Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This is a reply to the application filed on 3/25/2024, in which, claim(s) 1-20 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/11/2024, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Drawings
The drawings filed on 3/25/2024 are accepted by the Examiner.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim limitations “a first PQE module and a second PQE module perform…” in claim 1, and “first environment additional module reviews…, second environment additional module analyzes…” in claim 2 are limitations that invoke 35 U.S.C. 112, sixth paragraph. The written description only implicitly or inherently sets forth the corresponding structure, material, or acts that perform the claimed function.
Pursuant to 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181, applicant should:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112, sixth paragraph; or
(b) Amend the written description of the specification such that it expressly recites the corresponding structure, material, or acts that perform the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) State on the record what corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function.
Dependent claims 3-12 recite the modules from claims 1-2, configured to perform additional features, and are thus rejected under the same rationale.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 6-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Krauthamer et al. (US 20210306145 A1; hereinafter Krauthamer) in view of Saavedra et al. (US 20190182213 A1; hereinafter Saavedra).
Regarding claim 1, Krauthamer discloses a system, comprising:
a first technology environment comprising at least one first technology component, the at least one first technology component comprising a first Post-Quantum Encryption (PQE) module (Using End-to-End (E2E) Post Quantum Resistant encryption techniques to protect the data, the Data Security Management System provides the flexibility for multiple data schemes in a distributive environment, wherein each end contains a post quantum cryptographic device for secure communication [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]);
a second technology environment separated from the first technology environment by a communications network, the second technology environment comprising at least one second technology component, the at least one second technology component comprising a second PQE module (the Data Security Management System provides the flexibility for multiple data schemes in a distributive environment, wherein each end contains a post quantum cryptographic device for secure communication [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]); and
wherein the first PQE module and the second PQE module each perform at least one of transmitting and receiving of the communications between the first technology environment and the second technology environment, the communications being encrypted using PQE algorithms (transmitting and receiving of data using PQE algorithms [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]). Krauthamer discloses a communications interface configured to receive and transmit one or more portions of Post Quantum Resistant Encrypted data within a network comprising a plurality of endpoints. Krauthamer does not explicitly disclose a demilitarized zone (DMZ) environment having at least one DMZ processor, wherein the first technology environment, the second technology environment, and the DMZ environment are networked together across the communications network such that communications between the first technology environment and the second technology environment pass through the DMZ environment; however, in a related and analogous art, Saavedra teaches this feature.
In particular, Saavedra teaches that a demilitarized zone (DMZ) may be supported by a firewall system and may support attachment of up to 9 custom policies or profiles that may bypass the “ANY” zone. For example, a security zone, “ANY” zone, and “DMZ” zone may exist for each interface and may support attachment of profiles. This may be more advanced than conventional firewall zones. The firewall is positioned between the different technology environments and supports communication between devices [Saavedra; ¶27, 40, 151-152; Figs. 10-12 and associated text]. It would have been obvious before the effective filing date of the claimed invention to modify Krauthamer in view of Saavedra to use a firewall system to support the DMZ, with the motivation to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 2, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the first technology environment further comprises at least one first environment additional module; wherein the second technology environment further comprises at least one second environment additional module (client site network component implemented at least at a first client site in network communication with a second client site, wherein the first client site and the second client site are at a distance from one another that is such that would usually require long haul network communication, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput, the client site network component configured to connect to at least one network server component implemented at an access point to at least one wide area network, the network server component automatically terminating the bonded/aggregated connection and passing the data traffic to an access point to at least one wide area network, the client site network component configuring a virtual edge providing at least one of transparent lower-link encryption and lower-link encapsulation using a common access protocol for the bonded/aggregated connection [Saavedra; ¶40-43; Figs. 10-12 and associated text]); and
wherein during transmission from the first technology environment to the second technology environment [Saavedra; ¶27, 40, 151-152; Figs. 10-12 and associated text]:
the at least one first environment additional module reviews data received from the at least one first technology component for at least one of malicious and unauthorized activity, resulting in first authorized data (Firewall system may use big data methods for network and application control in a decision tree to augment existing control and data plane functionality for improving the user quality of experience. For example, this may support centralized log data, anomaly detection, and actionable intelligence [Saavedra; ¶139, 151-152; Figs. 10-12 and associated text]);
the first PQE module formats and encrypts the first authorized data using PQE, resulting in an encrypted transmission (a cryptographic security policy for the transmission of data to and from a first node in a network comprising a plurality of nodes is presented, the method comprising: a) receiving a one or more portions of transmitted data from one or more second nodes of said network; b) reassembling said one or more portions of transmitted data into a one or more portions of encrypted data to be decrypted; c) decrypting said one or more portions of encrypted data using one or more cryptographic algorithms to yield one or more portions of data [Krauthamer; ¶102; Figs. 10-12 and associated text]);
