Prosecution Insights
Last updated: April 19, 2026
Application No. 18/602,642

CYBERSECURITY POLICY ENFORCEMENT VIA CORRELATION BETWEEN ENTITIES AND RESOURCE ACCESS

Final Rejection §102
Filed: Mar 12, 2024
Examiner: REVAK, CHRISTOPHER A
Art Unit: 2407
Tech Center: 2400 — Computer Networks
Assignee: Oasis Security Ltd.
OA Round: 2 (Final)
Grant Probability: 89% (Favorable)
OA Rounds: 3-4
To Grant: 2y 9m
With Interview: 98%

Examiner Intelligence

Grants 89% — above average
Career Allow Rate: 89% (987 granted / 1105 resolved), +31.3% vs TC avg
Interview Lift: +8.6% (Moderate +9% lift; resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m
Currently pending: 17
Career history
Total Applications: 1122 (across all art units)

Statute-Specific Performance

§101: 12.0% (-28.0% vs TC avg)
§103: 20.9% (-19.1% vs TC avg)
§102: 38.0% (-2.0% vs TC avg)
§112: 7.2% (-32.8% vs TC avg)
Based on career data from 1105 resolved cases

Office Action

§102
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed have been fully considered but they are not persuasive.

The Applicant argues:

“Claim 1 recites: correlating the access properties with entity data of a plurality of second entities in order to identify the first entity among the plurality of second entities, wherein the entity data indicates a source of each of the plurality of second entities at the time of the access event, wherein the source of each of the plurality of second entities is unique among the plurality of second entities; and [emphasis added]

The office action points to paragraph [0064] of Zakas as allegedly teaching the claimed sources, noting “examples are given as to the different sources of identified groups, such as in a corporate network, human resource (HR) users may be assigned to group 1, which indicates group 1 users may use email and access the web and HR records, but may not access financial record. Accountants and financial officers assigned to group 2 may access email, web, and financial records, but are not allowed to access HR records. Administrators assigned to group 2 may receive higher QoS level when they login, in order to give their transactions higher priority on the network.” Applicant respectfully disagrees and submits that the alleged sources of the groups of Zakas are not unique among the groups (i.e., the alleged analogs to the claimed sources) as would be required by the claims. In this regard, Zakas teaches:

As users log in and log out, the network is provisioned in real-time for each identified user, which may function to prevent a breach in security. By way of example, in a corporate network, human resource (HR) users may be assigned to group 1, which indicates that group 1 users may use email and access the web and HR records, but may not access financial records. Meanwhile, the accountants and financial officers assigned to group 2 may access email, web, and financial records but are not allowed to access HR records. Additionally, administrators assigned to group 3 may receive a higher QoS level when they login, in order to give their transactions higher priority on the network. Other factors may be included when considering role based controls such as time of day and location of the role based user. Thus, separate roles and policies are dynamically enforced for different users within the network according to their role within the organization. Zakas, para. [0065] (emphasis added).

The office action asserts that the systems and services accessible to different groups such as email, web access, and HR records are sources of those groups which are comparable to the claimed sources. However, these systems and services are not unique among the groups (i.e., the alleged analog to the claimed second entities). Rather, Zakas specifically teaches overlapping sources, such as both groups 1 and 2 having access to email and web. Thus, the alleged sources of Zakas are not unique among the groups (the alleged analog to the claimed plurality of second entities). That is, these alleged sources are not unique among the groups insofar as different groups may have access to the same sources.”

The Examiner respectfully disagrees.

Zakas establishes the “entity data” by correlating access properties of a plurality of second entities in order to identify the first entity among a plurality of second entities, a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9. The entity data (role or group) is defined per user, and is associated with a defined source (group 1, group 2, or group 3) since the user has been identified as belonging to the unique source with a specific role that dictates what the user of a group can and cannot do based upon a policy that is to be applied. The source group (i.e., plurality of second entities) is “unique” since it has a specific role based control that is permitted based upon the pre-defined policies, wherein “different sources of identified groups, such as in a corporate network, human resource (HR) users may be assigned to group 1, which indicates group 1 users may use email and access the web and HR records, but may not access financial record. Accountants and financial officers assigned to group 2 may access email, web, and financial records, but are not allowed to access HR records. Administrators assigned to group 2 may receive higher QoS level when they login, in order to give their transactions higher priority on the network, para 0065, lines 1-8”. The Applicant fails to further limit the terms “source” and “unique”, the Examiner’s application of broadest reasonable interpretation of the scope of the teachings of Zakas meet the Applicant’s claimed limitations, rendering the Applicant’s arguments moot. The rejection is hereby maintained by the Examiner.

