Prosecution Insights
Last updated: April 19, 2026
Application No. 18/313,113

SECURITY KNOWLEDGE LEVEL TEST METHODS AND APPARATUSES

Final Rejection (§101, §103, §112)
Filed: May 05, 2023
Examiner: NOVAK, REBECCA R
Art Unit: 3629
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
OA Round: 2 (Final)
Grant Probability: 6% (At Risk)
OA Rounds: 3-4
To Grant: 4y 10m
With Interview: 14%

Examiner Intelligence

Grants only 6% of cases
Career Allow Rate: 6% (12 granted / 189 resolved; -45.7% vs TC avg)
Interview Lift: +7.3% (moderate lift; resolved cases with interview)
Typical timeline: 4y 10m avg prosecution; 41 currently pending
Career history: 230 total applications across all art units

Statute-Specific Performance

§101: 40.4% (+0.4% vs TC avg)
§103: 40.0% (+0.0% vs TC avg)
§102: 3.5% (-36.5% vs TC avg)
§112: 12.5% (-27.5% vs TC avg)
Based on career data from 189 resolved cases

Office Action

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of AIA.

Status of Claims

This communication is a Final Office action in response to communications received on 07/30/2025. Claims 1, 11 and 12 have been amended. Therefore, claims 1-20 are currently pending and have been addressed below.

Claim Objections

Claim 2 is objected to because of the following informality: Claim 2 recites: “authority ;” and it should be – authority; --. Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement.

The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.

Newly amended Claim 1, analogous to amended Claims 11 and 12, recites: “automatically adjusting a risk control policy associated with the client device based on the security knowledge level test result; and blocking a particular action performed by the target user on the client device in accordance with the adjusted risk control policy, wherein the particular action when performed by another user on another client device will not be blocked in accordance with a risk control policy associated with the other client device that has been adjusted based on another security knowledge level test result representing that the other target user has passed another security knowledge level test.”

With respect to “blocking”, Applicant’s specification does not include “blocking”, let alone “blocking a particular action” or “blocked in accordance with a risk control policy”.

"The ‘written description’ requirement implements the principle that a patent must describe the technology that is sought to be patented; the requirement serves both to satisfy the inventor’s obligation to disclose the technologic knowledge upon which the patent is based, and to demonstrate that the patentee was in possession of the invention that is claimed." Capon v. Eshhar, 418 F.3d 1349, 1357, 76 USPQ2d 1078, 1084 (Fed. Cir. 2005). Further, the written description requirement promotes the progress of the useful arts by ensuring that patentees adequately describe their inventions in their patent specifications in exchange for the right to exclude others from practicing the invention for the duration of the patent’s term.

To satisfy the written description requirement, a patent specification must describe the claimed invention in sufficient detail that one skilled in the art can reasonably conclude that the inventor had possession of the claimed invention. See, e.g., Moba, B.V. v. Diamond Automation, Inc., 325 F.3d 1306, 1319, 66 USPQ2d 1429, 1438 (Fed. Cir. 2003); Vas-Cath, Inc. v. Mahurkar, 935 F.2d at 1563, 19 USPQ2d at 1116. However, a showing of possession alone does not cure the lack of a written description. Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 969-70, 63 USPQ2d 1609, 1617 (Fed. Cir. 2002). An applicant shows possession of the claimed invention by describing the claimed invention with all of its limitations using such descriptive means as words, structures, figures, diagrams, and formulas that fully set forth the claimed invention. Lockwood v. Amer. Airlines, Inc., 107 F.3d 1565, 1572, 41 USPQ2d 1961, 1966 (Fed. Cir. 1997).

The claimed invention as a whole may not be adequately described if the claims require an essential or critical feature which is not adequately described in the specification and which is not conventional in the art or known to one of ordinary skill in the art (MPEP 2163 | (A)).

Dependent claims inherit the deficiencies of the parent claims and thus dependent claims are rejected on the same basis as indicated above for the respective parent claims.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to a judicial exception without a practical application and significantly more.

Step 1: Identifying Statutory Categories

When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claims are directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (i.e., Step 1). In the instant case, claims 1-10 are directed to a method (i.e. a process). Claim 11 is directed to a non-transitory, computer-readable storage medium (i.e. an article of manufacture). Claims 12-20 are directed to a system (i.e. a machine). Thus, each of these claims fall within one of the four statutory categories. Nevertheless, the claims fall within the judicial exception of an abstract idea.

