DETAILED ACTION
This office action is in response to the application filed on 05/31/2024.
Claims 1-20 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/31/2024 and 08/01/2025 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Interpretation
Regarding Claims 15-20 they recite in part “A computer-readable storage medium comprising executable instructions that, when executed by a processor, causes the processor to:”, however the claims do not recite that the computer readable storage medium excludes signals per se.
A review of the specification in para.0107 states that the computer readable storage medium is physical hardware media and excludes signals per se. “As used herein, the terms “computer program medium,” “computer-readable medium,” “computer-readable storage medium,” and “computer-readable storage device,” etc., are used to refer to physical hardware media. Examples of such physical hardware media include any hard disk, optical disk, SSD, other physical hardware media such as RAMs, ROMs, flash memory, digital video disks, zip disks, MEMs (microelectronic machine) memory, nanotechnology-based storage devices, and further types of physical/tangible hardware storage media of storage 1020. Such computer-readable media and/or storage media are distinguished from and non-overlapping with communication media, propagating signals, and signals per se. Stated differently, “computer program medium,” “computer-readable medium,” “computer-readable storage medium,” and “computer-readable storage device” do not encompass communication media, propagating signals, and signals per se.” Therefore claims 15-20 are not rejected under 35 USC 101 for statutory class or signal per se.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-3, 5-6, 8-10, 12-13, 15-17, 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Regarding Claims 1, 8, and 15 the claim(s) recite(s) “determining a candidate permission set for a first entity; determining a criticality score indicative of a criticality of the first entity; determining, based on historical usage of a current permission set by the first entity, a stability score indicative of a likelihood that usage of a current permission set by the first entity will change in a predetermined period of time; determining a security gain score indicative of an amount of security improvement achievable by replacing the current permission set with the candidate permission set; and replacing, for the first entity, the current permission set with the candidate permission set based on at least one of: the criticality score, the stability score, or the security gain score.”.
The limitations as drafted above is a process that under broadest reasonable interpretation covers performance of the limitations in the mind but for generic computer components. That is, other than “A system comprising: a processor; a memory device that stores program code structured to cause the processor” and “A computer-readable storage medium comprising executable instructions that, when executed by a processor, causes the processor” The claim comprises limitations that can be performed in the human mine, and/or using pen and paper. In this case, a person can reasonably determine a permissions to grant a user, determine the users importance, determine a user is likely to change behavior, determine a change in security based on different permissions, and grant the new permissions to the user. If a claim under its broadest reasonable interpretation covers performance in the mind but for recitation of generic computer components, then it falls within “mental processes” grouping of abstract idea. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claims only recite the additional elements of “A system comprising: a processor; a memory device that stores program code structured to cause the processor” and “A computer-readable storage medium comprising executable instructions that, when executed by a processor, causes the processor”. Regarding these components, they are generic computer elements recited as performing routine activities. Accordingly, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are therefore directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed in respect to the integration of the abstract idea into a practical application, the elements of “A system comprising: a processor; a memory device that stores program code structured to cause the processor” and “A computer-readable storage medium comprising executable instructions that, when executed by a processor, causes the processor” amount to no more than mere instructions to apply the abstract idea to generic computer elements. Mere instructions to apply the abstract idea to generic/well-known elements and extra solution activities cannot provide an inventive concept. The claims are not patent eligible.
Regarding Claims 2-3, 5-6, 9-10, 12-13, 16-17, 19-20, they recite “wherein said replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of the criticality score, the stability score, and the security gain score; and determining that the combined score satisfies a predetermined permission reduction criterion.” “wherein said determining a security gain score comprises: determining a delta permission set based on a set difference between the current permission set and the candidate permission set; determining the security gain score based on at least one of: an attack path that uses a permission in the delta permission set, a resource characteristic associated with a resource accessible by a permission in the delta permission set, or an ongoing security attack associated with a permission in the delta permission set.” “wherein said determining, based on historical usage of a current permission set by the first entity, a stability score comprises: determining interaction characteristics of the interactions between the first entity and a first resource; determining entity characteristics of the first entity; determining resource characteristics of the first resource; and determining the stability score based on the entity characteristics, the resource characteristics, and the interaction characteristics.” “wherein said determining a candidate permission set for a first entity comprises: determining interactions between the first entity and a first resource associated with the current permission set; and determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources.”
The limitations as drafted above is a process that under broadest reasonable interpretation covers performance of the limitations in the mind. The claims comprise limitations that can be performed in the human mine, and/or using pen and paper. In this case, a person can reasonably determine a combined score of the plurality of scores and compare it to condition, determine a difference between different sets of permissions and determine a change in security based on what is no longer in the permissions, determine characteristics of users and resources and their interactions to determine if a similar change would be performed by the user, and determine similarities in user behavior with that of a similar user and similar resources to determine what should be allowed for a user. If a claim under its broadest reasonable interpretation covers performance in the mind but for recitation of generic computer components, then it falls within “mental processes” grouping of abstract idea. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application. The claims do not recite additional elements aside from what is the abstract idea. Accordingly, the additional elements do not integrate the abstract idea into a practical application. The claims are therefore directed to an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed in respect to the integration of the abstract idea into a practical application, the claims do not recite additional elements. Mere instructions to apply the abstract idea to generic/well-known elements and extra solution activities cannot provide an inventive concept. The claims are not patent eligible.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4-5, 8, 11-12, 15, 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Alaeddini et al. (hereinafter Ala, US 2023/0315898 A1) in view of Shua et al. (hereinafter Shua, US 2023/0306127 A1) in view of Bishop III et al. (hereinafter Bishop, US 2023/0031049 A1).