It is further argued by the Applicant:

“For context regarding how “unique” might be interpreted given the instant specification, the specification teaches:

In some embodiments, the source is determined as or based on a source identifier which uniquely identifies a specific entity (e.g., a specific device, system, or program). For example, access logs may indicate IP addresses of entities which participated in access events, where each IP address is uniquely assigned to a given device at a particular time. That is, in such an embodiment, the source is determined such that only the accessing entity would have that source at the time determined at S320, and no other entity would have that source. Alternatively, uniqueness may be defined with respect to a given computing environment or set of computing environments such that a source identifier uniquely identifies an entity when only one entity within the computing environment or set of computing environments has that source identifier at any given time. In other words, the source of each entity among a set of entities in a computing environment or set of computing environments is unique among that set of entities such that no two entities among the set of entities have the same source (e.g., as indicated by their respective source identifiers). Specification, para. [0059] (emphasis added).

The specification provides examples of what may constitute “unique” for sources of entities. Applicant submits that both examples are related in that only one entity has the same source identifier (i.e., an identifier representing a source of the entity), at least at a given time. Zakas, in contrast, appears to suggest that different groups (alleged entities) may have access to the same services/systems (alleged sources), which means that the services/systems of Zakas are not all unique to their respective groups. Thus, applicant submits that Zakas does not teach at least these features.”

The Examiner notes the claim only recites of the language “wherein the entity data indicates a source of each of the plurality of second entities is unique among the plurality of second entities”. The Applicant’s claims fail to further define the source, but merely referencing that each of the plurality of second entities are “unique”. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., “the source is determined such that only the accessing entity would have that source at the time determined, and no other entity would have that source”; “such that a source identifier uniquely identifies an entity when only one entity within the computing environment or set of computing environments has that source identifier at any given time”; and “an identifier representing a source of the entity”) are not recited in the rejected claims. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). The Examiner refers the Applicant to the arguments cited above with respect to Zakas use of “entity data indicates a source of each of the plurality of second entities is unique among the plurality of second entities.” The Applicant’s arguments are found to be moot, the current grounds of the rejection is hereby maintained.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zakas, WO 2006/031302 A1.

As per claim 1, it is taught of a method for policy enforcement, comprising: extracting access properties (central manager receives all the user’s information (i.e., access properties) from the observed traffic) for an access event (every time a user logs into the network) from access data indicating the access event (observed traffic), wherein the access properties include a time of the access event (time of day) and a source of a first entity which initiated the access event (computer’s IP address, machine address, network location)(central manager receives all the user’s information including characteristics of the packet including user computer’s IP address, machine address, network location, time of day, user ID and/or other information, para 0063, lines 8-12); correlating the access properties with entity data of a plurality of second entities in order to identify the first entity among the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9), wherein the entity data indicates a source (group 1, group 2, or group 3) of each of the plurality of second entities at the time of the access event, wherein the source of each of the plurality of second entities is unique among the plurality of second entities (examples are given as to the different sources of identified groups, such as in a corporate network, human resource (HR) users may be assigned to group 1, which indicates group 1 users may use email and access the web and HR records, but may not access financial record. Accountants and financial officers assigned to group 2 may access email, web, and financial records, but are not allowed to access HR records. Administrators assigned to group 2 may receive higher QoS level when they login, in order to give their transactions higher priority on the network, para 0065, lines 1-8); and applying a security policy based on the access event and the first entity identified as the first entity which initiated the access event (once a user profile (i.e., entity data) is found, a role will define a user’s permissions and corresponding rules (i.e., applying a security policy based upon the detected login). Role-based rules (i.e., security policy) are retrieved from within the master directory and is distributed to traffic sensors where the rules and policies are enforced, para 0063, lines 20-31 and separate roles and policies are dynamically enforced for different users according to their role within the organization, para 0065, lines 9-11).

As per claim 2, it is disclosed wherein the entity data includes a plurality of network addresses of the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9 and they each have a corresponding IP address, machine address, and network location, para 0063, lines 8-12).