Step 2A: Prong One: Abstract Ideas

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention recites an abstract idea. Independent claim 1, analogous to independent claims 11 and 12 recite:

receiving a security knowledge test request that comprises one or more target features of a target user;

determining, based on the security knowledge test request and from a plurality of security regulatory authorities associated with a knowledge test platform, a target security regulatory authority to perform a security knowledge level test for the target user;

obtaining a target security knowledge test requirement information set that corresponds to the target security regulatory authority, wherein the target security knowledge test requirement information set comprises a mapping relationship between user features and security knowledge test questions;

determining, from the target security knowledge test requirement information set that corresponds to the target security regulatory authority, corresponding test questions based on the one or more target features of the target user;

providing the corresponding test questions for presentation to the target user; and

determining a security knowledge level test result by the target user in response to viewing the corresponding test questions, wherein the security knowledge level test result represents that the target user has failed the security knowledge level test;

adjusting a risk control policy associated with the client based on the security knowledge level test result; and

blocking a particular action performed by the target user in accordance with the adjusted risk control policy, wherein the particular action when performed by another user will not be blocked in accordance with a risk control policy associated with the other client that has been adjusted based on another security knowledge level test result representing that the other target user has passed another security knowledge level test.

The limitations as drafted, is a process that, under its broadest reasonable interpretation, falls under at least the abstract groupings of:

Certain methods of organizing human activity (commercial or legal interactions (including advertising, marketing or sales activities or behaviors; business relations; (managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions)). As independent claims discuss performing a security knowledge level test for a user, including mapping relationship between user features and security knowledge test questions; determining, from the target security knowledge test requirement information set that corresponds to the target security regulatory authority, corresponding test questions based on the one or more target features of the target user; providing the corresponding test questions for presentation to the target user; and determining a security knowledge level test result by the target user in response to viewing the corresponding test questions, which is one of certain methods of organizing human activity.

Mental Processes (concepts performed in the human mind (including an observation, evaluation, judgement, opinion (claim 1, analogous to claims 11 and 12 recite for example: “receiving a security knowledge test request that comprises one or more target features of a target user”; “determining, based on the security knowledge test request and from a plurality of security regulatory authorities associated with a knowledge test platform, a target security regulatory authority to perform a security knowledge level test for the target user”; “obtaining a target security knowledge test requirement information set that corresponds to the target security regulatory authority”, “mapping relationship between user features and security knowledge test questions”; “determining, from the target security knowledge test requirement information set that corresponds to the target security regulatory authority, corresponding test questions based on the one or more target features of the target user”; “providing the corresponding test questions for presentation to the target user”; “determining a security knowledge level test result by the target user in response to viewing the corresponding test questions”; “the security knowledge level test result represents that the target user has failed the security knowledge level test”; “adjusting a risk control policy associated with the client based on the security knowledge level test result”)

Concepts performed in the human mind as mental processes because the steps of receiving, determining, obtaining, associating, presenting and analyzing data mimic human thought processes of observation, evaluation, judgement and opinion, perhaps with paper and pencil, where data interpretation is perceptible in the human mind. See In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607, 611 (Fed. Cir. 2016); FairWarning IP, LLC v. Iatric Sys., Inc., 839 F.3d 1089, 1093-94 (Fed. Cir. 2016)).

Dependent claims add additional limitations, for example:

(claims 2 and 13), issuing a first credential to the target user when the test result indicates that the target user has passed the security knowledge level test, wherein the first credential indicates that the target user has passed the security knowledge level test of the target security regulatory authority; and issuing a second credential to the target user when the test result indicates that the target user has not passed the security knowledge level test, wherein the second credential indicates that the target user has not passed the security knowledge level test of the target security regulatory authority;

(claims 3 and 14) wherein the first credential has a validity period, and the method further comprises: sending a notification of expiration to the target user when a current time point is outside the validity period of the first credential, wherein the notification of expiration reminds the target user to retake the security knowledge level test;

