DETAILED ACTION
The applicant’s amendment filed on August 20, 2025 has been acknowledged. Claims 2, 4, 5, 12, 14 and 15 have been canceled. Claims 1, 3, 6-11, 13 and 16-20, as amended, are currently pending and have been considered below.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claim 10 is objected to because of the following informalities: Claim 10 recites “ehrtirn” which appears to be a typo. Appropriate correction is required.
Claim 10 is objected to because of the following informalities: Claim 10 has a period in the middle of the claim and fails to end with a period. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 16 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 16 recites the limitation "The method of claim 12" in line 1 of claim 16. There is insufficient antecedent basis for this limitation in the claim. Claim 12 has been canceled as of this amendment; therefore, the claim is indefinite. For the purposes of expedited prosecution, the Examiner has interpreted the claim to depend from claim 11.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, 6-8, 11, 13 and 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha (US 2022/0035925 A1) hereafter Jha, in view of Cheng (US 2009/0006857 A1) hereafter Cheng, further in view of Sundaresh et al. (US 2017/0078265 A1) hereafter Sundaresh, Sosnosky et al. (US 2010/0257346 A1) hereafter Sosnosky.
As per claim 1, Jha discloses an information handling system, comprising:
a central processing unit (CPU) (Jha paragraphs [0115]-[0117]; discloses the system contains both a CPU and memory executing instructions);
a module communicatively coupled to the CPU (Jha paragraphs [0115]-[0116]; discloses that the client system 120 contains the CPU. Figure 3 establishes that the client system contains the Pre-Boot Module which controls the access control for the system. This is discussed in paragraph [0041]); and
a computer readable medium including processor executable instructions that (Jha paragraphs [0115]-[0117]; discloses the system contains both a CPU and memory executing instructions that when executed cause the system to perform the functions), when executed, cause the module to perform operations including:
monitoring password activity wherein monitoring password activity includes monitoring unsuccessful password unlock attempts on each of a plurality of boot paths (Jha paragraph [0066]; discloses monitoring the number of times a password has been incorrectly entered. Jha paragraph [0066]-[0067]; discloses that the system monitors pre-boot thus monitors for all boot paths are prevented based on the monitoring of the password); and
capturing telemetry data generated by the information handling system, including OS boot source information, and transmitting the telemetry data to a cloud-based risk assessment resource (Jha paragraph [0027]; discloses that the central server can be provided in a cloud infrastructure. Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device. Specifically the system captures telemetry data in the form of location data and the boot information to allow the boot process to continue).
responsive to detecting the password activity satisfying a criterion, taking action to restrict access in accordance with a security policy (Jha paragraphs [0067]-[0068]; discloses that a criterion is monitored, specifically the threshold of the number of passwords attempted. When met, the system takes action by locking the system and not permitting the user to provide any more password attempts).
While Jha establishes implementing the access control using a module, it is not explicit that it uses an embedded controller (EC). While Jha establishes monitoring the total number of unsuccessful password attempts and password unlock attempts made, it is not explicit that it monitors the number of unsuccessful password changes. Jha additionally fails to establish what the plurality of boot paths could be, specifically wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Cheng, which like Jha talks about checking the user’s credentials at startup of a device, teaches it is known to implement an authentication system using an embedded controller (EC) (Cheng paragraphs [0013]-[0014]; teaches implementing an embedded controller for retrieving passwords in order to wake up or gain access to a computer system similar to what is shown in Jha. Like Jha, Cheng establishes that the embedded controller will prompt the user to retry the entry until it reaches or exceeds a predetermined limit. Since Cheng establishes the use of embedded controllers for implementing access control, it would have been obvious to use this as a means for implementing the access control in Jha).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system.
The sole difference between the Jha reference and the claimed subject matter is that the Jha reference does not establish the use of an embedded controller. Jha establishes that the monitoring of the use of a password is performed by a module but is not explicit that this is an embedded controller.
The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Cheng establishes this type of monitoring was known in the prior art at the time of the invention.
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is, in the substitution of the module shown in the Jha reference for the embedded controller as taught by Cheng.
Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious.
Therefore, from this teaching of Cheng, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, with using an embedded controller for monitoring the password use as taught by Cheng, for the purposes of using one known element for another. Since Cheng establishes the use of embedded controllers for implementing access control it would have been obvious to use this as a means for implementing the access control in Jha.