the encrypted transmission is routed over the communications network from the first technology environment to the second technology environment through the DMZ environment; the second PQE module receives the encrypted transmission (the transmission of data to and from a first node in a network comprising a plurality of nodes [Krauthamer; ¶102; Figs. 10-12 and associated text]; a demilitarized zone (DMZ) may be supported by a firewall system and may support attachment of up to 9 custom policies or profiles that may bypass the “ANY” zone. For example, a security zone, “ANY” zone, and “DMZ” zone may exist for each interface and may support attachment of profiles. This may be more advanced than conventional firewall zones. The firewall is positioned between the different technology environments and supports communication between devices [Saavedra; ¶27, 40, 151-152; Figs. 10-12 and associated text]);
the second PQE module decrypts the encrypted transmission using PQE, resulting in decrypted data; the at least one second environment additional module analyzes the decrypted data for at least one of malicious and unauthorized activity, resulting in second authorized data (a cryptographic security policy for the transmission of data to and from a first node in a network comprising a plurality of nodes is presented, the method comprising: a) receiving a one or more portions of transmitted data from one or more second nodes of said network; b) reassembling said one or more portions of transmitted data into a one or more portions of encrypted data to be decrypted; c) decrypting said one or more portions of encrypted data using one or more cryptographic algorithms to yield one or more portions of data [Krauthamer; ¶102; Figs. 10-12 and associated text]. Firewall system 200 may use big data methods for network and application control in a decision tree to augment existing control and data plane functionality for improving the user quality of experience. For example, this may support centralized log data, anomaly detection, and actionable intelligence [Saavedra; ¶139, 151-152; Figs. 10-12 and associated text]); and
the second PQE module forwards the second authorized data to the at least one second technology component (client site network component implemented at least at a first client site in network communication with a second client site, wherein the first client site and the second client site are at a distance from one another that is such that would usually require long haul network communication, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput, the client site network component configured to connect to at least one network server component implemented at an access point to at least one wide area network, the network server component automatically terminating the bonded/aggregated connection and passing the data traffic to an access point to at least one wide area network, the client site network component configuring a virtual edge providing at least one of transparent lower-link encryption and lower-link encapsulation using a common access protocol for the bonded/aggregated connection [Saavedra; ¶40-43; Figs. 10-12 and associated text]. Firewall system may use big data methods for network and application control in a decision tree to augment existing control and data plane functionality for improving the user quality of experience. For example, this may support centralized log data, anomaly detection, and actionable intelligence [Saavedra; ¶139, 151-152; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 3, the Krauthamer-Saavedra combination discloses the system of claim 2, wherein the at least one DMZ processor within the DMZ environment decrypts and analyzes the encrypted transmission for at least one of malicious and unauthorized activity prior to forwarding the encrypted transmission to the second PQE module (the firewall system may support or include auto signature intelligence and update. For example, Layer 7 DPI may log all malicious and unknown signatures to the cloud, for example, a centralized firewall network controller [Saavedra; ¶249; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 6, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the at least one second technology component comprises an Information Technology (IT) component (client site network components, each client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput…[Saavedra; ¶9; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 7, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the DMZ environment is hypervised, such that the DMZ environment supports execution of multiple virtual machines (In one exemplary embodiment of the invention, the COPE may be implemented with virtualization software such as vmWare, vSphere5, Citrix Xen, and so on [Saavedra; ¶256; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 8, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the communications are routed through the DMZ environment by the at least one DMZ processor using a post-quantum encryption tunnel (each end contains a post quantum cryptographic device for secure communication [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]; the DMZ zone with the tunneling protocol allows for provision of network services that the underlying network does not provide directly. A tunneling protocol may use a data portion of a data packet (e.g. payload) to carry the packets that provide the desired service [Saavedra; ¶153, 376]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 9, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the communications are routed through the DMZ environment using a zero-trust quantum-security private tunnel (the cryptographic algorithm utilized by the processing device is a post-quantum cryptographic algorithm. A security policy manager operatively connected to the computing device may be utilized and configured to select the cryptographic algorithm used by the computing device [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]; the DMZ zone with the tunneling protocol allows for provision of network services that the underlying network does not provide directly. A tunneling protocol may use a data portion of a data packet (e.g. payload) to carry the packets that provide the desired service [Saavedra; ¶153, 376]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 10, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein at least a portion of the communications are routed from the DMZ environment to an enterprise data analytics platform (embodiments described herein provide a unified firewall manager system that integrates with a virtual network overlay to manage distributed firewalls across an enterprise, groups of sites, single sites, and a combination thereof [Saavedra; ¶28, 91-92]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 11, the Krauthamer-Saavedra combination discloses the system of claim 10, wherein the enterprise data analytics platform executes a machine learning algorithm on the at least a portion of the communications, resulting in identification of malicious communications within the communications (application of one or more AI security threat analysis modules and comparison against items in a library of previously scored threats; assigning to the threat one or more scores [Krauthamer; ¶41]).
