Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the Amendment filed on 12/14/2023. Claim 1 is independent claims. Claims 1-10 have been examined and are pending. This Action is made non-FINAL.
Drawings
The drawing (i.e. figure 3) are objected to because there is no short description for labels (12A, 12B, 14A, 14 B, and 14C). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. 111148399, filed on Dec. 16, 2022.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
Regarding claims 1-10, The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term "means" or "step" or a term used as a substitute for "means" that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term "means" or "step" or the generic placeholder is modified by functional language, typically, but not always linked by the transition word "for" (e.g., "means for") or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term "means" or "step" or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word "means" (or "step") in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Absence of the word "means" (or "step") in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word "means" (or "step") are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word "means" (or "step") are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “storage unit storing …;” “processing unit linked …;” “credential modification module adapted to use …;” “remote login module adapted to use …;” “account verification module adapted to contact …;” recited in claim 1; “device detect module looks for …;” recited in claim 5; “account detect module is adapted to detect …;” recited in claim 8; “modified credential process module splits …;”recited in claim 9; “modified credential process module updates …” recited in clam 10. Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201)
Regarding claim 1, Kottahachchi teaches an automatic account management system applied in a network environment, wherein the network environment comprises
a plurality of devices, and the devices comprise a managed device (Kottahachchi: fig. 1, par. [0036], depicts a simplified example system or architecture100 in which techniques for providing a privileged account management service may be implemented. In architecture 100, one or more users and/or administrators 102 (i.e.,account holders) may utilize user computing devices 104( (1)(N) (collectively, user devices 104) to access an application (e.g., a web service application or the like) 106, or a user account accessible through the application 106, via one or more networks 108. In some aspects, the application 106 and/or user account may be hosted, managed, and/or provided by a computing resources service or service provider, such as by utilizing one or more target system computers 110. The one or more target system computers 110 may, in some examples, provide computing resources and/or services such as, but not limited, web services, data storage, email, identity management, authorization, authentication services, or the like. The one or more target system computers 110 may also be operable to provide web hosting, application development platforms, implementation platforms, or the like to the one or more users 102; See also pars. 0037-0040) the managed device is adapted to be logged in using multiple accounts, each of which is accompanied by a credential for logging into the managed device (Kottahachchi: par. [0010], multiple accounts of a target system ; par. 0056, target system computers 110 may include one or more accounts 212(1)-(N), collectively account 212; Abstract, “access the target system may be logged during this time.” Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password.); par. 0057, a password for login account 212);
among these accounts, there is a privileged account that, when used to log in to the managed device, allows one to edit, create, or delete accounts and their respective credentials (Kottahachchi: par. [0010], multiple accounts of a target system;; par. 0027, The target system may include one or more databases, lightweight directory access protocol (MAP) servers, UNIX systems or the like. Further, special accounts (e.g., a security account and/or an application. account) may be implemented to aid in facilitating the privileged account management. As used herein, a privileged account may include one that relies on a password to receive access to the target system; par. [0029] In some examples, the security account (i.e., the super root) may not be accessible by a user or an administrator. This security account may be a special account that only provides target system access to the account management service; par. [0058], password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password. Since the security account 206 always has password modification grants …);
the managed device is configured to be logged into by an authorized individual (Kottahachchi: par. 0057, a user (or and administrator) of an account 212 associated with target computer 110 may provide user credentials 216 for access the account management service computer 112) ... Upon authenticating the user and checking the grant data 204 (e.g., to determine whether the user has been granted rights to access the account0, the manager 202 may provide ...a password for login account 212);
the automatic account management system comprising:
