Prosecution Insights
Last updated: April 19, 2026
Application No. 18/381,771

ADAPTIVE AUTHENTICATION FOR ACCESS TO SECURE NETWORK RESOURCES

Non-Final OA §103
Filed
Oct 19, 2023
Examiner
CHAI, LONGBIT
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Cyberark Software Ltd.
OA Round
3 (Non-Final)
88%
Grant Probability
Favorable
3-4
OA Rounds
2y 9m
To Grant
99%
With Interview

Examiner Intelligence

Grants 88% — above average
88%
Career Allow Rate
647 granted / 737 resolved
+29.8% vs TC avg
Strong +32% interview lift
Without
With
+32.3%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
23 currently pending
Career history
760
Total Applications
across all art units

Statute-Specific Performance

§101
14.4%
-25.6% vs TC avg
§103
36.7%
-3.3% vs TC avg
§102
30.4%
-9.6% vs TC avg
§112
8.0%
-32.0% vs TC avg
Based on career data from 737 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Currently pending claims are 1 – 30.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01/06/2026 has been entered.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 7, 10 – 19 & 21 are rejected under 35 U.S.C. 103 as being unpatentable over Sade et al. (U.S. Patent 10,116,658), in view of Geosim et al. (U.S. Patent 7,308,581).

As per claim 1 & 21, Sade teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing adaptive authentication for native access to secure network resources, the operations comprising: identifying a request from a network identity to access at least one network resource (Sade: Figure 2B / E-2000 & Col. 2 Line 9 – 12 and Col. 7 Line 24 – 27: identifying a request sent from a client (i.e. networking identity) to access a target service); identifying data associated with the network identity (Sade: see above & Col. 4 Line 51 – 57, Col. 3 Line 18 – 19, Col. 11 Line 18 – 25 and Col. 7 Line 45 – 58 / Line 28 – 35: as per an existing privileged account, obtaining a credential of an access token (i.e. PAT: privileged access ticket) from an authentication service based on a privileged credential (e.g. personal credential) associated with the existing privileged account, wherein the credential of the access token (i.e. PAT) can be a one-time (temporary / short-lived) ephemeral credential(s)); performing at least one first authentication of the network identity, wherein at least one aspect of the first authentication is determined based on an authentication policy and the data associated with the network identity (Sade: see above & Col. 4 Line 55 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: accessing the target service using the created (e.g.) one-time (temporary / short-lived) access token (i.e. PAT) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service); enabling, based on the at least one first authentication, the network identity to access at least one network resource using a native communication protocol (Sade: see above & Col. 3 Line 60 – 67 and Col. 
5 Line 20 – 23: (a) a proxy entity of CMS (Credential Management System) authenticates the client (network identity) based on an authentication credential sent in the request via (e.g.) a Kerberos protocol, wherein (b) the CMS entity can be an endpoint device on which the client resides – this constitutes a native client and communication protocol). However, Sade does not disclose expressly after the at least one first authentication, identifying additional data associated with the network identity. Geosim (& Sade) teaches monitoring, after the at least one first authentication, a communication between the network identity and the at least one network resource to identify additional data associated with the network identity (Sade: see above & Col. 11 Line 24 – 25: (a) Sade first teaches: (a-1) monitoring and identifying a request sent from a client (i.e. networking identity) to access a network resource of a target service (Sade: Figure 2B / E-2000 & Col. 2 Line 9 – 12 and Col. 7 Line 24 – 27) and (a-2) identifying data associated with the network identity (i.e. the client) such as an one-time (temporary / short-lived) access token based on a privileged credential (e.g. personal credential) so as to authenticate the user / client to establish a communication session with the network resource of a target service (Sade: see above & Col. 4 Line 51 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32, Col. 11 Line 18 – 25 and Col. 7 Line 28 – 35 / 45 – 58 / Line 28 – 35). (b) However, Examiner notes according to MPEP 2111 of the broadest and reasonable claim interpretations, applicant’s argument has no merit since the alleged limitation such as “what is the exact content of additional data” associated with the network identity (i.e. the client) has not been specifically recited into the claim. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. 
See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). (b-1) In light of that, Examiner notes any additional data related to the data access request sent from the user / client (network identity) is qualified as one type of additional data associated with the network identity, as recited in the claim. (b-2) Accordingly, Geosim teaches after a user has presented a first authentication with a static image (biometric data), the system continues to monitor and identify additional data such as repeated periodically taking a live image (in addition to a static image) of biometric data associated with the user in order to access the secured data of course materials (Geosim: Abstract & Col. 13 Line 26 – 54). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of after the at least one first authentication, identifying additional data associated with the network identity because Geosim teaches to alternatively, effectively and securely provide an enhanced security policy such as after a user has presented a first authentication with a static image (biometric data), the system continues to monitor and identify additional data such as taking a live image of the user repeated periodically (in addition to a static image) of biometric data in order to access the secured data of course materials (see above) within the Sade’s CMS management system authorizing the client using the client’s authentication credential(s) to access the target service based on various requirements of the security policy (see above). updating the authentication policy based on the data associated with the network identity and the additional data associated with the network identity identified by monitoring the communication (Geosim: Abstract & Col. 
