Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments have been fully considered, but are moot in view of the inclusion of Sumida US 2013/0024769, which meets the claims as amended.
Applicant argues that the Gujarathi reference fails to teach selecting different servers based on the determined data access right. Gujarathi does teach evaluation of access rights based on a risk metric, including full access and limited access thresholds.
Examiner agrees that Gujarathi fails to teach selecting between a first and a second server.
Applicant argues that Lian fails to teach partially restricted access and only shows directing access based on full access or fully restricted access.
Examiner asserts that Lian does show selection of servers based on access level and risk level.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 6-9, 11-14, 16-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gujarathi US 2021/0334091 in view of Lian US 9,294,442 in view of Sumida US 2013/0024769.
As per claims 1, 6, 11, 16. Gujarathi teaches A method for security control, the method implemented by a network traffic management system comprising one or more network traffic management apparatuses, client devices, or server devices, the method comprising: evaluating a security risk of a transaction; determining a risk metric for the transaction based on the evaluation; determining a data access right for the transaction based on the risk metric; and directing the transaction to a target application entity based on the data access right of the transaction. [0025][0047][0050][0051][0080] (teaches requesting access to an application, the user and/or client being evaluated and a risk score calculated from user and device properties; this score is compared to a risk threshold: full access is granted for low risk, partial access for medium risk, and access is denied for high risk)
Gujarathi teaches selecting a target server for a transaction based on a data access right, and based on the risk metric directing the transaction to the selected target server. [0026][0043][0080][0081] (teaches determining a risk score of the transaction based on the user and user attributes, and comparing it against the required authentication attributes in order to select and allow access to a target server; teaches denying or blocking a connection request to the application if access is denied) [0037][0055] (more explicitly teaches that the application may reside on a server, and thus that server must be communicated with based on approval of the transaction)
Lian teaches selecting a target server for a transaction based on a data access right by evaluating a security risk and risk metric, and directing the transaction to the selected server. (Column 3 lines 34-55; Column 4 lines 26-60; Column 6 lines 47-52) (teaches a risk score that violates a trigger threshold, and redirecting the communication to a honeypot server or tarpit; scores or policies that are within the norm are forwarded to the recipient, including a server, as normal)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the teaching of Lian with the prior art because redirecting threshold-violating traffic to a honeypot or tarpit increases security.
Sumida teaches in response to determining the data access right indicates full access, selecting a first server as the target server, and in response to determining the data access right indicates partially restricted access selecting a second server as the target server wherein the second server is different from the first server. [0060][0061] (teaches an authentication certificate and permissions such that a user with only partial access is directed to an intermediate server, while a user with full access is directed to the confidential server)
As per claims 2, 7, 12, 17. Gujarathi teaches The method of claim 1, wherein the determining the data access right of the transaction based on the risk metric further comprising: in response to the risk metric indicating a low risk, assigning a full access right to the transaction; in response to the risk metric indicating a medium risk, assigning a partially restricted access right to the transaction; and in response to the risk metric indicating a high risk, assigning a fully restricted access right to the transaction. [0025][0047][0050][0051][0080] (teaches requesting access to an application, the user and/or client being evaluated and a risk score calculated from user and device properties; this score is compared to a risk threshold: full access is granted for low risk, partial access for medium risk, and access is denied for high risk)
As per claims 3, 8, 13, 18. Lian teaches The method of claim 2, wherein in response to the transaction has a fully restricted access right, the directing the transaction to a target application entity comprising: determining the transaction as an attacking transaction from an attacking source; directing the transaction to a trapping application entity to process the transaction, wherein the trapping application entity responds the transaction with trapping data; obtaining information transmitted from the attacking source during following one or more interactions between the trapping application entity and the attacking source; recording the attacking source and identity of a user initiating the transaction; and analyzing an attacking pattern of the transaction based on the captured information. (Column 4 lines 26-47; Column 6 lines 47-52) (teaches that a high risk request is directed to a honeypot, where communications are observed, including the identity of the attacker and the attacker's techniques)
As per claims 4, 9, 14, 19. Gujarathi teaches The method of claim 3, wherein the evaluating the security risk of the transaction comprises: evaluating the security risk of the transaction based on at least one of the analysis of the attacking pattern, the recorded attacking source, the recorded identity of the user initiating the transaction, a security policy implemented by the network traffic management system, a feature of the transaction, or a behavior of the user initiating the transaction. [0025][0047][0050][0051][0080] (at least the user ID, the source of the request, a feature of the transaction, and detection of malware)
Claim(s) 5, 10, 15, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gujarathi US 2021/0334091 in view of Lian US 9,294,442 in view of Sumida US 2013/0024769 in view of Bowen US 10,171,495.
As per claims 5, 10, 15, 20. Bowen teaches The method of claim 2, wherein, in response to the transaction having a partially restricted access right, directing the transaction to the target application entity with a lower processing load. (Column 3 lines 50-68) (Column 8 lines 20-30) (teaches that a partially restricted transaction is directed to a load balancer that does not take up resources, and thus to a target with a lower load)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the teaching of Bowen with the prior art because directing partially restricted traffic to a lower-load target increases efficiency and security.
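For a reader following the rejection, the combined flow the examiner maps across claims 1 through 5 (score the transaction, band the score into a data access right, send full access to one server and partially restricted access to a different, lower-load server, trap fully restricted traffic in a honeypot, record the attacking source and feed it back into later scoring) is illustrated below. This is an added example written for this page; it is not code from the application or from Gujarathi, Lian, Sumida or Bowen. The attribute weights, the LOW_MAX and MEDIUM_MAX thresholds, the server names and loads, and the attack signatures are all constructed assumptions.

```python
"""Added illustration of the risk-scored routing described in the
rejected claims. Not code from the application or any cited reference;
weights, thresholds, server names, loads and signatures are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class AccessRight(Enum):
    FULL = "full"
    PARTIAL = "partially_restricted"
    RESTRICTED = "fully_restricted"


@dataclass
class Transaction:
    user_id: str
    source_ip: str
    device_managed: bool
    mfa_passed: bool
    geo_anomaly: bool
    malware_detected: bool


@dataclass
class TrapRecord:
    """What the trapping entity keeps about one attacking source (claim 3)."""
    source_ip: str
    user_id: str
    payloads: list = field(default_factory=list)


# Assumed score bands (claim 2: low / medium / high) and attacker weight.
LOW_MAX = 30
MEDIUM_MAX = 70
KNOWN_ATTACKER_WEIGHT = 80


def risk_score(tx: Transaction, known_attackers: set) -> int:
    """Risk metric from user, device and transaction features plus any
    previously recorded attacking source (claims 1 and 4). Weights assumed."""
    score = 0
    if not tx.device_managed:
        score += 30
    if not tx.mfa_passed:
        score += 25
    if tx.geo_anomaly:
        score += 20
    if tx.malware_detected:
        score += 60
    if tx.source_ip in known_attackers:
        score += KNOWN_ATTACKER_WEIGHT
    return min(score, 100)


def access_right(score: int) -> AccessRight:
    """Low -> full, medium -> partially restricted, high -> fully restricted."""
    if score <= LOW_MAX:
        return AccessRight.FULL
    if score <= MEDIUM_MAX:
        return AccessRight.PARTIAL
    return AccessRight.RESTRICTED


# Assumed inventory: full access goes to the confidential server, partial
# access to a different intermediate server (the least loaded one, claim 5).
CONFIDENTIAL_SERVER = "confidential-app-1"
INTERMEDIATE_POOL = {"intermediate-app-1": 0.8, "intermediate-app-2": 0.2}
HONEYPOT = "honeypot-1"

# Crude, assumed signatures for the attack-pattern analysis of claim 3.
SIGNATURES = {"sqli": ("' or ", " union select"), "path_traversal": ("../",)}


class Router:
    def __init__(self):
        self.known_attackers: set = set()
        self.trap_records: dict = {}

    def route(self, tx: Transaction):
        """Return (score, right, target). A fully restricted transaction is
        treated as an attack: it goes to the honeypot and its source and
        user identity are recorded for later scoring."""
        score = risk_score(tx, self.known_attackers)
        right = access_right(score)
        if right is AccessRight.FULL:
            target = CONFIDENTIAL_SERVER
        elif right is AccessRight.PARTIAL:
            target = min(INTERMEDIATE_POOL, key=INTERMEDIATE_POOL.get)
        else:
            target = HONEYPOT
            self.known_attackers.add(tx.source_ip)
            self.trap_records.setdefault(
                tx.source_ip, TrapRecord(tx.source_ip, tx.user_id))
        return score, right, target

    def trap_response(self, source_ip: str, payload: str) -> dict:
        """Honeypot side: keep what the attacker sent, answer with decoy data."""
        rec = self.trap_records[source_ip]
        rec.payloads.append(payload)
        return {"status": "ok", "data": f"decoy-record-{len(rec.payloads)}"}

    def attack_pattern(self, source_ip: str) -> dict:
        """Count signature hits over everything the source sent to the trap."""
        counts = {name: 0 for name in SIGNATURES}
        for p in self.trap_records[source_ip].payloads:
            low = p.lower()
            for name, needles in SIGNATURES.items():
                if any(n in low for n in needles):
                    counts[name] += 1
        return counts
```

The last step of the flow is the one claim 4 turns on: once a source has been trapped, a later transaction from the same address scores high even when the device and authentication look clean, because the recorded attacking source is itself an input to the risk evaluation.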
Conclusion
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439