SECURE USB

§102 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority No priority claim has been filed. Therefore, the effective filing date of the claims is 29 April 2024. Information Disclosure Statement The Information Disclosure Statement filed on 25 November 2025 complies with all applicable rules and regulations. Therefore, the information referred to therein has been considered. Response to Arguments Applicant's arguments filed 01 December 2025 have been fully considered but they are not persuasive. In response to applicant’s arguments that the cited prior art does not teach “in response to a determination that the device has a device type that is not associated with human interface devices, block the device from communicating with the at least one processor; and in response to a determination that the device has attempted to change from the device type that is associated with human interface devices to the device type that is not associated with human interface devices, disconnecting power from the external peripheral port”, stated on pages 8 and 9, the examiner respectfully disagrees. Powers discloses the USB device may attempt to bypass USB authorization rules or operate as a device other than what is expected by the operating system, wherein the USB device may perform a logical disconnect-and-reconnect, which may cause the operating system to re-enumerate the USB device, wherein upon re-enumeration the USB device may present itself to the operating system as a different type of device (Para. 167). Proxy/firewall units 1048 may cease communication with the attacking or faulty USB device 1024 (e.g., by causing electronic protection units 1044 to terminate power to USB devices 1024) (Para. 169). Powers further discloses a user may determine that only a certain type of device (e.g., a display device, a communication device, an audio device, a storage device, a human interface device) is allowed to communicate with host computing device 1028 (Para. 161). Therefore, the aforementioned limitation is taught by the cited prior art. Also note Hetzler et al. (US 2016/0299865 A1) cited in the Relevant Prior Art section below. Hetzler discloses during operation, the USB device 107A attempts to register as a different device type (for example, a keyboard device) in an attempt to infiltrate the host computer system 101 (413). This registration attempt is identified by the USB filter hub 104 as not being in response to a physical plugging in of the device into the USB filter hub 104, so the USB filter hub 104 notifies the host computer system 101 of the break-in attempt (414) and disables the USB device (415) (Para. 24). Claim Objections Claims 4, 10, and 16 are objected to because of the following informalities: Regarding claim 4, lines 1-2—“the first device type”, lacks sufficient antecedent basis for the claim. For examination purposes, “the first device type” will be interpreted to be referring to “a device type that is associated with human interface devices”. In order to overcome this objection, lines 1-2 may be amended to state --the device type that is associated with human interface devices--, for example. Claims 10 and 16 include similar language and are similarly analyzed. Appropriate correction is required. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1-3, 6-9, 12-15, and 18 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Powers et al. (US 2014/0337558 A1). Regarding claim 1, Powers teaches an information handling system, e.g., apparatus 20, host computing device 28 (Fig. 1A, el. 20, 28); system 160 (Fig. 1F, el. 160); host computing device 1028 (Fig. 3, el. 1028), comprising: at least one processor, e.g., one or more processors 88 (Fig. 1B, el. 88); CPU 166 (Fig. 1F, el. 166); host controller 1080 (Fig. 3, el. 1080); a memory, e.g., memory 92 (Fig. 1B, el. 92); mediation module library 162 (Fig. 1 F, el. 162); local memory of mediation unit 1032 (Fig. 1L, el. 1032; Para. 159); Mediation unit 1078 may include logic that carries out the functions ascribed to mediation unit 1032 shown in FIG. 1L (Fig. 3, el. 1078; Para. 190); an external peripheral port configured to couple to external peripheral devices, e.g., USB host interface 56 (Fig. 1B, el. 56); USB A interfaces 1036 (Fig. 3, el. 1036A-D); and a firewall physically coupled between the at least one processor and the external peripheral port, e.g., mediation module 50 (Fig. 1A, el. 50); mediation unit 1032 (Fig. 1L, el. 1032); mediation unit 1078 including proxy/firewall 1048 (Fig. 3, el. 1048A-D; 1078); Mediation unit 1032 operates as a USB firewall with respect to the USB communications between USB device 1024 and host computing device 1028 (Fig. 1L, el. 1024; Para. 146); mediation unit 1032 physically separates USB devices 1024 and host computing device 1028 (Para. 173), wherein the firewall is configured to: receive a plurality of communications associated with a