While Jha establishes monitoring the total number of unsuccessful password attempts and password unlock attempts made, it is not explicit that it monitors the number of unsuccessful password changes. Jha additionally fails to establish what the plurality of boot paths could be, specifically wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sundaresh, which like the combination talks about monitoring access control, specifically passwords in devices, teaches it is known to monitor the number of unsuccessful password changes made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords. Since the combination already monitors unsuccessful password entries, it would have been obvious to monitor unsuccessful password changes as they are entry or invalid passwords).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. However, the combination fails to establish monitoring the number of unsuccessful password changes made.
Sundaresh teaches monitoring the number of unsuccessful password changes made.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha and Cheng the ability to monitor the number of unsuccessful password changes made as taught by Sundaresh since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Sundaresh, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha and Cheng, with the ability to monitor the number of unsuccessful password changes made as taught by Sundaresh, for the purposes of monitoring security access as taught in Sundaresh. Since the combination already monitors unsuccessful password entries, it would have been obvious to monitor unsuccessful password changes as they are entry or invalid passwords.
The combination additionally fails to establish what the plurality of boot paths could be, specifically wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sosnosky, which like the combination talks about booting devices, teaches it is known for the plurality of boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path (Sosnosky paragraph [0042]; teaches that the boot path includes an operating system such as a local operating system on the machine itself. Paragraph [0043]; teaches remote booting paths such as network OS booting. Paragraph [0058]; teaches booting from a cloud service provider. Since the combination monitors the pre-booting, it covers every path which it can be booted to, which as shown by Sosnosky includes these known paths).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes made. However, the combination fails to establish wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng and Sundaresh the ability for the boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path as taught by Sosnosky since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Sosnosky, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng and Sundaresh, with the ability for the boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path as taught by Sosnosky, for the purposes of monitoring security on booting of the device. Since the combination monitors the pre-booting, it covers every path which it can be booted to, which as shown by Sosnosky includes these known paths.
As per claim 3, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses wherein monitoring unsuccessful password change and password lock attempts includes monitoring unsuccessful preboot password unlock attempts (Jha paragraph [0066]; discloses monitoring the number of times a password has been incorrectly entered, this is done preboot or prior to booting the Operating system).
Sundaresh teaches it is known to monitor the number of unsuccessful password changes made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords).
As per claim 6, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses wherein monitoring password change and password unlock attempts includes monitoring how many unsuccessful password change and unlock attempts have occurred since a most recent successful password change or password unlock attempt (Jha paragraphs [0067]-[0068]; discloses that a criterion is monitored, specifically the threshold of the number of passwords attempted. This is monitoring since the last successful attempt as it has a set threshold which when met the system is locked).
Sundaresh teaches it is known to monitor the number of unsuccessful password changes made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords).
As per claim 7, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses wherein taking action to restrict access includes at least one of: enforcing an operating system (OS) sign on; and enforcing a cloud based login with proof of presence (Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device).
As per claim 8, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses wherein taking action to restrict access includes, responsive to detecting an unsuccessful attempt to change or unlock a basic input/output system (BIOS) password while a safe mode is active, prohibiting boot deviations (Paragraph [0068]; discloses that the system is locked out in BIOS which is pre-boot when the wrong password is entered too many times and remains that way until the password is recovered by retrieving the rescue password from the central server. This prohibits boot deviations as the user is not permitted to boot the system).
As per claim 11, Jha discloses a method comprising:
monitoring, with a module of an information handling system, password activity wherein monitoring password activity includes monitoring unsuccessful password unlock attempts on each of a plurality of boot paths (Jha paragraph [0066]; discloses monitoring the number of times a password has been incorrectly entered. Jha paragraph [0066]-[0067]; discloses that the system monitors pre-boot thus monitors for all boot paths are prevented based on the monitoring of the password);
capturing telemetry data generated by the information handling system, including OS boot source information, and transmitting the telemetry data to a cloud-based risk assessment resource (Jha paragraph [0027]; discloses that the central server can be provided in a cloud infrastructure. Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device. Specifically the system captures telemetry data in the form of location data and the boot information to allow the boot process to continue); and
responsive to detecting the password activity satisfying a criterion, taking action to restrict access in accordance with a security policy (Jha paragraphs [0067]-[0068]; discloses that a criterion is monitored, specifically the threshold of the number of passwords attempted. When met, the system takes action by locking the system and not permitting the user to provide any more password attempts).
While Jha establishes implementing the access control using a module, it is not explicit that it uses an embedded controller (EC).