(claims 4 and 15) wherein obtaining the target security knowledge test requirement information set that corresponds to the target security regulatory authorities comprises: obtaining customized requirement information from the target security regulatory authority; and adding the customized requirement information to the target security knowledge test requirement information set that corresponds to the target security regulatory authority;

(claims 5 and 16) wherein obtaining the target security knowledge test requirement; information set that corresponds to the target security regulatory authorities comprises: providing predetermined requirement information for the target security regulatory authority; obtaining selected requirement information from the target security regulatory authority; and adding the selected requirement information to the target security knowledge test requirement information set that corresponds to the target security regulatory authority;

(claims 6 and 17) wherein the security knowledge test request comprises a current location of the target user, the plurality of security regulatory authorities each corresponds to a respective location range and performs the security knowledge level test for users located within the respective location range, and wherein determining the target security regulatory authority: determining a security regulatory authority as the target security regulatory authority when the current location of the target user is within a respective location range of the security regulatory authority;

(claims 7 and 18) wherein the target security regulatory authority updates the target security knowledge test requirement information set, and the method further comprises: sending an update notification to a user who satisfies a predetermined update condition, wherein the update notification reminds the user to retake the security knowledge level test;

(claims 8 and 19) wherein the user who satisfies the predetermined update condition comprises one or both of: a user who passes the security knowledge level test of the target security regulatory authority, or a user of all users who have passed the security knowledge level test of the target security regulatory authority and satisfies a user feature included in the target security knowledge test requirement information that has been updated;

(claims 9 and 20) wherein the security knowledge test request is sent provided by another user, and wherein the method further comprises: synchronizing the security knowledge level test results of the target user to the another user;

(claim 10) issuing, to the target user, a credential code that represents the test result, the credential code comprises information about the target user,

but these only serve to further limit the abstract idea.

If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitations of certain methods of organizing human activity and mental processes but for the recitation of generic computer components, the claims recite an abstract idea.

Step 2A: Prong Two

This judicial exception is not integrated into a practical application because the claims merely describe how to generally “apply” the abstract idea. In particular, the claims only recite the additional elements – (claim 1) computer(s), client device; (claims 9, 10 and 20) scanning a sharing code (claim 11) a non-transitory, computer-readable medium (claim 12) system comprising one or more computers, memory, non-transitory, computer-readable media. These additional elements are recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components.

Simply implementing the abstract idea on generic computer components is not a practical application of the abstract idea, as it adds the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, as discussed in MPEP 2106.05(f). The limitations generally link the abstract idea to a particular technological environment or field of use (such as computing, see MPEP 2106.05(h)). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide generic computer implementation and do not impose a meaningful limit to integrate the abstract idea into a practical application.

Step 2B

The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to discussion of integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply an exception and generally link the abstract idea to a particular technological environment or field of use. Furthermore, claims 1-20 have been fully analyzed to determine whether there are additional elements recited that amount to significantly more than the abstract idea. The limitations fail to include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of the abstract idea to a particular technological environment. Thus, nothing in the claim adds significantly more to the abstract idea.

Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation. The claims are ineligible.

Therefore, since there are no limitations in the claim that transform the exception into a patent eligible application such that the claim amounts to significantly more than the exception itself, the claims are rejected under 35 USC 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

Claims 1, 4-12 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over CN 110472038A, hereinafter “CN”, over Drake (US 2017/0346851 A1), hereinafter “Drake”.

Regarding Claim 1, CN teaches A method performed by one or more computers, wherein the method comprises:

receiving a security knowledge test request that comprises one or more target features of a target user; (CN, see at least page 4, teaching computing environment; CN, page 3, Data safety is generated based on the multiple data safety topic and tests questionnaire, and the data safety is tested into questionnaire It is sent to the user terminal. Further, described according to the user login information, match at least one number corresponding with the user According to safety legislation rule, comprising: Based on the user login information, the characteristic information of the user is obtained (Examiner interprets characteristic information of user as target features of user));

determining, based on the security knowledge test request and from a plurality of security regulatory authorities associated with a knowledge test platform, a target security regulatory authority to perform a security knowledge level test for the target user; (CN, page 3, According to the user login information, at least one data safety law rule corresponding with the user are matched);

