Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
2. This action is in response to the amendment filed January 21, 2026.
3. Claims 1-21 have been examined and are pending with this action.
Response to Arguments
4. Applicant's arguments filed January 21, 2026 have been fully considered and are not persuasive.
Applicant asserts that the Glatfelter does not teach “whether a security token authorizing access to a cloud-based service is being used from a geographic region different from where it was deployed” (see Remarks, page 7, 2nd paragraph).
First, Glatfelter explicitly teaches in paragraph [0027], a central cloud storage service, accessible via a security token, “As described above, the storage device 250 may be a centralized cloud service or central storage facility to which location information of each individual asset 205-209 is uploaded. Once location information has been uploaded into the storage device 250, the information may then be encrypted and configured for retrieval by a security token 275.”, and paragraph [0028], the use of a security token to access the cloud storage device, “the security token 275 may retrieve the information located in the storage device 250. This information may be retrieved from the storage device 250 either through a direct, wired, or wireless connection.”, emphasis added.
Glatfelter further teaches in paragraph [0045], that the security token is associated with list of assets and approved geographic location information, “A security token is configured to download or receive the list of the plurality of GPS-enabled assets and the set of rules having approved geographical location information for each of the plurality of GPS-enabled assets. The security token then is configured to retrieve current location information 560 from each asset so that a comparison 580 can be performed.”, emphasis added.
Glatfelter goes on to further teaches in paragraph [0054], of a notification informing that a violation has occurred because the asset has moved outside the approved location, “This predetermined action may comprise of informing a user or sending an alert signal to a security token that a rule violation has occurred. The alert signal may be that of a vibration, a visual display, or voice message describing that an asset has been compromised or stolen and is currently outside of its approved location.”, emphasis added.
The combinational teachings of the citations above, clearly and explicitly disclose, teach and in the very least suggest, not only the pending claim limitations, but also teach “whether a security token authorizing access to a cloud-based service is being used from a geographic region different from where it was deployed”, as argued.
Robinson was not cited to teach the above features, but to merely teach that the token was issued by a token service… .
For at least these reasons above and the rejections set forth below, claims 1-21 remain rejected and pending.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. Claims 1, 2, 4-6, 10-12, 14-16, 20, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Glatfelter et al. (US 2017/0323548 A1) in view of Robinson et al. (US 2019/0116173 A1).
INDEPENDENT:
As per claim 1, Glatfelter teaches a method, comprising:
detecting a security token received over a network by a cloud-based service from a cloud-based computer (see Glatfelter, [0027]: “As described above, the storage device 250 may be a centralized cloud service or central storage facility to which location information of each individual asset 205-209 is uploaded. Once location information has been uploaded into the storage device 250, the information may then be encrypted and configured for retrieval by a security token 275. In FIG. 2, the security token 275 is illustrated as a universal serial bus (USB) device; however, the security token 275 may be of any type of token. In other words, the security token 275 is not limited to just a USB device or a thumb drive. Other possibilities of a security token 275 may include: a smart badge, an access card, or a key fob (see FIG. 4 for various alternate examples that may comprise of a security token)”; [0039]: “the security token 275 may also include its own security module 320. The security module 320 may be configured so that a user will need to provide security information in order to access data stored in the memory 315 of the security token 275.”; [0040]: “Since a user may constantly have their smartphone 209 in their possession, a user may also conveniently control assets 205-209 from his/her own smartphone 209. The smartphone 209 may be the user's own personal smartphone 209 or it may be a separate smartphone (not depicted) that the user carries around. The smartphone 209 would also comprise of the components described in the security token 275 illustrated in FIG. 3. For example, the smartphone 209 may also include: battery storage, GPS transmitter/receiver, memory, and/or a security module.”, and [0064]: “The security token's memory 852 may receive or be loaded with binary data from computing device 899 and further store this data in a separate storage device or component”);
identifying a first geographic region in which the security token is deployed (see Glatfelter, [0029]: “Once the information is retrieved, the security token 275 may then receive current geographical location information from each of the GPS-enabled assets 205-209. The security token 275 may use this to perform a comparison of the current location of the assets 205-209 with the retrieved information from the storage device 250 to detect or determine if there exists a rule violation.”; [0031]: “the security token 275 may also be configured to transmit geographical location information of the security token 275 to other assets 205-209 in the multiple GPS-enabled computing device or asset environment 201. For instance, if the security token 275 is compromised or stolen, the GPS transmitter/receiver 310 from the security token 275 may transmit location information to the personal computer 207 where a user with access to personal computer 207 may be notified that the security token 275 is outside of its range or approved geographical location.”; and [0039]: “The GPS location information corresponding to each asset in the security token 275 may be encrypted and thus a security measure may first need to be bypassed before a user may decrypt, obtain, or access information related to the assets 205-209”);