Cheng, which like Jha talks about checking the user’s credentials at startup of a device, teaches it is known to implement an authentication system using an embedded controller (EC) (Cheng paragraphs [0013]-[0014]; teaches implementing an embedded controller for retrieving passwords in order to wake up or gain access to a computer system similar to what is shown in Jha. Like Jha, Cheng establishes that the embedded controller will prompt the user to retry the entry until it reaches or exceeds a predetermined limit. Since Cheng establishes the use of embedded controllers for implementing access control, it would have been obvious to use this as a means for implementing the access control in Jha).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system.
The sole difference between the Jha reference and the claimed subject matter is that the Jha reference does not establish the use of an embedded controller. Jha establishes that the monitoring of the use of a password is performed by a module but is not explicit that this is an embedded controller.
The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Cheng establishes this type of monitoring was known in the prior art at the time of the invention.
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is, in the substitution of the module shown in the Jha reference for the embedded controller as taught by Cheng.
Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious.
Therefore, from this teaching of Cheng, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, with using an embedded controller for monitoring the password use as taught by Cheng, for the purposes of using one known element for another. Since Cheng establishes the use of embedded controllers for implementing access control it would have been obvious to use this as a means for implementing the access control in Jha.
While Jha establishes monitoring the total number of unsuccessful password attempts and password unlock attempts made, it is not explicit that it monitors the number of unsuccessful password changes. Jha additionally fails to establish what the plurality of boot paths could be, specifically wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sundaresh, which like the combination talks about monitoring access control, specifically passwords in devices, teaches it is known to monitor the number of unsuccessful password changes made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords. Since the combination already monitors unsuccessful password entries, it would have been obvious to monitor unsuccessful password changes as they are entry or invalid passwords).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. However, the combination fails to establish monitoring the number of unsuccessful password changes made.
Sundaresh teaches monitoring the number of unsuccessful password changes made.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha and Cheng the ability to monitor the number of unsuccessful password changes made as taught by Sundaresh since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Sundaresh, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha and Cheng, with the ability to monitor the number of unsuccessful password changes made as taught by Sundaresh, for the purposes of monitoring security access as taught in Sundaresh. Since the combination already monitors unsuccessful password entries, it would have been obvious to monitor unsuccessful password changes as they are entry or invalid passwords.
The combination additionally fails to establish what the plurality of boot paths could be, specifically wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sosnosky, which like the combination talks about booting devices, teaches it is known for the plurality of boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path (Sosnosky paragraph [0042]; teaches that the boot path includes an operating system such as a local operating system on the machine itself. Paragraph [0043]; teaches remote booting paths such as network OS booting. Paragraph [0058]; teaches booting from a cloud service provider. Since the combination monitors the pre-booting, it covers every path which it can be booted to, which as shown by Sosnosky includes these known paths).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes made. However, the combination fails to establish wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng and Sundaresh the ability for the boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path as taught by Sosnosky since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Sosnosky, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng and Sundaresh, with the ability for the boot paths to include an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path as taught by Sosnosky, for the purposes of monitoring security on booting of the device. Since the combination monitors the pre-booting, it covers every path which it can be booted to, which as shown by Sosnosky includes these known paths.
As per claim 13, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 11, Jha further discloses wherein monitoring unsuccessful password change and password lock attempts includes monitoring unsuccessful preboot password change and password lock attempts (Jha paragraph [0066]; discloses monitoring the number of times a password has been incorrectly entered, this is done preboot or prior to booting the Operating system).
Sundaresh teaches it is known to monitor the number of unsuccessful password changes made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords).
As per claim 16, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 12, Jha further discloses wherein monitoring password change and password unlock attempts includes monitoring how many unsuccessful password change and unlock attempts have occurred since a most recent successful password change or password unlock attempt (Jha paragraphs [0067]-[0068]; discloses that a criterion is monitored, specifically the threshold of the number of passwords attempted. This is monitoring since the last successful attempt as it has a set threshold which when met the system is locked).
As per claim 17, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 11, Jha further discloses wherein taking action to restrict access includes at least one of: enforcing an operating system (OS) sign on; and enforcing a cloud based login with proof of presence (Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device).
As per claim 18, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 11, Jha further discloses wherein taking action to restrict access includes, responsive to detecting an unsuccessful attempt to change or unlock a basic input/output (BIOS) password while a safe mode is active, prohibiting boot deviations (Paragraph [0068]; discloses that the system is locked out in BIOS which is pre-boot when the wrong password is entered too many times and remains that way until the password is recovered by retrieving the rescue password from the central server. This prohibits boot deviations as the user is not permitted to boot the system).