Regarding Claim 1, Ala discloses A method comprising: determining a candidate permission set for a first entity (Ala: para.0024 “The recommendations component may then evaluate the inputs to determine whether the available policy set includes one or more matching policy subsets, which are subsets that cover all the selected permissions without allowing any additional permissions” para.0030 “The available policy set 101 may include, for example, one or more existing service-generated policies that are generated by the identity management service. The available policy set 101 may also include, for example, one or more existing customer-generated policies that are available to the identity 100, such as one or more existing customer-generated policies that are within a same customer account as the identity 100.” A set of candidate permission sets, i.e. policies that cover permissions for entities, are determined.);
determining, based on historical usage of a current permission set by the first entity, a stability score indicative of a likelihood that usage of a current permission set by the first entity will change in a predetermined period of time (Ala: para.0031 “ In one specific example, the selected permissions 102 may also include, for example, permissions that are estimated to have greater than a threshold probability of being used, by the identity 100, in a future time period. For example, in some cases, machine learning components that employ a machine learning model may evaluate a given identity's current attached permissions and prior usage of the current attached permissions. In some examples, based at least in part on the current attached permissions and prior usage of the current attached permissions, the machine learning model may be configured to identify permissions that have not been used, by the given identity, within a previous prior time window (e.g., within the past 90 days) but that are nevertheless likely to be used in the future…. For example, if a given identity were to use a particular permission every 150 days, this usage pattern may strongly suggest that the permissions may be used again at the next 150 day interval, even if the permission has not been used within the past 90 days.” It can be determined that there is a threshold probability that based usage of the current permission set will change in the next 150 days.);
recommending, for the first entity, the current permission set with the candidate permission set based on at least one of: the criticality score, the stability score (Ala: para.0023 “The selected permissions may also include, for example, permissions that are estimated to have greater than a threshold probability of being used, by the identity, within a future time period.” para.0032 “The recommendations component 110 may then evaluate the inputs to make a determination 111 of whether the available policy set 101 includes one or more matching policy subsets, which are subsets that cover all the selected permissions 102 without allowing any additional permissions.” Para.0033 “ By contrast, if the available policy set 101 includes multiple matching policy subsets, then one of the multiple matching policy subsets may be selected for recommendation based on various criteria. In some examples, a matching policy subset that includes the fewest number of policies may be recommended.” Based on the stability score, selected permissions are determined, and used to determine which candidate permission should be applied), or the security gain score.
However Ala does not explicitly disclose determining a criticality score indicative of a criticality of the first entity; determining a security gain score indicative of an amount of security improvement achievable by replacing the current permission set with the candidate permission set; replacing, for the first entity, the current permission set with the candidate permission set based on at least one of: the criticality score, the stability score, or the security gain score.
Shua discloses determining a security gain score indicative of an amount of security improvement achievable by replacing the current permission set with the candidate permission set (Shua: para.0075 “A risk margin for an identity may refer to a level of risk associated with a specific identity, e.g., a degree to which one or more resources (e.g., a cloud resource) may be exposed to one or more threats and/or vulnerabilities due to one or more activities performed by or otherwise associated with an identity. … A risk margin for an identity may be associated with a risk that a cloud resource may be compromised due to one or more (e.g., inadvertently authorized) activities.” Para.0101 “By way of a non-limiting example, in FIGS. 3A-3B, the at least one processor (e.g., processor 202 of permission server 114) may calculate an average risk margin for each candidate clustering scheme (e.g., see candidate clustering schemes 400 to 406 in FIG. 4) based on at least reduced permission policy 306. For example, the average risk margin for candidate clustering scheme 404 may account for gap 308 under reduced permission policy 306 being smaller than gap 304 under (e.g., non-reduced) permission policy 300 by distance 310.” Para.0112 “In a second ML approach, at least three different candidate solutions may be used resolve a tradeoff between reducing average risk margin and a number of permission policies (e.g., a loose solution, a medium solution, and a tight solution). A loose solution (e.g., having a risk margin below an upper threshold amount, for example below 80%) may be substantially easy implement and manage, incurring a relatively low management cost due to a relatively small number of policies, and may correspond to a relatively modest improvement in average risk margin. For example, a loose solution may be associated with a minimal number of permission policies for delivering an improvement in average risk margin above a low threshold amount (e.g., a 50% improvement in risk margin).” An percentage change average risk margin is determined based on reduced permission policies that would be applied in step 1008-1012 in Fig. 10.)
replacing, for the first entity, the current permission set with the candidate permission set based on at least one of: the criticality score, the stability score, or the security gain score (Shua: para.0130 “Process 1100 may include a step 1110 of determining an ideal number of clusters…. Process 1100 may include a step 1112 of selecting clusters associated with POLP permission policies. By way of a non-limiting example, in FIGS. 3A-3B, the at least one processor may select a cluster based on reduced permission policy 306. Process 1100 may include a step 1114 of applying or recommending application of permission policies based on a selection of clusters with associated with POLP permission policies. ” Step 1110 of Fig. 11 after obtaining an ideal number of clusters i.e. the selected clustering scheme as in Fig. 10, based on the improvement in average risk improvement, the reduced permission policy of at least one of the clusters that was in the selected clustering scheme, is selected for application in step 1114 Fig. 11.).