device, e.g., USB devices 1024 (Fig. 1L, el. 1024), coupled to the external peripheral port, wherein each communication has a type associated therewith, e.g., proxy/firewall units 1048 may determine whether USB device 1024A is authorized to communicate with host computing device 1028 using one or more descriptors associated with USB device 1024A, wherein USB devices (such as USB devices 1024) commonly include and utilize one or more descriptors, which may provide a variety of identifying characteristics of the USB devices (Para. 157); proxy/firewall units 1048 may use any portion of data contained in the descriptors to determine identifying characteristics associated with USB devices 1024 (Para. 158); a user may determine that only a certain type of device (e.g., a human interface device) is allowed to communicate with host computing device 1028 (Para. 161); in response to a determination that the device has a device type that is associated with human interface devices, allow the device to communicate with the at least one processor, e.g., a user may determine that only a certain type of device (e.g., a human interface device) is allowed to communicate with host computing device 1028, wherein proxy/firewall units 1048 may store a list of authorized device types, and use such a list to authorize or reject USB devices when connected in the same way described above (Para. 161); in response to a determination that the device has a device type that is not associated with human interface devices, block the device from communicating with the at least one processor, e.g., a user may determine that only a certain type of device (e.g., a display device, a communication device, an audio device, a storage device, a human interface device) is allowed to communicate with host computing device 1028, wherein proxy/firewall units 1048 may store a list of authorized device types, and use such a list to authorize or reject USB devices when connected in the same way described above (Para. 161); and in response to a determination that the device has attempted to change from the device type that is associated with human interface devices to the device type that is not associated with human interface devices, disconnecting power from the external peripheral port, e.g., mediation module 50 may detect whether USB device 24 is identifying itself appropriately, and disable USB device 24 if USB device 24 is not identifying itself appropriately, wherein for example, mediation module 50 may determine whether USB device 24 is sending the appropriate descriptor data to host device 28, and disable USB device 24 if USB device 24 is using the appropriate descriptor data, wherein mediation module 50 may disable USB device 24 by removing power from USB device 24 (Para. 58); Proxy/firewall units 1048 may use any such descriptors to determine identifying characteristics associated with USB devices 1024 when determining whether USB devices 1024 are authorized to communicate with host computing device 1028, wherein proxy/firewall units 1048 may use any portion of data contained in the descriptors to determine identifying characteristics associated with USB devices 1024 (Para. 158); a user may determine that only a certain type of device (e.g., a display device, a communication device, an audio device, a storage device, a human interface device) is allowed to communicate with host computing device 1028 (Para. 161); if proxy/firewall units 1048 determine that a connected USB device 1024 is not authorized to communicate with host computing device 1028, proxy/firewall units 1048 may prevent the connected USB device 1024 from communicating with host computing device 1028, wherein proxy/firewall units 1048 may remove power from USB devices 1024 using electronic protection units 1044 (Para. 162); the USB device may attempt to bypass USB authorization rules or operate as a device other than what is expected by the operating system, wherein the USB device may perform a logical disconnect-and-reconnect, which may cause the operating system to re-enumerate the USB device, wherein upon re-enumeration the USB device may present itself to the operating system as a different type of device (Para. 167); proxy/firewall units 1048 may cease communication with the attacking or faulty USB device 1024 (e.g., by causing electronic protection units 1044 to terminate power to USB devices 1024) (Para. 169). Regarding claim 2, Powers teaches the information handling system of claim 1, wherein the firewall comprises a microcontroller, e.g., proxy/firewall units 1048 may incorporate any combination of hardware (e.g., microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components) and/or software for mediating data (Powers-Para. 197). Regarding claim 3, Powers teaches the information handling system of claim 1, wherein the external peripheral port is a Universal Serial Bus (USB) port, e.g., USB host interface 