DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/12/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see page 8, filed 2/27/2026, with respect to the objection(s) to the drawings have been fully considered and are persuasive. The associated objection(s) to the drawings has been withdrawn.
Applicant's arguments, see pages 8 and 9, filed 2/27/2026, with respect to the objection(s) to claims 1-14 have been fully considered.
Regarding claims 1 and 2:
The amendments to claim 2 address the list member interpretation issue through the addition of a colon. The objection to claim 2 has been withdrawn. However, the amendments to claim 1 do not include the colon, and the objection to claim 1 is maintained.
Regarding claim 4:
This claim has been cancelled and thus the rejection is moot.
Regarding the argument directed to claim 6:
This objection is withdrawn.
Applicant's arguments, see page 9, filed 2/27/2026, with respect to the objection to the abstract have been fully considered but they are not persuasive.
Examiner notes that the amendment to the abstract has left the problematic wording in place. Specifically, the first sentence of the abstract, “A method for controlling the access of a user to a network includes …”, still repeats the majority of the title. Examiner recommends removing the first sentence of the abstract entirely, as it is redundant given the information given in the title of the application.
Applicant's arguments, see pages 9 and 10, filed 2/27/2026, with respect to the rejection of claim 7 under 35 USC 112(a) have been fully considered and are persuasive. The associated rejections to the listed claim(s) have been withdrawn.
Applicant's arguments, see pages 10 and 11, filed 2/27/2026, with respect to the rejection of claims 1-14 under 35 USC 112(b) have been fully considered and are persuasive. The associated rejections to the listed claim(s) have been withdrawn.
Applicant's arguments, see page 11, filed 2/27/2026, with respect to the rejection of claim 14 under 35 USC 101 have been fully considered and are persuasive. The associated rejections to the listed claim(s) have been withdrawn.
Applicant's arguments, see pages 11-18, filed 2/27/2026, with respect to the rejection of claims 1-14 under 35 USC 102(a)(2) and 103 have been fully considered.
Regarding the argument:
“The applied references, alone or in combination, fail to teach or suggest each and every feature of the claimed invention. …”
Examiner agrees that due to the change in scope presented in the current draft of the claims, the previous prior art rejection under 35 USC 102(a)(2) is overcome and is withdrawn.
Regarding the argument:
“… The Examiner alleges that Athavle makes up for deficiencies of Pela. Applicants respectfully disagree.
“That is, Athavle detects suspicious activities of users by their attribution to different user clusters. …
The claimed invention differs from Athavle not only in the newly added features of claim 1 (which correspond to the subject matter of original claim 4). … Whereas Athavle fails when there is only one user, the invention successfully detects suspicious activity. … In contrast, the claimed invention, because each user is analyzed individually, successfully detects suspicious behavior of all affected users.
“The claimed invention also differs from Athavle in that the invention provides for disconnecting the access of the user to the network depending on the result of the comparison. …”
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The prior art of ATHAVLE is not relied upon in the previous office action to perform detection. This is performed by the prior art of PELA. PELA is able to perform a comparison of a monitoring parameter to detect suspicious activity when that parameter is outside what is expected, and then disconnect the user for whom the parameter applied. ATHAVLE is relied on only to demonstrate that monitoring a number of files “opened” by a user, in the context of anomaly detection, is represented in the prior art. Applicant has not provided any argument denying the applicability of ATHAVLE to the limitation to which it is mapped. The previous rejection is withdrawn as the change in scope requires; however, the application of the prior art as represented in the previous office action is maintained.
Regarding the argument:
“The claimed invention differs from Chavez in that the invention analyzes the individual user behavior while Chavez only analyzes the network activity on the whole. … Moreover, insofar as Chavez mentions the attribute "file status," this implies that Chavez cannot detect user-specific suspicious activity, whereas the claimed invention can.”
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Similar to the response provided above in reference to the arguments directed to the prior art of ATHAVLE, examiner notes that the prior art of CHAVEZ is not relied upon to perform detection of suspicious activity.
“Moreover, the claimed invention differs from Chavez in that Chavez does not provide for disconnecting the user from the network in case of the detection of suspicious user activity.
“Finally, the invention differs from Chavez by disconnecting the user from the network depending on the result of the comparison and by the newly added features of claim 1. …”
Examiner respectfully disagrees. The previous office action cites CHAVEZ as specifically providing for disconnecting a user in response to detecting unauthorized activity. Applicant’s arguments are generally directed to the manner in which CHAVEZ determines the unauthorized activity, which is not relied upon in the rejection, and already mapped to the prior art of PELA. Given a user for whom suspicious activity is detected, CHAVEZ teaches blocking a user from their connection, which maps appropriately to the claim. This rejection is maintained.