Therefore it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala with Shua in order to incorporate determining a security gain score indicative of an amount of security improvement achievable by replacing the current permission set with the candidate permission set; replacing, for the first entity, the current permission set with the candidate permission set based on at least one of: the criticality score, the stability score, or the security gain score.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security based on allowed permissions to entities (Shua: para.0075).
However Ala-Shua does not explicitly disclose determining a criticality score indicative of a criticality of the first entity.
Bishop discloses determining a criticality score indicative of a criticality of the first entity (Bishop: para.0005 “which uses a specially structured machine learning model along with linear regression in order to iteratively determine priorities for different computing applications”para.0006 “to determine user priorities and/or user-specific application priorities…. For example, the application and/or user prioritization system may automatically generate a response indicating that a given application is more critical for a given user than another application for that user.” para.0007 “In some cases, the resource management system may use application and/or user prioritizations to automatically grant users' permission to access computing devices and/or installed applications, such that users are able to complete tasks in a timely manner with little or none of the delays exhibited by previous technology.” Based on priorities of users and applications, an entities criticality may be determined and used to grant permissions).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua with Bishop in order to incorporate determining a criticality score indicative of a criticality of the first entity.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of automatically granting permission based on criticality/priority (Bishop: para.0006).
Regarding Claim 4, Ala-Shua-Bishop discloses claim 1 as set forth above.
However Ala-Shua does not explicitly disclose wherein said determining a criticality score comprises: providing, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with, the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity, an activity pattern associated with the first entity, a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity; and receiving, from the classifier model, the criticality score.
Bishop discloses wherein said determining a criticality score comprises: providing, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with (Bishop: para.0010 “The memory stores user affinities that include, for each of the users, an affinity score corresponding to a predetermined ability level of the user to engage in an activity associated with one or more of the computing applications. The prioritization system determines, by performing a cluster analysis of the access record and the permission record, a usage cluster that includes, for each of the users, the previous usage of each of the computing applications that the user is permitted to access. The prioritization system determines, by performing a cluster analysis of the usage cluster and the user affinities, a usage affinity cluster that includes, for each of the users, the affinity scores corresponding to the predetermined ability levels of the user to engage in activities associated with the computing applications that the user is permitted to access. The prioritization system determines, based at least in part on the usage affinity cluster, a priority score for each of the users.” Para.0057 “ Machine learning 212 performs cluster analysis using the machine learning model 236 of the data received from the indexed analysis temporary storage 210. Cluster analysis may be configured to reduce the cluster size in order to determine values of the factors 226 and weights 228 to provide to the indexed machine learning models 214, which provides working storage for the results 234, factors 226, and weights 228.” Cluster analysis is performed using a machine learning model based on user characteristics of usage, i.e. historical activity with a resource, as well as user affinities, i.e. entity characteristics),
the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity (Bishop: para.0083 “For example, the affinity score 518 a,b may correspond to how often the user 502 performs an activity 514 a,b (e.g., performing a particular type of analysis, generating a certain type of work product, etc.)” type of activity),
an activity pattern associated with the first entity (Bishop: para.0010 “ by performing a cluster analysis of the access record and the permission record, a usage cluster that includes, for each of the users, the previous usage of each of the computing applications that the user is permitted to access.” Past usage, i.e. pattern),
a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity (Bishop: para.0061 “ As described above, the application data 124 generally includes characteristics of each of the computing applications 112 a-c and users 164 of the computing applications 112 a-c.” both entity and resource characteristics);
and receiving, from the classifier model, the criticality score (Bishop: para.0010 “The prioritization system determines, based at least in part on the usage affinity cluster, a priority score for each of the users.” Para.0057 “ Machine learning 212 performs cluster analysis using the machine learning model 236 of the data received from the indexed analysis temporary storage 210. “ The prioritization system using machine learning model 130 in Fig. 1, obtains the priority scores. ).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua with Bishop in order to incorporate wherein said determining a criticality score comprises: providing, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with, the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity, an activity pattern associated with the first entity, a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity; and receiving, from the classifier model, the criticality score.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of automatically granting permission based on criticality/priority (Bishop: para.0006).
Regarding Claim 5, Ala-Shua-Bishop discloses claim 1 as set forth above.
