DETAILED ACTION
Continued Examination Under 37 CFR 1.114
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicants’ submission filed on 2/23/2026 has been entered.
2. Pending claims for reconsideration are claims 1-11 and 18-23. Claims 1, 7, and 18 have been amended.
Response to Arguments
3. Applicant's arguments filed 2/03/2026 have been fully considered but they are not persuasive.
In the remarks, applicant argues in substance:
That claim 1 has been amended to recite, in part, "receiving, at an identity provider (IdP), a request from an access network provider (ANP), the request indicating a user device's intent to authenticate and connect to a network operated by the ANP," and "retrieving, by the IdP, security data characterizing a security posture of the network operated by the ANP." Claim 18 has been amended in a manner similar to that of claim 1, and claim 7 has been amended to recite, in part, "receiving, at an access network provider (ANP), a request to authenticate connection of a user device to a network operated by the ANP," and "transmitting, by the ANP, a response to the user device, wherein the response comprises security data characterizing a security posture of the network operated by the ANP."
In response to applicant’s arguments: the claims have been examined under their broadest reasonable interpretation in light of the applicant’s specification. Regarding claim 1, Henry discloses a method comprising receiving, at an identity provider (IdP), in par.0020, which teaches "(iv) the identity provider (IdP) managing the client device connections." Henry further discloses "a request from an access network provider (ANP)" via par.0027, which teaches that a federation-based network 140 comprises access network providers 104 (also referred to as "access providers") providing wireless connectivity for the client device 102 using, e.g., access points (APs) [par.0027]. Henry further discloses "the request indicating a user device’s intent to authenticate and connect to a network operated by the ANP" in par.0020, which teaches that embodiments described herein provide techniques for evaluating QoE to enable devices (e.g., client devices, access network providers, identity providers, etc.) to make decisions on access load balancing; more specifically, embodiments enable devices to exchange capability and key performance indicators (KPIs) types for client device, access network provider, and identity provider QoE evaluation. Henry additionally teaches "retrieving, by the IdP, security data characterizing a security posture of the network operated by the ANP" via the client device 102, which provides the selected identity to the access provider 104 (226), and the access provider 104, which contacts a Domain Name Service (DNS) server 204 using the identity (228).
Henry further discloses "determining, by the IdP, that one or more security criteria are satisfied based on analyzing the security data associated with the network" in par.0032, which teaches that the identity provider 106 provides an EAP authorization using Remote Authentication Dial In User Service (RADIUS) attributes to the access provider 104 (232), and the access provider 104 provides an EAP authorization to the client device 102 using EAP over LANs (EAPoL) (234).
Mahaffey was introduced to disclose "and transmitting, by the IdP, a response to the user device, wherein the response instructs the user device to establish a connection with the network and does not disclose the security data" via figure 37, which discloses a server transmitting security state information, and par.0168, which teaches a secure state in which the widget may display informational statistics such as the number of items backed up or the number of security events processed for the group. If the one or more devices are in a compromised or other insecure state, the widget will prominently display the devices that need attention to the administrator. If the widget indicates that one or more devices need attention, the administrator may click on portions of the widget to access additional security information pertaining to any of the devices that need attention.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claims 1-11 and 18-23 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2023/0114234 A1 to Henry et al. (hereafter referred to as Henry) in view of Pub. No. US 2019/0303586 A1 to Mahaffey et al. (hereafter referred to as Mahaffey).
Regarding claim 1, Henry discloses "a method, comprising: receiving, at an identity provider (IdP)" ((iv) the identity provider (IdP) managing the client device connections [par.0020]), "a request from an access network provider (ANP)" (the federation-based network 140 comprises access network providers 104 (also referred to as "access providers") providing wireless connectivity for the client device 102 using, e.g., access points (APs) [par.0027]), "the request indicating a user device’s intent to authenticate and connect to a network operated by the ANP" (embodiments described herein provide techniques for evaluating QoE to enable devices (e.g., client devices, access network providers, identity providers, etc.) to make decisions on access load balancing; more specifically, embodiments enable devices to exchange capability and key performance indicators (KPIs) types for client device, access network provider, and identity provider QoE evaluation [par.0020]); "retrieving, by the IdP, security data characterizing a security posture of the network operated by the ANP" (client device 102 provides the selected identity to the access provider 104 (226), and the access provider 104 contacts a Domain Name Service (DNS) server 204 using the identity (228)); "determining, by the IdP, that one or more security criteria are satisfied based on analyzing the security data associated with the network" (the identity provider 106 provides an EAP authorization using Remote Authentication Dial In User Service (RADIUS) attributes to the access provider 104 (232), and the access provider 104 provides an EAP authorization to the client device 102 using EAP over LANs (EAPoL) (234) [par.0032]).
Henry does not explicitly disclose “and transmitting, by the IdP, a response to the user device, wherein the response instructs the user device to establish a connection with the network and does not disclose the security data.”