Regarding the argument:
“Covell focuses on the authentication of users of a network which is based on the evaluation of the detected user behavior while being connected to the network. …
“The claimed invention differs from Covell in several aspects. First, Covell focuses on the quality of the general user interaction with the network content which takes into account the categories of the network files and the user-specific role. In contrast, the invention is based on the quantity of user interactions.”
Examiner notes that these arguments merely summarize the prior art of COVELL and its general differences to the claimed invention without any particular argument against the limitations to which the prior art has been applied.
“Second, in case of a detected suspicious activity, Covell requires a re-authentication by the user. … In contrast, the invention provides for immediate disconnection of the user to the network, thus enables a safe protection of the network, even and in particular against intentional misbehavior.”
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Similar to above responses, COVELL is not relied upon to perform a disconnection of the user, as this limitation is already mapped to the prior art of PELA. COVELL is relied upon only to demonstrate that predefined threshold (limit) values are represented in the prior art. Applicant has not provided any argument denying the applicability of COVELL to the limitation to which it is mapped. This rejection is maintained.
Regarding the argument:
“Kang does not mention a behavior analysis of a user of a network. In addition, Kang only focuses on the first login of the user and not on evaluating the user behavior after the log in.”
This argument is directed to a cancelled claim and is moot.
Regarding the argument:
“Wenig focuses on the monitoring of the user behavior of distributed application, e.g., when visiting an online store, in order to offer the user improved advertisement.”
Applicant has not provided a specific argument directed to the application of the prior art to the claim limitation to which it is mapped. This rejection is maintained.
Regarding the argument:
“Salpico does not mention an analysis of user behavior of a network.”
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The claim limitations to which SALPICO is mapped make no mention of user behavior analysis. This rejection is maintained.
Regarding the argument:
“Finally, Lam focuses on the device compliance, in particular in the context of installed programs on the device or the update status of antivirus software. Lam does not mention the analysis of user behavior.”
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The claim limitations to which LAM is mapped make no mention of user behavior analysis. This rejection is maintained.
Regarding the argument:
“The applied references also do not mention a quantitative analysis of the individual user's behavior according to the claimed invention. They instead rely on a relative analysis. …”
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Neither the claims nor specification contain the term “quantitative analysis.” This rejection is maintained.
“… The methods of the prior art fail when there is only one user in the network and they also fail in case of a valid user with malicious intent or when several users are affected with malware at the same time. In contrast, the claimed invention is able to detect suspicious activity in any of these cases and thus enables a safer and more efficient protection of the network.”
Applicant has not provided sufficient argument or explanation why this would be the case, nor is this argument directed to any particular application of prior art cited in the previous office action.
Specification
The abstract of the disclosure is objected to because:
It repeats information given in the title. Specifically, the first sentence of the abstract, “A method for controlling the access of a user to a network includes …” repeats the title nearly verbatim.
A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Claim Objections
Claims 1-14 are objected to because of the following informalities:
Regarding claim 1:
Claim 1 recites, “… a monitoring parameter corresponding to the access of the user to at least one program and/or at least one service and/or at least one file of the network and/or location information associated with the network and/or the user;”. The construction of the claims leaves room for misinterpretation. It is not clear whether the first element of the list is “the access of the user to at least one program,” or if it is simply, “at least one program.” Put another way, the claim would be better understood with the inclusion of a colon, and it is unclear where it would be placed (i.e. “a monitoring parameter corresponding to:” or “a monitoring parameter corresponding to the access of the user to:”). While this does not warrant a rejection under 35 USC 112(b), applicant is encouraged to amend the claim such that the listing is clear in what its elements are.
Regarding claims 2, 3, and 6-14:
They are objected to for being dependent on one or more objected-to claims. These objections could be overcome by overcoming the objections to any claims upon which these claims depend, or by amending the claim such that they are no longer dependent on any objected-to claims.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 8, 9, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1), and further in view of ATHAVLE (Doc ID US 10841321 B1).