56 (Powers-Fig. 1B, el. 56); USB A interfaces 1036 (Powers-Fig. 3, el. 1036A-D). Regarding claim 6, Powers teaches the information handling system of claim 1, wherein the firewall is further configured to: examine traffic outbound from the at least one processor to the external peripheral port to determine whether the traffic includes information other than approved keyboard LED controls, mouse settings, commands, and acknowledgments, e.g., proxy/firewall units 1048 may be responsible for verifying data transfers between host computing device 1028 and USB devices 1024, wherein proxy/firewall units 1048 may protect host computing device 1028 against protocol attacks from USB devices 1024, such as eavesdropping, by only forwarding data to a USB device 1024 if the data is addressed to the USB device 1024 by host computing device 1028 (Powers-Para. 164); proxy/firewall units 1048 may monitor and analyze the contents of the packets communicated between USB devices 1024 and host computing device 1028 and identify malformed packets, or packets that contain known malware (Powers-Para. 166); and in response to a determination that the traffic does include information other than approved keyboard LED controls, mouse settings, commands, and acknowledgments, block the traffic, e.g., proxy/firewall units 1048 may be responsible for verifying data transfers between host computing device 1028 and USB devices 1024, wherein proxy/firewall units 1048 may protect host computing device 1028 against protocol attacks from USB devices 1024, such as eavesdropping, by only forwarding data to a USB device 1024 if the data is addressed to the USB device 1024 by host computing device 1028 (Powers-Para. 164); proxy/firewall units 1048 may monitor and analyze the contents of the packets communicated between USB devices 1024 and host computing device 1028 and identify malformed packets, or packets that contain known malware (Powers-Para. 166). Regarding claim 7, the claim is analyzed with respect to claim 1. Examiner note: claim 7 includes contingent limitations— "in response to a determination that the device has a device type that is associated with human interface devices, the firewall allowing the device to communicate with the at least one processor”; “in response to a determination that the device has a device type that is not associated with human interface devices, the firewall blocking the device from communicating with the at least one processor”; and “in response to a determination that the device has attempted to change from the device type that is associated with human interface devices to the device type that is not associated with human interface devices, the firewall disconnecting power from the external peripheral port”. See MPEP 2111.04(II)—"The broadest reasonable interpretation of a method (or process) claim having contingent limitations requires only those steps that must be performed and does not include steps that are not required to be performed because the condition(s) precedent are not met.” In this case, if the device has a device type associated with HIDs, then the firewall would not block the device from communicating with the at least one processor and that limitation would not be required. If the device has a device type that is not associated with HIDs, then the firewall would not allow the device to communicate with the at least one processor and there would be not attempt to change to the device type that is not associated with human interface devices. Therefore, those two limitations would not be required. Regarding claim 8, the claim is analyzed with respect to claim 2. Regarding claim 9, the claim is analyzed with respect to claim 3. Regarding claim 12, the claim is analyzed with respect to claim 6. Regarding claim 13, the claim is analyzed with respect to claim 1. Powers further teaches an article of manufacture comprising a non-transitory, computer-readable medium, e.g., memory 92 (Powers-Fig. 1B, el. 92); mediation module library 162 (Powers-Fig. 1 F, el. 162); local memory of mediation unit 1032 (Powers-Fig. 1L, el. 1032; Para. 159); Mediation unit 1078 may include logic that carries out the functions ascribed to mediation unit 1032 shown in FIG. 1L (Powers-Fig. 3, el. 1078; Para. 190), having computer-executable instructions thereon that are executable by a firewall, e.g., mediation module 50 (Powers-Fig. 1A, el. 50); mediation unit 1032 (Powers-Fig. 1L, el. 1032); mediation unit 1078 including proxy/firewall 1048 (Powers-Fig. 3, el. 1048A-D; 1078); Mediation unit 1032 operates as a USB firewall with respect to the USB communications between USB device 1024 and host computing device 1028 (Powers-Fig. 1L, el. 1024; Para. 146); mediation unit 1032 physically separates USB devices 1024 and host computing device 1028 (Powers-Para. 173), of an information handling system, e.g., apparatus 20, host computing device 28 (Powers-Fig. 1A, el. 