obtaining a target security knowledge test requirement information set that corresponds to the target security regulatory authority, wherein the target security knowledge test requirement information set comprises a mapping relationship between user features and security knowledge test questions; (CN, page 5, third para, It has been investigated that currently, being that questionnaire comes to correlation by inquiry for the monitoring of people's data safety legal consciousness Personage tests and assesses, but for the people of different field needed for it is to be understood that rules and regulations content be also different, example Such as the people of different tissues, in even one tissue for the member of different grouping, it may be necessary to the rule for using and abiding by system is variant, therefore the test of data safety needed for people different when testing topic is also just different);

determining, from the target security knowledge test requirement information set that corresponds to the target security regulatory authority, corresponding test questions based on the one or more target features of the target user; (CN, page 3, First acquisition module, at least one data safety statutory rules for being matched according to the matching module, from Multiple data safety topics relevant to each data safety statutory rules are obtained in preset exam pool; First sending module generates data peace for obtaining multiple data safety topics that module obtains based on described first Full test questionnaire, and data safety test questionnaire is sent to the user terminal.);

providing the corresponding test questions for … to the target user; (CN, page 3, data safety is tested into questionnaire It is sent to the user terminal);

determining a security knowledge level test result from inputs to the client device by the target user in response to viewing the corresponding test questions, wherein the security knowledge level test result represents that the target user has failed the security knowledge level test; (CN, page 6, para 4, Wherein, risk can be carried out different grades of division by the height of score according to by the result of the test, such as " 91-100, low-risk ", " 71-90, risk ", " 61-70, high risk ", " 0-60, risk " etc.
Examiner interprets users who test results are from 91-100 are users that have passed; and users who have low scores, for example 0-60, have not passed);

automatically adjusting a risk control policy associated with the client device based on the security knowledge level test result; and (CN, page 5, third para, being that questionnaire comes to correlation by inquiry for the monitoring of people's data safety legal consciousness Personage tests and assesses, but for the people of different field needed for it is to be understood that rules and regulations content be also different... it may be necessary to the rule for using and abiding by system is variant, therefore the test of data safety needed for people different when testing topic is also different; CN, page 6, If the target answer solution analyze it is incorrect, according to target answer described in the target data safety legislation Policy Updates parse; CN page 7, content of statutory rules generates multiple update data safeties topics corresponding with each updated data safety statutory rules);

Yet, CN does not appear to explicitly teach and in the same field of endeavor Drake teaches

presentation on a client device (Drake, Figure 1, teaches presentation on a client device)

blocking a particular action performed by the target user on the client device in accordance with the adjusted risk control policy, wherein the particular action when performed by another user on another client device will not be blocked in accordance with a risk control policy associated with the other client device that has been adjusted based on another security knowledge level test result representing that the other target user has passed another security knowledge level test (See at least Drake, para 0521-0522, 0524-0526, discussing blocking actions to prevent fraudulent activity, for example Actions that users might wish to perform (e.g. sending money to family) can be at risk of malware interference (e.g. the malware changing the recipient of the money to someone else). Examiner notes this is analogous to Applicant’s own specification example, para 0138, recites: “when the user needs to transfer a large amount of money in a bank”; Further, rejecting actions of a user is found throughout Drake, see for example Drake, para 0530, teaches “If a signature is invalid, the provider should reject whatever action might be found within the response, since it may have been interfered with maliciously.” Examiner notes Drake also describes a user passing a security test, for example Drake, para 0524, teaches “If the user provides a correct code, this lets the provider know with reasonable confidence that the user is confirming the correct intended action.”)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN with presentation on a client device ... blocking a particular action performed by the target user on the client device in accordance with the adjusted risk control policy, wherein the particular action when performed by another user on another client device will not be blocked in accordance with a risk control policy associated with the other client device that has been adjusted based on another security knowledge level test result representing that the other target user has passed another security knowledge level test as taught by Drake with the motivation for improvements to authentication, techniques to resist phishing attacks, techniques to neutralize the effects of malware, and numerous related computer security improvements, as well as providing user-experience improvements including increased speed of authentication, enrolment, integration, and other operational aspects, and greater ease of use, convenience, ability to scale and other improvements (Drake, para 0022). The CN invention now incorporating the Drake invention, has all the limitations of claim 1.