As per claim 3, it is taught wherein the source of the first entity is a network address of the first entity, wherein correlating the access properties (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9) with the entity data (group 1, group 2, or group 3) further comprises matching the network address of the accessing entity to a first network address of the plurality of network addresses of the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9 and they each have a corresponding IP address, machine address, and network location and group data contains IP addresses, machine address, and network location associated with their respective grouping, para 0063, lines 8-12).

As per claim 4, it is disclosed of further comprising: sending a notification indicating the first entity which initiated the access event (any time a user logs into a network (i.e., first entity which initiated the access event), a central manager receives (via notification) all the user’s information (i.e., first entity) from the observed traffic, para 8-16).

As per claim 5, it is taught wherein the first entity initiated the access event via an intermediary, further comprising: identifying the intermediary based on the extracted access properties (central manager monitors and controls functions of the traffic sensors, a master directory is used to manage network permissions for unknown users (i.e., intermediaries) and assets of the network, para 0039, lines 1-5); and analyzing data of the intermediary in order to identify the source of the first entity and the time of the access event (the traffic sensor characterizes every packet accurately and identifies the source of the first entity and time of the access event, which includes the unknown (i.e., intermediary) data, para. 0037, lines 1-13).

As per claim 6, it is disclosed where the intermediary (the traffic sensor characterizes every packet accurately and identifies the source of the first entity and time of the access event, which includes the unknown (i.e., intermediary) data, para. 0037, lines 1-13) is a secrets manager (high valued data is identified in the traffic that includes confidential data formats (i.e., secrets manager), such as social security numbers, credit card numbers, etc) that is traversing the network unencrypted, para. 0052, lines 1-4), wherein the data of the intermediary includes an access log of the secrets manager, wherein the access log of the secrets manager indicates the first entity as an entity which used the secrets manager during the access event (packet capture data (i.e., access logs from the sensors) is sent back to the central manager whereby an administrator can view the context in which the sensitive data was transferred, including the sender (i.e., first entity) and recipient, and what application was used to transfer the data, para. 0052, lines 10-17).

As per claim 7, it is taught of further comprising: detecting a violation of the security policy based on the identified first entity (watch lists can be set up to indicate sensitive traffic is attempting to traverse the network in which various actions are defined if protected information is discovered within the watch list rules (i.e., violation of the security policy), para 0056, lines 1-6 and authorized users can set up certain kinds of violations (of established policies) that are to be monitored for by the traffic sensors, which are then logged for occurrences of events by particular entities, para 0066, lines 2-6).

As per claim 8, it is disclosed of further comprising: performing at least one remediation action based on the detected violation of the security policy (actions and countermeasures (i.e., remediations) are taken if there is a detected violation of the security policy if the detected information is contained within a watch list, para 0056, lines 8-15).

As per claim 9, it is taught of further comprising: determining that the identified accessing entity is inactive, wherein the violation of the security policy is detected based on the inactive accessing entity initiating the access event (identification of zero-day or un-cataloged attacks and exploits (i.e., accessing entity is inactive) is analyzed for all inbound and outbound network packets (i.e., access events), they are security vulnerabilities (i.e., violations of the security policy), para 0048, lines 1-7).

As per claim 10, it is disclosed of a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process (para 0029, lines 9-14), the process comprising: extracting access properties (central manager receives all the user’s information (i.e., access properties) from the observed traffic) for an access event (every time a user logs into the network) from access data (observed traffic) indicating the access event, wherein the access properties include a time of the access event (time of day) and a source of a first entity which initiated the access event (computer’s IP address, machine address, network location)(central manager receives all the user’s information including characteristics of the packet including user computer’s IP address, machine address, network location, time of day, user ID and/or other information, para 0063, lines 8-12); correlating the access properties with entity data of a plurality of second entities in order to identify the first entity among the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9), wherein the entity data indicates a source (group 1, group 2, or group 3) of each of the plurality of second entities at the time of the access event, wherein the source of each of the plurality of second entities is unique among the plurality of second entities (examples are given as to the different sources of identified groups, such as in a corporate network, human resource (HR) users may be assigned to group 1, which indicates group 1 users may use email and access the web and HR records, but may not access financial record. Accountants and financial officers assigned to group 2 may access email, web, and financial records, but are not allowed to access HR records. Administrators assigned to group 2 may receive higher QoS level when they login, in order to give their transactions higher priority on the network, para 0065, lines 1-8); and applying a security policy based on the access event and the first entity identified as the first entity which initiated the access event (once a user profile (i.e., entity data) is found, a role will define a user’s permissions and corresponding rules (i.e., applying a security policy based upon the detected login). Role-based rules (i.e., security policy) are retrieved from within the master directory and is distributed to traffic sensors where the rules and policies are enforced, para 0063, lines 20-31 and separate roles and policies are dynamically enforced for different users according to their role within the organization, para 0065, lines 9-11).