Claim(s) 9 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha (US 2022/0035925 A1) hereafter Jha, in view of Cheng (US 2009/0006857 A1) hereafter Cheng, further in view of Sundaresh et al. (US 2017/0078265 A1) hereafter Sundaresh, Sosnosky et al. (US 2010/0257346 A1) hereafter Sosnosky, further in view of Cameron et al. (US 2005/0027713 A1) hereafter Cameron.
As per claim 9, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses further comprising: maintaining the device in a locked state until a cloud issued token is received (Jha paragraph [0060]; discloses the rescue password is stored in the central server associated with each client. Paragraph [0027]; discloses that the central server can be a cloud infrastructure. Paragraph [0068]; discloses that the system is locked out when the wrong password is entered too many times and remains that way until the password is recovered by retrieving the rescue password from the central server as shown in paragraph [0069]).
The combination however fails to explicitly disclose advertising brute force attempts with time and date information.
Cameron, which like the combination talks about password management, teaches it is known to advertise brute force attempts with time and date information (Cameron Paragraphs [0066], [0068] and [0070]; teaches it is known to include all password attempts and changes in the system with who performed them and the date and time they were performed. This is done as an auditing record to track what changes were made and when. Since the combination is already tracking the password attempts it would have been obvious to record them as an audit to act as a history indicating when changes were made and possible problems might have occurred).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes that were made. Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path. However, the combination fails to establish advertising brute force attempts with time and date information.
Cameron teaches advertising brute force attempts with time and date information.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng, Sundaresh and Sosnosky the ability to advertise brute force attempts with time and date information as taught by Cameron, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Cameron, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng, Sundaresh and Sosnosky, with the ability to advertise brute force attempts with time and date information as taught by Cameron, for the purposes of auditing the password history. Since the combination is already tracking the password attempts it would have been obvious to record them as an audit to act as a history indicating when changes were made and possible problems might have occurred.
As per claim 19, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 11, Jha further discloses further comprising: maintaining the device in a locked state until a cloud issued token is received (Jha paragraph [0060]; discloses the rescue password is stored in the central server associated with each client. Paragraph [0027]; discloses that the central server can be a cloud infrastructure. Paragraph [0068]; discloses that the system is locked out when the wrong password is entered too many times and remains that way until the password is recovered by retrieving the rescue password from the central server as shown in paragraph [0069]).
The combination however fails to explicitly disclose advertising brute force attempts with time and date information.
Cameron, which like the combination talks about password management, teaches it is known to advertise brute force attempts with time and date information (Cameron Paragraphs [0066], [0068] and [0070]; teaches it is known to include all password attempts and changes in the system with who performed them and the date and time they were performed. This is done as an auditing record to track what changes were made and when. Since the combination is already tracking the password attempts it would have been obvious to record them as an audit to act as a history indicating when changes were made and possible problems might have occurred).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes that were made. Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path. However, the combination fails to establish advertising brute force attempts with time and date information.
Cameron teaches advertising brute force attempts with time and date information.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng, Sundaresh and Sosnosky the ability to advertise brute force attempts with time and date information as taught by Cameron, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Cameron, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng, Sundaresh and Sosnosky, with the ability to advertise brute force attempts with time and date information as taught by Cameron, for the purposes of auditing the password history. Since the combination is already tracking the password attempts it would have been obvious to record them as an audit to act as a history indicating when changes were made and possible problems might have occurred.
Claim(s) 10 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jha (US 2022/0035925 A1) hereafter Jha, in view of Cheng (US 2009/0006857 A1) hereafter Cheng, further in view of Sundaresh et al. (US 2017/0078265 A1) hereafter Sundaresh, Sosnosky et al. (US 2010/0257346 A1) hereafter Sosnosky, further in view of Golan et al. (US 2005/0097320 A1) hereafter Golan.
As per claim 10, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the information handling system of claim 1, Jha further discloses capturing telemetry data generated by platform and transmitting the telemetry data to a cloud-based risk assessment resource (Jha paragraph [0027]; discloses that the central server can be provided in a cloud infrastructure. Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device. Specifically the system captures telemetry data in the form of location data and the boot information to allow the boot process to continue).