20, 28); system 160 (Powers-Fig. 1F, el. 160); host computing device 1028 (Powers-Fig. 3, el. 1028), wherein the information handling system includes at least one processor, e.g., one or more processors 88 (Powers-Fig. 1B, el. 88); CPU 166 (Powers-Fig. 1F, el. 166); host controller 1080 (Powers-Fig. 3, el. 1080), and an external peripheral port configured to couple to external peripheral devices, e.g., USB host interface 56 (Powers-Fig. 1B, el. 56); USB A interfaces 1036 (Powers-Fig. 3, el. 1036A-D), and wherein the firewall is physically coupled between the at least one processor and the external peripheral port, e.g., mediation module 50 (Powers-Fig. 1A, el. 50); mediation unit 1032 (Powers-Fig. 1L, el. 1032); mediation unit 1078 including proxy/firewall 1048 (Powers-Fig. 3, el. 1048A-D; 1078); Mediation unit 1032 operates as a USB firewall with respect to the USB communications between USB device 1024 and host computing device 1028 (Powers-Fig. 1L, el. 1024; Para. 146); mediation unit 1032 physically separates USB devices 1024 and host computing device 1028 (Powers-Para. 173), the instructions being executable for: performing the steps. Regarding claim 14, the claim is analyzed with respect to claim 2. Regarding claim 15, the claim is analyzed with respect to claim 3. Regarding claim 18, the claim is analyzed with respect to claim 6. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 4, 5, 10, 11, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Powers in view of Liebinger Portela et al. (US 2022/0019549 A1). Regarding claim 4, Powers teaches the information handling system of claim 3. Powers does not clearly teach wherein the first device type has a class code of 03h and a subclass code of either 01h or 02h. Liebinger Portela teaches wherein the first device type has a class code of 03h and a subclass code of either 01h or 02h, e.g., in step 306, gateway program 300 determines information corresponding to a USB device, wherein gateway program 300 determines descriptor information (e.g., an initial set of descriptor values) corresponding to a USB device operatively coupled to system 110, wherein USB descriptor information may include values indicating: a device class and/or a sub-class corresponding to a USB device, wherein a device class value of 03h is associated with keyboards, mice, joysticks, etc. and a sub-class value of 01h is related to a boot interface (Fig. 3, el. 306; Para. 44). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Powers to include wherein the first device type has a class code of 03h and a subclass code of either 01h or 02h, using the known method of using the USB descriptor information to determine that a USB device has a class of 03h and a sub-class or 01h, as taught by Liebinger Portela, in combination with the USB communication mediation system of Powers, for the purpose of providing a more accurate method of determining the USB device type while aiding in the prevention of a malicious actor gaining access to the host device. Regarding claim 5, Powers teaches the information handling system of claim 1. Powers further teaches wherein the firewall is further configured to: examine traffic inbound from the external peripheral port to the at least one processor to determine whether the traffic includes malformed packets or malware, e.g., proxy/firewall units 1048 may determine whether USB devices 1024 are sending the appropriate descriptor data to host computing device 1028, and disable, e.g., remove power from or otherwise cease communication with, USB devices 1024 if they are not using the appropriate descriptor data (Powers-Para. 165); proxy/firewall units 1048 may monitor and analyze the contents of the packets communicated between USB devices 1024 and host computing device 1028 and identify malformed packets, or packets that contain known malware (Powers-Para. 166); and in response to a determination that the traffic does include malformed packets or malware, block the traffic, e.g., proxy/firewall units 1048 may determine whether USB devices 1024 are sending the appropriate descriptor data to host computing device 1028, and disable, e.g., remove power from or otherwise cease communication with, USB devices 1024 if they are not using the appropriate descriptor data (Powers-Para. 165); proxy/firewall units 1048 may monitor and analyze the contents of the packets communicated between USB devices 1024 and host computing device 1028 and identify malformed packets, or packets that contain known malware (Powers-Para. 166). Powers does not explicitly teach wherein the firewall is further configured to: examine traffic inbound from the external peripheral port to the at least one processor to determine whether the traffic includes unapproved keycodes, modifier bytes, or mouse movement bytes; and in response to a determination that the traffic does include unapproved keycodes, modifier bytes, or mouse movement