As per claim 11, it is taught of a system for policy enforcement, comprising: a processing circuitry (para 0029, lines 9-14); and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system (para 0029, lines 9-14) to: extract access properties (central manager receives all the user’s information (i.e., access properties) from the observed traffic) for an access event (every time a user logs into the network) from access data (observed traffic) indicating the access event, wherein the access properties include a time of the access event (time of day) and a source of a first entity which initiated the access event (computer’s IP address, machine address, network location)(central manager receives all the user’s information including characteristics of the packet including user computer’s IP address, machine address, network location, time of day, user ID and/or other information, para 0063, lines 8-12); correlate the access properties with entity data of a plurality of second entities in order to identify the first entity among the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9), wherein the entity data indicates a source (group 1, group 2, or group 3) of each of the plurality of second entities at the time of the access event, wherein the source of each of the plurality of second entities is unique among the plurality of second entities (examples are given as to the different sources of identified groups, such as in a corporate network, human resource (HR) users may be assigned to group 1, which indicates group 1 users may use email and access the web and HR records, but may not access financial record. Accountants and financial officers assigned to group 2 may access email, web, and financial records, but are not allowed to access HR records. Administrators assigned to group 2 may receive higher QoS level when they login, in order to give their transactions higher priority on the network, para 0065, lines 1-8); and apply a security policy based on the access event and the first entity identified as the entity which initiated the access event (once a user profile (i.e., entity data) is found, a role will define a user’s permissions and corresponding rules (i.e., applying a security policy based upon the detected login). Role-based rules (i.e., security policy) are retrieved from within the master directory and is distributed to traffic sensors where the rules and policies are enforced, para 0063, lines 20-31 and separate roles and policies are dynamically enforced for different users according to their role within the organization, para 0065, lines 9-11).

As per claim 12, it is disclosed wherein the entity data includes a plurality of network addresses of the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9 and they each have a corresponding IP address, machine address, and network location, para 0063, lines 8-12).

As per claim 13, it is taught wherein the source of the first entity is a network address of the first entity, wherein correlating the access properties (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9) with the entity data (group 1, group 2, or group 3) further comprises matching the network address of the accessing entity to a first network address of the plurality of network addresses of the plurality of second entities (a role or group (i.e., entity data among a plurality of second entities) defines various users with a network, when a user logs in, their role is immediately identified using credential information from a master directory, para 0064, lines 5-9 and they each have a corresponding IP address, machine address, and network location and group data contains IP addresses, machine address, and network location associated with their respective grouping, para 0063, lines 8-12).

As per claim 14, it is disclosed wherein the system is further configured to: send a notification indicating the first entity which initiated the access event (any time a user logs into a network (i.e., first entity which initiated the access event), a central manager receives (via notification) all the user’s information (i.e., first entity) from the observed traffic, para 8-16).

As per claim 15, it is taught wherein the first entity initiated the access event via an intermediary, wherein the system is further configured to: identify the intermediary based on the extracted access properties (central manager monitors and controls functions of the traffic sensors, a master directory is used to manage network permissions for unknown users (i.e., intermediaries) and assets of the network, para 0039, lines 1-5); and analyze data of the intermediary in order to identify the source of the first entity and the time of the access event (the traffic sensor characterizes every packet accurately and identifies the source of the first entity and time of the access event, which includes the unknown (i.e., intermediary) data, para. 0037, lines 1-13).

As per claim 16, it is disclosed where the intermediary (the traffic sensor characterizes every packet accurately and identifies the source of the first entity and time of the access event, which includes the unknown (i.e., intermediary) data, para. 0037, lines 1-13) is a secrets manager, wherein the data of the intermediary includes an access log of the secrets manager (high valued data is identified in the traffic that includes confidential data formats (i.e., secrets manager), such as social security numbers, credit card numbers, etc) that is traversing the network unencrypted, para. 0052, lines 1-4), wherein the access log of the secrets manager indicates the first entity as an entity which used the secrets manager during the access event (packet capture data (i.e., access logs from the sensors) is sent back to the central manager whereby an administrator can view the context in which the sensitive data was transferred, including the sender (i.e., first entity) and recipient, and what application was used to transfer the data, para. 0052, lines 10-17).