a storage unit storing a personnel information (Kottahachchi: par. 0042, the memory 114 may store access credentials and/or other user information such as, but not limited to, user IDs, passwords, other user information; par. 0057, users/administrators with “granted rights”) and a device information (Kottahachchi: par. 0060, the account data 304 may include information … account identifiers, account credentials, authorized users/administrators, access grant information, and/or information indicating with which target system the account 312 is associated), wherein the personnel information corresponds to the authorized person (Kottahachchi: pars. 0042, par. 0057, Upon authenticating the user and checking the grant data 204 (e.g., to determine whether the user has been granted rights to access the account, the manager 202 may provide ..a password for login account 212);
the device information corresponds to the managed device, and comprises the accounts and the credentials which are capable of logging in the managed device (Kottahachchi: par. 0060, the account data 304 may include information … account identifiers, account credentials, authorized users/administrators, access grant information, and/or information indicating with which target system the account 312 is associated));
the storage unit also stores an authorization relationship between the authorized person and the managed device (Kottahachchi: par. 0057, and checking the grant data 204 (e.g., to determine whether the user has been granted rights to access the account; par. 0060, the account data 304 may include information … account identifiers, account credentials, authorized users/administrators, access grant information, and/or information indicating with which target system the account 312 is associated)); and
a processing unit linked to the storage unit in an information-exchangeable manner (Kottahachchi: par. 0057, the account management service computers 112 may include at least one memory 122 and one or more processing units (or processor(s)) 124. The processor(s) 124 may be implemented as appropriate in hardware, computer-executable instructions, firmware, or combination thereof) wherein the processing unit comprises:
a credential modification module adapted to use a credential modification algorithm to modify at least one of the credentials in the device information stored in the storage unit (Kottahachchi: par. 0003, the target system may be logged during this time. In some examples, upon the password being checked back in, a security account may be provided that is configured to modify the password so that the user may not be able to log back in without checking out anew password; par. 0058, the password module 208 may be configured to randomly generate each new password upon each instance of a user checking in a password; par. 0061), , and to update the at least one of the credentials, which has been modified, to the storage unit (Kottahachchi: par. 0056, For example, FIG. 2 illustrates an access manager 202, … configured to store account/grant data 204, a security account 206, a password module 208; par. 0058,. The password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password.);
a remote login module adapted to use the accounts and the credentials contained in the device information stored in the storage unit to log in to the managed device (Kottahachchi: par. 0061, the account manager 302 may also be configured with a password module 310. The password module 310 may be configured to log into the accounts 312 of the target system computers 110 on behalf of the account manager 30), wherein, after the credential modification module operates, the remote login module uses the privileged account to log in to the managed device for updating the at least one of the credentials which has been modified to the managed device (Kottahachchi: par. [0058], password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password. Since the security account 206 always has password modification grants …; par. 0029, the security account (i.e., the super root) may not be accessible by a user or an administrator. This security account may be a special account that only provides target system access to the account management service); and
Kottahachchi discloses a storage unit storing a personnel information and a device information, wherein the personnel information corresponds to the authorized person, but does not explicitly disclose
“an identification name and contact details of the authorized person.”;
an account verification module adapted to, based on the authorization relationship stored in the storage unit and the identification name and the contact details contained in the personnel information, contact the authorized person for verifying validities of the accounts contained in the device information through an electronic process.
However, in an analogous art, Urbanek discloses distributed user validation and profile management system, wherein profile includes an identification name and contact details of the authorized person (Urbanek: abstract: validation engine which periodically sends notifications in the form of e-mails to various users within the organization to initiate the process of updating and verifying; Failure of the user to respond to the validation e-mail causes the user validation and profile management system to determine that the user profile is invalid; Col. 3, lines 36-48; Col. 15, lines 43- 45; FIG. 1, the user validation system maintains information about each user, e.g. name, company, division, email address , title, manager, etc. as part of the user profile…).