Regarding Claim 4, CN, now incorporating Drake, teaches The method of claim 1, wherein obtaining the target security knowledge test requirement information set that corresponds to the target security regulatory authorities comprises: obtaining customized requirement information from the target security regulatory authority; and adding the customized requirement information to the target security knowledge test requirement information set that corresponds to the target security regulatory authority (CN, page 5, third para, It has been investigated that currently, being that questionnaire comes to correlation by inquiry for the monitoring of people's data safety legal consciousness Personage tests and assesses, but for the people of different field needed for it is to be understood that rules and regulations content be also different, example Such as the people of different tissues, in even one tissue for the member of different grouping, it may be necessary to the rule for using and abiding by system is variant, therefore the test of data safety needed for people different when testing topic is also just different). 
Regarding Claim 5, CN, now incorporating Drake, teaches The method of claim 1, wherein obtaining the target security knowledge test requirement information set that corresponds to the target security regulatory authorities comprises: providing predetermined requirement information for the target security regulatory authority; obtaining selected requirement information from the target security regulatory authority; and adding the selected requirement information to the target security knowledge test requirement information set that corresponds to the target security regulatory authority (CN, page 5, third para, It has been investigated that currently, being that questionnaire comes to correlation by inquiry for the monitoring of people's data safety legal consciousness Personage tests and assesses, but for the people of different field needed for it is to be understood that rules and regulations content be also different, example Such as the people of different tissues, in even one tissue for the member of different grouping, it may be necessary to the rule for using and abiding by system is variant, therefore the test of data safety needed for people different when testing topic is also just different; CN, page 5, people of different field needed for it is to be understood that rules and regulations content be also different, such as difference The people of (such as different collectives, different enterprises, different geographical etc.)). 
Regarding Claim 6, CN, now incorporating Drake, teaches The method of claim 1, wherein the security knowledge test request comprises… , the plurality of security regulatory authorities each corresponds to a respective location range and performs the security knowledge level test for users located within the respective location range, and wherein determining the target security regulatory authority: (CN, page 5, people of different field needed for it is to be understood that rules and regulations content be also different, such as difference The people of (such as different collectives, different enterprises, different geographical etc.); CN, Abstract, appraisal procedure of data safety, at least one data safety statutory rules corresponding with the user are matched; multiple data safety topics relevant to each data safety statutory rules are obtained from preset exam pool; So as to independently provide different safety test questionnaires for different users, the matching degree between safety test questionnaire and tested personnel is effectively ensured); determining a security regulatory authority as the target security regulatory authority when … is within a respective location range of the security regulatory authority (CN, page 5, people of different field needed for it is to be understood that rules and regulations content be also different, such as difference The people of (such as different collectives, different enterprises, different geographical etc.)). Yet, CN does not appear to explicitly teach and in the same field of endeavor Drake teaches a current location of the target user … the current location of the target user (Drake, para 0353, User GPS coordinates). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN with a current location of the target user … the current location of the target user as taught by Drake with the motivation for improvements to authentication, techniques to resist phishing attacks, techniques to neutralize the effects of malware, and numerous related computer security improvements, as well as providing user-experience improvements including increased speed of authentication, enrolment, integration, and other operational aspects, and greater ease of use, convenience, ability to scale and other improvements (Drake, para 0022).

Regarding Claim 7, CN, now incorporating Drake, teaches The method of claim 1, wherein the target security regulatory authority updates the target security knowledge test requirement information set, and the method further comprises: (CN, page 7, for when any one of data safety law in the multiple data safety statutory rules When the content of rule has update, the content of updated data safety statutory rules is obtained; each of the module acquisition updated data safety for being directed to the third The content of statutory rules generates multiple update data safeties topics corresponding with each updated data safety statutory rules); sending an update … update … to retake the security knowledge level test (CN, page 7, content of statutory rules generates multiple update data safeties topics corresponding with each updated data safety statutory rules; CN, page 3, the data safety is tested into questionnaire It is sent to the user terminal.) Yet, CN does not appear to explicitly teach and in the same field of endeavor Drake teaches notification to a user who satisfies a predetermined … condition, wherein the … notification reminds the user (Drake, para 0360, When a positive match is found, the credential agent notifies the User).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN with notification to a user who satisfies a predetermined … condition, wherein the … notification reminds the user as taught by Drake with the motivation for improvements to authentication, techniques to resist phishing attacks, techniques to neutralize the effects of malware, and numerous related computer security improvements, as well as providing user-experience improvements including increased speed of authentication, enrolment, integration, and other operational aspects, and greater ease of use, convenience, ability to scale and other improvements (Drake, para 0022).

