Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Applicant's submission filed on 12/30/2025 has been entered. Claims 1-20 are pending.
Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6, 9-13, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.).
Regarding claim 1, Ezrielev discloses a service provider system comprising:
a non-transitory memory storing instructions (FIG. 1, 2A-C & 4); and
one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory to cause the service provider system to perform operations comprising (FIG. 1, 2A-C & 4):
receiving an access request to data by a requestor device via a page of the service provider system, wherein the page comprises one of a webpage or an application interface and presents the data via a data element for the webpage or the application interface (FIG. 3 A-B, ¶ [0017]-[0020], [0062]; i.e. obtaining a data access request for data, the data access request being from a user to display the data at least via web browser of one or more data processing systems or Web enabled appliances);
determining that the data has a restricted access control to the data with the service provider system, wherein the restricted access control is associated with one or more permissions for a presentation of the data via at least the page (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0050]-[0051]; i.e. determining that the data is sensitive and whether to allow accessing and displaying the sensitive data);
determining an identity of a user associated with the requestor device of the data (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0050]-[0051], [101]; i.e. authenticating and/or validating the user and associated user devices at least based on cryptographic key pairs, credentials and/or environment data);
determining a risk assessment of the access request via the page by the requestor device based on the identity and the one or more permissions for the restricted access control (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0054]-[0056]; i.e. determining environmental risk scores or the security of the environment of the combination of user-device and the sensitive data); and
executing a decision on providing the data to the requestor device via the data element on the page based on [[the classification and]] the risk assessment (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0054]-[0056]; i.e. based on the security of the environment, the combination of user-device may be granted accessing and/or displaying the sensitive data).
Ezrielev does not explicitly disclose deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by the restricted access control; determining a classification of the data based on the context, wherein the classification requires that at least one of the one or more permissions are met before the data is presented through the one or more presentations.
However, Day, Jr. discloses deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by the restricted access control (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64); determining a classification of the data based on the context, wherein the classification requires that at least one of the one or more permissions are met before the data is presented through the one or more presentations (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev and Day, Jr. in order to capture data attributes from a variety of sources and provide enhanced data management, analysis and contextual classification of data to support critical revenue generating business functions (Day, Jr., col. 2, line 51-col. 3, line 24).
Regarding claim 6, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1, wherein the access request is associated with one of an account validity check, a credential validity check, a request for sensitive data, a control bypass request, a money transfer, an automation of a custom flow on the page, or a password change (Day, Jr., ¶ [0017]-[0020]).
Regarding claim 9, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1, wherein the restricted access control comprises one of a plurality of restricted access controls for the page, and wherein each of the plurality of restricted access controls are implemented on a data element level for a plurality of data (Day, Jr., ¶ [0094]-[0097], [0139]).
Regarding claim 10, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1, wherein the operations further comprise: dynamically computing each of the one or more permissions for the restricted access control when the page is accessed by the requestor device based on at least one of a data source for the data, page data for the page, an authentication performed by the requestor device prior to accessing the page, an authorization received by the requestor device prior to accessing the page, an action taken by the requestor device on the page, or a navigation flow state when accessing the page by the requestor device (Day, Jr., ¶ [0057]-[0058], [0094]-[0101], [0139]).
Regarding claim 11, Ezrielev discloses a method comprising:
receiving an access request to data for a data element on a page that is accessed by a requestor device, wherein the page comprises one of a webpage or an application interface and presents the data via the data element (FIG. 3 A-B, ¶ [0017]-[0020], [0062]; i.e. obtaining a data access request for data, the data access request being from a user to display the data at least via web browser of one or more data processing systems or Web enabled appliances);
determining page access attributes for the requestor device when accessing the page (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0050]-[0056]; i.e. determining the activity environment data or access control data to allow user access sensitive data via web browser or a webpage);
computing, for the access request, a dynamic permission for a restricted access control for the data element based on a calculation of individual data elements associated with the page access attributes, wherein the restricted access control limits access to the data via the data element based on the dynamic permission (FIG. 3 A-B, ¶ [0022]-[0037], [0050]-[0056], [0090]-[0097]; i.e. calculating attribution scores based on real-time environment data or access control data to determine the access level of the user or the sensitive data);
computing a risk assessment of the access request via the page by the requestor device based on the dynamic permission and the requestor device, wherein the risk assessment comprises a multi-dimension score based on the page access attributes (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0054]-[0056]; i.e. determining environmental risk based on environment scores and/or attribution scores of data collected from the user devices); and
executing a decision on providing the data to the requestor device via the data element on the page based on [[the classification and]] the risk assessment (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0054]-[0056]; i.e. based on the security of the environment, the combination of user-device may be granted accessing and/or displaying the sensitive data).