bytes, block the traffic. Liebinger Portela teaches wherein the firewall, e.g., gateway program 300 (Fig. 1, el. 300), is further configured to: examine traffic inbound from the external peripheral port, e.g., a plurality of USB ports represented by USB port 115-1, USB port 115-2, USB port 115-3, and USB port 115-N (Fig. 1, el. 115-1 to 115-N), to the at least one processor, e.g., processor(s) 401 (Fig. 4, el. 401), to determine whether the traffic includes unapproved keycodes, modifier bytes, or mouse movement bytes, e.g., referring to step 312, in a further embodiment if gateway program 300 determines that a suspect USB HID must be utilized for inputting a response to a validation challenge, then gateway program 300 can constrain the received input to a limited number of inputs in response to each event within a validation challenge, wherein if a USB keyboard is being verified, then gateway program may dictate that a single key response is input during each event of a validation challenge, such as in response to visual time window, displayed characters change color but only one color correctly indicates the validation challenge response character (Fig. 3, el. 312; Para. 57); responsive to determining that a validation challenge is not passed (No branch, decision step 313), gateway program 300 blocks a USB port—unapproved keycodes-- (step 314) (Fig. 3, el. 313, 314; Para. 59); and in response to a determination that the traffic does include unapproved keycodes, modifier bytes, or mouse movement bytes, block the traffic, e.g., referring to step 312, in a further embodiment if gateway program 300 determines that a suspect USB HID must be utilized for inputting a response to a validation challenge, then gateway program 300 can constrain the received input to a limited number of inputs in response to each event within a validation challenge, wherein if a USB keyboard is being verified, then gateway program may dictate that a single key response is input during each event of a validation challenge, such as in response to visual time window, displayed characters change color but only one color correctly indicates the validation challenge response character (Fig. 3, el. 312; Para. 57); responsive to determining that a validation challenge is not passed (No branch, decision step 313), gateway program 300 blocks a USB port—unapproved keycodes-- (step 314) (Fig. 3, el. 313, 314; Para. 59). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Powers to include wherein the firewall is further configured to: examine traffic inbound from the external peripheral port to the at least one processor to determine whether the traffic includes unapproved keycodes, modifier bytes, or mouse movement bytes; and in response to a determination that the traffic does include unapproved keycodes, modifier bytes, or mouse movement bytes, block the traffic, using the known method of using an unverified keyboard to respond to a challenge that requires a particular key press and blocking the USB port if the challenge is not passed, as taught by Liebinger Portela, in combination with the USB communication mediation system of Powers, for the purpose of providing a more accurate method of determining the USB device type while aiding in the prevention of a malicious actor gaining access to the host device. Regarding claim 10, the claim is analyzed with respect to claim 4. Regarding claim 11, the claim is analyzed with respect to claim 5. Regarding claim 16, the claim is analyzed with respect to claim 4. Regarding claim 17, the claim is analyzed with respect to claim 5. Relevant Prior Art The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hetzler et al. (US 2016/0299865 A1)—Hetzler discloses during operation, the USB device 107A attempts to register as a different device type (for example, a keyboard device) in an attempt to infiltrate the host computer system 101 (413). This registration attempt is identified by the USB filter hub 104 as not being in response to a physical plugging in of the device into the USB filter hub 104, so the USB filter hub 104 notifies the host computer system 101 of the break-in attempt (414) and disables the USB device (415) (Para. 24). Rodriguez Bravo et al. (US 2021/01433319 A1)—Rodriguez Bravo discloses security screening may be accomplished with respect to the various descriptors stored on USB devices and readable when plugged into a USB port on a computing device. Some embodiments of the present invention use descriptors to identify potential USB HID threats. Standard USB device descriptor fields may include, for example: (i) class; (ii) subclass; (iii) vendor; (iv) product; and/or (v) version (Para. 37). Beitler et al. (US 2018/0270194 A1)—Beitler discloses USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized (Abstract). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 29 December 2025 /Jeremy S Duffield/Primary Examiner, Art Unit 2498