identifying a second geographic region in which the cloud-based computer is deployed (see Glatfelter, [0004]: “One way to increase computer device or asset security in a multiple GPS-enabled or non GPS-enabled (e.g., Wi-Fi or Bluetooth) computing device or asset environment, for instance, is to identify, register, and store location information for each individual computing device or asset.”; and [0024]: “Level 5 security 105 enables a system to identify, register, and store GPS location information for each individual asset. From the GPS location associated with each individual asset, a set of predetermined rules having approved geographical locations can be generated for each asset.”); and
generating an alert for the security token upon detecting that the second geographic region does not match the first geographic region (see Glatfelter, Abstract: “An alert is generated if a computing device or asset that is in a rule violation of the set of rules”; and [0005]: “A system configured to generate a list of GPS-enabled or non GPS-enabled computing devices or assets, storing a set of rules having approved locations corresponding to each of the computing devices or assets, and then generate an alert responding to a computing device or asset that is in violation of the set of rules is disclosed herein. The security token may compare the retrieved information with a current location of an asset to determine if a rule violation has occurred. By retrieving information, data, or a set of rules from a storage device into a security token and comparing the current location of an asset to a set of rules having approved geographical location information associated with the asset, a system may determine, for instance, whether the asset is being misused or stolen”).
Glatfelter does not explicitly teach the security token comprising an access credential issued by a token service for authenticating access to cloud-based services; and wherein the alert indicated potential unauthorized use of the security token.
Robinson teaches access credential issued by a token service for authenticating access to cloud-based services (see Robinson, [0019]: “A digital certificate may be issued by one or more certification authorities (CAs) that validate the identity of the certificate-holder both before the certificate is issued and each time the certificate is used.”; and [0034]: “The policy may specify that when each device state (e.g., certificate, secret, proximity, or the like) is aligned with the policy, then access to a target device is authorized. For example, each device in a network environment may be (i) pre-provisioned (e.g., certificate provided by a server or by an administrator), (ii) granted permission to access one or more target devices, (iii) within a pre-determined proximity (e.g., distance) to the target device(s), to other device(s), or both, and (iv) have a valid token issued from a server, a cloud-based authority, a network gateway, or a trust fabric (e.g., of an ad-hoc network).”; and [0036], “For example, each device may be provisioned with a certificate and with a policy specifying that each device performs a handshake with the server, the gateway, or the cloud to prevent unauthorized devices from gaining access (e.g., using spoofing or counterfeiting) to the network environment. The handshake may include each device exchanging (or encrypt using) one or more data items, such as a device secret (e.g., token), a beacon secret, or the like with the server, the gateway, or the cloud.”); and
wherein the alert indicated potential unauthorized use of the security token (see Robinson, [0034]: “The policy may specify what happens when (i) an unauthorized (e.g., rogue) device is detected within a particular proximity to devices (including the target device) in the network environment, (ii) an unauthorized device attempts to communicate with a server, a cloud, a gateway or a trust fabric associated with the network environment, or (iii) one or more devices are missing (e.g., not within the predetermined proximity) when access to a target device is requested.”; and [0051]: “For example, each of the devices 102, 108 may be provisioned with a corresponding policy 118, 128 that specifies how a trusted relationship is established with other devices, including how the devices 102, 108 perform a handshake with the server 104, the gateway, or the cloud to prevent unauthorized devices from gaining access (e.g., using spoofing or counterfeiting) to the network environment. The handshakes 144, 146 may include each device exchanging (or encrypt contents of messages using) one or more data items, such as the token 122”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Glatfelter in view of Robinson by implementing access credential issued by a token service for authenticating access to cloud-based services; and wherein the alert indicated potential unauthorized use of the security token. One would be motivated to do so because Glatfelter teaches in paragraph [0027], “In FIG. 2, the security token 275 is illustrated as a universal serial bus (USB) device; however, the security token 275 may be of any type of token. In other words, the security token 275 is not limited to just a USB device or a thumb drive.”, emphasis added.