However, Mahaffey, in an analogous art, discloses "and transmitting, by the IdP" (server transmits security state information, Mahaffey [Fig.37]), "a response to the user device, wherein the response instructs the user device to establish a connection with the network and does not disclose the security data" (in the secure state, the widget may display informational statistics such as the number of items backed up or the number of security events processed for the group. If the one or more devices are in a compromised or other insecure state, the widget will prominently display the devices that need attention to the administrator. If the widget indicates that one or more devices need attention, the administrator may click on portions of the widget to access additional security information pertaining to any of the devices that need attention. Mahaffey [par.0168]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Henry’s authentication process within a network with Mahaffey’s secured authentication process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Henry discloses an authentication process within a network for a user device, Mahaffey teaches a secured authentication process of a network device within a network and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose "wherein: the IdP authenticates user devices based on one or more authentication protocols" (identity provider (IdP) manages the client device connections, Henry [par.0019]), "and the ANP manages connections between user devices and the network" (in multi-access environments that support OpenRoaming, it may be desirable to allow devices (e.g., client device, access network provider, service provider, identity provider, etc.) to determine the type of OR access for a client device when the client device is roaming, Henry [par.0033]).
Regarding claim 3 in view of claim 2, the references combined disclose "wherein: the security data associated with the network is retrieved from a second network device" (when the client device is at location B, the client device is wirelessly connected to a second network. In one example, the second network may be a home network (e.g., WiFi network) providing accessibility to an external network, Henry [par.0024]), "and the second network device is integrated into a federation-based system that comprises the IdP and the ANP" (federation-based network 140 may be implemented using any standardized and/or proprietary techniques and protocols, Henry [par.0026]), "and periodically synchronizes the security data associated with the network within a database of the federation-based system" (sync data, Mahaffey [Fig.6]).
Regarding claim 4 in view of claim 2, the references combined disclose "wherein: the security data associated with the network is retrieved from a second network device, the second network device comprises an application programming interface (API) service" (when the client device is at location B, the client device is wirelessly connected to a second network. In one example, the second network may be a home network (e.g., WiFi network) providing accessibility to an external network, Henry [par.0024]), "and retrieving, by the IdP, the security data associated with the network comprises transmitting" (server transmits security state information, Mahaffey [Fig.37]), "by the IdP, structured API calls to the second network device, in order to retrieve the security data associated with the network" (device transmits security state information, Mahaffey [Fig.11]).
Regarding claim 5 in view of claim 1, the references combined disclose "wherein the security data associated with the network comprises at least one of (i) a reputation score of the network, or (ii) a security profile of the network" (risk score, Mahaffey [par.0046]).
Regarding claim 6 in view of claim 1, the references combined disclose "wherein determining, by the IdP, that the one or more security criteria are satisfied comprises determining" (server transmits security state information, Mahaffey [Fig.37]), "by the IdP, that a reputation score associated with the network exceeds a defined threshold" (if the similarity is within a threshold degree of similarity, compare the first application with the second application to identify differences between the applications [Fig.62/item 6215]).
Regarding claim 7, the references combined disclose "a method, comprising: receiving, at an access network provider (ANP), a request to authenticate connection of a user device to a network operated by the ANP" (embodiments described herein provide techniques for evaluating QoE to enable devices (e.g., client devices, access network providers, identity providers, etc.) to make decisions on access load balancing; more specifically, embodiments enable devices to exchange capability and key performance indicators (KPIs) types for client device, access network provider, and identity provider QoE evaluation [par.0020]), "transmitting, by the ANP" (the federation-based network 140 comprises access network providers 104 (also referred to as "access providers") providing wireless connectivity for the client device 102 using, e.g., access points (APs), wireless LAN controllers [par.0027]), "a response to the user device, wherein the response comprises security data characterizing a security posture of the network operated by the ANP" (client device 102 provides the selected identity to the access provider 104 (226), and the access provider 104 contacts a Domain Name Service (DNS) server 204 using the identity (228)).
Henry does not explicitly disclose "and upon receiving a confirmation from the user device to establish a connection with the network, proceeding to verify an identify of the user device."
However, Mahaffey, in an analogous art, discloses "and upon receiving a confirmation from the user device to establish a connection with the network, proceeding to verify an identify of the user device" (the user or administrator responsible for a device or group of devices needs to enter authentication information to allow the widget to connect to the server and retrieve information, Mahaffey [par.0168]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Henry’s authentication process within a network with Mahaffey’s secured authentication process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Henry discloses an authentication process within a network for a user device, Mahaffey teaches a secured authentication process of a network device within a network and both are from the same field of endeavor.
Regarding claim 8 in view of claim 7, the references combined disclose "wherein the ANP manages connections between user devices and the network" (in multi-access environments that support OpenRoaming, it may be desirable to allow devices (e.g., client device, access network provider, service provider, identity provider, etc.) to determine the type of OR access for a client device when the client device is roaming, Henry [par.0033]).
Regarding claim 9 in view of claim 8, the references combined disclose "wherein the security data associated with the network within the response comprises a reputation score that is cryptographically signed by a second network device" (API may have encryption and require authentication for a service provider 950 to retrieve security state information corresponding to a mobile communications device, Mahaffey [par.0202]).