13 Line 26 – 54: updating the authentication policy to include requiring at least one of an additional factor based on the additional data such as repeated periodically using a live image (in addition to a static image) of biometric data associated with the user in order to access the secured data of course materials – This is also consistent with the disclosure of the instant specification (Spec-PG.PUB [0013]: updating the authentication policy includes requiring at least one of an additional factor or an alternative factor based on the additional data); and dynamically performing at least one second authentication of the network identity, wherein at least one aspect of the second authentication is based on the updated authentication policy (Geosim: Abstract & Col. 13 Line 40 – 54: dynamically performing a plurality of second authentications in real time by comparing a live image repeatedly periodically to confirm that the user’s image is live and not simply a static image held in front of a camera for authentication – This is also consistent with the disclosure of the instant specification (Spec-PG.PUB [0025]: comparing the stored at least a portion of the data associated with the network identity with the additional data). As per claim 2, Sade as modified teaches wherein the data associated with the network identity is received as part of the request (Geosim: Abstract & Col. 13 Line 40 – 54: see above). As per claim 3, Sade as modified teaches wherein the data associated with the network identity is accessed from a storage location (Geosim: Abstract & Col. 13 Line 8 – 13). 
As per claim 4, Sade as modified teaches wherein at least one of the data associated with the network identity or the additional data associated with the network identity includes at least one of: a username of the network identity; a group the network identity is associated with; a role the network identity is associated with; a type of authentication used for the network identity; an IP address associated with the network identity; a type of a client associated with the network identity; a location of the network identity; a network provider for the network identity; a license associated with the network identity; a type of the native communication protocol; a selected cipher suite; the requested network resource; metadata associated with the requested network resource; the requested action; or a device identifier (Geosim: Abstract & Col. 13 Line 40 – 54: see above: the requested network resource is a secured on-line course materials). As per claim 5, Sade as modified teaches identifying a request by the network identity to perform an action associated with the at least one network resource; and enabling, based on the at least one second authentication, the network identity to perform the action (Geosim: Abstract & Col. 13 Line 40 – 54: see above). As per claim 6, Sade as modified teaches wherein the authentication policy includes a multi-factor authentication policy (Sade: see above & Col. 2 Line 30 – 32: (e.g.) including at least, (i) client’s authentication credentials used by the client along with (ii) the IP address or time of the requests) || (Geosim: Abstract & Col. 13 Line 40 – 54: see above). As per claim 7, Sade as modified teaches wherein updating the authentication policy includes requiring at least one of an additional factor or an alternative factor based on the additional data (Geosim: Abstract & Col. 
13 Line 26 – 54: updating the authentication policy to include requiring at least one of an additional factor based on the additional data such as repeated periodically using a live image (in addition to a static image) of biometric data associated with the user in order to access the secured data of course materials – This is also consistent with the disclosure of the instant specification (Spec [0013]: updating the authentication policy includes requiring at least one of an additional factor or an alternative factor based on the additional data). As per claim 10 – 17, the instant claim is directed to a claimed content having functionality corresponding to the Claims 1 – 7, and are rejected by a similar rationale. As per claim 18, Sade as modified teaches wherein the operations further comprise storing at least a portion of the data associated with the network identity in association with the first authentication (Sade: see above & Col. 4 Line 55 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: accessing the target service using the created (e.g.) one-time access token (i.e. PAT) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service). As per claim 19, Sade as modified teaches wherein performing the second authentication of the network identity further includes comparing the stored at least a portion of the data associated with the network identity with the additional data (Geosim: Abstract & Col. 
13 Line 40 – 54: dynamically performing a plurality of second authentications in real time by comparing a live image repeatedly periodically to confirm that the user’s image of biometric data is live and not simply a static image held in front of a camera for authentication – This is also consistent with the disclosure of the instant specification (Spec-PG.PUB [0025]: comparing the stored at least a portion of the data associated with the network identity with the additional data). Claims 22 – 23 & 25 – 30 are rejected under 35 U.S.C.103 as being unpatentable over in view of Sandhu et al. (U.S. Patent 8,406,120), and in view of Sade et al. (U.S. Patent 10,116,658). As per claim 22 & 30, Sandhu teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing adaptive authentication for native access to secure network resources, the operations comprising: identifying a request from a network identity to access a network resource (Sandhu: Col. 3 Line 16 – 19: identifying an access request from a client device and determining whether the client device should be granted to allocate/ access a communication channel (i.e. a part of the network resources) for network services); identifying context information associated with the network identity, the context information including data associated with the network identity and at least one of an authentication policy associated with the network identity or the network resource or an authorization policy associated with the network identity or the network resource (Sandhu: see above & Col. 4 Line 5 – 19: according to an authentication policy associated with a client device, determining whether the quantity of (failed) access request attempt(s) during a period of time is greater than a threshold value (i.e. 