Ala further discloses wherein said determining, based on historical usage of a current permission set by the first entity, a stability score comprises: determining interaction characteristics of the interactions between the first entity and a first resource (Ala: para.0031 “ For example, in some cases, machine learning components that employ a machine learning model may evaluate a given identity's current attached permissions and prior usage of the current attached permissions.” Interactions between the identity and usage of the permissions for the resources are determined.);
determining entity characteristics of the first entity (Ala: para.0031 “As another example, a pattern may identify that Service X and Service Y have been frequently used together by a large quantity of identities. Now suppose that a given identity has used Service X several times within the past 90 days but has never used Service Y. In this example, the given identity may be considered to have a high probability of using Service Y in the future (because Service Y is frequently used with Service X) even though the given identity has never used Service Y in the past.” The identity has never used service Y);
determining resource characteristics of the first resource (Ala: para.0031 “As another example, a pattern may identify that Service X and Service Y have been frequently used together by a large quantity of identities. Now suppose that a given identity has used Service X several times within the past 90 days but has never used Service Y. In this example, the given identity may be considered to have a high probability of using Service Y in the future (because Service Y is frequently used with Service X) even though the given identity has never used Service Y in the past.” Service X is used frequently with service Y); and
determining the stability score based on the entity characteristics, the resource characteristics, and the interaction characteristics (Ala: para.0031 “ In one specific example, the selected permissions 102 may also include, for example, permissions that are estimated to have greater than a threshold probability of being used, by the identity 100, in a future time period. For example, in some cases, machine learning components that employ a machine learning model may evaluate a given identity's current attached permissions and prior usage of the current attached permissions. In some examples, based at least in part on the current attached permissions and prior usage of the current attached permissions, the machine learning model may be configured to identify permissions that have not been used, by the given identity, within a previous prior time window (e.g., within the past 90 days) but that are nevertheless likely to be used in the future….As another example, a pattern may identify that Service X and Service Y have been frequently used together by a large quantity of identities. Now suppose that a given identity has used Service X several times within the past 90 days but has never used Service Y. In this example, the given identity may be considered to have a high probability of using Service Y in the future (because Service Y is frequently used with Service X) even though the given identity has never used Service Y in the past.” Because the entity has never used service Y, but X and Y are used together frequently, and entity uses service X, the stability score can be determined that because of all of these factors, the stability score, i.e. that the current permission set usage will change as in claim 1, of the user changing his/her behavior during the current permission set by using service Y, is greater than a threshold probability.).
Regarding Claims 8 and 12, they teach all of the same steps as claim 1, and 5 but in A system comprising: a processor; a memory device that stores program code structured to cause the processor to (Ala: para.0124), therefore the supporting rationale for the rejection to claims 1 and 5 apply equally as well to that of claims 8 and 12.
Regarding Claim 11, Ala-Shua-Bishop discloses claim 8 as set forth above.
However Ala-Shua does not explicitly disclose provide, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with, the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity, an activity pattern associated with the first entity, a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity; and receive, from the classifier model, a criticality score indicative of the criticality of the first entity, wherein the program code is structured to further cause the processor to replace, for the first entity, the current permission set with the candidate permission set further based on the criticality score.
Bishop discloses wherein said determining a criticality score comprises: providing, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with (Bishop: para.0010 “The memory stores user affinities that include, for each of the users, an affinity score corresponding to a predetermined ability level of the user to engage in an activity associated with one or more of the computing applications. The prioritization system determines, by performing a cluster analysis of the access record and the permission record, a usage cluster that includes, for each of the users, the previous usage of each of the computing applications that the user is permitted to access. The prioritization system determines, by performing a cluster analysis of the usage cluster and the user affinities, a usage affinity cluster that includes, for each of the users, the affinity scores corresponding to the predetermined ability levels of the user to engage in activities associated with the computing applications that the user is permitted to access. The prioritization system determines, based at least in part on the usage affinity cluster, a priority score for each of the users.” Para.0057 “ Machine learning 212 performs cluster analysis using the machine learning model 236 of the data received from the indexed analysis temporary storage 210. Cluster analysis may be configured to reduce the cluster size in order to determine values of the factors 226 and weights 228 to provide to the indexed machine learning models 214, which provides working storage for the results 234, factors 226, and weights 228.” Cluster analysis is performed using a machine learning model based on user characteristics of usage, i.e. historical activity with a resource, as well as user affinities, i.e. entity characteristics),
the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity (Bishop: para.0083 “For example, the affinity score 518 a,b may correspond to how often the user 502 performs an activity 514 a,b (e.g., performing a particular type of analysis, generating a certain type of work product, etc.)” type of activity),
an activity pattern associated with the first entity (Bishop: para.0010 “ by performing a cluster analysis of the access record and the permission record, a usage cluster that includes, for each of the users, the previous usage of each of the computing applications that the user is permitted to access.” Past usage, i.e. pattern),
a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity (Bishop: para.0061 “ As described above, the application data 124 generally includes characteristics of each of the computing applications 112 a-c and users 164 of the computing applications 112 a-c.” both entity and resource characteristics);
and receive, from the classifier model, a criticality score indicative of the criticality of the first entity, wherein the program code is structured to further cause the processor to replace, for the first entity, the current permission set with the candidate permission set further based on the criticality score (Bishop: para.0010 “The prioritization system determines, based at least in part on the usage affinity cluster, a priority score for each of the users.” Para.0057 “ Machine learning 212 performs cluster analysis using the machine learning model 236 of the data received from the indexed analysis temporary storage 210. “ The prioritization system using machine learning model 130 in Fig. 1, obtains the priority scores. : para.0087 “In some cases, the priority score 530 for a given user 502 may be compared to a priority threshold value 532. If the priority score 530 is greater than the priority threshold value 532, an administrator may be notified, such that appropriate actions may be taken, and/or an action may be taken automatically (e.g., using the resource management system 702 of FIG. 7 ). For instance, this scenario may correspond to the user 164 that corresponds to user 502 having an outsized responsibility, such that greater support should be provided to the user 164 and/or such that additional users 164 should be trained to provide a backup in case this user 164 becomes unavailable.” Para.0006 “As another example, the application and/or user prioritization system may identify one or more users who should be prioritized, for example, by providing additional support to the users (e.g., additional access to infrastructure, software access, training, etc.).” greater access to infrastructure and software can be allocated to the user, i.e. a candidate permission set over his/her current permission set).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua with Bishop in order to incorporate provide, to a classifier model, entity characteristics associated with the first entity and historical activity comprising a resource or a second entity the first entity interacts with, the classifier model trained to determine the criticality of the first entity based on at least one of: an entity type associated with the first entity, an activity type associated with the first entity, an activity pattern associated with the first entity, a resource characteristic associated with the resource in the historical activity, or an entity characteristic associated with the second entity in the historical activity; and receive, from the classifier model, a criticality score indicative of the criticality of the first entity, wherein the program code is structured to further cause the processor to replace, for the first entity, the current permission set with the candidate permission set further based on the criticality score.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of automatically granting permission based on criticality/priority (Bishop: para.0006).