Regarding claim 12, the Krauthamer-Saavedra combination discloses the system of claim 1, wherein the DMZ environment is cloud-based (cloud network [Saavedra; ¶15, 29-30]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claims 13 and 20, Krauthamer discloses a method comprising:
receiving, at a first PQE (Post Quantum Encryption) module embedded within a first technology component, first data from the first technology component, the first data having been analyzed for at least one of malicious and unauthorized activity (Using End-to-End (E2E) Post Quantum Resistant encryption techniques to protect the data, the Data Security Management System provides the flexibility for multiple data schemes in a distributive environment, wherein each end contains a post quantum cryptographic device for secure communication, a cryptographic security policy for the transmission of data to and from a first node in a network comprising a plurality of nodes is presented, the method comprising: a) receiving a one or more portions of transmitted data from one or more second nodes of said network; b) reassembling said one or more portions of transmitted data into a one or more portions of encrypted data to be decrypted; c) decrypting said one or more portions of encrypted data using one or more cryptographic algorithms to yield one or more portions of data [Krauthamer; ¶41-46, 88-89, 102; Figs. 10-12 and associated text]);
formatting the first data, resulting in formatted first data (the cryptographic algorithm utilized by the processing device is a post-quantum cryptographic algorithm. A security policy manager operatively connected to the computing device may be utilized and configured to select the cryptographic algorithm used by the computing device [Krauthamer; ¶88-89, 102; Figs. 10-12 and associated text]);
encrypting the formatted first data using PQE, resulting in encrypted data (the security policy manager is configured to perform a number of functions, at least one of them being: a) enabling use of the one or more post-quantum cryptographic algorithms; b) initiating the creation of one or more keys to be used in the one or more post-quantum cryptographic algorithms; c) enabling the use of the one or more keys used by the processing device to encrypt the one or more portions of data; and d) managing the one or more keys[Krauthamer; ¶88-89, 102; Figs. 10-12 and associated text]); and
transmitting the encrypted data from the first PQE module to a second PQE module via a communications network (Using End-to-End (E2E) Post Quantum Resistant encryption techniques to protect the data, the Data Security Management System provides the flexibility for multiple data schemes in a distributive environment, wherein each end contains a post quantum cryptographic device for secure communication [Krauthamer; ¶41-46, 88-89; Figs. 1, 10-12 and associated text]). Krauthamer discloses a communications interface configured to receive and transmit one or more portions of Post Quantum Resistant Encrypted data within a network comprising a plurality of endpoints. Krauthamer does not explicitly disclose wherein the encrypted data is further analyzed by at least one DMZ processor within a DMZ environment before arriving at the second PQE module; however, in a related and analogous art, Saavedra teaches this feature.