as one type of context information associated with the client device) and in case the quantity is greater than the threshold value (e.g., ten failed access requests in a sixty-second period of time), then reinitializing the operating software (i.e. re-evaluate the security policies in an attempt to remedy the failed access requests) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0098]: restricting how many times a client device may access of network resource within a specific time interval). However, Sandhu does not disclose expressly one authentication of the network identity using a native communication protocol. Sade (& Sandhu) performing, based on the context information and a secret associated with the network identity, at least one authentication of the network identity using a native communication protocol (Sandhu: see above) || (Sade: Col. 4 Line 55 – 57, Col. 3 Line 18 – 19 / Line 60 – 67, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35 and Col. 5 Line 20 – 23: (a) accessing the target service using the created (e.g.) one-time access token (i.e. PAT) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service, and (b) a proxy entity of CMS (Credential Management System) authenticates the client (network identity) based on an authentication credential sent in the request via (e.g.) a Kerberos protocol, wherein (b) the CMS entity can be an endpoint device on which the client resides – this constitutes a native client and communication protocol (Sade: Col. 3 Line 60 – 67 & Col. 5 Line 20 – 23). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of one authentication of the network identity using a native communication protocol because Sade teaches to alternatively, effectively and securely provide a proxy entity of CMS (Credential Management System) authenticates the client (network identity) based on an authentication credential sent in the request via (e.g.) a Kerberos protocol, wherein the CMS entity can be an endpoint device on which the client resides – i.e. as a native client and communication protocol (see above) within the Sandhu’s system of identifying an access request from a client device and determining whether the client device should be granted to allocate/ access a communication channel (i.e. a part of the network resources) for network services (see above). enabling, based on the context information, the network identity to access at least one of the network resource or an additional network resource (Sandhu: see above & Col. 4 Line 5 – 19 || Sade: see above & Col. 3 Line, Col. 4 Line 45 – 57 and Col. 11 Line 21 – 25: (a) first of all, according to an authentication policy associated with a client device, determining whether the quantity of (failed) access request attempt(s) during a period of time has already been greater than a threshold value (i.e. as one type of context information associated with the client device) and in case the quantity has not been greater than the threshold value (Sandhu: see above); and (b) the CMS management entity authorizes the client using the client’s authentication credential to access the target service based on various requirements of the security policy (Sade: Col. 3 Line, Col. 4 Line 45 – 57 and Col. 
11 Line 21 – 25); monitoring, after the at least one first authentication, a communication between the network identity and the at least one of the network resource or the additional network resource to identify additional data associated with the network identity (Sandhu: see above & Col. 4 Line 5 – 19: (a) Sandhu first teaches: monitoring and identifying an access request from a client and based on the data associated with the client (i.e. the network identity) to determine whether the client device should be granted to access a desired target service – e.g. to allocate/ access a communication channel (i.e. a part of the network resources) for network services (Sandhu: Col. 3 Line 16 – 19). (b) However, Examiner notes according to MPEP 2111 of the broadest and reasonable claim interpretations, applicant’s argument has no merit since the alleged limitation such as “what is the exact content of additional data” associated with the network identity (i.e. the client) has not been specifically recited into the claim. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). (b-1) In light of that, Examiner notes any additional data related to the data access request sent from the user / client (network identity) is qualified as one type of additional data associated with the network identity, as recited in the claim. (b-2) Accordingly, Sandhu teaches, after the first (initial) authentication process, determining whether the quantity of (failed) access request attempt(s) during a period of time is greater than a threshold value (i.e. 
as one type of additional data associated with the client device) and in case the quantity is greater than the threshold value (e.g., ten failed access requests in a sixty-second period of time), then reinitializing the operating software in an attempt to remedy the failed access requests – As such, the number of client’s failed attempts is qualified as one type of “additional data”, as asserted by Applicant, to match the claim language to identify additional data associated with the network identity (i.e. the client) –– this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0098]: restricting how many times a client device may access of network resource within a specific time interval). updating the context information based on the additional data (Sandhu: Col. 4 Line 5 – 19 and Col. 3 Line 16 – 19: Sandhu teaches updating the context information associated with the client (i.e. the network identity) in memory store so as to determine whether the client device should be granted to access a desired target service (e.g. to allocate/ access a communication channel (i.e. a part of the network resources) for network services) based on the additional data related to the access-request attempts such as how many times of failed access requests in a sixty-second period of time (Sandhu: Col. 4 Line 5 – 19 and Col. 3 Line 16 – 19) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0098]: restricting how many times a client device may access of network resource within a specific time interval); and dynamically validating an action performed by the network identity based on the updated context information (Sandhu: Col. 4 Line 5 – 19 and Col. 3 Line 16 – 19: Sandhu also teaches dynamically validating whether the client device should be granted to access a desired target service (e.g. to allocate/ access a communication channel (i.e. 
