DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to Applicant’s communication filed on 12/04/2025. Claims 1-18 have been examined.
Response to Arguments
With regard to the 101 rejection, Applicant's amendment overcomes the rejection. Therefore, the rejection is withdrawn.
With regard to the 112 rejection, Applicant's amendment overcomes the rejection. Therefore, the rejection is withdrawn.
Applicant argument #1
Applicant argues that Kaimal does not disclose transitioning to a second security state in response to a request to open an outbound network connection, wherein the computer system in the second state allows outbound network connections and disallows inbound network connections.
Examiner response to Applicant argument #1
Examiner respectfully disagrees. Kaimal teaches that whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec_status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The reverse proxy 218 may allow the WebSocket traffic to flow to the WebSocket server 212 if the user has been authenticated. The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource 214. The WebSocket server may drop incoming traffic when the web socket connection is slow. (See ¶0221, ¶0111, ¶0218.)
Kaimal further teaches that the security management facility may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility may be able to discover threats that were not detected on one of the compute instances 10-26, or a policy violation, such as transmittal of information that should not be communicated unencrypted (¶0068).
Therefore, Kaimal teaches that the policy manager receives a policy evaluation request for a WebSocket connection (opening an outbound connection). The system evaluates this request and transitions the network environment to allow or block the connections based on security policies. For example, the system may allow the WebSocket traffic if the user has been authenticated and the user is permitted to access the protected resource. The WebSocket server may drop incoming traffic when the WebSocket connection is slow.
Based on the broadest reasonable interpretation of the claim language, the examiner interprets transitioning to a second security state in response to a request to open an outbound network connection, wherein the computer system in the second state allows outbound network connections and disallows inbound network connections, as equivalent to the following: in response to receiving a request for a WebSocket connection, the system evaluates the request based on security policies by allowing WebSocket traffic (outbound connections) if the user has been authenticated and disallowing (dropping) incoming traffic (inbound connections) when the WebSocket connection is slow.
Applicant argument #2
Applicant argues that Kaimal does not disclose transitioning the computer system to a third security state in response to a request to execute a server that requires network access, wherein the computer system in the third state allows the server only to establish local network connections.
Examiner response to Applicant argument #2
Applicant's argument is that Kaimal does not teach or suggest transitioning into a third security state that allows a server only to establish local connections (see Remarks, page 8). The examiner respectfully disagrees.
Kaimal further teaches receiving a request at an endpoint for access to a first application remotely hosted on a network. This may occur, e.g., in response to a user locally selecting and launching the application within a user interface of the endpoint; the first application may be a ZTNA application or other application hosted through a ZTNA gateway (¶ 0227).
Kaimal further teaches that the local security agent may intercept network-bound traffic from the application and coordinate transfer of that traffic over a secure channel that it established between the endpoint 144 and the gateway 210, rather than allowing the network-bound traffic to be delivered directly over the network from the application. Return traffic from the protected resource 214 may be communicated over the established secure channel to the agent 252, where it is converted to application-specific form and delivered locally to the application 228 executing on the endpoint 144. The endpoints may include a server. The endpoint may be coupled to the enterprise network through a virtual private network or a wireless network (¶0091, ¶0118).
Therefore, Kaimal discloses intercepting requests and allowing the traffic to be established over a secure channel rather than allowing the traffic to be delivered directly over the network. The return traffic is received by the agent over the secure channel and then delivered locally to the server on the endpoint. The agent acts as a local intermediary for the server executing on the endpoint. This ensures that the server's network interaction is restricted to a local connection with the agent.
Based on the broadest reasonable interpretation of the claim language, the examiner interprets transitioning into a third security state that allows a server only to establish local connections as equivalent to transitioning to a state that allows the server on the endpoint to establish only a local connection with the agent, so that traffic is delivered locally rather than over the network.
Applicant's arguments (see Remarks, page 16, filed on 12/04/2025) with respect to the rejection of amended claim 16 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Nath.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 5, 9-15, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kaimal et al., Publication No. US 2023/0121834 A1 (Kaimal hereinafter), in view of Comay et al., Publication No. US 2023/0009167 A1 (Comay hereinafter).
Regarding claim 1,
Kaimal teaches a method for computer security in a computer system having one or more network interfaces, the method comprising:
transitioning the computer system to a second security state in response to a request to open an outbound network connection, wherein the computer system in the second state allows outbound network connections and disallows inbound network connections (¶ 0041 & 0052 - In an embodiment, the security management facility 122 may provide for email security and control, for example to target spam, viruses, spyware, and phishing, to control email content, and the like. Email security and control may protect against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtering, and more – ¶ 0068 - The security management facility 122 may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility 122 may be able to discover threats that were not detected on one of the compute instances 10-26, or policy violation, such transmittal of information that should not be communicated unencrypted. ¶ 0221 - The Policy Manager may be responsible for checking policy status with a policy agent. The Policy Manager may, for example, communicate with the policy agent using REST APIs. Whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The web socket connection may perform policy evaluation requests for incoming packets under certain conditions, such as when the last policy evaluated time is more than 5 mins or any other suitable timeframe - ¶0111 & ¶0218 - the reverse proxy 218 may allow the WebSocket traffic to flow to the WebSocket server 212 if the user has been authenticated. The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource 214. The WebSocket server may drop incoming traffic when the web socket connection is slow.);
transitioning the computer system to a third security state in response to a request to execute a server that requires network access, wherein the computer system in the third state allows the server only to establish local network connections (¶ 0054 - the security management facility 122 may provide for network access control, which generally controls access to and use of network connections. Network control may stop unauthorized, guest, or non-compliant systems from accessing networks, and may control network traffic that is not otherwise controlled at the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may, for example, include communications networks tunneled through other networks and establishing logical connections acting as virtual networks – ¶ 0227 - As shown in step 2104, the method 2100 may include receiving a request at an endpoint for access to a first application remotely hosted on a network. This may occur, e.g., in response to a user locally selecting and launching the application within a user interface of the endpoint, or otherwise receiving a request for the application by a user or process on the endpoint. In general, the endpoint may be any of the endpoints described herein, and the first application may be a ZTNA application or other application hosted through a ZTNA gateway - ¶ 0240 - The agent configurator 2214 may be responsible for setting a configuration of the agent 2204 according to a ZTNA policy, which may be stored locally or received from the central management facility 2208, e.g., in XML format or using any other suitable syntax or structure. A thread on the endpoint may monitor for policy changes so that a local policy cache can remain current with updates from the central management facility 2208. The ZTNA policy may, for example, include a list of gateways and applications available to enterprise endpoints, which may be converted to an in-memory map and sent to the DNS handler 2224 for use in creating connections when an application is locally requested on the endpoint 2202 - See Also ¶ 0091 & ¶ 0118);
transitioning the computer system to a fourth security state in response to a request to execute a server that requires external network access, wherein the computing system in the fourth state allows remote inbound network connections from network addresses identified in a white list (¶ 0059 - In an embodiment, a policy database may include a block list, a blacklist, an allowed list, a whitelist, and more. As a few non-limiting examples, policies may include a list of enterprise facility 102 external network locations/applications that may or may not be accessed by compute instances, a list of types/classifications of network locations or applications that may or may not be accessed by compute instances, and contextual rules to evaluate whether the lists apply. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility, a security management facility 122 may access the rules within a policy facility to determine if the requested access is related to a sporting website. ¶ 0070 - the network access facility 94 may have access to policies that include one or more of a block list, an allowed list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. Additionally, the network access facility 94 may use rule evaluation to parse network access requests and apply policies. The network access rule facility 94 may have a generic set of policies for all compute instances, such as denying access to certain types of websites, controlling instant messenger accesses, or the like.).
However, Kaimal does not explicitly teach
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces;
Comay teaches
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces (¶ 0028 - Referring to FIG. 3, at block 310, method 300 detects a connection of an endpoint device 110 at a network switch 130 coupled to a network 150. At block 320, method 300 restricts access of the endpoint device 110 to prevent the endpoint device 110 from accessing resources 140 of the network. In one embodiment, access control list manager 210 preconfigures network switch 130 with an access control list 242 that restricts the access of endpoint device 110 to all of network resources 140. Initially, upon connection, the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated. This may prevent the endpoint device 110 from accessing any network resources 140 except for the NAC device 120);
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Comay. The motivation for doing so is to allow the system to restrict the access of the endpoint device to all network resources until the device is authenticated (Comay, ¶ 0028).
Regarding claim 2,
Kaimal further teaches
transitioning the computer system to a fifth security state in response to a request to allow universal network access, wherein the computing system in the fifth state allows only authenticated network connections (¶ 0108 -embodiments, the gateway 210 may operate as a data plane element for the ZTNA system, and may handle traffic destined for protected resources 214 while facilitating user authentication for connecting to the resource (typically an application) as well as applying policies for authorizing such requests. The gateway 210 may also be adapted for operation in a managed enterprise network environment that provides centralized threat management. In embodiments, the gateway 210 may receive configuration, policy, threat management, and enterprise network management data from a control plane element, such as threat management facility 100 - ¶ 0109 - The reverse proxy 218 may further coordinate with authentication and authorization services to facilitate authenticating users as well as verifying if a request for access is allowed based on access and/or security policies associated with the protected resource 214 – ¶ 0111 - the reverse proxy 218 may allow the WebSocket traffic to flow to the WebSocket server 212 if the user has been authenticated. The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource 214 – See ¶ 0215, ¶ 0252- ¶ 0253).
Regarding claim 5,
Kaimal further teaches
in the second security state, receiving the request to open the outbound network connection from a program executing on the computer system (¶ 0052 - In an embodiment, the security management facility 122 may provide for email security and control, for example to target spam, viruses, spyware, and phishing, to control email content, and the like. Email security and control may protect against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtering, and more – ¶ 0068 - The security management facility 122 may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility 122 may be able to discover threats that were not detected on one of the compute instances 10-26, or policy violation, such transmittal of information that should not be communicated unencrypted. ¶ 0221 - The Policy Manager may be responsible for checking policy status with a policy agent. The Policy Manager may, for example, communicate with the policy agent using REST APIs. Whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The web socket connection may perform policy evaluation requests for incoming packets under certain conditions, such as when the last policy evaluated time is more than 5 mins or any other suitable timeframe - See Also ¶ 0094);
Regarding claim 9,
Kaimal further teaches
allowing a network connection only when one or more properties of the connection are identified as allowable in a white list, wherein the one or more properties include one or more of network program identity, network address, port, time of day, location, and connection type (¶ 0059 - Exemplary rules include access permissions associated with networks, applications, compute instances, users, content, data, and the like. The policy management facility 112 may use a database, a text file, other data store, or a combination to store policies. In an embodiment, a policy database may include a block list, a blacklist, an allowed list, a whitelist, and more. As a few non-limiting examples, policies may include a list of enterprise facility 102 external network locations/applications that may or may not be accessed by compute instances, a list of types/classifications of network locations or applications that may or may not be accessed by compute instances, and contextual rules to evaluate whether the lists apply. For example, there may be a rule that does not permit access to sporting websites. ¶ 0060 - The policy management facility 112 may include access rules and policies that are distributed to maintain control of access by the compute instances 10-26 to network resources. Exemplary policies may be defined for an enterprise facility, application type, subset of application capabilities, organization hierarchy, compute instance type, user type, network location, time of day, connection type, or any other suitable definition - See Also ¶ 0070).
Regarding claim 10,
Kaimal further teaches
transitioning between network security states according to a security policy (¶ 0138 - The gateway may also or instead evaluate a security policy for managing user access to the application, e.g., according to any security rules or policies maintained by a threat management facility associated with the user and/or application – ¶ 0089 – The threat management facility may be configured to receive the filtered event stream from the endpoint, detect malware on the endpoint based on the filtered event stream, and remediate the endpoint when malware is detected, the threat management facility further configured to modify security functions within the enterprise network based on a security state of the endpoint – See Also ¶ 0090).
Regarding claim 11,
Kaimal further teaches
wherein the transitioning between network security states according to a security policy includes accessing a file that specifies one or more security states and, for each security state, a transition to one of the other security states, wherein each transition is associated with one or more conditions that cause the transition to occur (¶ 0141 - FIG. 8 shows a method for using intermediate representations of security policies. In general, an administrator may specify a security policy at a user interface, and the security policy is then applied at a gateway or other security appliance, network device, or the like. A security policy may refer to any configuration object specifying one or more conditions for allowing user access to a resource. The security policy may have a human-readable representation used within the user interface to support administrative interactions with elements of the security policy, as well as a machine-executable representation for use by the gateway in implementing the security policy. An intermediate form of the security policy may usefully provide a common representation that can be conveniently converted for use in either/both of these contexts, thus supporting concurrent use of a security policy by machine and human actors, and generally preventing loss of fidelity in policy representation and evaluation).
Regarding claim 12,
Kaimal further teaches
wherein the transitioning between network security states according to a security policy includes accessing a file that specifies one or more security states and, for each security state, one or more networking operations that are allowed or disallowed (¶ 0094 - The key management system 412 may support management of keys for the endpoint 402 in order to selectively permit or prevent access to content on the endpoint 402 on a file-specific basis, a process-specific basis, an application-specific basis, a user-specific basis, or any other suitable basis in order to prevent data leakage, and in order to support more fine-grained and immediate control over access to content on the endpoint 402 when a security compromise is detected. Thus, for example, if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, e.g., data leakage or other malicious activity).
Regarding claim 13,
Kaimal further teaches
wherein the transitioning between network security states according to a security policy include accessing a file that identifies the whitelist; and restricting network communication according to the white list (¶ 0059 – The policy management facility 112 may use a database, a text file, other data store, or a combination to store policies. In an embodiment, a policy database may include a whitelist, and more. As a few non-limiting examples, policies may include a list of enterprise facility 102 external network locations/applications that may or may not be accessed by compute instances, a list of types/classifications of network locations or applications that may or may not be accessed by compute instances, and contextual rules to evaluate whether the lists apply. For example, there may be a rule that does not permit access to sporting websites. ¶ 0069- A network access facility may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 94 may restrict user access under certain conditions, such as the user's location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like - ¶ 0153 - A policy file may be composed of one or more rules specifying conditions for granting access to an entity for one or more applications. Each of the one or more rules may include an assignment of the policy to one or more resources, including applications, networks, servers, remote devices, and the like).
Regarding claim 14,
Kaimal further teaches
wherein the transitioning between network security states according to a security policy includes accessing a file that identifies multiple security states, transitions between security states, and conditions under which the transitions occur (¶ 0153 – A policy file may be composed of one or more rules specifying conditions for granting access to an entity for one or more applications. Each of the one or more rules may include an assignment of the policy to one or more resources, including applications, networks, servers, remote devices, and the like);
wherein each condition specifies an event which, when it occurs, causes a transition from one state to another; and transitioning from a first one of the multiple security states to a second one of the multiple security states when one of the specified events occurs (¶ 0073 - There may be a variety of events collected. Events may include, for example, events generated by the enterprise facility 102 or the compute instances 10-26, such as by monitoring streaming data through a gateway such as firewall 10 and wireless access point 11, monitoring activity of compute instances, monitoring stored files/data on the compute instances 10-26 such as desktop computers, laptop computers, other mobile computing devices, and cloud computing instances 19, 109. Events may range in granularity. An exemplary event may be communication of a specific packet over the network. Another exemplary event may be identification of an application that is communicating over a network - ¶ 0107 - The configuration and policy service 208 may facilitate adding a gateway by providing data structures that define application-to-front end security, threat management policy, and related configuration details (e.g., default parameter values, static parameters, and the like). The configuration and policy service 208 may also or instead use policy objects, such as reusable objects in application policy rules. Exemplary policy objects include at least two types of policy objects: lists and expressions. In embodiments, lists can be used to store sequences of values, whereas expressions can store sequences of conditions to be evaluated. Other aspects of configuration and policy may include application details of the protected resource, such as FQDN and/or IP addresses, port numbers, protocols, and gateway identifiers to identify one or more gateways to be used for accessing an application. As an example, an application policy may include details of constraints under which access to an application (e.g., protected resource 214) is allowed or denied).
Regarding claim 15,
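The mechanism recited in claims 11 through 14 (a policy file that names security states, the networking operations each state permits, the transitions between states, and the events that trigger them), together with the state sequence of claim 1 (locked down at start, then outbound-only, then local-only, then whitelisted inbound) and the whitelist of claims 9 and 13, can be made concrete in a short program. The following Python is an added illustration written for this page; it is not code from the application, from Kaimal, or from Comay. The JSON layout, the state and event names, the operation names, and the sample addresses are all constructed assumptions.

```python
"""Network security-state machine driven by a policy file (constructed example)."""
import ipaddress
import json

# Constructed policy document. The layout (states, per-state allowed
# operations, event-keyed transitions) is an assumption for this example.
# "*" as a source state means the transition fires from any state.
POLICY_JSON = """
{
  "initial": "locked",
  "states": {
    "locked":   {"allow": []},
    "outbound": {"allow": ["outbound"]},
    "local":    {"allow": ["outbound", "local_listen"]},
    "serving":  {"allow": ["outbound", "local_listen", "inbound_whitelisted"],
                 "inbound_whitelist": ["203.0.113.0/24"]},
    "open":     {"allow": ["outbound", "local_listen", "inbound_authenticated"]}
  },
  "transitions": [
    {"from": "locked",   "event": "open_outbound",        "to": "outbound"},
    {"from": "outbound", "event": "exec_local_server",    "to": "local"},
    {"from": "local",    "event": "exec_external_server", "to": "serving"},
    {"from": "serving",  "event": "allow_universal",      "to": "open"},
    {"from": "*",        "event": "threat_detected",      "to": "locked"}
  ]
}
"""


class SecurityStateMachine:
    """Holds the current security state and answers allow/deny questions."""

    def __init__(self, policy):
        self.states = policy["states"]
        self.state = policy["initial"]
        # Index transitions by (source state, event) for direct lookup.
        self.transitions = {
            (t["from"], t["event"]): t["to"] for t in policy["transitions"]
        }

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))

    def fire(self, event):
        """Move to the target state for `event`; unknown events leave the state unchanged."""
        target = self.transitions.get((self.state, event))
        if target is None:
            target = self.transitions.get(("*", event))
        if target is not None:
            self.state = target
        return self.state

    def allows(self, op, peer=None, authenticated=False):
        """Decide a networking operation in the current state.

        op is "outbound", "local_listen" or "inbound" (peer is the remote IP).
        Inbound is accepted only through an explicit grant: a whitelist hit
        or a successful authentication, depending on what the state allows.
        """
        spec = self.states[self.state]
        allowed = spec.get("allow", [])
        if op in ("outbound", "local_listen"):
            return op in allowed
        if op == "inbound" and peer is not None:
            if "inbound_authenticated" in allowed and authenticated:
                return True
            if "inbound_whitelisted" in allowed:
                addr = ipaddress.ip_address(peer)
                return any(addr in ipaddress.ip_network(net)
                           for net in spec.get("inbound_whitelist", []))
        return False  # default deny for anything not explicitly granted


def walk(machine, events):
    """Apply a sequence of events and return the states visited, for audit."""
    return [machine.fire(e) for e in events]


if __name__ == "__main__":
    m = SecurityStateMachine.from_json(POLICY_JSON)
    print(walk(m, ["open_outbound", "exec_local_server",
                   "exec_external_server", "threat_detected"]))
```

Two design points matter for a defender reading this: the machine fails closed (an event with no matching transition leaves the state where it is, and an operation with no explicit grant is denied), and the wildcard "threat_detected" transition gives the claim-15 move from any less restrictive state back to the most restrictive one a single, auditable rule.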
Kaimal further teaches
transitioning from a less restrictive security state to a more restrictive security state in response to an event (¶ 0076 - when a threat or other policy violation is detected by the security management facility 122, the remedial action facility 128 may be used to remediate the threat. Remedial action may take a variety of forms, nonlimiting examples including collecting additional data about the threat, terminating or modifying an ongoing process or interaction, sending a warning to a user or administrator, downloading a data file with commands, definitions, instructions, or the like to remediate the threat, requesting additional information from the requesting device, such as the application that initiated the activity of interest, executing a program or application to remediate against a threat or violation, increasing telemetry or recording interactions for subsequent evaluation, (continuing to) block requests to a particular network location or locations, scanning a requesting application or device, quarantine of a requesting application or the device, isolation of the requesting application or the device, deployment of a sandbox, blocking access to resources, e.g., a USB port, or other remedial actions. More generally, the remedial action facility 92 may take any steps or deploy any measures suitable for addressing a detection of a threat, potential threat, policy violation or other event, code or activity that might compromise security of a computing instance 10-26 or the enterprise facility 102).
Regarding claim 17,
Kaimal teaches a computing system comprising
a processor and memory that stores instructions that are configured, when executed by the processor (¶ 0157), to perform a process:
transitioning the computer system to a second security state in response to a request to open an outbound network connection, wherein the computer system in the second state allows outbound network connections and disallows inbound network connections (¶ 0041 & 0052 - In an embodiment, the security management facility 122 may provide for email security and control, for example to target spam, viruses, spyware, and phishing, to control email content, and the like. Email security and control may protect against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtering, and more – ¶ 0068 - The security management facility 122 may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility 122 may be able to discover threats that were not detected on one of the compute instances 10-26, or policy violation, such transmittal of information that should not be communicated unencrypted. ¶ 0221 - The Policy Manager may be responsible for checking policy status with a policy agent. The Policy Manager may, for example, communicate with the policy agent using REST APIs. Whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The web socket connection may perform policy evaluation requests for incoming packets under certain conditions, such as when the last policy evaluated time is more than 5 mins or any other suitable timeframe - ¶0111 & ¶0218 - the reverse proxy 218 may allow the WebSocket traffic to flow to the WebSocket server 212 if the user has been authenticated. The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource 214. The WebSocket server may drop incoming traffic when the web socket connection is slow.);
transitioning the computer system to a third security state in response to a request to execute a server that requires network access, wherein the computer system in the third state allows the server only to establish local network connections (¶ 0054 - the security management facility 122 may provide for network access control, which generally controls access to and use of network connections. Network control may stop unauthorized, guest, or non-compliant systems from accessing networks, and may control network traffic that is not otherwise controlled at the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may, for example, include communications networks tunneled through other networks and establishing logical connections acting as virtual networks – ¶ 0227 - As shown in step 2104, the method 2100 may include receiving a request at an endpoint for access to a first application remotely hosted on a network. This may occur, e.g., in response to a user locally selecting and launching the application within a user interface of the endpoint, or otherwise receiving a request for the application by a user or process on the endpoint. In general, the endpoint may be any of the endpoints described herein, and the first application may be a ZTNA application or other application hosted through a ZTNA gateway - ¶ 0240 - The agent configurator 2214 may be responsible for setting a configuration of the agent 2204 according to a ZTNA policy, which may be stored locally or received from the central management facility 2208, e.g., in XML format or using any other suitable syntax or structure. A thread on the endpoint may monitor for policy changes so that a local policy cache can remain current with updates from the central management facility 2208. The ZTNA policy may, for example, include a list of gateways and applications available to enterprise endpoints, which may be converted to an in-memory map and sent to the DNS handler 2224 for use in creating connections when an application is locally requested on the endpoint 2202 - See Also ¶ 0091 & ¶ 0118);
transitioning the computer system to a fourth security state in response to a request to execute a server that requires external network access, wherein the computing system in the fourth state allows remote inbound network connections from network addresses identified in a white list (¶ 0059-an embodiment, a policy database may include a block list, a blacklist, an allowed list, a whitelist, and more. As a few non-limiting examples, policies may include a list of enterprise facility 102 external network locations/applications that may or may not be accessed by compute instances, a list of types/classifications of network locations or applications that may or may not be accessed by compute instances, and contextual rules to evaluate whether the lists apply. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility, a security management facility 122 may access the rules within a policy facility to determine if the requested access is related to a sporting website."; ¶ 0070 -the network access facility 94 may have access to policies that include one or more of a block list, an allowed list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. Additionally, the network access facility 94 may use rule evaluation to parse network access requests and apply policies. The network access rule facility 94 may have a generic set of policies for all compute instances, such as denying access to certain types of websites, controlling instant messenger accesses, or the like.").
However, Kaimal does not explicitly teach
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces;
Comay teaches
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces (¶ 0028 - Referring to FIG. 3, at block 310, method 300 detects a connection of an endpoint device 110 at a network switch 130 coupled to a network 150. At block 320, method 300 restricts access of the endpoint device 110 to prevent the endpoint device 110 from accessing resources 140 of the network. In one embodiment, access control list manager 210 preconfigures network switch 130 with an access control list 242 that restricts the access of endpoint device 110 to all of network resources 140. Initially, upon connection, the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated. This may prevent the endpoint device 110 from accessing any network resources 140 except for the NAC device 120);
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Comay. The motivation for doing so is to allow the system to restrict the access of the endpoint device to all of the network resources until the device is authenticated (Comay - ¶ 0028).
Regarding claim 18,
Kaimal teaches a non-transitory computer-readable storage medium that stores instructions that are configured, when executed by a computing system (¶ 0169), to perform a process:
transitioning the computer system to a second security state in response to a request to open an outbound network connection, wherein the computer system in the second state allows outbound network connections and disallows inbound network connections (¶ 0041 & ¶ 0052 - In an embodiment, the security management facility 122 may provide for email security and control, for example to target spam, viruses, spyware, and phishing, to control email content, and the like. Email security and control may protect against inbound and outbound threats, protect email infrastructure, prevent data leakage, provide spam filtering, and more – ¶ 0068 - The security management facility 122 may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility 122 may be able to discover threats that were not detected on one of the compute instances 10-26, or policy violations, such as transmittal of information that should not be communicated unencrypted. ¶ 0221 - The Policy Manager may be responsible for checking policy status with a policy agent. The Policy Manager may, for example, communicate with the policy agent using REST APIs. Whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The web socket connection may perform policy evaluation requests for incoming packets under certain conditions, such as when the last policy evaluated time is more than 5 mins or any other suitable timeframe - ¶ 0111 & ¶ 0218 - the reverse proxy 218 may allow the WebSocket traffic to flow to the WebSocket server 212 if the user has been authenticated.
The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource 214. The WebSocket server may drop incoming traffic when the web socket connection is slow.);
transitioning the computer system to a third security state in response to a request to execute a server that requires network access, wherein the computer system in the third state allows the server only to establish local network connections (¶ 0054 - the security management facility 122 may provide for network access control, which generally controls access to and use of network connections. Network control may stop unauthorized, guest, or non-compliant systems from accessing networks, and may control network traffic that is not otherwise controlled at the client level. In addition, network access control may control access to virtual private networks (VPN), where VPNs may, for example, include communications networks tunneled through other networks and establishing logical connections acting as virtual networks – ¶ 0227 - "As shown in step 2104, the method 2100 may include receiving a request at an endpoint for access to a first application remotely hosted on a network. This may occur, e.g., in response to a user locally selecting and launching the application within a user interface of the endpoint, or otherwise receiving a request for the application by a user or process on the endpoint. In general, the endpoint may be any of the endpoints described herein, and the first application may be a ZTNA application or other application hosted through a ZTNA gateway - ¶ 0240 - The agent configurator 2214 may be responsible for setting a configuration of the agent 2204 according to a ZTNA policy, which may be stored locally or received from the central management facility 2208, e.g., in XML format or using any other suitable syntax or structure. A thread on the endpoint may monitor for policy changes so that a local policy cache can remain current with updates from the central management facility 2208.
The ZTNA policy may, for example, include a list of gateways and applications available to enterprise endpoints, which may be converted to an in-memory map and sent to the DNS handler 2224 for use in creating connections when an application is locally requested on the endpoint 2202 - See Also ¶ 0091 & ¶ 0118);
transitioning the computer system to a fourth security state in response to a request to execute a server that requires external network access, wherein the computing system in the fourth state allows remote inbound network connections from network addresses identified in a white list (¶ 0059 - In an embodiment, a policy database may include a block list, a blacklist, an allowed list, a whitelist, and more. As a few non-limiting examples, policies may include a list of enterprise facility 102 external network locations/applications that may or may not be accessed by compute instances, a list of types/classifications of network locations or applications that may or may not be accessed by compute instances, and contextual rules to evaluate whether the lists apply. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility, a security management facility 122 may access the rules within a policy facility to determine if the requested access is related to a sporting website."; ¶ 0070 - the network access facility 94 may have access to policies that include one or more of a block list, an allowed list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. Additionally, the network access facility 94 may use rule evaluation to parse network access requests and apply policies. The network access rule facility 94 may have a generic set of policies for all compute instances, such as denying access to certain types of websites, controlling instant messenger accesses, or the like.").
However, Kaimal does not explicitly teach
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces;
Comay teaches
starting the computer system in a first security state in which the computer system disallows all network activity on its one or more network interfaces (¶ 0028 - Referring to FIG. 3, at block 310, method 300 detects a connection of an endpoint device 110 at a network switch 130 coupled to a network 150. At block 320, method 300 restricts access of the endpoint device 110 to prevent the endpoint device 110 from accessing resources 140 of the network. In one embodiment, access control list manager 210 preconfigures network switch 130 with an access control list 242 that restricts the access of endpoint device 110 to all of network resources 140. Initially, upon connection, the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated. This may prevent the endpoint device 110 from accessing any network resources 140 except for the NAC device 120);
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Comay. The motivation for doing so is to allow the system to restrict the access of the endpoint device to all of the network resources until the device is authenticated (Comay - ¶ 0028).
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kaimal in view of Comay further in view of Nambannor Kunnath et al., Publication No. US 2025/0023853 A1 (Nambannor Kunnath hereinafter).
Regarding claim 3,
Kaimal further teaches
wherein the computing system authenticates network connections by a combination of […] password, and device identifier (¶ 0105 - an administrator may interface with the threat management facility 100 and enter/select details of the gateway. These details may include, without limitation a gateway name, a Fully Qualified Domain Name (FQDN), certificates, a One Time Password (OTP), identity providers to use for authentication- ¶ 0125 - The platform may issue an authentication token and a refresh token to the gateway after the user successfully authenticates. The authentication token may be used by the gateway (or other entities) on behalf of the user to verify the user identity and obtain other user information from the identity management platform.").
However, Kaimal does not explicitly teach authenticating network connections by a combination of username, password, and device identifier.
Nambannor Kunnath teaches
authenticates network connections by a combination of username, password, and device identifier (¶ 0042 - The access gateway 140 can perform an initial authentication of a user in response to a request to create a VDI session from a client device 108 associated with the user. The initial authentication can involve authenticating or verifying the client device 108 and/or user credentials. The user credential authentication can involve authenticating one or more authentication factors, such as a username, password, authentication code, or other secondary authentication factors).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Nambannor Kunnath. The motivation for doing so is to allow the system to authenticate network connections (Nambannor Kunnath – ¶ 0042).
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Kaimal in view of Comay further in view of Migault et al., Publication No. US 2021/0006625 A1 (Migault hereinafter).
Regarding claim 4,
Kaimal further teaches
wherein the computer system disallows inbound network connections (¶ 0052, ¶ 0221);
However, Kaimal does not explicitly teach
disallows inbound network connections by refusing to open listening network ports, dropping all incoming TCP SYN packets, and/or refusing to execute remote login/shell/execution servers
Migault teaches
disallows inbound network connections by refusing to open listening network ports, dropping all incoming TCP SYN packets, and/or refusing to execute remote login/shell/execution servers (¶ 0111 - Upon receiving an ALERT_RESOURCE_LOW alert from SMAS 306, the NFVO 300 instructs the SEM to limit new incoming sessions by the VEN 312. As incoming sessions are determined by the Classifier 314, the SEM typically will refuse any TCP SYN, and only accept already established TCP sessions).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Migault. The motivation for doing so is to allow the system to refuse any TCP SYN, and only accept already established TCP sessions (Migault – ¶ 0042).
Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Kaimal in view of Comay further in view of Chien et al., Publication No. US 2013/0333038 A1 (Chien hereinafter).
Regarding claim 6,
Kaimal further teaches
in the third security state, allowing network connections (¶ 0059 - The threat management facility 100 may include a policy management facility 112 that manages rules or policies for the enterprise facility 102. Exemplary rules include access permissions associated with networks, applications, compute instances, users, content, data, and the like. The policy management facility 112 may use a database, a text file, other data store, or a combination to store policies. In an embodiment, a policy database may include a block list, a blacklist, an allowed list, a whitelist).
However, Kaimal does not explicitly teach
allowing network connections only to network addresses and/or ports identified in a white list
Chien teaches
allowing network connections only to network addresses and/or ports identified in a white list (Fig. 5, ¶ 0068 - The IP address, port number, and category code are stored in a file, database, and/or other data source that identifies network nodes and files that are valid and/or otherwise trusted. Such a data source is sometimes referred to herein as a white list. A white list is generally distinct from a black list that specifically identifies addresses, nodes, data sources, or other information that is to be blocked or otherwise not trusted. For example, a white list used for certain embodiments of the invention does not include IP addresses for any unauthenticated network nodes or any anonymous proxy servers – ¶ 0069 - The white list may be a subset of an IRNA WHOIS database. It may identify network nodes of only legitimate financial institutions, reputable websites, reputable download websites, reputable antivirus company websites, and/or other service providers otherwise, to include IP addresses and other information associated with one or more internet service providers – See ¶ 0080, ¶ 0094, Claim 1).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Chien. The motivation for doing so is to allow the system to identify network nodes of only legitimate financial institutions, reputable websites, reputable download websites, reputable antivirus company websites, and/or other service providers (Chien – ¶ 0069).
Regarding claim 7,
Kaimal does not explicitly teach
receiving the white list from a trusted network host.
However, Chien teaches
receiving the white list from a trusted network host (Fig. 5, ¶ 0068 - The IP address, port number, and category code are stored in a file, database, and/or other data source that identifies network nodes and files that are valid and/or otherwise trusted. Such a data source is sometimes referred to herein as a white list. A white list is generally distinct from a black list that specifically identifies addresses, nodes, data sources, or other information that is to be blocked or otherwise not trusted. For example, a white list used for certain embodiments of the invention does not include IP addresses for any unauthenticated network nodes or any anonymous proxy servers – ¶ 0069 - The white list may be a subset of an IRNA WHOIS database. It may identify network nodes of only legitimate financial institutions, reputable websites, reputable download websites, reputable antivirus company websites, and/or other service providers otherwise, to include IP addresses and other information associated with one or more internet service providers – See ¶ 0080, ¶ 0094, Claim 1).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Chien. The motivation for doing so is to allow the system to identify network nodes of only legitimate financial institutions, reputable websites, reputable download websites, reputable antivirus company websites, and/or other service providers (Chien – ¶ 0069).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kaimal in view of Comay further in view of Jain et al., Publication No. US 2023/0269229 A1 (Jain hereinafter).
Regarding claim 8,
Kaimal does not explicitly teach
in the fourth security state, disallowing inbound SSH connections from remote hosts; and transitioning to a fifth security state, in which the computing system allows inbound SSH connections from remote hosts.
However, Jain teaches
in the fourth security state, disallowing inbound SSH connections from remote hosts; and transitioning to a fifth security state, in which the computing system allows inbound SSH connections from remote hosts (Fig.8, ¶ 0059 - a high level set of firewall rules can be defined at node 302, which are applicable to all the resources in their hierarchy. For example, security administration at organization level may decide to block internet access from certain countries. However, evaluation of firewall rules can be delegated to a lower level. For example, organization security administration can allow SSH traffic based on the team requirements and delegate specification of SSH firewall rules to security administrators of teams (e.g., node 304). Administrators of the finance department might decide to block SSH traffic, while administrators of web service might allow SSH traffic for its resources).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Jain. The motivation for doing so is to allow the system to allow/disallow SSH traffic based on the requirements (Jain – ¶ 0059).
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Kaimal in view of Nath et al., Publication No. US 2010/0199088 A1 (Nath hereinafter) further in view of Comay.
Regarding claim 16,
Kaimal teaches a method for computer network security in a computer system, the method comprising:
receiving a computer-readable network security policy [..], and for each transition, one or more conditions under which the transition is to be executed, wherein each of the multiple network security states allows or disallows specified types of network access or communication, and wherein each security state allows a greater level of network communication than is allowed in its predecessor state (¶ 0138 - The gateway may also or instead evaluate a security policy for managing user access to the application, e.g., according to any security rules or policies maintained by a threat management facility associated with the user and/or application - ¶ 0146 - The executable form may be sent to a gateway as a changelog documenting incremental changes or updates to prior security policies. Where no prior security policy is present, the changelog may completely restate the current security policy for the gateway. The gateway may have a cloud agent component configured to receive the executable form. Where an incremental changelog is used, other components of the security policy may be retained in the intermediate form to facilitate, e.g., subsequent display to an administrator or conversion to an executable form (or new changelog therefor) as the security policy is revised over time. While the threat management facility may send the executable form to the network appliance, in some embodiments the threat management facility may alternatively send the intermediate form to the network appliance. The network appliance may then convert the intermediate form to the executable form; ¶ 0153 - A policy file may be composed of one or more rules specifying conditions for granting access to an entity for one or more applications.
Each of the one or more rules may include an assignment of the policy to one or more resources, including applications, networks, servers, remote devices, and the like - See Also ¶ 0249, ¶ 0059-¶ 0060, ¶ 0117 and Fig. 9, which shows a policy file that includes a second state with a wildcard [*], which is a greater level of access than the first state, which specifies the groups, which in turn is a greater level of access than the default allow=false);
receiving an indication that a condition has been met, wherein the condition is associated with a transition from the initial security state to a second one of the multiple security states; and in response to an indication that the condition has been met, transitioning to the second security state by allowing one or more types of network communication that are associated with the second security state by the security policy, wherein the condition is a request to open an outbound connection, and wherein the computer system in the second state allows outbound network connections and disallows inbound network connections (¶ 0141 - an administrator may specify a security policy at a user interface, and the security policy is then applied at a gateway or other security appliance, network device, or the like. A security policy may refer to any configuration object specifying one or more conditions for allowing user access to a resource. In this context, the security policy may have a human-readable representation used within the user interface to support administrative interactions with elements of the security policy, as well as a machine-executable representation for use by the gateway in implementing the security policy – ¶ 0041, ¶ 0068 - The security management facility may scan an outgoing file and verify that the outgoing file is permitted to be transmitted according to policies. By checking outgoing files, the security management facility may be able to discover threats that were not detected on one of the compute instances, or policy violations, such as transmittal of information that should not be communicated unencrypted.
¶ 0221 - Whenever the Policy Manager receives a policy evaluation request for a WebSocket connection, the Policy Manager may send a corresponding REST API request to the policy agent with connection cookie, anti-virus status, syncsec status (synchronized security heartbeat status), and application identifier (such as a 128-bit universally unique identifier) for which the policy evaluation request is done. The web socket connection may perform policy evaluation requests for incoming packets under certain conditions, such as when the last policy evaluated time is more than 5 mins or any other suitable timeframe - ¶ 0111 & ¶ 0218 - the reverse proxy may allow the WebSocket traffic to flow to the WebSocket server if the user has been authenticated. The WebSocket server 212 may apply further authorization checks to see if the user is permitted access to the protected resource. The WebSocket server may drop incoming traffic when the web socket connection is slow.);
However, Kaimal does not explicitly teach
a policy that specifies multiple successive network security states including an initial network security state and a last network security state, and transitions between each pair of successive security states, wherein the initial security state disallows all network communication; and
causing the computer system to operate in the initial security state by disallowing all network communication.
Nath teaches
a policy that specifies multiple successive network security states including an initial network security state and a last network security state, transitions between each pair of successive security states, and one or more conditions under which the transition is to be executed, wherein each of the multiple network security states allows or disallows specified types of network access or communication (¶ 0046 - The process-driven security policy 100 includes a plurality of different states. As shown in FIG. 1, the process-driven security policy 100 can include state A 102, state B 104, state C 106, and state D 108. Each of these different states can be associated with one or more access restrictions – ¶ 0049 - a file currently in state A 102 can transition to state B 104 or state D 108, depending upon process-related conditions (e.g., events). Similarly, a file in state D 108, depending upon process considerations - ¶ 0052 - when the decision 202 determines that an event has been received, then the transition process 200 determines 204 whether the event causes a state transition. Here, the rules by which transitions between states occur, i.e., transition rules, can be specified by the process-driven security policy - ¶ 0048, Abstract - access restrictions on electronic files can be dependent on the state of the process-driven security policy – ¶ 0012 - As an electronic file transitions through a process, access restrictions can automatically change. The process can be defined by a number of states, with each state having different security policies associated therewith. The security policies control which users are permitted to access the electronic files – ¶ 0047 - access restrictions will designate which users (or groups of users) are able to access secure documents, whether certain clearance levels are needed, whether off-line access is permitted, and which of various other possible criteria or considerations are utilized. A set of access restrictions for the various states can be referred to as a security policy).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Nath. The motivation for doing so is to allow the system to provide more effective ways for security systems to permit security criteria imposed on electronic resources to be changed, thereby altering the security used to protect the electronic resources (Nath - ¶ 0010).
Comay teaches
wherein the initial security state disallows all network communication; and causing the computer system to operate in initial security state by disallowing all network communication (¶ 0028 - Referring to FIG. 3, at block 310, method 300 detects a connection of an endpoint device 110 at a network switch 130 coupled to a network 150. At block 320, method 300 restricts access of the endpoint device 110 to prevent the endpoint device 110 from accessing resources 140 of the network. In one embodiment, access control list manager 210 preconfigures network switch 130 with an access control list 242 that restricts the access of endpoint device 110 to all of network resources 140. Initially, upon connection, the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated. This may prevent the endpoint device 110 from accessing any network resources 140 except for the NAC device 120);
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kaimal to include the teachings of Comay. The motivation for doing so is to allow the system to restrict the access of the endpoint device to all of the network resources until the device is authenticated (Comay - ¶ 0028).
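The escalating-state policy recited in claim 16, with the first through fifth states of claims 1, 8 and 18 as its concrete states, as an added illustration in Python; this is not code from the office action, the application or any cited reference, and the state names, permission vocabulary, transition conditions and TEST-NET whitelist are all constructed for the example.

```python
"""Escalating network security states driven by a policy (added example).

Models the mechanism recited in the claims: a policy lists successive
security states, each allowing strictly more network communication than
its predecessor, plus the conditions (requests) that move the system
from one state to the next. The system starts fully closed and never
moves backwards. State names, the permission vocabulary, the transition
conditions and the whitelist are all constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed vocabulary of communication kinds a state can allow.
OUTBOUND = "outbound"                    # open outbound connections
LOCAL_LISTEN = "local_listen"            # a server may accept loopback peers only
INBOUND_WHITELIST = "inbound_whitelist"  # remote inbound from whitelisted addresses
INBOUND_SSH = "inbound_ssh"              # inbound SSH from remote hosts


@dataclass(frozen=True)
class State:
    name: str
    allows: frozenset  # subset of the vocabulary above


def policy_violations(states):
    """Names of states that do not allow strictly more than their predecessor."""
    return [cur.name for prev, cur in zip(states, states[1:])
            if not prev.allows < cur.allows]


@dataclass
class Policy:
    states: list                 # ordered: initial state first
    transitions: dict            # condition name -> name of state to enter
    whitelist: list = field(default_factory=list)  # ip_network objects

    def __post_init__(self):
        # Reject a policy whose states are not strictly escalating.
        bad = policy_violations(self.states)
        if bad:
            raise ValueError(f"non-escalating states: {bad}")
        names = {s.name for s in self.states}
        unknown = [t for t in self.transitions.values() if t not in names]
        if unknown:
            raise ValueError(f"transitions to unknown states: {unknown}")


class Endpoint:
    """A computer system that starts closed and only ever escalates."""

    def __init__(self, policy):
        self.policy = policy
        self.state = policy.states[0]
        self.log = []  # (condition, state before, state after)

    def _rank(self, state):
        return self.policy.states.index(state)

    def request(self, condition):
        """Report a condition; enter its target state only if that is a forward move."""
        before = self.state
        target_name = self.policy.transitions.get(condition)
        if target_name is not None:
            target = next(s for s in self.policy.states if s.name == target_name)
            if self._rank(target) > self._rank(self.state):
                self.state = target
        self.log.append((condition, before.name, self.state.name))
        return self.state.name

    def permits(self, kind, remote=None):
        """Decide whether communication of `kind` (with optional peer) is allowed now."""
        if kind not in self.state.allows:
            return False
        if kind == LOCAL_LISTEN and remote is not None:
            return ip_address(remote).is_loopback
        if kind == INBOUND_WHITELIST:
            if remote is None:
                return False
            addr = ip_address(remote)
            return any(addr in net for net in self.policy.whitelist)
        return True


def build_policy():
    """Five escalating states mirroring the claim language (constructed)."""
    closed = State("closed", frozenset())
    outbound = State("outbound", frozenset({OUTBOUND}))
    local_server = State("local_server", outbound.allows | {LOCAL_LISTEN})
    external_server = State("external_server", local_server.allows | {INBOUND_WHITELIST})
    remote_admin = State("remote_admin", external_server.allows | {INBOUND_SSH})
    return Policy(
        states=[closed, outbound, local_server, external_server, remote_admin],
        transitions={
            "open_outbound_connection": "outbound",
            "exec_server_needing_network": "local_server",
            "exec_server_needing_external_network": "external_server",
            "enable_remote_admin": "remote_admin",
        },
        whitelist=[ip_network("203.0.113.0/24")],  # TEST-NET-3, constructed
    )


if __name__ == "__main__":
    ep = Endpoint(build_policy())
    for cond in ("open_outbound_connection", "exec_server_needing_external_network",
                 "exec_server_needing_network", "enable_remote_admin"):
        ep.request(cond)
    for entry in ep.log:
        print(entry)
    print("SSH from 203.0.113.5 allowed:", ep.permits(INBOUND_SSH, "203.0.113.5"))
```

The third request in the walkthrough targets a lower state than the one already reached and is logged without changing state, which is the no-downgrade property the claims' "greater level than its predecessor" wording implies.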
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YOUNES NAJI/
Primary Examiner, Art Unit 2445