Regarding Claims 15, 18-19, they teach all of the same steps as claims 1 and 4-5 but in A computer-readable storage medium comprising executable instructions that, when executed by a processor, causes the processor to (Ala: para.0136), therefore the supporting rationale for the rejection to claims 1, 4-5 apply equally as well to that of claims 15, 18-19.
Claim(s) 2-3, 9-10, 16-17, is/are rejected under 35 U.S.C. 103 as being unpatentable over Alaeddini et al. (hereinafter Ala, US 2023/0315898 A1) in view of Shua et al. (hereinafter Shua, US 2023/0306127 A1) in view of Bishop III et al. (hereinafter Bishop, US 2023/0031049 A1) in view of Rabin et al. (hereinafter Rabin, US 2021/0203687 A1).
Regarding Claim 2, Ala-Shua-Bishop discloses claim 1 as set forth above.
Ala discloses replacing, for the first entity, the current permission set with the candidate permission set comprises: determining the stability score (Ala: para.0031 “ In one specific example, the selected permissions 102 may also include, for example, permissions that are estimated to have greater than a threshold probability of being used, by the identity 100, in a future time period. For example, in some cases, machine learning components that employ a machine learning model may evaluate a given identity's current attached permissions and prior usage of the current attached permissions. In some examples, based at least in part on the current attached permissions and prior usage of the current attached permissions, the machine learning model may be configured to identify permissions that have not been used, by the given identity, within a previous prior time window (e.g., within the past 90 days) but that are nevertheless likely to be used in the future…. For example, if a given identity were to use a particular permission every 150 days, this usage pattern may strongly suggest that the permissions may be used again at the next 150 day interval, even if the permission has not been used within the past 90 days.” It can be determined that there is a threshold probability that based usage of the current permission set will change in the next 150 days.) and
determining that the stability score satisfies a predetermined permission reduction criterion (Ala: para.0031 “ In one specific example, the selected permissions 102 may also include, for example, permissions that are estimated to have greater than a threshold probability of being used, by the identity 100, in a future time period.” The probability meets a threshold probability).
However Ala does not explicitly disclose replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of the criticality score, the stability score, and the security gain score; and determining that the combined score satisfies a predetermined permission reduction criterion.
Shua discloses determining a security gain score (Shua: para.0075 “A risk margin for an identity may refer to a level of risk associated with a specific identity, e.g., a degree to which one or more resources (e.g., a cloud resource) may be exposed to one or more threats and/or vulnerabilities due to one or more activities performed by or otherwise associated with an identity. … A risk margin for an identity may be associated with a risk that a cloud resource may be compromised due to one or more (e.g., inadvertently authorized) activities.” Para.0101 “By way of a non-limiting example, in FIGS. 3A-3B, the at least one processor (e.g., processor 202 of permission server 114) may calculate an average risk margin for each candidate clustering scheme (e.g., see candidate clustering schemes 400 to 406 in FIG. 4) based on at least reduced permission policy 306. For example, the average risk margin for candidate clustering scheme 404 may account for gap 308 under reduced permission policy 306 being smaller than gap 304 under (e.g., non-reduced) permission policy 300 by distance 310.” Para.0112 “In a second ML approach, at least three different candidate solutions may be used resolve a tradeoff between reducing average risk margin and a number of permission policies (e.g., a loose solution, a medium solution, and a tight solution). A loose solution (e.g., having a risk margin below an upper threshold amount, for example below 80%) may be substantially easy implement and manage, incurring a relatively low management cost due to a relatively small number of policies, and may correspond to a relatively modest improvement in average risk margin. For example, a loose solution may be associated with a minimal number of permission policies for delivering an improvement in average risk margin above a low threshold amount (e.g., a 50% improvement in risk margin).” An percentage change average risk margin is determined based on reduced permission policies that would be applied in step 1008-1012 in Fig. 10.)
determining that the security gain score satisfies a predetermined permission reduction criterion. (Shua: Para.0112 “In a second ML approach, at least three different candidate solutions may be used resolve a tradeoff between reducing average risk margin and a number of permission policies (e.g., a loose solution, a medium solution, and a tight solution). A loose solution (e.g., having a risk margin below an upper threshold amount, for example below 80%) may be substantially easy implement and manage, incurring a relatively low management cost due to a relatively small number of policies, and may correspond to a relatively modest improvement in average risk margin. For example, a loose solution may be associated with a minimal number of permission policies for delivering an improvement in average risk margin above a low threshold amount (e.g., a 50% improvement in risk margin).” The improvement scores are used to determine an acceptable trade off in improvement in risk margin to cost).
Therefore it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala with Shua in order to incorporate determining a security gain score, determining that the security gain score satisfies a predetermined permission reduction criterion.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security based on allowed permissions to entities (Shua: para.0075).
However Ala-Shua does not explicitly disclose replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of the criticality score, the stability score, and the security gain score; and determining that the combined score satisfies a predetermined permission reduction criterion.