a part of the network resources) for network services) based on the additional data related to the access-request attempts such as how many times of failed access requests in a sixty-second period of time (Sandhu: Col. 4 Line 5 – 19 and Col. 3 Line 16 – 19) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0098]: restricting how many times a client device may access of network resource within a specific time interval). As per claim 23, Sandhu as modified teaches wherein the secret includes a one-time password (Sade: Col. 4 Line 55 – 57, Col. 3 Line 18 – 19 / Line 60 – 67, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35 and Col. 5 Line 20 – 23: (a) accessing the target service using the created (e.g.) one-time access token (i.e. PAT) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service). As per claim 25 – 27, the instant claim is directed to a claimed content having functionality corresponding to the Claims 22 – 4, and are rejected by a similar rationale. As per claim 28, Sandhu as modified teaches wherein the request from the network identity to access the network resource occurs during a current session and wherein the context information is based on the current session (Sandhu: see above & Col. 4 Line 5 – 19: during the on-going current session, according to an authentication policy associated with a client device, determining whether the quantity of (failed) access request attempt(s) during a period of time is greater than a threshold value (i.e. 
as one type of context information associated with the client device) and in case the quantity is greater than the threshold value (e.g., ten failed access requests in a sixty-second period of time), then re-evaluate the security policies in an attempt to remedy the failed access requests – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0098]: restricting how many times a client device may access of network resource within a specific time interval). As per claim 29, Sandhu as modified teaches wherein the request from the network identity to access the network resource occurs during a current session and wherein at least a portion of the context information is based on a previous session distinct from the current session (Sandhu: see above & Col. 4 Line 5 – 19: in case when the time window such as 60 seconds (i.e. threshold of time interval metric) as described above, the respective correlation of the target time window would cross-over two consecutive sessions – i.e. the current session and the previous session time interval(s)). Claims 8 – 9 are rejected under 35 U.S.C.103 as being unpatentable over Sade et al. (U.S. Patent 10,116,658), in view of Geosim et al. (U.S. Patent 7,308,581), and in view of Barari et al. (U.S. Patent 7,540,022). As per claim 8, Barari (& Sade as modified) teaches wherein the authentication policy includes a single sign-on policy (Barari: Abstract & Col. 2 Line 49 – 60: an authentication policy in conjunction with a single sign-on policy) || (Sade: see above & Col. 4 Line 55 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: accessing the target service using the created (e.g.) one-time access token (i.e. PAT / OTP) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of the authentication policy including a single sign-on policy because Barari teaches to alternatively, effectively and securely provide an authentication policy in conjunction with a single sign-on policy (see above) within the Sade’s CMS management system authorizing the client using the client’s authentication credential(s) to access the target service based on various requirements of the security policy (see above). As per claim 9, Barari (& Sade as modified) teaches wherein updating the authentication policy includes invalidating a secret associated with the single sign-on policy (Barari: see above & Col. 2 Line 55 – 60: only the latest OTP is thereafter used and any other OTP (secret) is invalidated). Claim 20 is rejected under 35 U.S.C.103 as being unpatentable over Sade et al. (U.S. Patent 10,116,658), in view of Geosim et al. (U.S. Patent 7,308,581), and in view of Pereira et al. (U.S. Patent 11,075,918). As per claim 20, Pereira (& Sade as modified) teaches wherein updating the authentication policy based on the data associated with the network identity and the additional data associated with the network identity includes inputting the data and the additional data into a trained machine learning model (Pereira: Col. 6 Line 17 – 24 & Col. 5 Line 48 – 53: (a) inputting the user identifiers and the collected data into a machine learning model for authenticating the request from the user / client device and accordingly, (b) the analytical process can result in an updating of the security authorization policies). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of inputting the data and the additional data into a trained machine learning model for updating the authentication policy because Pereira teaches to alternatively, effectively and securely provide an enhanced security mechanism by inputting the user identifiers and the collected data into a machine learning model for authenticating the request from the user / client device and accordingly, the analytical process can result in an updating of the security authorization policies (see above) within the Sade’s CMS management system authorizing the client using the client’s authentication credential(s) to access the target service based on various requirements of the security policy (see above). Claim 24 is rejected under 35 U.S.C.103 as being unpatentable over Sandhu et al. (U.S. Patent 8,406,120), and in view of Sade et al. (U.S. Patent 10,116,658), and in view of Barari et al. (U.S. Patent 7,540,022). As per claim 24, Barari (& Sandhu as modified) teaches wherein the authentication policy includes a single sign-on policy (Barari: Abstract & Col. 2 Line 49 – 60: an authentication policy in conjunction with a single sign-on policy) || (Sade: see above & Col. 4 Line 55 – 57, Col. 3 Line 18 – 19, Col. 2 Line 29 – 32 and Col. 7 Line 28 – 35: accessing the target service using the created (e.g.) one-time access token (i.e. PAT / OTP) based on the privileged credential (e.g. personal credential) associated with the existing privileged account to establish a communication session with the target service). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of the authentication policy including a single sign-on policy because Barari teaches to alternatively, effectively and securely provide an authentication policy in conjunction with a single sign-on policy (see above) within the Sandhu’s system of identifying an access request from a client device and determining whether the client device should be granted to allocate/ access a communication channel (i.e. a part of the network resources) for network services (see above). Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2496 – 2026