Ezrielev does not explicitly disclose deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by a restricted access control; determining a classification of the data based on the context, wherein the classification indicates one or more permissions that enable the one or more presentations of the data.
However, Day, Jr. discloses deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by a restricted access control (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64); determining a classification of the data based on the context, wherein the classification indicates one or more permissions that enable the one or more presentations of the data (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev and Day, Jr. in order to capture data attributes from a variety of sources and provide enhanced data management, analysis and contextual classification of data to support critical revenue generating business functions (Day, Jr., col. 2, line 51-col. 3, line 24).
Regarding claim 12, Ezrielev in view of Day, Jr. discloses the method of claim 11, wherein the data element-level calculation utilizes a multi-dimension scoring array that checks the individual data elements based on the page access attributes (Day, Jr., FIG. 3 A-B, ¶ [0022]-[0037], [0054]-[0056]).
Regarding claim 13, Ezrielev in view of Day, Jr. discloses the method of claim 12, wherein the page access attributes for the multi-dimension scoring array comprise at least one of authentications by the requestor device prior to accessing the page, authorization states of the requestor device, actions taken by the requestor device on the page, or a page flow to the page by the requestor device (Day, Jr., ¶ [0057]-[0058], [0094]-[0101], [0139]).
Regarding claim 17, Ezrielev discloses a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
detecting a requestor device has requested data via a data element on a page of a service provider system, wherein the page comprises one of a webpage or an application interface (FIG. 3 A-B, ¶ [0017]-[0020], [0062]; i.e. obtaining a data access request for data, the data access request being from a user to display the data at least via web browser of one or more data processing systems or Web enabled appliances);
determining a restricted access control to the data via the data element, wherein the restricted access control restricts access to the data via the data element based on a dynamic permission computed at or after a time that the data is requested via the data element (FIG. 3 A-B, ¶ [0022]-[0037], [0050]-[0056], [0090]-[0097]; i.e. determining access control to the sensitive data based on real-time risk or attribution scores at the time the user requests the sensitive data and after the sensitive data is requested);
determining page access attributes for the requestor device when accessing the page (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0050]-[0056]; i.e. determining the activity environment data or access control data to allow user access sensitive data via web browser or a webpage);
computing the dynamic permission for the restricted access control for the data element based on data element-level calculation from the page access attributes for an access of the page by the requestor device (FIG. 3 A-B, ¶ [0022]-[0037], [0050]-[0056], [0090]-[0097]; i.e. calculating attribution scores based on real-time environment data or access control data to determine the access level of the user or the sensitive data); and
determining, based on [[the classification,]] the dynamic permission and the restricted access control, whether to allow the data to be presented on the page via the data element (FIG. 3 A-B, ¶ [0017]-[0020], [0022]-[0037], [0054]-[0056]; i.e. based on the security of the environment, the combination of user-device may be granted accessing and/or displaying the sensitive data).
Ezrielev does not explicitly disclose deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by the restricted access control; determining a classification of the data based on the context, wherein the classification indicates one or more permissions that enable the one or more presentations of the data.
However, Day, Jr. discloses deriving a context associated with the data based on one or more presentations of the data via the page or other pages accessible via a flow between the page or the other pages, wherein the context indicates that the data is masked by the restricted access control (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64); determining a classification of the data based on the context, wherein the classification indicates one or more permissions that enable the one or more presentations of the data (FIG. 2-7A, col. 7, lines 13-45, col. 8, lines 22-58, col. 10, lines 37-64).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev and Day, Jr. in order to capture data attributes from a variety of sources and provide enhanced data management, analysis and contextual classification of data to support critical revenue generating business functions (Day, Jr., col. 2, line 51-col. 3, line 24).