Bishop discloses determining a criticality score (Bishop: para.0005 “which uses a specially structured machine learning model along with linear regression in order to iteratively determine priorities for different computing applications” para.0006 “to determine user priorities and/or user-specific application priorities…. For example, the application and/or user prioritization system may automatically generate a response indicating that a given application is more critical for a given user than another application for that user.” para.0007 “In some cases, the resource management system may use application and/or user prioritizations to automatically grant users' permission to access computing devices and/or installed applications, such that users are able to complete tasks in a timely manner with little or none of the delays exhibited by previous technology.” Priorities/criticality of users and applications are determined); and
determining that the criticality score satisfies a predetermined permission reduction criterion (Bishop: para.0087 “In some cases, the priority score 530 for a given user 502 may be compared to a priority threshold value 532. If the priority score 530 is greater than the priority threshold value 532, an administrator may be notified, such that appropriate actions may be taken, and/or an action may be taken automatically (e.g., using the resource management system 702 of FIG. 7 ). For instance, this scenario may correspond to the user 164 that corresponds to user 502 having an outsized responsibility, such that greater support should be provided to the user 164 and/or such that additional users 164 should be trained to provide a backup in case this user 164 becomes unavailable.” Para.0088 “ For example, if a first application priority score 538 a for a first computing application 536 a is greater than the predefined threshold value 540, the response 434 generated by the user-centric prioritization system 402 may indicate that the threshold 540 has been exceeded.” The priority is a representation of criticality as in para.0005-0006, and is used to determine permissions for that entity, i.e. user or application.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua with Bishop in order to incorporate determining a criticality score, and determining that the criticality score satisfies a predetermined permission reduction criterion.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of automatically granting permission based on criticality/priority (Bishop: para.0006).
However Ala-Shua-Bishop does not explicitly disclose replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of the criticality score, the stability score, and the security gain score; and determining that the combined score satisfies a predetermined permission reduction criterion.
Rabin discloses replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of a plurality of risk factor scores (Rabin: para.0062 “To calculate the aggregate scores 202, each sub-score within group 201 may be assigned an absolute or relative weight. For example, the more critical scores may receive a weight of 50, while the less critical scores may receive a weight of 5. The sub-score 202 may then be calculated using the different separate scores, which may be weighted and normalized into a single score.” para.0071 “In step 308, process 300 may calculate a least-privilege damage score for each unused permission. In some embodiments, the least-privilege damage score may be calculated by weighting and combining the potential damage scores from the permission's type, target resources, and special risk factors, calculated in steps 305-307 above.” A plurality of risk factors associated with an entity are weighed and combined into a single combined score.); and
determining that the combined score satisfies a predetermined permission reduction criterion (Rabin: para.0135 “At step 1007, process 1000 may include analyzing the composite exposure assessment. Analyzing the exposure assessment may include comparing the exposure assessment to a reference score or score threshold.” Para.0140 “Generating a security response may include generating a security recommendation 1009. A security recommendation may be a recommendation to reduce a scope of privileges of the entity, for example by reducing the number of privileges, revoking specific privileges, revoking all privileges, revoking access to certain secure resources, etc.” the combined score is compared to a threshold to determine is privileges should be revoked.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Ala-Shua-Bishop with Rabin in order to incorporate replacing, for the first entity, the current permission set with the candidate permission set comprises: determining a combined score based on a weighted combination of the criticality score, the stability score, and the security gain score; and determining that the combined score satisfies a predetermined permission reduction criterion, such that each of the scores in Ala-Shua-Bishop are considered in combination when reducing priveleges.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security while considering the importance of each metric (Rabin: para.0062, para.0002).
Regarding Claim 3, Ala-Shua-Bishop discloses claim 1 as set forth above.
However Ala does not explicitly disclose wherein said determining a security gain score comprises: determining a delta permission set based on a set difference between the current permission set and the candidate permission set; determining the security gain score based on at least one of: an attack path that uses a permission in the delta permission set, a resource characteristic associated with a resource accessible by a permission in the delta permission set, or an ongoing security attack associated with a permission in the delta permission set.
Shua discloses wherein said determining a security gain score comprises: determining a delta permission set based on a set difference between the current permission set and the candidate permission set (Shua: para.0120 “ Gap 308 may correspond to a risk margin indicating a discrepancy between reduced permission policy 306 and associated activities 302. Gap 308 may be smaller than gap 304 by a difference 310, indicating a reduction in risk margin attributable to reduced permission policy 306.” Fig. 3A-3B 310 shows the difference between the current permission policy and reduced permission policy).
Therefore it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala with Shua in order to incorporate wherein said determining a security gain score comprises: determining a delta permission set based on a set difference between the current permission set and the candidate permission set.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security based on allowed permissions to entities (Shua: para.0075).
However, while Ala-Shua-Bishop discloses broadly calculating changes to the risk score, it does not specifically perform determining the security gain score based on at least one of: an attack path that uses a permission in the delta permission set, a resource characteristic associated with a resource accessible by a permission in the delta permission set or an ongoing security attack associated with a permission in the delta permission set.