Prosecution Timeline

Oct 19, 2023
Application Filed
Jun 15, 2025
Non-Final Rejection — §103
Sep 18, 2025
Response Filed
Oct 05, 2025
Final Rejection — §103
Jan 06, 2026
Request for Continued Examination
Jan 24, 2026
Response after Non-Final Action
Jan 27, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574418
CONFIDENTIAL RESOURCE TRUSTED DOMAIN MIGRATION STRATEGY
2y 5m to grant Granted Mar 10, 2026
Patent 12568099
FINDING ANOMALOUS PATTERNS
2y 5m to grant Granted Mar 03, 2026
Patent 12568086
AUTOMATIC SECURITY COVERAGE EXPANSION OF CLOUD SECURITY POSTURE MANAGEMENT (CSPM) ASSETS
2y 5m to grant Granted Mar 03, 2026
Patent 12563097
Systems and methods for tag-based policy enforcement for dynamic cloud workloads
2y 5m to grant Granted Feb 24, 2026
Patent 12563102
DYNAMIC ATTRIBUTE BASED EDGE-DEPLOYED SECURITY
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

3-4
Expected OA Rounds
88%
Grant Probability
99%
With Interview (+32.3%)
2y 9m
Median Time to Grant
High
PTA Risk
Based on 737 resolved cases by this examiner. Grant probability derived from career allow rate.