an account verification module adapted to, based on the authorization relationship stored in the storage unit and the identification name and the contact details contained in the personnel information, contact the authorized person for verifying validities of the accounts contained in the device information through an electronic process (Urbanek: Abstract, "a user validation engine which periodically sends notifications in the form of e-mails to various users within the organization to initiate the process of validating and updating user profile information" and Col. 3, lines 51-53, "particular users may, or in some cases must, verify or validate the status of one or more other users within the organization, such as supervisors or direct reports" ; Col. 3, lines 45-48, "Failure of the user to respond to the validation e-mail causes the user validation and profile management system to determine that the user profile is invalid.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Urbanek with the method and system of Kottahachchi to include “an identification name and contact details of the authorized person.”, an account verification module adapted to, based on the authorization relationship stored in the storage unit and the identification name and the contact details contained in the personnel information, contact the authorized person for verifying validities of the accounts contained in the device information through an electronic process One would have been motivated to provide a distributed user validation and profile management system operates to automatically validate and update user profiles, such as those stored within an organizational security database, to properly reflect the actual positions and rights of various users within the organization to the various organizational assets, such as computer implemented applications (Urbanek: abstract).
Regarding claim 2, the combination of Kottahachchi and Urbanek teaches the automatic account management system of claim 1.
Kottahachchi teaches the processing unit modifies the corresponding one of the credentials by using the credential modification module, and updates the modified one of the credentials to the storage unit (Kottahachchi: par. 0058, Oracle teaches "the password module 208 may be configured to randomly generate each new password"; par. 0060, the account data 304 may include information … account identifiers [i.e. account], account credentials, authorized users/administrators, access grant information, and/or information indicating with which target system the account 312 is associated);
the processing unit also uses the remote login module to log in to the managed device with the privileged account, updating the modified one of the credentials to the managed device (Kottahachchi: par. [0058], password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password. Since the security account 206 always has password modification grants …; par. 0029, the security account (i.e., the super root) may not be accessible by a user or an administrator. This security account may be a special account that only provides target system access to the account management service; par. 0061).
Urbanek teaches that the account verification module finds out one of the accounts has lost its validity (Urbanek: abstract, "Failure of the user to respond to the validation e-mail causes the user validation and profile management system to determine that the user profile is invalid");
The combination of Oracle and Urbanek does not explicitly teach if the account verification module of the processing unit finds out one of the accounts has lost its validity, then modifies the corresponding credentials (i.e. trigger-response link between invalid account detection and credential modification).
However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Oracle and Urbanek such that when the account verification module determines an account has lost its validity (as taught by Urbanek), the system responds by modifying the credential for that account using the credential modification module (as taught by Kottahachchi). One would have been motivated to do so because this applies a known technique (Oracle's credential modification capability) to a known situation (Urbanek's detection of invalid accounts) to yield a predictable result (preventing the invalid user from accessing the system with the old password, thereby enhancing security).
Regarding claim 10, the combination of Kottahachchi and Urbanek teaches the automatic account management system of claim 1. The combination of Kottahachchi and Urbanek further teaches wherein the network environment further comprises another managed device, and the processing unit further comprises a modified credential process module (Kottahachchi: par. 0036, one or more target system computers 110; par. 0077, the process may receive information for a plurality of different accounts associated with a plurality of different target systems; par. 0013, different accounts may be associated with different target systems and/or different types of target systems; par. 0058, "the password module 208... may be configured to randomly generate each new password upon each instance of a user checking in a password; par. 0061, "the password module 310 may be configured to log into the accounts 312 of the target system computers 110 on behalf of the account manager 302" and "when a password policy changes... the password module 310 may be configured to log into the target system 110, update the application account password");
when the credential modification module modifies one of the credentials, the modified credential process module correspondingly updates the modified one of the credentials to the another managed device through the remote login module by following a predetermined triggering rule (Kottahachchi: abstract, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed; par. 0077, the process may receive information for a plurality of different accounts associated with a plurality of different target systems; par. 0013; par. 0061; Abstract, "password policies for the security account may be managed. As such, when a password policy changes, the target system... may be dynamically updated"; par. 0011, "The feature of the account used by the first application may be a password policy... the password policy may be a password construction rule and/or a password lifecycle rule").