Rabin discloses determining the security score based on at least one of: an attack path that uses a permission in the delta permission set, a resource characteristic associated with a resource accessible by a permission in the delta permission set (Rabin: para.0091 “As disclosed herein, these individual factor scores may be grouped together into a group or aggregate score for the entity. Scores related to permissions themselves, such as permission category, frequency of use, number of permissions actually used by the entity, may be grouped into a “permission” factor group score. Similarly, scores related to the target resources, such as those relating to the resource's service, the type of target resource, a sensitivity of the target resource, the size of the resource, and others, may be grouped into a “target resources” factor group score.” para.0101 “As illustrated by FIG. 7, an exemplary composite exposure assessment may be calculated from three factor group scores: a permission type score, target resources score, and a special risk factors score.” characteristics for the target resource for a permission are used for the exposure assessment calculation, Fig. 7-8.)
or an ongoing security attack associated with a permission in the delta permission set.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua-Bishop with that of Rabin in order to incorporate determining the security score based on at least one of: an attack path that uses a permission in the delta permission set, a resource characteristic associated with a resource accessible by a permission in the delta permission set, and apply this to the security gain score as in Shua, that already considers differences in access to resources and actions performed, and calculated updated risk margin scores based on changes in permissions granted, such that the characteristics of said resources are considered in its security measurement.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security while considering the importance of each metric (Rabin: para.0062, para.0002).
Regarding Claims 9-10, 16-17, they do not teach nor further define over the limitations of claims 2-3, therefore the supporting rationale for the rejections to claims 2-3 apply equally as well to that of claims 9-10, 16-17.
Claim(s) 6, 13, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Alaeddini et al. (hereinafter Ala, US 2023/0315898 A1) in view of Shua et al. (hereinafter Shua, US 2023/0306127 A1) in view of Bishop III et al. (hereinafter Bishop, US 2023/0031049 A1) in view of Rungta et al. (hereinafter Rungta, US 2023/0370473 A1).
Regarding Claim 6, Ala-Shua-Bishop discloses claim 1 as set forth above.
However Ala-Shua-Bishop does not explicitly disclose wherein said determining a candidate permission set for a first entity comprises: determining interactions between the first entity and a first resource associated with the current permission set; and determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources.
Rungta discloses wherein said determining a candidate permission set for a first entity comprises: determining interactions between the first entity and a first resource associated with the current permission set (Rungta: para.0027 “When a new user or resource is added to the policy, the initial scoping can be determined in a number of different ways. For example, the initial access may be full access granted as discussed herein, with the eventual set of permissions being adjusted based upon actual usage.” During initial scoping, the user is granted a current permission set, and usage of resources is observed.); and
determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources (Rungta: para.0027 “When a new user or resource is added to the policy, the initial scoping can be determined in a number of different ways. For example, the initial access may be full access granted as discussed herein, with the eventual set of permissions being adjusted based upon actual usage. In some embodiments an attempt will be made to classify or group the new user or resource with similar users or resources, and apply scoping and permissions similar to those applied for the other users or resources. In some embodiments an initial scope between the two may be granted, such as where the granted permissions are all granted but not all the denied permissions for similar users or resources may be denied. There may be certain types of access that are less critical, or more critical, and these can be configured to either be more or less conservative when it comes to initial restrictions in at least some embodiments.” Para.0043 “In this example, a set of historical usage data can be obtained 502 with respect to a set of resources, such as the log data generated in the example process 400 of FIG. 4. This can include information about each action or request received, granted, and/or denied over at least a specified period of time, where the access was to the set of resources and processed using a specified access policy.” para.0011 “An initial access policy may be implemented to determine whether to grant access requests received over a period of time. Information about access requests received over that period of time can be logged, then analyzed to determine patterns of access to the corresponding resources. Actions represented in the log data can be mapped to the permissions of the access policy, and permissions that were utilized to grant access over that period can be determined.” Based on interaction data of similar users and similar resources, patterns of access to particular resources are learned, and used to recommend an access policy in step 518 of Fig. 5).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua-Bishop with that of Rungta in order to incorporate wherein said determining a candidate permission set for a first entity comprises: determining interactions between the first entity and a first resource associated with the current permission set; and determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of determining permissions that should be applied to particular users (Rungta: para.0002).
Regarding Claims 13, 20 they do not teach nor further define over the limitations of claim 6 therefore the supporting rationale for the rejections to claim 6 apply equally as well to that of claims 13 and 20.
Claim(s) 7, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Alaeddini et al. (hereinafter Ala, US 2023/0315898 A1) in view of Shua et al. (hereinafter Shua, US 2023/0306127 A1) in view of Bishop III et al. (hereinafter Bishop, US 2023/0031049 A1) in view of Rungta et al. (hereinafter Rungta, US 2023/0370473 A1) further in view of Pugalia et al. (hereinafter Pug, US 11,218,511 B1).
Regarding Claim 7, Ala-Shua-Bishop-Rungta discloses claim 6 as set forth above.
However Ala-Shua-Bishop does not explicitly disclose wherein said determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources comprises: determining entity characteristics of the first entity; determining resource characteristics of the first resource; providing the entity characteristics and resource characteristics to a factorization machine trained on training data comprising characteristics associated with the second entities and characteristics associated with the second resources; and receiving, from the factorization machine, the candidate permission set.