In particular, Saavedra teaches that a demilitarized zone (DMZ) may be supported by a firewall system and may support attachment of up to 9 custom policies or profiles that may bypass the “ANY” zone. For example, a security zone, “ANY” zone, and “DMZ” zone may exist for each interface and may support attachment of profiles. This may be more advanced than conventional firewall zones. The firewall is positioned between the different technology environments and supports communication between devices [Saavedra; ¶27, 40, 151-152; Figs. 10-12 and associated text]. It would have been obvious before the effective filing date of the claimed invention to modify Krauthamer in view of Saavedra to use a firewall system to support the DMZ, with the motivation to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 14, the Krauthamer-Saavedra combination discloses the method of claim 13, wherein the DMZ environment is cloud-based and hypervised, such that the at least one DMZ processor supports execution of multiple virtual machines (In one exemplary embodiment of the invention, the COPE may be implemented with virtualization software such as vmWare, vSphere5, Citrix Xen, and so on [Saavedra; ¶256; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 15, the Krauthamer-Saavedra combination discloses the method of claim 13, wherein the DMZ environment is physical and hypervised, such that the at least one DMZ processor supports execution of multiple virtual machines (the firewall may be a combination of communication interfaces implemented as hardware, software, and combinations thereof; the COPE may be implemented with virtualization software such as vmWare, vSphere5, Citrix Xen, and so on [Saavedra; ¶127, 256; Figs. 10-12 and associated text]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 16, the Krauthamer-Saavedra combination discloses the method of claim 13, wherein the encrypted data is routed through the communications network using a post-quantum encryption tunnel (each end contains a post quantum cryptographic device for secure communication [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]; the DMZ zone with the tunneling protocol allows for provision of network services that the underlying network does not provide directly. A tunneling protocol may use a data portion of a data packet (e.g. payload) to carry the packets that provide the desired service [Saavedra; ¶153, 376]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 17, the Krauthamer-Saavedra combination discloses the method of claim 13, wherein the encrypted data is routed through the communications network using a zero-trust quantum-security private tunnel (the cryptographic algorithm utilized by the processing device is a post-quantum cryptographic algorithm. A security policy manager operatively connected to the computing device may be utilized and configured to select the cryptographic algorithm used by the computing device [Krauthamer; ¶41-46, 88-89; Fig. 1 and associated text]; the DMZ zone with the tunneling protocol allows for provision of network services that the underlying network does not provide directly. A tunneling protocol may use a data portion of a data packet (e.g. payload) to carry the packets that provide the desired service [Saavedra; ¶153, 376]). The motivation would be to support communication but also to manage a plurality of assets of the client site network component [Saavedra; ¶27].
Regarding claim 19, the Krauthamer-Saavedra combination discloses the method of claim 13, wherein at least a portion of the encrypted data is routed from the DMZ environment to a second aggregation and analysis platform prior to the encrypted data being forwarded to the second PQE module (client site network component implemented at least at a first client site in network communication with a second client site, wherein the first client site and the second client site are at a distance from one another that is such that would usually require long haul network communication, the client site network component bonding or aggregating one or more diverse network connections so as to configure a bonded/aggregated connection that has increased throughput, the client site network component configured to connect to at least one network server component implemented at an access point to at least one wide area network, the network server component automatically terminating the bonded/aggregated connection and passing the data traffic to an access point to at least one wide area network, the client site network component configuring a virtual edge providing at least one of transparent lower-link encryption and lower-link encapsulation using a common access protocol for the bonded/aggregated connection [Saavedra; ¶40-43; Figs. 10-12 and associated text]).
Claims 4-5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the Krauthamer-Saavedra combination in view of Datta Ray et al. (US 20140380488 A1; hereinafter Datta).
Regarding claim 4, the Krauthamer-Saavedra combination does not explicitly disclose the system of claim 1, wherein the at least one first technology component comprises an Operational Technology (OT) component; however, in a related and analogous art, Datta teaches this feature.
In particular, Datta teaches that an enterprise-wide computer network is considered as the aggregation of hardware and software comprising subsystems that include: (a) one or more operations technology (OT) systems supporting the various business processes of an enterprise; and (b) one or more information technology (IT) systems supporting all other business and information processing needs of the enterprise [Datta; ¶71-72]. It would have been obvious before the effective filing date of the claimed invention to modify the Krauthamer-Saavedra combination in view of Datta, with the motivation to improve the integrity, repeatability, effectiveness, and timeliness of security and business risk analysis from various sources through reliance on formal and automated methods [Datta; ¶7].
Regarding claims 5 and 18, the Krauthamer-Saavedra-Datta combination discloses the system of claim 4, wherein the at least one first technological component comprises at least one of: fuel operational equipment, navigation vessel equipment, and liquid navigation equipment (fuel, vessel, port, etc. [Datta; ¶193, 261-279]). The motivation would be to improve the integrity, repeatability, effectiveness, and timeliness of security and business risk analysis from various sources through reliance on formal and automated methods [Datta; ¶7].
Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form, since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO, whose telephone number is (571) 270-5998. The examiner can normally be reached between 7:00am and 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DAO Q HO/Primary Examiner, Art Unit 2432