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), further in view of Anderson et al. (“Anderson,” US 6,144,959)
Regarding claim 3, the combination of Kottahachchi and Urbanek teachesthe automatic account management system of claim 1. The combination Kottahachchi and Urbanek further disclose wherein,
the account verification module of the processing unit finds out one of the accounts has lost its validity (Urbanek: abstract, "Failure of the user to respond to the validation e-mail causes the user validation and profile management system to determine that the user profile is invalid");
the storage unit stores device information including accounts and credentials (Kottahachchi: par. 0060, the account data 304 may include information … account identifiers, account credentials, authorized users/administrators, access grant information, and/or information indicating with which target system the account 312 is associated).
The combination of Kottahachchi and Urbanek does not teach,
the processing unit deletes or disables the account which has lost its validity and the corresponding one of the credentials from the device information of the storage unit.”
However, in an analogous art, Anderson discloses “deleting the account and corresponding credential from storage when a condition is met (Anderson: Col 9, lines 24-35, The login process 207 may also include a time stamp mechanism 215 used for deleting credential information on the local workstation or deleting accounts created in the local access database 203. An administrator may set a persistence parameter which represents the length of time that a user account may resid in the local access database 203. This persistence parameter 30 value may be a predetermined time determined by an administrator. When the persistence parameter value is exceeded, that is, the user account has existed on client 102A longer than the value of the persistence parameter, the user account 203 is deleted from the local access database 203).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Anderson with the method and system of Kottahachchi and Urbanek to include the processing unit deletes or disables the account which has lost its validity and the corresponding one of the credentials from the device information of the storage unit. One would have been motivated to do so because Anderson teaches that “deletion of accounts prevents a large number of user accounts from accumulation” and “prevent users from gaining access without first authenticating … since the credentials needed to access the account are deleted from the local access database (Anderson: Col. 13, lines 39-44).
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), and Anderson et al. (“Anderson,” US 6,144,959), and further in view of Hockings et al. (“Hockings,” US 8,572,709)
Regarding claim 4, the combination of Kottahachchi, Urbanek, and Anderson teaches the automatic account management system of claim 3. The combination of Kottahachchi, Urbanek, and Anderson teaches wherein “wherein the account which has lost its validity (Urbanek: abstract, "Failure of the user to respond to the validation e-mail causes the user validation and profile management system to determine that the user profile is invalid"), using the remote login module to log in to the managed device with the privileged account (Kottahachchi: par. [0058], password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password. Since the security account 206 always has password modification grants …; par. 0029, the security account (i.e., the super root) may not be accessible by a user or an administrator. This security account may be a special account that only provides target system access to the account management service; par. 0061) but does not explicitly disclose “deleting or disabling the account which has lost it validity.”
However, in an analogous art, Hockings discloses deleting an account on a target platform via administrative access (Hockings: Col. 6, lines 45-48, The E-SSO adapter functions as a trusted virtual administrator on the target platform, performing such tasks as creating user IDs, deleting IDs, and managing user account credentials. Col. 6, lines 56-57, The following actions may be performed on an account: add, modify, change password, delete and search).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hockings with the method and system of Kottahachchi, Urbanek, and Anderson to include “deleting or disabling the account which has lost it validity.” One would have been motivated to do so because Hockings teaches that “access top share account 704 is revoked by removing the user from the shared account role 708” (Hockings: Col. 8, lines 44-45).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), and Alexion-Tiernan et al. (“Alexion-Tiernan,” US 2007/0005738), and further in view of Kishore et al. (“Kishore,” US 8,621,211)
Regarding claim 5, the combination of Kottahachchi and Urbanek teaches the automatic account management system of claim 1. Kottahachchi and Urbanek do not explicitly discloses wherein the device information stored in the storage unit also comprises a basic data of the managed device; the processing unit further comprises a device detect module, wherein the devices comprises an unmanaged device; the device detect module actively looks for the unmanaged device among the devices in the network environment through a device detecting method; if the device detect module finds the unmanaged device, the processing unit adds another device information into the storage unit, writing the basic data of the unmanaged device into the another device information, and the unmanaged device becomes another managed device.