Regarding claim 10 in view of claim 9, the references combined disclose "wherein the user device, upon receiving the reputation score, verifies an integrity of the reputation score using a public key associated with the second network device" (identifiers in the application binary or metadata (e.g., package name, fingerprint of code-signing certificate, public key used to sign the app, requested entitlements/permissions), Mahaffey [par.0794]).
Regarding claim 11 in view of claim 9, the references combined disclose "wherein the user device compares the reputation score with a defined threshold, and upon determining that the reputation score exceeds the defined threshold" (risk score, Mahaffey [par.0046]), "transmits the confirmation to the ANP, wherein the confirmation instructs the ANP to establish the connection with the network" (device transmits security state information, Mahaffey [Fig.11]).
Regarding claim 18, Henry discloses "a system comprising: one or more memories collectively storing computer-executable instructions; and one or more processors configured to collectively execute the computer-executable instructions and cause the system to: receive, at an identity provider (IdP)" ((iv) the identity provider (IdP) managing the client device connections [par.0020]), "a request from an access network provider (ANP), the request indicating a user device’s intent to authenticate and connect to a network operated by the ANP" (embodiments described herein provide techniques for evaluating QoE to enable devices (e.g., client devices, access network providers, identity providers, etc.) to make decisions on access load balancing; more specifically, embodiments enable devices to exchange capability and key performance indicators (KPIs) types for client device, access network provider, and identity provider QoE evaluation [par.0020]); "retrieve, by the IdP, security data characterizing a security posture of the network operated by the ANP" (client device 102 provides the selected identity to the access provider 104 (226), and the access provider 104 contacts a Domain Name Service (DNS) server 204 using the identity (228)); "determine, by the first network device, that one or more security criteria are satisfied based on analyzing the security data associated with the network" (client device 102 may determine to join the access provider 104 when one or more of the performance metrics satisfies a predetermined condition [par.0041]).
Henry does not explicitly disclose “and transmit, by the IdP, a response to the user device, wherein the response instructs the user device to establish a connection with the network and does not disclose the security data”
However, Mahaffey, in an analogous art, discloses "and transmit, by the IdP" (device transmits security state information, Mahaffey [Fig.11]), "a response to the user device, wherein the response instructs the user device to establish a connection with the network and does not disclose the security data" (in the secure state, the widget may display informational statistics such as the number of items backed up or the number of security events processed for the group. If the one or more devices are in a compromised or other insecure state, the widget will prominently display the devices that need attention to the administrator. If the widget indicates that one or more devices need attention, the administrator may click on portions of the widget to access additional security information pertaining to any of the devices that need attention. Mahaffey [par.0168]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Henry’s authentication process within a network with Mahaffey’s secured authentication process in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Henry discloses an authentication process within a network for a user device, Mahaffey teaches a secured authentication process of a network device within a network and both are from the same field of endeavor.
Regarding claim 19 in view of claim 18, the references combined disclose "wherein: the IdP" (server and identity provider, Henry [Fig.2/item 106]) "authenticates user devices based on one or more authentication protocols" (identity provider (IdP) manages the client device connections, Henry [par.0019]), "and the ANP that manages connections between user devices and the network" (in multi-access environments that support OpenRoaming, it may be desirable to allow devices (e.g., client device, access network provider, service provider, identity provider, etc.) to determine the type of OR access for a client device when the client device is roaming, Henry [par.0033]).
Regarding claim 20 in view of claim 19, the references combined disclose "wherein: the security data associated with the network is retrieved from a second network device" (when the client device is at location B, the client device is wirelessly connected to a second network. In one example, the second network may be a home network (e.g., WiFi network) providing accessibility to an external network, Henry [par.0024]), "and the second network device is integrated into a federation-based system that comprises the IdP and the ANP" (federation-based network 140 may be implemented using any standardized and/or proprietary techniques and protocols, Henry [par.0026]), "and periodically synchronizes the security data associated with the network within a database of the federation-based system" (sync data, Mahaffey [Fig.6]).
Regarding claim 21 in view of claim 19, the references combined disclose "wherein: the security data associated with the network is retrieved from a second network device" (i.e., DNS server 204 in combination with a second device located at the identity provider 106, Henry [Fig.2]), "the second network device comprises an application programming interface (API) service" (i.e., a second network device comprising rules and protocols that allow different software applications to communicate with each other; see the multiple providers interconnected to the federation-based network, Henry [Fig.1]), "and retrieving, by the IdP, the security data associated with the network comprises transmitting, by the IdP, structured API calls to the second network device, in order to retrieve the security data associated with the network" (security data associated with the network retrieved by the IdP, Henry [Fig.2]).
Regarding claim 22 in view of claim 18, the references combined disclose "wherein the security data associated with the network comprises at least one of (i) a reputation score of the network, or (ii) a security profile of the network" (risk score, Mahaffey [par.0046]).
Regarding claim 23 in view of claim 18, the references combined disclose "wherein determining, by the IdP, that the one or more security criteria are satisfied comprises determining, by the IdP, that a reputation score associated with the network exceeds a defined threshold" (if the similarity is within a threshold degree of similarity, compare the first application with the second application to identify differences between the applications [Fig.62/item 6215]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433