authenticate the user based on the contextualized identity; (paragraph 12 of Ting, in some embodiments, combinations of the various types of access-control data are used to build complex profiles that can be used to adjudicate a user's access request. In certain instances where a user is denied access, a second access request including a prompt for additional authentication criteria can be issued, and access granted based on the subsequent credential submission).
Receiving at least one piece of real-time contextual information related to the user, the device, and the process; (paragraph 12 of Ting, in some embodiments, the rules can include time-based access rules (e.g., a user cannot access a certain resource during non-business hours), location-based access rules (e.g., a user can only access workstations that are within an area she entered by presenting a valid badge), and/or resource-based rules (e.g., a user cannot access a production server)) and (paragraph 94 of Ting, in situations where the network authentication policy requires location-based authentication, real-time location service (RTLS) provides a non-intrusive way to establish, within a reasonable margin of error, the location of the user at that moment within the wireless coverage area, which in turn can be used as an additional factor for authentication).
Dynamically determining whether to enforce a policy based on a continuously adjusted trust level associated with the authentication of the single contextualized identity and the at least one real-time piece of contextual information. (Paragraph 14 of Ting, the system also includes an authentication server for providing user access policies based on rules associated with one or more other access-control systems, and which specify criteria for granting the user access the resource. The server also determines if the rules are met, and adjudicates the user's request based on the user access policies) and (paragraph 94 of Ting, in situations where the network authentication policy requires location-based authentication, real-time location service (RTLS) provides a non-intrusive way to establish, within a reasonable margin of error, the location of the user at that moment within the wireless coverage area, which in turn can be used as an additional factor for authentication).
Ting teaches the method of correlating the user identity information, including the identity of the user (i.e., name or employee ID) and the identity of the device (i.e., phone number), into a single contextualized identity for the user (see paragraphs 81 and 88 of Ting) but fails to clearly disclose the identity information including the identity of a process, as in the limitation, “the identity information includes information pertaining to identity of the user, an identity of a device, and an identity of a process”.
However, in the same field of endeavor, Lee teaches this limitation as, (paragraph 15 of Lee, the present technology provides an innovative way for a server to automatically identify and authenticate a user of a mobile application such as, for example, an instant messaging application executing on a wireless communications device. The device communicates to the server a unique device identifier (e.g. a PIN number, ESN, IMEI or other code or number that uniquely identifies the wireless device) and an e-mail address (that is linked to the device). The server associates the unique device identifier and e-mail address with a registration identifier. The registration identifier, e-mail address and unique device identifier thus form a triplet that can be used to identify and authenticate the user even if the user changes the unique device identifier (e.g. by switching devices) or changes his e-mail address).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ting and include the above limitation using the teaching of Lee in order to secure the computing system by authenticating the user based on multiple authentication identifiers and make the authentication process stronger (see paragraph 15 of Lee).
The combination of Ting and Lee teaches the method of correlating the user identity information, including the identity of the user (i.e., name or employee ID) and the identity of the device (i.e., phone number), into a single contextualized identity for the user (see paragraphs 81 and 88 of Ting) but fails to clearly disclose a process comprising a cryptographic identifier derived from the executing application.
However, in the same field of endeavor, Savanah teaches this limitation as, (paragraph 81 of Savanah, the second hash value (H2) may be determined based on the hash of the concatenation of the data (D1) and the executable (or hash of the executable, that is, the first hash value (H1)) of the computer software. In a further example, the second hash value (H2) may be determined based on the hash of the concatenation of the data (D1), the executable (or hash of the executable) of the computer software and additional information) and (paragraph 82 of Savanah, additional information may comprise a public key of the first user 23 (PU1) or second user 24 (PU2). In a further example the additional information may comprise an identifier of an entity associated with the first user 23 or second user 24).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ting and Lee to include the above limitation using the teaching of Savanah in order to ensure and verify authorized use/control of a computing system (see paragraph 1 of Savanah).
Claims 7 and 13 are rejected under the same reason set forth in rejection of claim 1.
As per claim 2, Ting in view of Lee and further in view of Savanah discloses:
The method of claim 1, wherein determining to enforce the policy based on the authentication of the contextualized identity and at least one piece of contextual information comprises one or more of granting access to the resource, denying access to the resource, or throttling access to the resource. (Paragraph 11 of Ting, the request is received from a remote-access server acting as a proxy and/or gateway for the secure computer system. The user authentication credentials can include one or more of a user identification code, a secure access code, biometric data, a badge ID, a screen name, and/or a password for granting a user's request to access to secure applications).
Claims 8 and 14 are rejected under the same reason set forth in rejection of claim 2.
As per claim 3, Ting in view of Lee and further in view of Savanah discloses:
The method of claim 2, further comprising notifying the user of the determination to grant access to the resource, deny access to the resource, or throttle access to the resource. (Paragraph 62 of Ting, the user's overall authentication state (e.g., active remote user, inactive user for an application present in a secure room, etc.) is determined (STEP 424) and based on the users state and how it meets or does not meet the access policy, a decision can be made whether to grant or deny access to the requested resource (STEP 428). If the policy is not met, the user is denied access (STEP 432) and may be prompted to provide additional criteria (e.g., a biometric credential, token) or to present a physical authentication device to the PACS in an attempt to increase the likelihood that the individual is an authorized user).
Claims 9 and 15 are rejected under the same reason set forth in rejection of claim 3.
As per claim 4, Ting in view of Lee and further in view of Savanah discloses:
The method of claim 1, wherein the at least one piece of contextual information comprises location, network security, human resource status, attached network, or geo-location related compliance regulations. (Paragraph 12 of Ting, the rules can include time-based access rules (e.g., a user cannot access a certain resource during non-business hours), location-based access rules (e.g., a user can only access workstations that are within an area she entered by presenting a valid badge), and/or resource-based rules (e.g., a user cannot access a production server)).
Claims 10 and 16 are rejected under the same reason set forth in rejection of claim 4.
As per claim 5, Ting in view of Lee and further in view of Savanah discloses:
The method of claim 1, wherein the contextualized identity comprises the trust level associated with the user. (Paragraph 46 of Ting, in some cases, access policies may be based on meeting a threshold certainty value and may be satisfied when some subset of the rules are met. For example, an access policy may indicate that access is to be granted if there is at least a 98% likelihood that the user requesting access is in fact an authorized user based on individual probability weights assigned to each rule).
Claims 11 and 17 are rejected under the same reason set forth in rejection of claim 5.
As per claim 6, Ting in view of Lee and further in view of Savanah discloses:
The method of claim 5, further comprising automatically adjusting the trust level based on the at least one piece of contextual information related to the user. (Paragraph 13 of Ting, the audit records can also be analyzed to determine trends or anomalies in the data, and based on the analysis, the access policies can be updated).
Claims 12 and 18 are rejected under the same reason set forth in rejection of claim 6.
As per claim 19:
The combination of Ting and Lee teaches the method of correlating the user identity information, including the identity of the user (i.e., name or employee ID) and the identity of the device (i.e., phone number), into a single contextualized identity for the user (see paragraphs 81 and 88 of Ting) but fails to clearly disclose:
The method of claim 1, wherein the cryptographic identifier comprises a cryptographic hash of the executing application.
However, in the same field of endeavor, Savanah teaches this limitation as, (paragraph 81 of Savanah, the second hash value (H2) may be determined based on the hash of the concatenation of the data (D1) and the executable (or hash of the executable, that is, the first hash value (H1)) of the computer software. In a further example, the second hash value (H2) may be determined based on the hash of the concatenation of the data (D1), the executable (or hash of the executable) of the computer software and additional information) and (paragraph 82 of Savanah, additional information may comprise a public key of the first user 23 (PU1) or second user 24 (PU2). In a further example the additional information may comprise an identifier of an entity associated with the first user 23 or second user 24).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ting and Lee to include the above limitation using the teaching of Savanah in order to ensure and verify authorized use/control of a computing system (see paragraph 1 of Savanah).
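The hash derivation quoted from Savanah paragraphs 81-82 (in the rejections of claims 1 and 19 above), worked through as an added example that is not part of this office action, of the application under examination, or of any cited reference: H1 is the hash of the executable and serves as the process identifier, and H2 is the hash of D1, H1 and additional information such as a public key PU1. The executable bytes, D1 and PU1 are constructed placeholders; the length-prefixed concatenation and the constant-time comparison are assumptions added beyond the quoted text.

```python
import hashlib
import hmac

# Constructed sample inputs; they stand in for the executable of the computer
# software, the data D1 and the public key PU1 named in Savanah paragraphs 81-82.
EXECUTABLE = b"\x7fELF\x02\x01\x01" + b"demo-application-v1.0"
DATA_D1 = b"session:demo-0001"
PUBKEY_PU1 = b"demo-public-key-PU1"


def _concat(*parts: bytes) -> bytes:
    """Unambiguous concatenation: a 4-byte big-endian length prefix before each field.
    Plain concatenation would let (D1=b"ab", x=b"c") and (D1=b"a", x=b"bc") collide;
    the length prefix is an added hardening, not something the quoted text requires."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def first_hash(executable: bytes) -> bytes:
    """H1: hash of the executable. This is the cryptographic identifier of the process."""
    return hashlib.sha256(executable).digest()


def second_hash(d1: bytes, executable: bytes, additional: bytes = b"") -> bytes:
    """H2 = hash(D1 || H1 || additional information), using H1 in place of the raw executable."""
    return hashlib.sha256(_concat(d1, first_hash(executable), additional)).digest()


def verify_process(candidate_executable: bytes, d1: bytes, additional: bytes,
                   expected_h2: bytes) -> bool:
    """Recompute H2 from the executable actually running and compare it, in constant time,
    with the H2 recorded when use was authorized. Any change to the binary, to D1 or to the
    additional information (e.g. a different user's public key) yields a mismatch."""
    actual = second_hash(d1, candidate_executable, additional)
    return hmac.compare_digest(actual, expected_h2)


def contextualized_identity(user: str, device: str, executable: bytes) -> dict:
    """The three identity components named in claim 1, with the process represented by H1."""
    return {"user": user, "device": device, "process": first_hash(executable).hex()}


if __name__ == "__main__":
    recorded = second_hash(DATA_D1, EXECUTABLE, PUBKEY_PU1)
    print("H1 =", first_hash(EXECUTABLE).hex())
    print("H2 =", recorded.hex())
    print("genuine binary verifies:", verify_process(EXECUTABLE, DATA_D1, PUBKEY_PU1, recorded))
    print("patched binary verifies:", verify_process(EXECUTABLE + b"\x90", DATA_D1, PUBKEY_PU1, recorded))
```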
Claim 20 is rejected under the same reason set forth in rejection of claim 19.
Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Li (US Pub. No. 2014/0259130).
Li discloses:
Systems, apparatus, and methods of authentication utilizing contextual data to authenticate individuals and prevent security breaches are described herein. An example proxy engine may monitor interactions with a computing device to obtain contextual data unique to a user. The contextual data may be utilized to generate unique challenge questions in response to requests for access to a secure resource, and may eliminate the need for a user to remember credentials to access the resource. Challenge questions may be limited to a single use and vary in difficulty in proportion to the value of the resource. In response to correct responses to challenge question(s), the proxy engine may access a vault containing a credential authorizing access to the resource. The vault and proxy engine may be entirely contained on the computing device or they may be implemented on a remote apparatus accessed via an application or interface on the computing device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TESHOME HAILU/Primary Examiner, Art Unit 2434