However, in an analogous art, Alexion-Tiernan discloses
wherein the device information stored in the storage unit also comprises a basic data of the managed device (Alexion-Tiernan: par. 0033, The report may comprise an analysis of the network scan including the number of devices detected, the number of unmanaged and managed devices, the operating systems installed on the devices and if the operating systems are current with respect to patches and upgrades, the software installed on each device, etc..);
the processing unit further comprises a device detect module, wherein the devices comprises an unmanaged device (Alexion-Tiernan: par. 0010, The devices connected to the network 100 may be both managed and unmanaged. A managed device is a device that has management agent software installed [] In contrast, for unmanaged devices an administrator must take steps to ensure that the device remain up-to-date; abstract: the devices are further separated into managed and unmanaged devices; pars. 0028-0029, the device locator 310 identifiers the devices connected the network.);
the device detect module actively looks for the unmanaged device among the devices in the network environment through a device detecting method (Alexion-Tiernan: par. 0029, In one embodiment, the device locator may first generate all possible network addresses in the network. These addresses may be generated from the available subnets existing on the network; par. 0030, The device locator 310, using the IP addresses, may then verify that these addresses correspond to an actual device. The device locator 310 may ping, or otherwise attempt to contact, a device at each IP address.);
if the device detect module finds the unmanaged device, the processing unit adds another device information into the storage unit, writing the basic data of the unmanaged device into the another device information (Alexion-Tiernan: par. 0021, Those devices without a registry entry and corresponding active process may be added to a list of unmanaged devices; par. 0022, "the unmanaged devices are scanned for particular software updates and particular applications").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Alexion-Tiernan with the method and system of Kottahachchi and Urbanek to include wherein the device information stored in the storage unit also comprises a basic data of the managed device ; the processing unit further comprises a device detect module, wherein the devices comprises an unmanaged device; the device detect module actively looks for the unmanaged device among the devices in the network environment through a device detecting method. One would have been motivated to provide the information indicating the device`s operating system and applications is retrieved from each unmanaged device, and the report containing the retrieved information from each unmanaged device is generated, thus avoiding the risk to the computer network, and hence facilitating easier scanning of the computer network (Alexion-Tiernan: abstract, pars. 0003-0004).
Alexion-Tiernan discloses if the device detect module finds the unmanaged device, the processing unit adds another device information into the storage unit, writing the basic data of the unmanaged device into the another device information but does not explicitly disclose “the unmanaged device becomes another managed device.”
However, in an analogous art, Kishore discloses
“the unmanaged device becomes another managed device.” (Kishore: abstract, "automatically adding each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discoverable.": Col. 2, lines 35-44).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kishore with the method and system of Kottahachchi, Urbanek, and Alexion-Tiernan to include “the unmanaged device becomes another managed device.” One would have been motivated to provide automatic enrollment of discovered devices to reduce administrative burden and ensure prompt management of all network devices (Kishore: Col. 2, lines 35-44).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), and Alexion-Tiernan et al. (“Alexion-Tiernan,” US 2007/0005738), and Kishore et al. (“Kishore,” US 8,621,211), and further in view of Goringe et al. (“Goringe,” US 7,571,239)
Regarding claim 6, the combination of Kottahachchi, Urbanek, Alexion-Tierna, and Kishore teaches the automatic account management system of claim 5. Kottahachchi, Urbanek, Alexion-Tierna, and Kishore do not explicitly disclose
wherein the remote login module of the processing unit further refers to an account credential dictionary to try to log in to the devices; if a privileged account which is capable of logging in to the unmanaged device is found, the privileged account and the corresponding one of the credentials are written into the another device information stored in the storage unit.