Regarding claim 1:
PELA teaches:
A method for controlling an access of a user to a network, the method comprising: determining a monitoring parameter corresponding to the access of the user to: at least one program or at least one service or at least one file of the network ([0028] "… with reference to FIGS. 1 and 2, ... a user is associated with Workstation 101 and Location 111.");
comparing the monitoring parameter with a first limit value ([0028] "... if the user accesses the network ..., the software component retrieves the data port connection information ... to determine if the user is authorized to login to the network at that location. …"); and
disconnecting the access of the user to the network depending on the result of the comparison ([0028] "… Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected …"),
ATHAVLE teaches the following limitation(s) not taught by PELA:
wherein said determining the monitoring parameter is dependent on a number of files of the network or of the data processing device opened by the user ((35) Col 6 line 35 "… identify a second cluster of users based on ... at least one dynamic attribute …" and (36) line 47 "… dynamic attributes may be based on user behavior. Examples ... include the number of files accessed by a user …"), and
wherein the number of files opened by the user comprises at least one action including opening, reading, writing, renaming, copying or deleting a file of the network or of the data processing device ((36) Col 6 line 47 "… Examples ... include ... the number of file reads performed by a user, the number of file writes ..., the number of files deleted ..., the number of file rename operations …").
Choosing a user-associated parameter to monitor, comparing that parameter to another value, and disconnecting the user based on the comparison are known techniques in the art, as demonstrated by PELA. Further, monitoring the quantity of a user’s file operations is a known technique in the art, as demonstrated by ATHAVLE. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the network access security of PELA with the file operation count of ATHAVLE with the motivation to identify another or additional parameters to monitor which may be used to identify suspicious behavior by a user.
Regarding claim 2:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1, wherein the method controls the access of a user to a data processing device of the network, wherein the monitoring parameter corresponds to the access of the user to: at least one program or at least one service or at least one file of the data processing device (PELA [0028] "… with reference to FIGS. 1 and 2, ... a user is associated with Workstation 101 and Location 111."), or
wherein the access of the user to the data processing device is disconnected depending on the result of the comparison (PELA [0028] "… Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected …").
Regarding claim 8:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1, wherein the disconnection of the access of the user to the network is carried out by at least one step: terminating the current network session of the user (PELA [0028] "… Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected …"); denying the user further access to at least one or all files of the network; or blocking at least one user-defined port of the user for access to the network.
Regarding claim 9:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1, wherein the disconnection of the access of the user to the network occurs by denying at least one access authorization of the user by denying all access authorizations of the user ([0028] "… Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected …").
Examiner notes that the broadest reasonable interpretation of "denying access authorization" encompasses disconnecting a user from access to which they had been previously authorized.
Regarding claim 13:
The combination of PELA and ATHAVLE teaches:
A network comprising: at least one data processing device designed to carry out the method according to claim 1 (PELA [0017] "… workstations ..., a security server, ... an administration terminal, ... and the hardware component of the present invention are all in communication via LAN 150.").
Regarding claim 14:
The combination of PELA and ATHAVLE teaches:
A non-transitory computer readable medium comprising program code to carry out the steps of the method according to claim 1 if the computer program code is run on a data processing device of the network (PELA Claim 21 "... computer readable code for ... associating a workstation to a physical location; associating a network user to said workstation; monitoring a computer network …").
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1) and ATHAVLE (Doc ID US 10841321 B1) as applied to claim 1 above, and further in view of CHAVEZ et al (Doc ID US 20220321842 A1).
Regarding claim 3:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
CHAVEZ teaches the following limitations not taught by the combination of PELA and ATHAVLE:
wherein, in the case in which the user deactivates at least one predefined program or a service of the network ([0124] "… For example, if a user deactivated an antivirus program, a workflow may comprise …"), in particular of the data processing device, the monitoring parameter is set to a predefined value such that the disconnection of the access of the user to the network or to the data processing device occurs ([0124] "… a new workflow may comprise instructions as to what actions should be performed. Actions may be, for example, ... block a port or user ...").
Blocking a user’s access in response to the user shutting off a service is a known technique in the art, as demonstrated by CHAVEZ. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the user disconnect based on user actions of CHAVEZ with the motivation to prevent users from disabling network services which may hinder malicious actions. It is obvious to disconnect a user for unauthorized closing of network services.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1) and ATHAVLE (Doc ID US 10841321 B1) as applied to claim 1 above, and further in view of WENIG et al (Doc ID US 20110029665 A1).