As per claim 11, Glatfelter and Robinson teach a computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer (see Glatfelter, [0059]: “Memory device 804 includes a non-transitory computer-readable storage medium, such as, without limitation, random access memory (RAM), flash memory, a hard disk drive, a solid state drive, a diskette, a Flash drive, a compact disc, a digital video disc, and/or any suitable memory. In the exemplary implementation, memory device 804 includes data and/or instructions embodying aspects of the disclosure that are executable by processor 802 (e.g., processor 802 may be programmed by the instructions) to enable processor 802 to perform the functions described herein”), cause the computer:
to detect a security token received over a network by a cloud-based service from a cloud-based computer, the security token comprising an access credential issued by a token service for authenticating access to cloud-based services (see Claim 1 rejection above);
to identify a first geographic region in which the security token is deployed (see Claim 1 rejection above);
to identify a second geographic region in which the cloud-based computer is deployed (see Claim 1 rejection above); and
to generate an alert for the security token upon detecting that the second geographic region does not match the first geographic region, wherein the alert indicated potential unauthorized use of the security token (see Claim 1 rejection above).
As per claim 21, Glatfelter and Robinson teach a cloud-based resource, comprising:
a memory (see Glatfelter, [0059]: “Memory device 804 includes a non-transitory computer-readable storage medium, such as, without limitation, random access memory (RAM), flash memory, a hard disk drive, a solid state drive, a diskette, a Flash drive, a compact disc, a digital video disc, and/or any suitable memory. In the exemplary implementation, memory device 804 includes data and/or instructions embodying aspects of the disclosure that are executable by processor 802 (e.g., processor 802 may be programmed by the instructions) to enable processor 802 to perform the functions described herein”); and
one or more processors (see Glatfelter, [0058]: “Processor 802 includes any suitable programmable circuit including one or more systems and microcontrollers, microprocessors, reduced instruction set circuits (RISC), application specific integrated circuits (ASIC), programmable logic circuits (PLC), field programmable gate arrays (FPGA), and any other circuit capable of executing the functions described herein. The above example examples are not intended to limit in any way the definition and/or meaning of the term “processor””) configured:
to detect, in the memory, a security token received over a network by a cloud-based service from a cloud-based computer, the security token comprising an access credential issued by a token service for authenticating access to cloud-based services (see Claim 1 rejection above),
to identify a first geographic region in which the security token is deployed (see Claim 1 rejection above),
to identify a second geographic region in which the cloud-based computer is deployed (see Claim 1 rejection above), and
to generate an alert for the security token upon detecting that the second geographic region does not match the first geographic region, wherein the alert indicated potential unauthorized use of the security token (see Claim 1 rejection above).
DEPENDENT:
As per claim 2 and 12, which respectively depend on claims 1 and 11, Glatfelter further teaches wherein the cloud-based service executes on a cloud-based resource managed by a cloud service provider, and wherein detecting the security token comprises detecting, by an endpoint security agent executing on the cloud-based resource, the security token, and conveying a notification to a security server (see Glatfelter, [0027]: “As described above, the storage device 250 may be a centralized cloud service or central storage facility to which location information of each individual asset 205-209 is uploaded.”; and [0045]: “it may be provided to an asset registry library 550 located in central cloud storage facility. The information provided to the asset registry library 550 may initially be encrypted 555. A security token is configured to download or receive the list of the plurality of GPS-enabled assets and the set of rules having approved geographical location information for each of the plurality of GPS-enabled assets.”).
As per claim 4 and 14, which respectively depend on claims 2 and 12, Glatfelter further teaches wherein the steps of identifying the first and the second geographic regions, and generating the alert are performed by the security server (see Glatfelter, [0066]: “may be used to implement the described functionality in various embodiments; for example, software components running on a variety of different devices and servers may collaborate to provide the functionality.”; and Claim 1 rejection above).