Regarding claim 20, Ezrielev in view of Day, Jr. discloses the non-transitory machine-readable medium of claim 17, wherein the operations further comprise: determining one or more static permissions for the restricted access control, wherein the determining whether to allow the data is further based on the one or more static permissions (Day, Jr., ¶ [0057]-[0058], [0094]-[0101], [0139]).
Claims 2-4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.) and further in view of Chakra et al. (US 2018/0343274 hereinafter Chakra).
Regarding claim 2, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1.
Ezrielev in view of Day, Jr. does not explicitly disclose wherein the access request is associated with a navigation to the page in a navigation flow through a plurality of pages, wherein the page includes page elements having one or more restricted data policies requiring an authorization based on the one or more permissions for the page, and wherein the operations further comprise: dynamically calculating the one or more permissions in response to the navigation to the page by the requestor device based at least one the page elements and one or more the restricted data policies.
However, Chakra discloses wherein the access request is associated with a navigation to the page in a navigation flow through a plurality of pages, wherein the page includes page elements having one or more restricted data policies requiring an authorization based on the one or more permissions for the page, and wherein the operations further comprise: dynamically calculating the one or more permissions in response to the navigation to the page by the requestor device based at least one the page elements and one or more the restricted data policies (¶ [0060]-[0063]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr. and Chakra in order to generate a behavioral certificate based on aggregated feedback/measurement of interactions of plurality of users navigating the webpages to allow a user accessing webpages with confidence (Chakra, ¶ [0023]-[0024]).
Regarding claim 3, Ezrielev in view of Day, Jr. and Chakra discloses the service provider system of claim 2, wherein the navigation and the access request are performed through the navigation flow that lowers the authorization from what is required by another navigation flow, and wherein the dynamically calculating includes determining an authorization score for the page elements based on different ones of the restricted data policies for each of the page elements (Ezrielev, ¶ [0022]-[0037]; Chakra, ¶ [0060]-[0063]).
Regarding claim 4, Ezrielev in view of Day, Jr. and Chakra discloses the service provider system of claim 2, wherein the determining the risk assessment is further based on a plurality of parameters for the page including an action performed by the requestor device during the navigation flow or a page flow through the plurality of pages by the requestor device (Ezrielev, ¶ [0022]-[0037]; Chakra, ¶ [0060]-[0063]).
Regarding claim 15, Ezrielev in view of Day, Jr. discloses the method of claim 11.
Ezrielev in view of Day, Jr. does not explicitly disclose wherein the access request is associated with a navigation to the page in a navigation flow through a plurality of pages, and wherein the dynamic permission is computed in response to the navigation to the page by the requestor device and a comparison of the navigation flow for the navigation to an expected navigation for the requestor device and the access request.
However, Chakra discloses wherein the access request is associated with a navigation to the page in a navigation flow through a plurality of pages, and wherein the dynamic permission is computed in response to the navigation to the page by the requestor device and a comparison of the navigation flow for the navigation to an expected navigation for the requestor device and the access request (¶ [0060]-[0063]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr. and Chakra in order to generate a behavioral certificate based on aggregated feedback/measurement of interactions of plurality of users navigating the webpages to allow a user accessing webpages with confidence (Chakra, ¶ [0023]-[0024]).
Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.) and Chakra et al. (US 2018/0343274 hereinafter Chakra) and further in view of Poynov (US 2023/0328091).
Regarding claim 5, Ezrielev in view of Day, Jr. and Chakra discloses the service provider system of claim 2, wherein, prior to the dynamically calculating, the operations further comprise: [[simulating]] a plurality of unique pathways to the page during a plurality of navigation flows that includes the navigation flow; and determining the restricted data policies for the page elements based on the plurality of unique pathways (Chakra, ¶ [0060]-[0063]).
Ezrielev in view of Day, Jr. and Chakra does not explicitly disclose simulating the plurality of unique pathways.
However, Poynov discloses simulating the plurality of unique pathways (¶ [0022]-[0026]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr., Chakra and Poynov in order to ensure security of an extensible application server (Poynov, ¶ [0009]-[0012]).
Regarding claim 16, see claim 5 above for the same reasons of rejections.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.) and further in view of Poynov (US 2023/0328091).
Regarding claim 7, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1.