Regarding claim 6:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
WENIG teaches the following limitations not taught by the combination of PELA and ATHAVLE:
wherein the monitoring parameter is determined over a predefined period of time, which is defined by an administrator of the network or of the data processing device ([0058] "… An administrator may configure the session monitor 46 to conduct user profiling for all users, a particular random set of users, for a particular time period ...").
Monitoring aspects of a user’s network access over time is a known technique in the art, as demonstrated by WENIG. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the user monitoring time period of WENIG with the motivation to ensure a sufficient amount of data is gathered prior to making a decision of whether to allow continued access to a user. It is obvious to avoid false positives by measuring a monitored parameter over time.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1) and ATHAVLE (Doc ID US 10841321 B1) as applied to claim 1 above, and further in view of COVELL et al (Doc ID US 20230058138 A1).
Regarding claim 7:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
COVELL teaches the following limitations not taught by the combination of PELA and ATHAVLE:
wherein the first limit value is predefined by an administrator of the network or of the data processing device, or is determined by a learning phase over a user-defined period of time ([0026] "... authentication manager 110 can ... set risk threshold for each topic. For example, authentication manager 110 can ... classify interactions ... by respective topics that each have corresponding levels of risk. For example, topics can include “system access” and requests thereof, “sensitive data” and requests thereof ...").
Using administrator input as a monitoring parameter is a known technique in the art, as demonstrated by COVELL. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the administrator input of COVELL with the motivation to make the system flexible so that administrators can choose the most appropriate elements of their network to monitor.
Claims 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1) and ATHAVLE (Doc ID US 10841321 B1) as applied to claim 1 above, and further in view of SALPICO (Doc ID US 20170187703 A1).
Regarding claim 10:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
SALPICO teaches the following limitations not taught by the combination of PELA and ATHAVLE:
wherein, before the determination of the monitoring parameter, a user group is created, and wherein each member of the user group is denied write or read authorization or any access authorization ([0027] "e) if said identifier of the user is in the database as an identifier of a denied user ..., denying said device's network access …"), and
upon disconnection of the access of the user to the network or to the data processing device, the user is assigned to the user group ([0031] "g) if all the verifications ... are positive ..., providing (allowing) network access, otherwise, storing the identification of the user in the internal database as an unauthorized user and denying said user's network access …").
Storing banned users in a group to be referenced later is a known technique in the art, as demonstrated by SALPICO. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the user blacklist of SALPICO with the motivation to maintain a listing of users who were disconnected from the network so that they may be more efficiently blocked from accessing the network in the future.
Regarding claim 12:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
SALPICO teaches the following limitations not taught by the combination of PELA and ATHAVLE:
further comprising: performing a query as to whether the user is present in an existing user database of the network or of the data processing device ([0029] "f1) verifying that the identifier of the user is in the database as an identifier of an authorized user …"); and
disconnecting the access of the user to the network or to the data processing device if the user is not present in the user database ([0031] "g) if all the verifications ... are positive ..., providing (allowing) network access, otherwise, ... denying said user's network access …").
Disconnecting users not on a whitelist is a known technique in the art, as demonstrated by SALPICO. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the user whitelist of SALPICO with the motivation to maintain a listing of users who are authorized on the network so that unknown users may be disconnected after a simple check.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over PELA (Doc ID US 20070162954 A1) and ATHAVLE (Doc ID US 10841321 B1) as applied to claim 1 above, and further in view of LAM et al (Doc ID US 20180176254 A1).
Regarding claim 11:
The combination of PELA and ATHAVLE teaches:
The method according to claim 1,
LAM teaches the following limitations not taught by the combination of PELA and ATHAVLE:
The method according to claim 1, wherein a warning signal is outputted to the user or to an administrator of the network or of the data processing device, depending on a comparison of the monitoring parameter with a second limit value which is different from the first limit value or which is smaller than the first limit value ([0040] "At block 224, ... The remediation action can include ... changing the network access of a device ..., and sending a notification …", [0042] "At block 230, whether the compliance level is above a second threshold is determined.", and [0044] "At block 234, ... actions based on compliance are optionally performed. The actions may include the actions ... with respect to block 224 ...").
Using a second threshold at which to produce a warning is a known technique in the art, as demonstrated by LAM. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the network access security method of PELA and ATHAVLE with the multiple thresholds of LAM with the motivation to provide a warning of user behavior prior to a disconnection. It is obvious to have a less severe threshold in the event a user’s activities may need to be addressed, but may not require being disconnected from the network.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BB/Examiner, Art Unit 2437
/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437