As per claim 5 and 15, which respectively depend on claims 4 and 14, Glatfelter teaches further comprising defining, by the security server, prior to identifying the first geographic region, a set of geographic regions comprising the first and the second geographic regions (see Glatfelter, Abstract: “An improved system for increasing computer security generates a list of computing devices or assets, and a set of rules having approved locations corresponding to each of the computing devices or assets.”; [0032]: “The set of rules may define a physical boundary or physical area of approved usage (e.g., personal computer 207 can only be inside of a user's home). In other words, the geographical rules provide the location information as to whether an asset is within its defined area of use.”; and [0033]: “The programmable GPS pattern rules defines behavior (time, location, movement, pattern, proximity) in comparison to other devices or assets. These rules may provide comparison of actual coordinate/location with definite region(s) of movement of an asset in absolute two-dimensional or proximity to another asset location. For this example, the security token 275 may compare not only the location information of an asset 205-209 to its corresponding approved geographical location information but also compare current time, current movement, current pattern, and current proximity to the asset's own set of rules corresponding to an approved time, an approved movement, an approved pattern, and/or an approved proximity information. These approved set of rules regarding the time, movement, pattern, and/or proximity may also be retrieved from the storage device 250.”).
As per claim 6 and 16, which respectively depend on claims 5 and 15, Glatfelter further teaches wherein defining the set of geographic regions comprises conveying, by the security server, a query to the cloud service provider, and receiving, by the security server, a response comprising the set of geographic regions (see Glatfelter, Abstract: “receive a current location of an asset, and compare the retrieved information with the current location of the asset to determine if a rule violation has occurred is also disclosed herein.”; [0025]: “This storage device 250 may be a separate storage device located in a user's home, a storage device located inside of a computing device (e.g., personal computer 207) that the user owns, or it may even be a cloud based storage device (e.g., centralized cloud service or central storage facility).”; and [0066]: “may be used to implement the described functionality in various embodiments; for example, software components running on a variety of different devices and servers may collaborate to provide the functionality.”).
As per claim 10 and 20, which respectively depend on claims 1 and 11, Glatfelter further teaches wherein the cloud-based computer comprises a physical host computer (see Glatfelter, [0066]: “Portions or all of the multiple computer systems, such as those illustrated herein, may be used to implement the described functionality in various embodiments; for example, software components running on a variety of different devices and servers may collaborate to provide the functionality.”).
6. Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Glatfelter et al. (US 2017/0323548 A1) and Robinson et al. (US 2019/0116173 A1), and still further in view of Official Notice.
As per claim 3 and 13, which respectively depend on claims 2 and 12, Glatfelter and Robinson do not explicitly teach wherein the cloud-based resource comprises a first cloud-based resource, and wherein the security server comprises a second cloud-based resource.
The examiner takes Official Notice.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Glatfelter and Robinson view of Official Notice so that the cloud-based resource comprises a first cloud-based resource, and wherein the security server comprises a second cloud-based resource. One would be motivated to do so because the application of plural cloud-based resources are well-known, routine, and conventional, because Glatfelter teaches in paragraph [0025], “a cloud based storage device (e.g., centralized cloud service or central storage facility)”, paragraph [0045], “after the information pertaining to each individual asset is created or initialized, it may be provided to an asset registry library 550 located in central cloud storage facility. The information provided to the asset registry library 550 may initially be encrypted 555. A security token is configured to download or receive the list of the plurality of GPS-enabled assets and the set of rules having approved geographical location information for each of the plurality of GPS-enabled assets.”, and in paragraph [0066], “Portions or all of the multiple computer systems, such as those illustrated herein, may be used to implement the described functionality in various embodiments; for example, software components running on a variety of different devices and servers may collaborate to provide the functionality”), and further because Robinson also teaches in paragraph [0034], “The policy may specify that when each device state (e.g., certificate, secret, proximity, or the like) is aligned with the policy, then access to a target device is authorized. For example, each device in a network environment may be… (ii) granted permission to access one or more target devices… ”.
7. Claims 7-9 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Glatfelter et al. (US 2017/0323548 A1) and Robinson et al. (US 2019/0116173 A1), and still further in view of Bagwell (US 2021/0289371 A1).
As per claim 7 and 17, which respectively depend on claims 5 and 15, although Glatfelter teaches further comprising mapping a set of geolocations to the set of geographic regions (see Glatfelter, Abstract: “A separate personal security token configured to retrieve the list of assets and the set of rules having approved geographical location information from the storage device, receive a current location of an asset, and compare the retrieved information with the current location of the asset to determine if a rule violation has occurred is also disclosed herein.”; and [0005]: “The security token may compare the retrieved information with a current location of an asset to determine if a rule violation has occurred.”), Glatfelter and Robinson do not explicitly teach wherein identifying the second an IP address to which the security token was deployed, and mapping the IP address to the first geographic region comprises identifying an Internet protocol (IP) address of the cloud-based computer, mapping the IP address to a given geolocation.