Rungta discloses wherein said determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources comprises: determining entity characteristics of the first entity (Rungta: para.0042 “As mentioned, this can include determining the type of access requested, then consulting the policy to see whether that type of access is permitted for that user, type of user… Regardless of whether the access is granted in at least some embodiments, data for the access request can be written 418 to an access log or other such location for subsequent analysis. As mentioned, the log data can be stored indefinitely or for a monitoring period of time, among other such options.” para.0043 “In this example, a set of historical usage data can be obtained 502 with respect to a set of resources, such as the log data generated in the example process 400 of FIG. 4…. Such a process can be used to determine at least which permissions were utilized over that period of time, and in some cases the extent to which those permissions were utilized. The extent information may be particularly useful when processing the information using machine learning to recognize usage patterns or otherwise classify the various permission options.” Para.0025 “ For example, the access patterns of a set of user can be monitored over time and used to train a machine learning model. The access granted under a policy can be monitored over a specific period of time, and that information processed using the machine learning model to determine which permissions should be maintained or denied for the policy.” Log data is maintained and used in machine learning, such as type of user);
determining resource characteristics of the first resource (Rungta: para.0043 “The data can represent a set of actions that were performed, and those actions can be mapped 506 to permissions of the access policy. For example, a writing of data to a resource might be analyzed to determine whether it was, or should properly have been, granted access under a write permission, a modify permission, a full control permission, or a put permission.” How the resource was used is determined, thereby showing resource characteristics.);
providing the entity characteristics and resource characteristics to a machine learning model trained on training data comprising characteristics associated with the second entities and characteristics associated with the second resources (Rungta: para.0025 “For example, the access patterns of a set of user can be monitored over time and used to train a machine learning model. The access granted under a policy can be monitored over a specific period of time, and that information processed using the machine learning model to determine which permissions should be maintained or denied for the policy.” The machine learning model trained over time for a set of users and their activity, such as the log data in para.0043); and
receiving, from the machine learning model, the candidate permission set (Rungta: para.0025 “ In at least some embodiments the recommended policies can be generated at least in part using machine learning. For example, the access patterns of a set of user can be monitored over time and used to train a machine learning model. The access granted under a policy can be monitored over a specific period of time, and that information processed using the machine learning model to determine which permissions should be maintained or denied for the policy. ” para.0043-0044 “Such a process can be used to determine at least which permissions were utilized over that period of time, and in some cases the extent to which those permissions were utilized. The extent information may be particularly useful when processing the information using machine learning to recognize usage patterns or otherwise classify the various permission options…. In this example the utilized permissions can be utilized to generate 510 a new access policy to be recommended for the set of resources. …As mentioned, there may be embodiments where the scope is broadened, or where certain permission scope is broadened for a policy while others are decreased in scope, among other such options. Certain embodiments that utilize machine learning may also recommend alternative permissions that may have different scope that may be permissible under the relevant policy logic.” A machine learning model is used to process the historical information to obtain a candidate permission set).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ala-Shua-Bishop with that of Rungta in order to incorporate wherein said determining the candidate permission set based on interactions between second entities and second resources, similarities between the first entity and the second entities, and similarities between the first resource and the second resources comprises: determining entity characteristics of the first entity; determining resource characteristics of the first resource; providing the entity characteristics and resource characteristics to a machine learning model trained on training data comprising characteristics associated with the second entities and characteristics associated with the second resources; and receiving, from the machine learning model, the candidate permission set.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of determining permissions that should be applied to particular users (Rungta: para.0002).
However Ala-Shua-Bishop-Rungta does not explicitly disclose providing the entity characteristics and resource characteristics to a factorization machine trained on training data comprising characteristics associated with the second entities and characteristics associated with the second resources; receiving, from the factorization machine, the candidate permission set.
Pug discloses providing the input data to a factorization machine trained on training data comprising labeled historical data (Pug: col. 13 lines 45-58 “As indicated at 820, a supervised learning technique may be applied to the recorded modifications to train a machine learning (ML) model to produce suggested corrections for access management policies, in some embodiments. For example, the truth labels indicated by the recorded modifications to portions of a policy may be used to train the machine learning model to solve a classification problem (e.g., class of suggestion) according to various supervised learning techniques, such as Factorization Machines Algorithm” col. 13 lines 59-col. 14 line 9 “As indicated at 830, the machine learning model may be applied to an error identified in an access management policy to generate a suggested correction for the error in the access management policy,” a factorization machine based machine learning model is trained on historical information, and an error in access management is input to the machine learning model.);
receiving, from the factorization machine, the candidate permission set (Pug: col. 13 lines 59-col. 14 line 9 “As indicated at 830, the machine learning model may be applied to an error identified in an access management policy to generate a suggested correction for the error in the access management policy,” the factorization machine outputs the corrections to the management policy, i.e. candidate permission set.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Ala-Shua-Bishop-Rungta with that of Pug in order to incorporate providing the input data to a factorization machine trained on training data comprising labeled historical data, receiving, from the factorization machine, the candidate permission set, and apply this concept to the providing the entity characteristics and resource characteristics to a machine learning model trained on training data comprising characteristics associated with the second entities and characteristics associated with the second resources, as taught by Rungta.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of known benefits of factorization machines that would improve upon generic machine learning models by incorporating supervised learning (Pug: col. 13 lines 45-58).
Regarding Claim 14 it does not teach nor further define over the limitations of claim 7 therefore the supporting rationale for the rejections to claim 7 apply equally as well to that of claim 14.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ross et al. US 2021/0168150 A1 see para.0134, and Fig. 5 and 9 showing determining criticality of applications and determining degree of privilege for users.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EUI H KIM whose telephone number is (571)272-8133. The examiner can normally be reached 7:30-5 M-R, M-F alternating.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached at 5712725863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EUI H KIM/Examiner, Art Unit 2453
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453