Regarding Claim 8, CN, now incorporating Drake, teaches The method of claim 7, wherein the user who satisfies the predetermined update condition comprises one or both of: (CN, page 7, content of statutory rules generates multiple update data safeties topics corresponding with each updated data safety statutory rules); a user who passes the security knowledge level test of the target security regulatory authority, or a user of all users who have passed the security knowledge level test of the target security regulatory authority and satisfies a user feature included in the target security knowledge test requirement information that has been updated (CN, page 7, sending module, answer parsing report and described first for generating first generation module generate The assessment parsing report that module generates is sent; CN, page 6, risk can be carried out different grades of division by the height of score according to by the result of the test, such as " 91-100, low-risk ", " 71-90, risk ", " 61-70, high risk ", " 0-60, risk " etc. Answer parsing report and assessment parsing report are sent to the user terminal. Examiner interprets users who test results are from 91-100 are users that have passed).
Regarding Claim 9, CN, now incorporating Drake, teaches The method of claim 1, wherein the security knowledge test request is sent based … by another user, and wherein the method further comprises: … the security knowledge level test results of the target user to the another user (CN, page 7, sending module, answer parsing report and described first for generating first generation module generate The assessment parsing report that module generates is sent; CN, page 6, para 4, Wherein, risk can be carried out different grades of division by the height of score according to by the result of the test, such as " 91-100, low-risk ", " 71-90, risk ", " 61-70, high risk ", " 0-60, risk " etc.). Yet, CN does not appear to explicitly teach and in the same field of endeavor Drake teaches on a scanning result of a sharing code provided … synchronizing (Drake, Figure 4, teaches scanning and sharing a code, elements 427 and element 424 teaches a QR code; Drake, claim 40, an authentication service in synchronization). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN with scanning result of a sharing code provided … synchronizing as taught by Drake with the motivation for improvements to authentication, techniques to resist phishing attacks, techniques to neutralize the effects of malware, and numerous related computer security improvements, as well as providing user-experience improvements including increased speed of authentication, enrolment, integration, and other operational aspects, and greater ease of use, convenience, ability to scale and other improvements (Drake, para 0022). 
Regarding Claim 10, CN, now incorporating Drake, teaches The method of claim 1, further comprising: issuing, to the target user, a credential … that represents the test result, wherein … (CN, page 6, the assessment parsing report name of the user, the score of the user, test as a result, the risk of risk require point, quantity of mistake topic etc. …. Wherein, risk can be carried out different grades of division by the height of score according to by the result of the test, such as " 91-100, low-risk ", " 71-90, risk ", " 61-70, high risk ", " 0-60, risk " etc.) Yet, CN does not appear to explicitly teach and in the same field of endeavor Drake teaches code … a scanning result of the … code comprises information about the target user (Drake, Figure 4, teaches scanning and sharing a code, elements 427 and element 424 teaches a QR code; Drake, para 0209, Serial numbers are any unique-among-the-set-of-issued-tokens identifier for an individual token… They are also appended to URLs encoded in QR codes. Examiner notes QR codes store user information). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN with code … a scanning result of the … code comprises information about the target user as taught by Drake with the motivation for improvements to authentication, techniques to resist phishing attacks, techniques to neutralize the effects of malware, and numerous related computer security improvements, as well as providing user-experience improvements including increased speed of authentication, enrolment, integration, and other operational aspects, and greater ease of use, convenience, ability to scale and other improvements (Drake, para 0022).

Regarding claims 11 and 12 the claims are an obvious variant to claim 1 above, and are therefore rejected on the same premise.
CN further teaches non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations and A system, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media. See at least CN, page 4, teaches computer readable storage medium; CN, page 8, teaches processor and memory with executable machine readable instructions.