However, in an analogous art, Goringer discloses
wherein the remote login module of the processing unit further refers to an account credential dictionary to try to log in to the devices (Goringer: fig. 1, abstract; Col. 7, lines 62-65; "the queue can include credentials that are in common or widespread use in the industry, default credentials in use when a device is initially acquired from a supplier or manufacturer, and/or credentials that are provided by the user in advance."; Col. 4, lines 5-7, "a candidate credential queue 112 listing credentials in order of priority for credential guessing by the credential discovery agent 104."; Col. 6, lines 24-27, "the agent 104 attempts to guess the credential from the credentials listed in the queue 112. When guessing, the agent 104 tries all of the credentials in the queue 112 in order of priority.");
if a privileged account which is capable of logging in to the unmanaged device is found, the privileged account and the corresponding one of the credentials are written into the another device information stored in the storage unit (Goringer: Col. 6, lines 30-32, "When a credential is successfully validated in steps 276, 280, 284 and 288, the credential is stored in the appropriate out-parameter corresponding to the IP address in step 292." , "the corresponding entry in the network access list (and/or credential repository) is assigned the credential state of FOUND CREDENTIAL.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Goringer with the method and system of Kottahachchi, Urbanek, Alexion-Tierna, and Kishoreto include wherein the remote login module of the processing unit further refers to an account credential dictionary to try to log in to the devices; if a privileged account which is capable of logging in to the unmanaged device is found, the privileged account and the corresponding one of the credentials are written into the another device information stored in the storage unit. One would have been motivated to provide the benefits of determining credentials "in significantly less time than conventional techniques," reducing "the amount of user interaction by making educated guesses at the credential," and obviating "the need for the user to manually input an extensive list of credentials."(Goringer: Col. 3, lines 35-45).
Regarding claim 7, the combination of Kottahachchi, Urbanek, Alexion-Tierna, Kishore, and Goringer teaches the automatic account management system of claim 6. The combination of Kottahachchi, Urbanek, Alexion-Tierna, Kishore, and Goringer further teaches, wherein the account credential dictionary is created manually (Goringer: Col. 7, lines 61-65, "the queue can include... credentials that are provided by the user in advance"; lines 63-66, "the user can provide input into the operation of the agent... The user fills in the required credential(s)"), created by referring to the accounts and the credentials in the device information stored in the storage unit (Goringer: Col. 4, lines 3-13, "The credential repository 108 ... is loaded at runtime of the agent 104 to provide an initial population of credentials for IP addresses of network components"; Col. 4, 39-41, "During any individual discovery task, each credential, which is successfully validated by the credential repository is also added to the queue 112"; Col. 2, lines 41-45, "The credential repository holds credentials that have been learned... The repository is used to save the credentials between executions and can have things removed or added to it during agent operation"), or created by searching or intercepting the managed device.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), and further in view of Simakov et al. (“Simakov,” US 2018/0107820).
Regarding claim 8, the combination of Kottahachchi and Urbanek teaches the automatic account management system of claim 1. Kottahachchi and Urbanek do not explicitly disclose wherein the processing unit further comprises an account detect module; when the remote login module logs in to the managed device with the privileged account, the account detect module is adapted to detect whether another account has been added into the managed device, or whether one of the accounts has been deleted; if so, the account detect module notifies the account verification module to verify the validities of the accounts contained in the device information.