Ezrielev in view of Day, Jr. does not explicitly disclose wherein, prior to the determining the risk assessment, the operations further comprise: determining whether the access request includes an indication of a use of a toolkit associated with a previous data breach, wherein the risk assessment is further based on whether the access request includes the indication of the use of the toolkit.
However, Poynov discloses wherein, prior to the determining the risk assessment, the operations further comprise: determining whether the access request includes an indication of a use of a toolkit associated with a previous data breach, wherein the risk assessment is further based on whether the access request includes the indication of the use of the toolkit (¶ [0026], [0058]-[0059]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr. and Poynov in order to ensure security of an extensible application server (Poynov, ¶ [0009]-[0012]).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.) and further in view of Most et al. (US 2017/0111383 hereinafter Most).
Regarding claim 8, Ezrielev in view of Day, Jr. discloses the service provider system of claim 1.
Ezrielev in view of Day, Jr. does not explicitly disclose wherein prior to the receiving the access request, the operations further comprise: determining that a page flow to the page bypassed a verification of the requestor device by the service provider system that is associated with the restricted access control, wherein the risk assessment is determined in response to the determining that the page flow bypassed the verification request.
However, Most discloses wherein prior to the receiving the access request, the operations further comprise: determining that a page flow to the page bypassed a verification of the requestor device by the service provider system that is associated with the restricted access control, wherein the risk assessment is determined in response to the determining that the page flow bypassed the verification request (¶ [0022]-[0023], [0034]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr. and Most in order to detect bypass vulnerabilities with respect to cloud-based applications (Most, ¶ [0002]-[0011]).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.) and further in view of Burshan et al. (US 2025/023899 hereinafter Burshan).
Regarding claim 14, Ezrielev in view of Day, Jr. discloses the method of claim 11.
Ezrielev in view of Day, Jr. does not explicitly disclose computing a similarity to a sequence of steps associated with a computing attack, wherein the risk assessment is further computed based on the similarity.
However, Burshan discloses computing a similarity to a sequence of steps associated with a computing attack, wherein the risk assessment is further computed based on the similarity (¶ [0084]-[0088]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr. and Burshan in order to proactively assess the real risk associated with the actions of a malicious actor (Burshan, ¶ [0002]).
Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ezrielev et al. (US 2024/0289489 hereinafter Ezrielev) in view of Day, Jr. et al. (US 11,567,975 hereinafter Day, Jr.), Melson et al. (US 2021/0314353 hereinafter Melson) and further in view of Ward et al. (US 2018/0255102 hereinafter Ward).
Regarding claim 18, Ezrielev in view of Day, Jr. discloses the non-transitory machine-readable medium of claim 17.
Ezrielev in view of Day, Jr. does not explicitly disclose wherein the operations further comprise: simulating a plurality of navigation pathways to the page; determining a plurality of page access attributes from the plurality of navigation pathways and a plurality of permissions for the restricted access control; and determining a security gap in the plurality of permissions for the restricted access control based on the plurality of page access attributes and the plurality of permissions, wherein the dynamic permission is further computed based on the security gap.
However, Melson discloses simulating a plurality of navigation pathways to the page; determining a plurality of page access attributes from the plurality of navigation pathways and a plurality of permissions for the restricted access control; and determining a security gap in the plurality of permissions for the restricted access control based on the plurality of page access attributes and the plurality of permissions (¶ [0118]-[0119]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev and Melson in order to automatically check and detect whether a website has been compromised by malicious third party scripts (Melson, ¶ [0003]-[0004]).
Ward discloses wherein the dynamic permission is further computed based on the security gap (¶ [0052]-[0053]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Ezrielev, Day, Jr., Melson and Ward in order to enable a system to identify resources such as applications or network locations that are not adequately covered by an enterprise’s security policy (Ward, ¶ [0001]-[0003]).
Regarding claim 19, Ezrielev in view of Day, Jr., Melson and Ward discloses the non-transitory machine-readable medium of claim 18, wherein, based on the simulating, the operations further comprise: establishing a state for an access of the page that enforces a permission to block the data present via the data element using the restricted access control based on the security gap and a corresponding one of the plurality of navigation pathways (Ward, ¶ [0052]-[0055]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571)270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.D.N/Examiner, Art Unit 2435
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435
Prosecution Insights