Regarding Claim 15, the claim recites analogous limitations to claim 4 above, and is therefore rejected on the same premise.
Regarding Claim 16, the claim recites analogous limitations to claim 5 above, and is therefore rejected on the same premise.
Regarding Claim 17, the claim recites analogous limitations to claim 6 above, and is therefore rejected on the same premise.
Regarding Claim 18, the claim recites analogous limitations to claim 7 above, and is therefore rejected on the same premise.
Regarding Claim 19, the claim recites analogous limitations to claim 8 above, and is therefore rejected on the same premise.
Regarding Claim 20, the claim recites analogous limitations to claim 9 above, and is therefore rejected on the same premise.

Claims 2-3 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over CN and Drake, and further in view of Dettman et al. (WO 2013/0123548 A2), hereinafter “Dettman”.
Regarding Claim 2, CN, now incorporating Drake, teaches The method of claim 1, further comprising: … to the target user when the test result indicates that the target user has passed the security knowledge level test, wherein the first credential indicates that the target user has passed the security knowledge level test of the target security regulatory authority; and … to the target user when the test result indicates that the target user has not passed the security knowledge level test, wherein the second credential indicates that the target user has not passed the security knowledge level test of the target security regulatory authority (CN, page 7, sending module, answer parsing report and described first for generating first generation module generate The assessment parsing report that module generates is sent; CN, page 6, risk can be carried out different grades of division by the height of score according to by the result of the test, such as " 91-100, low-risk ", " 71-90, risk ", " 61-70, high risk ", " 0-60, risk " etc. Answer parsing report and assessment parsing report are sent to the user terminal. Examiner interprets users who test results are from 91-100 are users that have passed; and users who have low scores, for example 0-60, have not passed). Yet, CN and Drake do not appear to explicitly teach and in the same field of endeavor Dettman teaches issuing a first credential … issuing a second credential (Dettman, para 0055, teaches issued certificate(s) for example from a certification authority, self-signed certificate(s), public certificate(s), private certificate(s), trust certificate(s), Certification Authority (CA) certificate(s); Dettman, para 0085, Figure 2 illustrates a key management architecture through the use of layers. For example, a first layer may enable the management of credentials). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN and Drake with issuing a first credential … issuing a second credential as taught by Dettman with the motivation to provide improved private and/or secure communications between users and/or applications (Dettman, para 0022). The CN and Drake invention now incorporating the Dettman invention, has all the limitations of claim 2.

Regarding Claim 3, CN, now incorporating Drake and Dettman, teaches The method of claim 2, … to retake the security knowledge level test (CN, page 3, the data safety is tested into questionnaire It is sent to the user terminal). Yet, CN and Drake do not appear to explicitly teach and in the same field of endeavor Dettman teaches wherein the first credential has a validity period, and the method further comprises: sending a notification of expiration to the target user when a current time point is outside the validity period of the first credential, wherein the notification of expiration reminds the target user (Dettman, para 0212, Warnings may include pending certificate expiry etc. Notifications may be delivered in many forms and in many ways. Notifications may have a severity level. Notifications may be bunched together, such that if many events occur in a given time period, then a single notification containing relevant events included in that notification).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine CN and Drake with wherein the first credential has a validity period, and the method further comprises: sending a notification of expiration to the target user when a current time point is outside the validity period of the first credential, wherein the notification of expiration reminds the target user as taught by Dettman with the motivation to provide improved private and/or secure communications between users and/or applications (Dettman, para 0022).

Regarding Claim 13, the claim recites analogous limitations to claim 2 above, and is therefore rejected on the same premise.
Regarding Claim 14, the claim recites analogous limitations to claim 3 above, and is therefore rejected on the same premise.

Response to Arguments

Applicant’s arguments filed on 07/30/2025 have been fully considered but they are not persuasive.