However, in an analogous art, Simakov discloses
wherein the processing unit further comprises an account detect module (Simakov: par. 0006, The visibility is based on periodic scans of the local users' directory, such as the Windows Security Account Manager (SAM), using the standard protocol messages and APIs of a remote admin interface, such as SAMs Remote (SAMR) protocol; abstract, "gain[s] visibility to local users' logons, group membership, password changes, and other parameters." par. [0044], By periodically querying the monitored machines using of some domain user credentials, defenders can learn the current state of local users in a machine as well as identify changes to that state by comparing current to previous results.);
when the remote login module logs in to the managed device with the privileged account, the account detect module is adapted to detect whether another account has been added into the managed device, or whether one of the accounts has been deleted (Kottahachchi: par. [0058], password module 208 may be responsible for implementing the security account 206 to log into the account 212 for modifying the password. Since the security account 206 always has password modification grants …; par. 0029, the security account (i.e., the super root) may not be accessible by a user or an administrator. This security account may be a special account that only provides target system access to the account management service; par. 0061, password module 310 may be configured to log into the accounts 312 of the target system computers 110 on behalf of the account manager 30; Simakov: par. [0044], By periodically querying the monitored machines using of some domain user credentials; par. 0043, In some embodiments, any domain user may have the capability to query any computing device; par. 0083, FIGS. l0A and l0B illustrate detection of an anomaly involving a local user added to a privileged local group. .. Comparing the current member list for the admin group to the prior member list shows that new member 1001 has been added to admin group; par. 0084 FIGS. 11A and 11B illustrate detection of an anomaly involving a local user who is removed from a privileged local group)
if so, the account detect module notifies the account verification module to verify the validities of the accounts contained in the device information (Simakov: par. 0083: A defender monitoring the activity on the local machine may further investigate this new member and verify whether that user was properly added to the admin group; par. 0084, A defender monitoring the activity on the local machine may further investigate this new member and verify whether that user was properly added to the admin group; abstract, Security applications enabled by this visibility include, but are not limited to, abnormal logons detection, abnormal group addition and removal detection, and abnormal password changes detection).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Simakov with the method and system of Kottahachchi and Urbanek to include wherein the processing unit further comprises an account detect module; when the remote login module logs in to the managed device with the privileged account, the account detect module is adapted to detect whether another account has been added into the managed device, or whether one of the accounts has been deleted; if so, the account detect module notifies the account verification module to verify the validities of the accounts contained in the device information. One would have been motivated to provide the method which enables detecting a suspicious local activity using a remote admin interface protocol, so that defenders use remote admin interface protocol capabilities to gain visibility to local user's activities (Simakov: par. 0044).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Kottahachchi et al. (“Kottahachchi,” US 2013/0086658), in view of Urbanek et al. (“Urbanek,” US 7,921,201), and further in view of Brown et al. (“Brown,” US 9,203,616)
Regarding claim 9, the combination of Kottahachchi and Urbanek teach the automatic account management system of claim 1. Kottahachchi and Urbanek do not explicitly disclose wherein the processing unit further comprises a modified credential process module; when the credential modification module modifies one of the credentials, the modified credential process module splits the modified one of the credentials to be kept in different locations.
However, in an analogous art, Brown discloses
wherein the processing unit further comprises a modified credential process module (Brown: Col. 1, line 62 to Col. 3 line 11; an improved technique involves storing one current and one previous version of the secret share in their respective databases. Along these lines, authentication servers split the proactivization process into several phases …. At a second phase, the authentication servers generate a new version of each secret share and store that new version alongside that previous version..,);
when the credential modification module modifies one of the credentials, the modified credential process module splits the modified one of the credentials to be kept in different locations (Brown: Col. 1, line 62 to Col. 3 line 11; Col. 1, lines 36-45, To further improve security, some systems mathematically split each password hash into two pieces of data ("shares"), such that each share on its own conveys no information about the original password hash. These systems store each share in a different database that may be in a different physical location and protected by different security measures.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brown with the method and system of Kottahachchi and Urbanek to include wherein the processing unit further comprises a modified credential process module; when the credential modification module modifies one of the credentials, the modified credential process module splits the modified one of the credentials to be kept in different locations. One would have been motivated to provide the improved technique which allows for minimal overhead due to synchronization during proactivization, as servers only need to connnunicate with each other before and after the full set of new secret share have been computed (Brown: Col. 3, lines 12-14).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at telephone number 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/Canh Le/
Examiner, Art Unit 2439
December 3rd, 2025
/JAMES R TURCHEN/Primary Examiner, Art Unit 2439