Bagwell teaches identifying the second an IP address to which the security token was deployed, and mapping the IP address to the first geographic region comprises identifying an Internet protocol (IP) address of the cloud-based computer, mapping the IP address to a given geolocation (see Bagwell, [0054]: “For example, CSCF Selection Component 105 may identify, based on a mapping of PGW IP addresses (and/or other identifiers) to locations or regions, a location or region associated with PGW 103. As discussed above, the location of PGW 103 may correspond to a location or region in which UE 101 is located.”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Glatfelter and Robinson in view of Bagwell by implementing identifying the second an IP address to which the security token was deployed, and mapping the IP address to the first geographic region comprises identifying an Internet protocol (IP) address of the cloud-based computer, mapping the IP address to a given geolocation. One would be motivated to do so because Glatfelter teaches in paragraph [0041], “The information from the security token 275 may be that of a display motion map (not depicted) of GPS recorded location history for each individual asset 205-209. In other words, the motion map may provide the user with a historical replay of the paths each asset 205-209 has taken”.
As per claim 8 and 18, which respectively depend on claims 4 and 14, Glatfelter, Robinson, and Bagwell further teaches wherein the cloud-based resource manages an event log, and wherein identifying the first geographic region comprises querying the event log and detecting, in the event log, an IP address to which the security token was deployed, and mapping the IP address to the first geographic region (see Glatfelter, [0033]: “The programmable GPS pattern rules defines behavior (time, location, movement, pattern, proximity) in comparison to other devices or assets. These rules may provide comparison of actual coordinate/location with definite region(s) of movement of an asset in absolute two-dimensional or proximity to another asset location. For this example, the security token 275 may compare not only the location information of an asset 205-209 to its corresponding approved geographical location information but also compare current time, current movement, current pattern, and current proximity to the asset's own set of rules corresponding to an approved time, an approved movement, an approved pattern, and/or an approved proximity information. These approved set of rules regarding the time, movement, pattern, and/or proximity may also be retrieved from the storage device 250”; [0041]: “The information from the security token 275 may be that of a display motion map (not depicted) of GPS recorded location history for each individual asset 205-209. In other words, the motion map may provide the user with a historical replay of the paths each asset 205-209 has taken.”; and Claim 1 & Claim 7 rejections above).
As per claim 9 and 19, which respectively depend on claims 4 and 14, although Glatfelter further teaches wherein identifying the first geographic region comprises conveying a deployment query to the cloud provider, receiving, from the cloud provider, a response and mapping to the first geographic region (see Glatfelter, Abstract: “receive a current location of an asset, and compare the retrieved information with the current location of the asset to determine if a rule violation has occurred is also disclosed herein.”; and [0033]: “The programmable GPS pattern rules defines behavior (time, location, movement, pattern, proximity) in comparison to other devices or assets. These rules may provide comparison of actual coordinate/location with definite region(s) of movement of an asset in absolute two-dimensional or proximity to another asset location. For this example, the security token 275 may compare not only the location information of an asset 205-209 to its corresponding approved geographical location information but also compare current time, current movement, current pattern, and current proximity to the asset's own set of rules corresponding to an approved time, an approved movement, an approved pattern, and/or an approved proximity information. These approved set of rules regarding the time, movement, pattern, and/or proximity may also be retrieved from the storage device 250.”), Glatfelter and Robinson do not explicitly teach the response comprising an IP address and mapping the IP address to the geographic region.
Bagwell teaches response comprising an IP address and mapping the IP address to the geographic region (see Bagwell, [0054]: “For example, CSCF Selection Component 105 may identify, based on a mapping of PGW IP addresses (and/or other identifiers) to locations or regions, a location or region associated with PGW 103. As discussed above, the location of PGW 103 may correspond to a location or region in which UE 101 is located.”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Glatfelter and Robinson in view of Bagwell by implementing response comprising an IP address and mapping the IP address to the geographic region. One would be motivated to do so because Glatfelter teaches in paragraph [0041], “The information from the security token 275 may be that of a display motion map (not depicted) of GPS recorded location history for each individual asset 205-209. In other words, the motion map may provide the user with a historical replay of the paths each asset 205-209 has taken”.
Conclusion
8. For the reasons above, claims 1-21 have been rejected and remain pending.
9. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
10. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993. The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Won/Primary Examiner, Art Unit 2443