As per claim 17, it is taught wherein the system is further configured to: detect a violation of the security policy based on the identified first entity (watch lists can be set up to indicate sensitive traffic is attempting to traverse the network in which various actions are defined if protected information is discovered within the watch list rules (i.e., violation of the security policy), para 0056, lines 1-6 and authorized users can set up certain kinds of violations (of established policies) that are to be monitored for by the traffic sensors, which are then logged for occurrences of events by particular entities, para 0066, lines 2-6).

As per claim 18, it is disclosed wherein the system is further configured to: perform at least one remediation action based on the detected violation of the security policy (actions and countermeasures (i.e., remediations) are taken if there is a detected violation of the security policy if the detected information is contained within a watch list, para 0056, lines 8-15).

As per claim 19, it is taught wherein the system is further configured to: determine that the identified accessing entity is inactive, wherein the violation of the security policy is detected based on the inactive accessing entity initiating the access event (identification of zero-day or un-cataloged attacks and exploits (i.e., accessing entity is inactive) is analyzed for all inbound and outbound network packets (i.e., access events), they are security vulnerabilities (i.e., violations of the security policy), para 0048, lines 1-7).

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ives-Halperin et al, WO 2016/022329 A1 is relied upon for disclosing of resource-access allocation engine 304 allocates a set of access rights for the resource. In some instances, each of at least some of the access rights corresponds to a different access parameter, such as a different location (e.g., seat) assignment. Upon allocation, each of some or all of the access rights may have a status as available. A subset of the set of access rights can be immediately (or at a defined time) assigned or reserved according to a base assignment or reservation rule (e.g., assigning particular access rights to particular entities, who may be involved in or related to provision of the resource and/or who have requested or been assigned a set of related access rights, see paragraph 0088.

Farino et al, US 2007/0094713 is relied upon for disclosing of implementing policies that associate physical resource access requests or events with network-based resource access requests or events from a given entity or group of entities that are implemented, arbitrated and provide response instructions on a unified physical access and network access control server or similar platform. These policies correlate and specify events in the physical realm that can be tied to events or access of network resources and vice versa. Policies that associated physical resource access requests or events with network-based resource access requests or events from a given entity or group of entities may be implemented, arbitrated and responsive instructions provided on a unified physical access and network access policy server or similar platform, see paragraph 0096.

Rojas, U.S. Patent 11,501,586 is relied upon for disclosing of a transferred or lent access right may be encoded in a token. The access right token may include data identifying the access right controller that is lending the access right, identifying the right transferred or lent (e.g., an access right to an event, to a location, an associated start time, an associated end time, and/or an associated time period), data indicating the status of the access right (e.g., transferred, lent, recalled, etc.), and/or data identifying the receiving user. The access right data may be encrypted using a public key, and may be decrypted using a private key, see column 8, lines 28-38.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/
Primary Examiner, Art Unit 2407

Prosecution Timeline

Mar 12, 2024: Application Filed
Jul 25, 2025: Non-Final Rejection — §102
Nov 12, 2025: Response Filed
Feb 24, 2026: Final Rejection — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602477: DETECTING TARGETED INTRUSION ON MOBILE DEVICES (2y 5m to grant; granted Apr 14, 2026)
Patent 12596798: PROBABILISTIC TRACKER MANAGEMENT FOR MEMORY ATTACK MITIGATION (2y 5m to grant; granted Apr 07, 2026)
Patent 12591698: SECURE DATA PARSER METHOD AND SYSTEM (2y 5m to grant; granted Mar 31, 2026)
Patent 12579251: SYSTEM AND METHOD FOR DETECTING EXCESSIVE PERMISSIONS IN IDENTITY AND ACCESS MANAGEMENT (2y 5m to grant; granted Mar 17, 2026)
Patent 12561439: LOCATION-BASED IHS FUNCTIONALITY LIMITING SYSTEM AND METHOD (2y 5m to grant; granted Feb 24, 2026)
Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 89%
With Interview: 98% (+8.6%)
Median Time to Grant: 2y 9m
PTA Risk: Moderate
Based on 1105 resolved cases by this examiner. Grant probability derived from career allow rate.
