Prosecution Insights
Last updated: April 19, 2026
Application No. 18/242,969

SYSTEM AND METHOD FOR MANAGEMENT OF OFF-NETWORK REMOTE ACCESS TO PREVENT UNAUTHORIZED ACCESS TO SENSITIVE DATA

Non-Final OA: §101, §102, §103
Filed: Sep 06, 2023
Examiner: AHSAN, SYED M
Art Unit: 2491
Tech Center: 2400 — Computer Networks
Assignee: BANK OF AMERICA CORPORATION
OA Round: 3 (Non-Final)

Grant Probability: 72% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 6m
With Interview: 92%

Examiner Intelligence

Career allow rate: 72% (197 granted / 272 resolved; +14.4% vs TC avg), above average
Interview lift: +20.1% (strong), measured over resolved cases with interview
Typical timeline: 3y 6m average prosecution; 45 currently pending
Career history: 317 total applications across all art units

Statute-Specific Performance

§101: 15.5% (-24.5% vs TC avg)
§103: 45.8% (+5.8% vs TC avg)
§102: 15.1% (-24.9% vs TC avg)
§112: 18.9% (-21.1% vs TC avg)
"vs TC avg" compares against a Tech Center average estimate. Based on career data from 272 resolved cases.

Office Action

§101 §102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/22/2025 has been entered.

DETAILED ACTION

This Office Action is in response to a Request for Continued Examination application received on 12/22/2025. In the RCE, claims 1, 8, and 15 have been amended. Claims 2-7, 9-14, and 16-20 remain original. No claim has been cancelled and no new claim has been added. For this Office Action, claims 1-20 have been received for consideration and have been examined.

Response to Arguments

Claim Rejections – 35 USC § 101

Applicant's amendments in light of the remarks have been reviewed and amendments have overcome the 35 USC § 101 Abstract Idea rejection. Therefore, this rejection has been withdrawn.

Claim Rejections – 35 USC § 102

Applicant's arguments, filed 12/22/2025, with respect to the rejection(s) of claim(s) 1-20 under 35 USC § 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhan et al., (US20210264004A1) in view of Thomas et al., (US20170359306A1).

Regarding claim 1, Zhan discloses: A system for management of off-network remote access to prevent unauthorized access to sensitive data ([0008] FIG. 4 depicts illustrative components of a system for account access monitoring in accordance with one implementation of the present disclosure), the system comprising: at least one non-transitory storage device; and at least one processing device coupled to the at least one non-transitory storage device ([0108] The system 400 may be software stored on a non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to: access information associated with a login request), wherein the at least one processing device (i.e., network monitor device 102) is configured to:

receive an off-network remote access login (i.e., remote login requests away from normal location) with authentication credentials associated with a user within a network ([0027] Network monitor device 102 may be operable to monitor or track account access to determine a baseline or normal account access activity; [0030] Network monitor device 120 may further detect account access behavior through network monitoring (e.g., human login vs. computer program login); [0038] Network monitor device 102 can use a baseline account access model and detection of access anomalies through policy or statistic learning. Based on the account access map with contextual information and account access behavior as recorded or observed, a baseline for account access patterns can be created for each account; [0039] For example, if a user John logs in each weekday at approximately 9 AM and logs out at approximately 5 PM on a typical work days (e.g., excluding holidays) and the login processes takes approximately 3-4 seconds, when John logins in at 3 AM, it can be compared to previous login information; [0080] At block 302, account request and context information is accessed. The account request information may be associated with a login request and include a username);

compare the off-network remote access login against a set of previous off-network remote access logins comprising historical login times, locations, devices, and subsequent user interactions within the network associated with the user using an advanced computational model (i.e., use of statistical learning or machine learning) for data analysis and automated decision-making ([0036] Embodiments may thus determine (and maintain) a baseline of account access including whether the account is usually accessed through a human login, a computer program login, or a combination thereof; [0037] Login failures may also be recorded and stored to be used as an indicator of account compromise and combined with other indicators to determine if an account has been compromised, as described herein; [0039] For example, if a user John logs in each weekday at approximately 9 AM and logs out at approximately 5 PM on a typical work days (e.g., excluding holidays) and the login processes takes approximately 3-4 seconds, when John logins in at 3 AM, it can be compared to previous login information; [0048] Embodiments can further support use of statistical learning or machine learning, e.g., in place of explicit policy rules or in combination with explicit policy rules. For example, the machine learning may be used with a collected baseline of account activity (e.g., data structure 200) to determine when and whether to perform security actions; [0049] When the malware accesses the account from different locations as compared to the account access map, as described herein, the anomalous behavior can be detected and the attack isolated or stopped. This may be performed automatically (e.g., based on machine learning) or with a human configured account access policy; [0068] Context name location column 210 can be used to store context information associated with account access (e.g., account access requests or login requests) including network information and physical location information. The network information of a device associated with the account (e.g., in account column 206) can include a subnet (e.g., 1.1.1.x). For example, an engineering, quality assurance, or finance network subnet can be stored as 1.1.1.x. The physical location information can include department (e.g., accounting), sub department (e.g., accounts payable (AP)), cube, and desk, etc. The physical location information may be determined based on manually entered information (e.g., associated with a network switch) or based on a physical connection (e.g., Ethernet) where the device is coupled to a network device (e.g., switch or wireless access point). A NAC device may have access to network topography and physical location information and can set values of the context name location 210; [0069] Account access result column 212 can be used to store account access results including success or failure. In some embodiments, a percentage of login failures associated with each account and device IP address may be stored. The data of the account access result column 212 can be used as an indicator of whether an account has been compromised. For example, if an account suddenly has lots of account access failures from abnormal locations (e.g., not before observed), a security action may be performed (e.g., a notification sent, network access of a device changed, a combination thereof, etc.) or the number of failures may be considered in conjunction with other factors, as described herein),

wherein the set of previous off-network remote access logins associated with the user are stored within a user action database ([0038] Network monitor device 102 can use a baseline account access model and detection of access anomalies through policy or statistic learning. Based on the account access map with contextual information and account access behavior as recorded or observed, a baseline for account access patterns can be created for each account. Using the above information as input, anomalies can be detected, e.g., from policies or through statistic learning. For example, new or future behavior can be compared to past or previous behavior to determine if the new behavior is abnormal or anomalous. New behavior may be recorded (e.g., added to the location access map) to update the baseline account access pattern information);

determine whether the off-network remote access login constitutes suspicious activity based on the comparison to the set of previous off-network remote access logins associated with the user within the user action database through the advanced computational model for data analysis and automated decision making, wherein suspicious activity comprises deviations from historical login times and user interactions outside of activities associated with authentication credentials of the user ([0037] If a hacker is attempting to log into an account and there is a sudden increase in failures associated with the account, this can suggest that an attack is occurring. The time of the login failures may be compared with the baseline access time pattern. If the time is not within the normal access time pattern (e.g., at 2:30 AM for an employee who typically works 9 AM to 5 PM), this may be combined with the sudden increase in login failures to determine that a security action is to be performed (e.g., possibly restricting network access of the device initiating the login requests));

incorporate the off-network remote access login associated with the user and subsequent actions (i.e., network device context & account access context) within the network attributed to the user into the user action database ([0017] Embodiments can track account access activity to determine historical or baseline account access activity which can then be compared against future account access behavior; [0018] Network device context, e.g., including a location of a device initiating a login, can be correlated with new account access behavior to determine whether an action should be performed; [0022] In some embodiments, additional sources of device information may be used to increase account access context information and accuracy about account behavior reporting. If an agent is present on the device (e.g., a personal computer (PC) or server), the agent can collect and provide detailed account access information (e.g., local account access); [0028] Network monitor device 102 can generate an account access location map that maps a physical location to an IP address. Each IP address may be given a physical location label … When a user logins in, accesses, and logs out of an account from a particular device, those events can be recorded in the account access map. Over time, an account access map, having location and login information, for each particular account is created and stored. An example data structure 200 of a location access map is shown in FIG. 2. The information of the location access map can be used to increase the accuracy of account hijack detection; [0029] Network monitor device 102 can add device context information to the account access map. Information added to the account access map (e.g., based on network access control (NAC) functionality) can include login time (e.g., 8:59 AM), access duration (e.g., 9 AM-5 PM), logout time (e.g., 5:06 PM), and device properties (e.g., one or more security properties or security posture including operating system (OS), applications present, running, or both, vulnerabilities, etc.). This can make the account access map multi-dimensional); and

trigger a set of remedial actions if the off-network remote access login constitutes suspicious activity ([0106] Policy component 418 is operable for initiating or triggering one or more remediation actions, as described herein; [0107] The actions may include restricting network access to a particular level (e.g., full, limited, or no network access), remediation actions (e.g., triggering patch systems or services, triggering update systems or services, triggering third party product action, etc.), informational actions (e.g., sending an email notification to a user or IT administrator or creating an IT ticket reflecting the level of compliance), and logging actions (e.g., logging or storing the compliance level)).

Zhan fails to disclose: wherein authentication credentials associated with the user determine capabilities of the user within the network; remedial actions comprising altering capabilities of the user within the network based on the suspicious activity and authentication credentials of the user.

However, Thomas discloses: wherein authentication credentials associated with the user determine capabilities (i.e., based on suspicious activity on the device by the user, the system requires user to authorize based on various capabilities such as clicking/typing/acknowledging certain commands) of the user within the network ([0200] For example, a request for user input may be presented as a pop-up window or other notification with text requesting a response. This may include a simple request such as "click here to continue," or a more instructive narrative such as: "A potential security issue has been detected. Please click here to confirm that you requested the following network activity." This may also or instead include other user input besides clicking, e.g., typing characters into a text box, entering or otherwise providing authentication credentials, answering a security inquiry of information known to the user, or the like. In another aspect, a blocking page may be presented in a web browser that requires human interaction before further network activity can be undertaken; [0263] In an aspect, a detected unexpected event that is determined to be unauthorized (or potentially unauthorized) may be automatically stopped from executing/running on the mobile device; [0264] Other remedial actions may also or instead be taken. For example, cellular radio and other communications hardware (e.g., radios for Bluetooth, WiFi, etc.) may be deactivated to prevent further network communications to and from the device; [0271] In an aspect, the display on the mobile device requesting confirmation by the user may be related to activity on the mobile device. In an aspect, the display on the mobile device requesting confirmation by the user may be related to activity on another endpoint. Another device, such as a gateway or another endpoint, identifies a potential or actual security threat. Using a heartbeat functionality on the mobile device, an instruction to the mobile device is communicated securely to request user the confirmation of activity on the mobile, device, another device or recognized by the another device (e.g., a gateway). In an aspect, the display may require authentication, or submission of authentication data such as a PIN, password, biometric information, etc. to confirm authorization);

remedial actions comprising altering capabilities (i.e., providing controlled access based on certain criteria) of the user within the network based on the suspicious activity and authentication credentials of the user ([0076] The threat management facility 100 may provide controlled access to the enterprise facility 102 networks. For instance, a manager of the enterprise facility 102 may want to restrict access to certain applications, networks, files, printers, servers, databases, or the like. In addition, the manager of the enterprise facility 102 may want to restrict user access based on certain criteria, such as the user's location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like; [0094] However, if the mobile client facility were to attempt to connect into an unprotected connection point, such as at a secondary location 108 that is not a part of the enterprise facility 102, the mobile client facility may be required to request network interactions through the threat management facility 100 … where the endpoint computer security facility 152 may dictate what actions are allowed, blocked, modified, or the like; [0264] In another aspect, communications may be restricted to exclusive communications with a threat management facility so that a compromised condition can be remediated before restoring other network communications. In another aspect, all services or applications may be suspended except for a local remediation agent or similar program until the device has been adequately remediated).

It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the network monitor device of Zhan and include a threat management facility comprising a manager to restrict malicious access, as disclosed by Thomas. The motivation to include the threat management facility comprising the manager to provide controlled access to enterprise resources is to improve network security to prevent compromise, e.g., data leakage, damage, and other negative consequences for compromised endpoints (Thomas: [0003]).

Regarding claim 8, it is a computer program product claim and recites similar subject matter as claim 1 and therefore rejected under similar ground of rejection.

Regarding claim 15, it is a method claim and recites similar subject matter as claim 1 and therefore rejected under similar ground of rejection.

Regarding claim 2, the combination of Zhan and Thomas discloses: The system of claim 1, wherein suspicious activity is defined by a set of predetermined criteria within the user action database (Zhan: [0028-0029]).

Regarding claim 9, it is a computer program product claim and recites similar subject matter as claim 2 and therefore rejected under similar ground of rejection.

Regarding claim 16, it is a method claim and recites similar subject matter as claim 2 and therefore rejected under similar ground of rejection.

Regarding claim 3, the combination of Zhan and Thomas discloses: The system of claim 2, wherein the set of predetermined criteria comprises the off-network remote access login occurring during a set of predetermined hours (Zhan: [0028-0029]).

Regarding claim 10, it is a computer program product claim and recites similar subject matter as claim 3 and therefore rejected under similar ground of rejection.

Regarding claim 17, it is a method claim and recites similar subject matter as claim 3 and therefore rejected under similar ground of rejection.

Regarding claim 4, the combination of Zhan and Thomas discloses: The system of claim 1, wherein the set of remedial actions comprises transmission of a customizable notification to a third party (Zhan: [0039] & [0042]).

Regarding claim 11, it is a computer program product claim and recites similar subject matter as claim 4 and therefore rejected under similar ground of rejection.

Regarding claim 18, it is a method claim and recites similar subject matter as claim 4 and therefore rejected under similar ground of rejection.

Regarding claim 5, the combination of Zhan and Thomas discloses: The system of claim 1, wherein the set of remedial actions comprises transmission of a push notification to an end-point device to enable the off-network remote access login (Zhan: [0041]).

Regarding claim 12, it is a computer program product claim and recites similar subject matter as claim 5 and therefore rejected under similar ground of rejection.

Regarding claim 19, it is a method claim and recites similar subject matter as claim 5 and therefore rejected under similar ground of rejection.

Regarding claim 6, the combination of Zhan and Thomas discloses: The system of claim 5, wherein the push notification is transmitted to an end-point device during a set of predetermined notification login hours (Zhan: [0039] & [0042]).

Regarding claim 13, it is a computer program product claim and recites similar subject matter as claim 6 and therefore rejected under similar ground of rejection.

Regarding claim 7, the combination of Zhan and Thomas discloses: The system of claim 1, wherein a set of systems within the network are restricted for off-network remote access logins constituted as suspicious activity (Zhan: [0047], and [0106-0107]).

Regarding claim 14, it is a computer program product claim and recites similar subject matter as claim 7 and therefore rejected under similar ground of rejection.

Regarding claim 20, it is a method claim and recites similar subject matter as claim 7 and therefore rejected under similar ground of rejection.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, William Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SYED M AHSAN/Primary Examiner, Art Unit 2491
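The rejection above maps the claim onto a baseline-versus-new-login comparison (historical hours, subnet location, device, failure counts, then a graded remedial action). The following is an added illustration written for this page, not code from the application, from Zhan, or from Thomas; the record layout, thresholds and the sample login history are assumptions.

```python
# Added example, not from the application or the cited references: a per-account
# login baseline compared against a new login, with a graded remedial action.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class LoginEvent:
    account: str
    when: datetime      # time of the login request
    subnet: str         # network location context, e.g. "10.1.1.x" (assumed layout)
    device: str         # device identifier seen by the monitor
    success: bool

@dataclass
class Baseline:
    """Per-account history: observed hours, locations, devices and failure counts."""
    hours: Counter = field(default_factory=Counter)
    subnets: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    failures: int = 0
    total: int = 0

    def add(self, ev: LoginEvent) -> None:
        """Record an observation (the 'incorporate into the user action database' step)."""
        self.total += 1
        if ev.success:
            self.hours[ev.when.hour] += 1
            self.subnets[ev.subnet] += 1
            self.devices[ev.device] += 1
        else:
            self.failures += 1

def build_baselines(history):
    """Build one Baseline per account from past login events."""
    baselines = {}
    for ev in history:
        baselines.setdefault(ev.account, Baseline()).add(ev)
    return baselines

def assess(base: Baseline, ev: LoginEvent, recent_failures: int, window: int = 10):
    """List deviations of a new login from the baseline; an empty list means normal."""
    reasons = []
    if base.total == 0:
        return ["no history for account"]
    if base.hours[ev.when.hour] == 0:
        reasons.append("time outside observed login hours")
    if base.subnets[ev.subnet] == 0:
        reasons.append("unseen location (subnet)")
    if base.devices[ev.device] == 0:
        reasons.append("unseen device")
    # Failure burst: recent failures well above the account's historical failure rate.
    expected = base.failures / base.total * window
    if recent_failures >= 3 and recent_failures > 3 * expected:
        reasons.append("sudden increase in login failures")
    return reasons

def remediate(reasons):
    """Graded action: no deviation keeps full access; a time/location/device deviation
    combined with a failure burst removes access; anything else limits it and notifies."""
    if not reasons:
        return {"access": "full", "notify": False}
    burst = "sudden increase in login failures" in reasons
    context = any(r.startswith(("time", "unseen")) for r in reasons)
    if burst and context:
        return {"access": "no", "notify": True}
    return {"access": "limited", "notify": True}

def demo():
    """Constructed sample: daily 9 AM logins from the office subnet, then a 3 AM login."""
    start = datetime(2025, 11, 3, 9, 0)
    history = [LoginEvent("jdoe", start + timedelta(days=d), "10.1.1.x", "laptop-01", True)
               for d in range(20)]
    history.append(LoginEvent("jdoe", start + timedelta(days=20, hours=1), "10.1.1.x", "laptop-01", False))
    base = build_baselines(history)["jdoe"]
    normal = LoginEvent("jdoe", start + timedelta(days=21), "10.1.1.x", "laptop-01", True)
    odd = LoginEvent("jdoe", datetime(2025, 11, 25, 3, 0), "203.0.113.x", "unknown-7", True)
    return remediate(assess(base, normal, 0)), remediate(assess(base, odd, 6))
```

Calling `demo()` yields full access for the in-pattern login and removes access, with a notification, for the 3 AM login from an unseen subnet and device that coincides with a burst of failures.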

Prosecution Timeline

Sep 06, 2023
Application Filed
May 17, 2025
Non-Final Rejection — §101, §102, §103
Aug 20, 2025
Response Filed
Sep 21, 2025
Final Rejection — §101, §102, §103
Dec 22, 2025
Request for Continued Examination
Jan 08, 2026
Response after Non-Final Action
Feb 07, 2026
Non-Final Rejection — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12580952
SYSTEMS AND METHODS FOR DETECTING ADVANCED USERS BY DETECTION OF THE USE OF MULTIPLE WINDOWS OR TABS
2y 5m to grant Granted Mar 17, 2026
Patent 12574388
Network-Based Attestation of Device Ownership
2y 5m to grant Granted Mar 10, 2026
Patent 12568080
APPLICATION RUNNING METHOD AND ELECTRONIC DEVICE
2y 5m to grant Granted Mar 03, 2026
Patent 12549340
EFFICIENT QUANTUM VOTING WITH INFORMATION-THEORETIC SECURITY
2y 5m to grant Granted Feb 10, 2026
Patent 12542760
SYSTEM AND METHOD FOR PROVIDING APPLICATION ISOLATION ON A PHYSICAL, VIRTUAL OR CONTAINERIZED NETWORK OR HOST MACHINE
2y 5m to grant Granted Feb 03, 2026
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 72%
With Interview: 92% (+20.1%)
Median Time to Grant: 3y 6m
PTA Risk: High
Based on 272 resolved cases by this examiner. Grant probability derived from career allow rate.