Regarding 35 U.S.C. § 101 rejections: Examiner has updated the 101 rejections in light of the most recent claim amendments. Applicant’s arguments have been fully considered but are found unpersuasive and Examiner maintains the 101 rejection. With respect to Applicant’s remarks: “...Thus, each of the independent claims, as amended, is similar to the patent-eligible claim 3 in "Example 47. Anomaly Detection" provided in the 2024 Guidance Update on Patent Subject Matter Eligibility, Including on Artificial Intelligence.
Applicant respectfully submits that under Step 2A, Prong Two analysis, "automatically adjusting a risk control policy associated with the client device based on the security knowledge level test result" and "blocking a particular action performed by the target user on the client device in accordance with the adjusted risk control policy," as recited in the amended independent claims, are indistinguishable for eligibility purposes from "(d) detecting a source address associated with the one or more malicious network packets in real time; (e) dropping the one or more malicious network packets in real time; and (f) blocking future traffic from the source address," as recited in the patent eligible claim 3 provided in Example 47. Just as how the patent-eligible claim 3 in Example 47 recites subject matter that reflects an improvement in the technical field of network intrusion detection ("Steps (d)-(f) provide for improved network security using the information from the detection to enhance security by taking proactive measures to remediate the danger by detecting the source address associated with the potentially malicious packets." Id.), the present case recites subject matter that reflects an improvement in the technical field of information security. See, e.g., "reduce the possibility that the user loses property due to a fraud or intimidation," at paragraph 0138 of the Specification, and "reduce the possibility that the user is infringed by a risk," at paragraphs 0140 and 174 of the Specification. For the reasons noted above, Applicant respectfully submits that the independent claims are directed to patent eligible subject matter, and the rejection should therefore be withdrawn.” Examiner respectfully disagrees. As an initial matter, Applicant is arguing limitations (blocking a particular action, etc.) that are not in Applicant’s specification, see above 112(a) rejection. 
Further, with respect to integration of the abstract idea into a practical application, the computing elements are additional elements to perform the steps and amount to no more than mere instructions to apply the exception using generic computer components. Examiner fails to see how the generic recitations of these most basic computer components and/or of a system so integrates the judicial exception as to “impose a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception.” Guidance, 84 Fed. Reg. at 53. Thus, Examiner finds that the claims recite the judicial exception of certain methods of organizing human activity and mental processes and is not integrated into a practical application. With respect to Applicant’s remarks analogizing Example 47, Examiner does not find Applicant’s remarks persuasive. The reasoning given in Example 47 analysis is as follows: The consideration of whether the claim as a whole includes an improvement to a computer or to a technological field requires an evaluation of the specification and the claim to ensure that a reflects the asserted improvement. See MPEP 2106.04(d)(1). According to the background section, existing systems use various detection techniques for detecting potentially malicious network packets and can alert a network administrator to potential problems. The disclosed system detects network intrusions and takes real-time remedial actions, including dropping suspicious packets and blocking traffic from suspicious source addresses. The background section further explains that the disclosed system enhances security by acting in real time to proactively prevent network intrusions. 
Examiner again, respectfully notes Applicant’s specification does not include “blocking”, let alone “blocking a particular action...” Even further, with respect to Example 47, the claimed invention was directed to: “using an artificial neural network (ANN) to detect malicious network packets comprising: training, by a computer, the ANN based on input data and a selected training algorithm to generate a trained ANN, wherein the selected training algorithm includes a backpropagation algorithm and a gradient descent algor

Prosecution Timeline

May 05, 2023
Application Filed
May 02, 2025
Non-Final Rejection — §101, §103, §112
Jul 22, 2025
Examiner Interview Summary
Jul 22, 2025
Applicant Interview (Telephonic)
Jul 30, 2025
Response Filed
Oct 09, 2025
Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12511700
METHOD AND SYSTEM FOR PESTICIDE MANAGEMENT OF AN ARABLE FIELD
2y 5m to grant Granted Dec 30, 2025
Patent 12430655
SYSTEMS AND METHODS FOR ASSOCIATING DESCRIPTIVE INFORMATION WITH AN ASSET OF A SERVICE BUSINESS
2y 5m to grant Granted Sep 30, 2025
Patent 11854104
METHODS AND SYSTEMS FOR MANAGING SCHOOL ATTENDANCE OF SMART CITY BASED ON THE INTERNET OF THINGS
2y 5m to grant Granted Dec 26, 2023
Patent 11803861
SYSTEM AND METHOD FOR MATCHING A CUSTOMER AND A CUSTOMER SERVICE ASSISTANT
2y 5m to grant Granted Oct 31, 2023
Patent 11803928
PROMOTING A TUTOR ON A PLATFORM
2y 5m to grant Granted Oct 31, 2023
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
6%
Grant Probability
14%
With Interview (+7.3%)
4y 10m
Median Time to Grant
Moderate
PTA Risk
Based on 189 resolved cases by this examiner. Grant probability derived from career allow rate.