The combination however fails to further disclose further comprising: responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
Golan, which like the combination talks about password recovery, teaches it is known, responsive to receiving risk assessment information indicative of risk level, to dynamically tune the criterion in accordance with the risk level (Golan paragraph [0090]; teaches it is known to receive risk assessment information including risk level of a user and tune the criterion for password recovery based on the risk level. Since the combination already determines password recovery and even includes the user location it would have been obvious to include risk assessment information and dynamically configure the criterion based on the level of risk to enhance security as shown in Golan).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes that were made. Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path. However, the combination fails to establish responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
Golan teaches responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng, Sundaresh and Sosnosky the ability to receive risk assessment information indicative of risk level and dynamically tune the criterion in accordance with the risk level as taught by Golan, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Golan, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng, Sundaresh and Sosnosky, with the ability to receive risk assessment information indicative of risk level and dynamically tune the criterion in accordance with the risk level as taught by Golan, for the purposes of tailoring the requirements to the level of risk. Since the combination already determines password recovery and even includes the user location it would have been obvious to include risk assessment information and dynamically configure the criterion based on the level of risk to enhance security as shown in Golan.
As per claim 20, the combination of Jha, Cheng, Sundaresh and Sosnosky teaches the method of claim 11, the combination however fails to further disclose further comprising responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
Golan, which like the combination talks about password recovery, teaches it is known, responsive to receiving risk assessment information indicative of risk level, to dynamically tune the criterion in accordance with the risk level (Golan paragraph [0090]; teaches it is known to receive risk assessment information including risk level of a user and tune the criterion for password recovery based on the risk level. Since the combination already determines password recovery and even includes the user location it would have been obvious to include risk assessment information and dynamically configure the criterion based on the level of risk to enhance security as shown in Golan).
The primary reference Jha discloses controlling the access to a system by implementing a module for monitoring the use of a password on the system. Specifically, Jha counts the number of times a password was entered incorrectly and, based on exceeding a threshold value, the system will lock out the system and prevent the user from accessing the system. The Cheng reference establishes the use of an embedded controller for monitoring the use of a password in the system. Sundaresh teaches monitoring the number of unsuccessful password changes that were made. Sosnosky teaches wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path. However, the combination fails to establish responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
Golan teaches responsive to receiving risk assessment information indicative of risk level, dynamically tuning the criterion in accordance with the risk level.
It would have been obvious to one of ordinary skill in the art to include in the access control system of Jha, Cheng, Sundaresh and Sosnosky the ability to receive risk assessment information indicative of risk level and dynamically tune the criterion in accordance with the risk level as taught by Golan, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Therefore, from this teaching of Golan, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the method of access control provided by Jha, Cheng, Sundaresh and Sosnosky, with the ability to receive risk assessment information indicative of risk level and dynamically tune the criterion in accordance with the risk level as taught by Golan, for the purposes of tailoring the requirements to the level of risk. Since the combination already determines password recovery and even includes the user location it would have been obvious to include risk assessment information and dynamically configure the criterion based on the level of risk to enhance security as shown in Golan.
Response to Arguments
Applicant's arguments filed August 20, 2025 have been fully considered but they are not persuasive.
In response to the applicant’s arguments on pages 7-8 regarding the art rejection, the Examiner respectfully disagrees.
The applicant has argued that the “teaching of Jha and Cheng does not teach or suggest monitoring password activity wherein monitoring password activity includes monitoring unsuccessful password change and password unlock attempts on each of a plurality of boot paths, wherein the plurality of boot paths includes an operating system (OS) boot path, a network OS boot path, and a service OS (SOS) boot path, in combination with capturing telemetry data generated by the information handling system, including OS boot source information, and transmitting the telemetry data to a cloud-based risk assessment resource”; the Examiner respectfully disagrees. As established in the rejection, Jha discloses monitoring password activity wherein monitoring password activity includes monitoring unsuccessful password unlock attempts on each of a plurality of boot paths (Jha paragraph [0066]; discloses monitoring the number of times a password has been incorrectly entered. Jha paragraph [0066]-[0067]; discloses that the system monitors pre-boot thus monitors for all boot paths are prevented based on the monitoring of the password); and capturing telemetry data generated by the information handling system, including OS boot source information, and transmitting the telemetry data to a cloud-based risk assessment resource (Jha paragraph [0027]; discloses that the central server can be provided in a cloud infrastructure. Jha paragraphs [0112]-[0113]; discloses that the OS sign on is enforced by the location or proof of presence of a device. Specifically, the system captures telemetry data in the form of location data and the boot information to allow the boot process to continue).
Sundaresh teaches it is known to monitor the number of unsuccessful password changes that were made (Sundaresh paragraph [0060]; teaches it is known to monitor and record the history of unauthorized access attempts or unsuccessful password change attempts such as invalid passwords. Since the combination alrea