Prosecution Insights
Last updated: May 29, 2026
Application No. 18/689,775

SYSTEM FOR CONTROLLING NETWORK ACCESS OF APPLICATION ON BASIS OF DATA FLOW, AND METHOD RELATING TO SAME

Non-Final OA: §102, §103
Filed: Mar 06, 2024
Priority: Sep 07, 2021 — RE 10-2021-0119167 +1 more
Examiner: SCHMIDT, KARI L
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Pribit Technology Inc.
OA Round: 1 (Non-Final)
Grant Probability: 74% (Favorable)
OA Rounds: 1-2
Est. Remaining: 1y 6m
With Interview: 99%

Examiner Intelligence

Career Allowance Rate: 74% (552 granted / 744 resolved; +16.2% vs TC avg; above average)
Interview Lift: +42.9% (resolved cases with interview vs without)
Avg Prosecution: 3y 9m
Currently Pending: 22
Total Applications: 768 across all art units

Statute-Specific Performance

§101: 2.0% (-38.0% vs TC avg)
§103: 91.2% (+51.2% vs TC avg)
§102: 4.7% (-35.3% vs TC avg)
§112: 1.0% (-39.0% vs TC avg)
Based on career data from 744 resolved cases; TC average is an estimate.

Office Action (§102, §103)
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to the application 18/689,775 filed on 3/6/2024. Claims 1-9 have been examined and are pending in this application. As per the Preliminary Amendment filed on 3/6/2024, claims 1-9 have been amended. Claims 1-9 have been examined and are pending. The examiner notes the IDS filed on 3/6/2024 has been considered.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1 and 8 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Goldschlag et al (US 2011/0276683 A1).

Regarding Claim 1; Goldschlag discloses a network system, comprising: a node including a communication circuit, a processor operatively connected with the communication circuit, and a memory storing an access control application (FIG. 1 – Mobile Device and [0055] – Mobile Device 1000... It can include an internal processor connected to one or more memory devices that store data and programs. The internal processor can execute programs stored in the memory devices to perform the functions); a destination network the node wants to access (FIG. 1 – Server and [0056] and [0059]); a network node located between the node and the destination network and configured to include a memory (FIG. 1 – A Policy Proxy and [0043] - The functionality of the policy proxy can be implemented in a variety of arrangements, such as with a separate network device, by embedding the functionality into an existing network device, such as a network router, switch or firewall, by incorporating the policy proxy functionality into a policy server system, into each server that connects to mobile devices directly or indirectly, in a virtual machine or network appliance, or by any other appropriate mechanism and [0057] - A Policy proxy 1300 is positioned in the communication path between mobile device 1100 and applications server 1200 such that it is enabled to receive, block, intercept, substitute, monitor or alter communications between the applications server 1200 and the mobile device 1100); and a server including a communication circuit, a processor operatively connected with the communication circuit, and a memory storing a database, the server being communicatively connected with the node and the network node (FIG. 1 – depicts the policy server communicatively connected to the mobile device and server via the policy proxy and [0057] - Policy proxy 1300 can be supplied with one or more policies, or policy elements, from policy server 1400, and can use these policies to permit, limit or prevent the mobile device's 1100 access to the server 1200, to configure the mobile device's 1100 security policy configuration, and for other uses as required.), wherein the node is configured to: transmit or drop a data packet depending on whether there is data flow based on identification information of a target application or identification information including an IP address and port information of the destination network to communicate with the destination network, by means of the access control application ([0066] - ...data packets ... transport communications from both the mobile device 2011-2014 and from applications servers 2020-2022... receive, modify, add, suppress, or deliver data packets... and [0076] – ...application information routing... and [0082] - In typical usage of an exemplary embodiment, a mobile device 2011-2014 initiates a connection to an applications server 2020-2022 or other server 2080 using a network transport protocol capability of the mobile device 2011-2014.); transmit identification information of a terminated application to the server, when a termination of execution of the target application is detected ([0037] - An exemplary illustrative non-limiting method preferably comprises intercepting a data stream between a data server and the mobile device, identifying the mobile device, identifying a policy in an integrated policy server applicable to the mobile device based on the identity of the mobile device, the policy including one or more policy elements, identifying one or more of the policy elements based on the mobile device, and translating the policy elements into actions involving the data stream between the data server and the mobile device so as to implement at least one aspect of the identified policy. The actions can comprise permitting normal exchange of data between the data server and the mobile device, preventing communication between the data server and the mobile device, or modifying the data stream between the data server and the mobile device and [0066] - receive, modify, add, suppress, or deliver data packets... and [0076] – ...application information routing...); wherein the server is configured to: transmit information for deleting a data flow corresponding to the identification information of the terminated application to the network node ([0048] - When required by the policy provided by the policy server, the policy proxy can also alter the configuration of the mobile device and/or the configuration of one or more servers, network devices or other components required for access to the policy-protected network so as to prevent the mobile device gaining access in the future and [0068] - In some exemplary embodiments the policy proxy 2050 can cause the mobile device 2011-2014 configuration, and/or the configuration of various information servers 2080 and other network components, such as servers 2020-2022, to be altered so as to block access to the network by the mobile device 2011-2014, when required by policy and [0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.); wherein the network node is configured to: delete data flow corresponding to the information for deleting the data flow ([0042] and [0068] - In some exemplary embodiments the policy proxy 2050 can cause the mobile device 2011-2014 configuration, and/or the configuration of various information servers 2080 and other network components, such as servers 2020-2022, to be altered so as to block access to the network by the mobile device 2011-2014, when required by policy and [0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.).

Regarding Claim 8; Goldschlag discloses the system of Claim 1. Goldschlag further discloses wherein the node is configured to: detect an access release event and request the server to end control flow ([0066] and [0073] – Policy results interceptor. The policy proxy 2050 can also function as a policy results interceptor...configuration results are redirected to additional and/or alternative applications servers and/or policy servers and [0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.), wherein the server is configured to: remove control flow identified and found based on control flow identification information requested by the node ([0037] - An exemplary illustrative non-limiting method preferably comprises intercepting a data stream between a data server and the mobile device, identifying the mobile device, identifying a policy in an integrated policy server applicable to the mobile device based on the identity of the mobile device, the policy including one or more policy elements, identifying one or more of the policy elements based on the mobile device, and translating the policy elements into actions involving the data stream between the data server and the mobile device so as to implement at least one aspect of the identified policy. The actions can comprise permitting normal exchange of data between the data server and the mobile device, preventing communication between the data server and the mobile device, or modifying the data stream between the data server and the mobile device and [0066] - receive, modify, add, suppress, or deliver data packets...); and request the network node for relaying all dependent data flow to remove data flow, when the control flow is removed ([0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.), and wherein the network node is configured to: remove the data flow, such that the application is in a state in which it is no longer able to transmit the data packet to the destination network ([0066] - receive, modify, add, suppress, or deliver data packets... and [0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.).

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 3 and 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldschlag et al (US 2011/0276683 A1) in view of Anderson (US 2006/0041936 A1).

Regarding Claim 3; Goldschlag discloses the system of Claim 1. Goldschlag further discloses concepts of drop... ([0066] – suppress); identify the data packet is included in an inspection target based on a data packet inspection rule database (DB) included in the data flow, when there is the data flow ([0066] and [0079] - The term "rules", as used herein, refers to any method of describing the relationship between specific data inputs and an action or other behavior on the part of a policy proxy and [0080] - Other exemplary embodiments specify rules using other mechanisms, such as table lookups, associative arrays, hashes, comma-delimited lists, name-value pairs, tagged data, predefined value sequences); forward the data packet, when it is not included in the inspection target ([0066]- deliver data packet and [0079] - The term "rules", as used herein, refers to any method of describing the relationship between specific data inputs and an action or other behavior on the part of a policy proxy... and [0080] - Other exemplary embodiments specify rules using other mechanisms, such as table lookups, associative arrays, hashes, comma-delimited lists, name-value pairs, tagged data, predefined value sequences); and perform data packet processing, when it is included in the inspection target ([0066] – modify and [0079] - The term "rules", as used herein, refers to any method of describing the relationship between specific data inputs and an action or other behavior on the part of a policy proxy... and [0080] - Other exemplary embodiments specify rules using other mechanisms, such as table lookups, associative arrays, hashes, comma-delimited lists, name-value pairs, tagged data, predefined value sequences).

Goldschlag fails to explicitly disclose wherein the network node is configured to: identify whether there is data flow in a data table stored in the database, based on the IP address of the node, the IP address of the destination network, and the port information, among data packets received from the node; [[drop]] the received data packet, when there is no the data flow.

However, in an analogous art, Anderson teaches wherein the network node is configured to: identify whether there is data flow in a data table stored in the database, based on the IP address of the node, the IP address of the destination network, and the port information, among data packets received from the node ([0073] - Refer again to step 904 where the user selects a display option. If the user selects the option to display the data flow vulnerability table (branch 940), program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface (step 942). For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface); drop the received data packet, when there is no the data flow ([0003]- filtering and blocking data which flows to and through the network and [0073] – ...data flows permitted...).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Anderson to the data flow of Goldschlag to include wherein the network node is configured to: identify whether there is data flow in a data table stored in the database, based on the IP address of the node, the IP address of the destination network, and the port information, among data packets received from the node; drop the received data packet, when there is no the data flow. One would have been motivated to combine the teachings of Anderson to Goldschlag to do so as it provides / allows graphically presenting data flows, vulnerabilities and misconfigurations of a firewall (Anderson, [0001]).

Regarding Claim 7; Goldschlag discloses the system of Claim 1. Goldschlag further discloses wherein the node is configured to: detect a control flow update event and request the server to update control flow ([0054] - Policy Management Protocols for interaction between policy servers and Protocol devices receiving policies. These can provide means to transfer policies to receiving devices, to manage policies on those devices, or enable other policy-related activities and [0073] – Policy results interceptor. The policy proxy 2050 can also function as a policy results interceptor...configuration results are redirected to additional and/or alternative applications servers and/or policy servers.); and end the application or block all network access of the application, when the result of updating [a] control flow is inaccessible ([0066] - Policy proxies can also receive, modify, add, suppress, or deliver data packets comprising exchanges other than policy transport communications, such as data communications when enforcing policy limitations or data deletion requirements on a mobile device, or when acting as a firewall, or to prevent communication between non-compliant mobile devices and enterprise servers).

Goldschlag fails to explicitly disclose wherein the server is configured to: identify whether there is control flow in a control flow table based on control flow identification information requested by the node; return inaccessible information to the node, when there is no the control flow; and update an update time, when there is the control flow, and search for data flow dependent on the control flow.

However, in an analogous art, Anderson teaches wherein the server is configured to: identify whether there is control flow in a control flow table based on control flow identification information requested by the node ([0073] - Refer again to step 904 where the user selects a display option. If the user selects the option to display the data flow vulnerability table (branch 940), program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface (step 942). For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface); return inaccessible information to the node, when there is no the control flow ([0003]- filtering and blocking data which flows to and through the network and [0073] – ...data flows permitted...); and update an update time, when there is the control flow, and search for data flow dependent on the control flow ([0043] - Refer again to decision 508, yes branch, where program function 120 has evaluated the last interface for firewall 21. At that time, program function 120 determines if any rules in the ruleset have not been found to be associated with an interface of firewall 21 (decision 530). If so, program function 130 writes default behavior to data flow checking table 514 (step 532)... then program function 120 has completed its checking, and proceeds to step 602 to invoke program function 130.)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Anderson to the data flow of Goldschlag to include wherein the server is configured to: identify whether there is control flow in a control flow table based on control flow identification information requested by the node; return inaccessible information to the node, when there is no the control flow; and update an update time, when there is the control flow, and search for data flow dependent on the control flow. One would have been motivated to combine the teachings of Anderson to Goldschlag to do so as it provides / allows graphically presenting data flows, vulnerabilities and misconfigurations of a firewall (Anderson, [0001]).

Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Goldschlag et al (US 2011/0276683 A1) in view of Qiao et al. (US 2020/0214054 A1).

Regarding Claim 9; Goldschlag discloses the system of Claim 9. Goldschlag further discloses wherein the access control application of the node is further configured to: delete all data flow corresponding to identification information of the ended application ([0066] - Policy proxies can also receive, modify, add, suppress, or deliver data packets comprising exchanges other than policy transport communications, such as data communications when enforcing policy limitations or data deletion requirements on a mobile device, or when acting as a firewall, or to prevent communication between non-compliant mobile devices and enterprise servers and [0093] - Active intermediation can also, with some protocols such as NFS, be used to delete data from a policy-managed device by altering communication data streams to incorporate commands to delete files, alter the content of files, activate applications to alter stored data, etc.).

Goldschlag fails to explicitly disclose when the ended application is not present in a list of processes which are running to track the end of multiple executable applications.

However, Qiao discloses when the ended application is not present in a list of processes which are running to track the end of multiple executable applications ([0270] - In an example, the UPF may enforce the at least one packet detection rule by matching a user data/traffic packet with service data flow template (e.g. service data flow filter(s) and/or application identifier(s)) and may apply other user plane rules (e.g. forwarding action rule, QoS enforcement rule, and usage reporting rule) to the data/traffic packets matched the packet detection rule. In an example, the UPF may detect a restricted service for the always-on PDU session by the packet detection rule and enforce the at least one forwarding action rule by forwarding, duplicating, dropping or buffering a data/traffic packet respectively).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qiao to the data flow of Goldschlag to include when the ended application is not present in a list of processes which are running to track the end of multiple executable applications. One would have been motivated to combine the teachings of Qiao to Goldschlag to do so as it provides / allows policy and charging control for [a] session (Qiao, [0042]).

Allowable Subject Matter

Claims 2 and 4-6 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Regarding Claim 2; neither the prior art of record as cited within this Office Action, nor the additional references cited, alone or in combination, anticipates, reasonably teaches, or renders obvious the feature of: "wherein the server is configured to: identify whether identification information of the access control application is included and whether it is accessible to a network node present between the destination network mapped to the identification information and a network boundary of the node, in an access policy matched with the identification information on control flow; identify whether it is accessible to a network node at the boundary of the destination network the node wants to access in the network node policy to grant access of the node, when it is accessible, and identify whether there is data flow accessible to the IP address and a port of the destination network in a data flow table; generate data flow based on the IP address of the node, the IP address of the destination network, the port information, and data packet inspection information to grant access of the application, when there is no valid data flow in the data flow table, and transmit the generated data flow to the network node and the node; and transmit data flow to the node, when there is the accessible data flow in the data flow table." Therefore, claim 2 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claim 6 inherits the allowable subject matter of claim 2, as claim 6 depends from claim 2.

Regarding Claim 4; neither the prior art of record as cited within this Office Action, nor the additional references cited, alone or in combination, anticipates, reasonably teaches, or renders obvious the feature of: "wherein the data packet processing includes: inspecting whether a single data packet is identical based on the data packet inspection rule database, when a single inspection of the data packet is performed; storing the transmitted data packet in the memory of the network node up to a data packet transmission end point, when multiple inspections of the data packet are performed, and inspecting whether all the stored data packets are identical based on the data packet inspection rule database; and processing a data packet, a pattern of which is detected, depending on data packet inspection information, when it is identical to the data packet inspection rule database, and wherein the processing of the data packet includes: dropping the data packet, when the data packet should be blocked; replacing the data packet based on replacement information included in the data flow and forwarding the replaced data packet, when there is a need to replace the data packet; and storing the data packet in the memory of the network node depending on a rule included in the data flow and forwarding the data packet, when there is a need to store the data packet." Therefore, claim 4 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claim 5 inherits the allowable subject matter of claim 4, as claim 5 depends from claim 4.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham, can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARI L SCHMIDT/ Primary Examiner, Art Unit 2439
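The claims under rejection describe one mechanism from several angles: the enforcement point (the "network node") keeps a data flow table keyed by node IP, destination IP and port and drops any packet with no matching entry; flows carry an inspection rule that decides whether a packet is forwarded or processed; and when the node reports that the target application has ended, or releases access, the server removes the control flow and every dependent data flow so the application can no longer reach the destination. The following Python model, added here to make that lifecycle concrete, is not Pribit's implementation or code from any of the cited references; the class names, the staleness limit used to return "inaccessible" on a control flow update, and the sample IPs and payloads are all constructed for illustration.

```python
"""Toy model of flow-based access control as the claims describe it: an access
control application on the node, a server keeping control-flow and data-flow
tables, and an enforcement network node that forwards a packet only when a
matching data flow exists. Constructed example; not Pribit's implementation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowKey:
    """Identity of a data flow: node IP, destination IP and destination port."""
    node_ip: str
    dest_ip: str
    port: int


@dataclass
class ControlFlow:
    node_ip: str
    app_id: str
    updated_at: float                       # last successful update, in seconds
    data_flows: set = field(default_factory=set)   # dependent FlowKeys


class NetworkNode:
    """Enforcement point between the node and the destination network."""

    def __init__(self):
        self.data_flows = set()             # data flow table
        self.inspection_rules = {}          # FlowKey -> byte pattern to block (assumed rule DB)

    def add_flow(self, key, block_pattern=None):
        self.data_flows.add(key)
        if block_pattern is not None:
            self.inspection_rules[key] = block_pattern

    def delete_flow(self, key):
        self.data_flows.discard(key)
        self.inspection_rules.pop(key, None)

    def handle_packet(self, key, payload):
        """Drop when no data flow exists; otherwise forward unless a rule matches."""
        if key not in self.data_flows:
            return "drop"
        pattern = self.inspection_rules.get(key)
        if pattern is None:
            return "forward"                # not an inspection target
        return "drop" if pattern in payload else "forward"


class Server:
    def __init__(self, network_node, max_age=300.0):
        self.network_node = network_node
        self.control_flows = {}             # control flow table: cf_id -> ControlFlow
        self.max_age = max_age              # assumed staleness limit, not from the claims

    def open_control_flow(self, cf_id, node_ip, app_id, now):
        self.control_flows[cf_id] = ControlFlow(node_ip, app_id, now)

    def grant_data_flow(self, cf_id, dest_ip, port, block_pattern=None):
        cf = self.control_flows[cf_id]
        key = FlowKey(cf.node_ip, dest_ip, port)
        cf.data_flows.add(key)
        self.network_node.add_flow(key, block_pattern)   # push to the enforcement point
        return key

    def delete_flows_of(self, cf_id):
        cf = self.control_flows.get(cf_id)
        if cf is None:
            return
        for key in list(cf.data_flows):
            self.network_node.delete_flow(key)
        cf.data_flows.clear()

    def app_terminated(self, cf_id, app_id):
        """The node reported the target application ended: remove its data flows."""
        cf = self.control_flows.get(cf_id)
        if cf is not None and cf.app_id == app_id:
            self.delete_flows_of(cf_id)

    def end_control_flow(self, cf_id):
        """Access release: remove the control flow and every dependent data flow."""
        self.delete_flows_of(cf_id)
        self.control_flows.pop(cf_id, None)

    def update_control_flow(self, cf_id, now):
        cf = self.control_flows.get(cf_id)
        if cf is None or now - cf.updated_at > self.max_age:
            self.end_control_flow(cf_id)
            return "inaccessible"           # node is expected to block the application
        cf.updated_at = now
        return "accessible"


def scenario():
    """Grant, enforce, terminate, then attempt a stale control flow update."""
    nn = NetworkNode()
    srv = Server(nn)
    srv.open_control_flow("cf-1", "10.0.0.5", "app-a", now=1000.0)
    web = srv.grant_data_flow("cf-1", "192.0.2.10", 443)
    api = srv.grant_data_flow("cf-1", "192.0.2.20", 8443, block_pattern=b"DROP TABLE")
    out = {}
    out["allowed"] = nn.handle_packet(web, b"GET / HTTP/1.1")
    out["no_flow"] = nn.handle_packet(FlowKey("10.0.0.5", "198.51.100.9", 22), b"SSH-2.0")
    out["inspected_clean"] = nn.handle_packet(api, b'{"q":"select 1"}')
    out["inspected_hit"] = nn.handle_packet(api, b'{"q":"DROP TABLE users"}')
    srv.app_terminated("cf-1", "app-a")
    out["after_termination"] = nn.handle_packet(web, b"GET / HTTP/1.1")
    out["stale_update"] = srv.update_control_flow("cf-1", now=2000.0)
    out["flows_left"] = len(nn.data_flows)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The design point worth noticing is that the enforcement point never consults application state itself: it only knows flow keys, so every revocation path (application exit, access release, failed control flow update) has to end in the server pushing a delete to the network node, and the default for an unknown key is drop.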

Prosecution Timeline

Mar 06, 2024: Application Filed
May 06, 2026: Non-Final Rejection mailed (§102, §103; current)

Precedent Cases

Applications granted by this same examiner with similar technology (5 most recent grants):

Patent 12632579: DATASET PRIVACY MANAGEMENT SYSTEM (3y 5m to grant; granted May 19, 2026)
Patent 12625927: SYSTEM AND METHOD FOR ANALYZING A DEVICE (6y 3m to grant; granted May 12, 2026)
Patent 12627641: SYSTEM AND METHOD FOR SECURING MESSAGES (4y 5m to grant; granted May 12, 2026)
Patent 12621319: PROCESSING DEVICE, PROCESSING METHOD, AND NON-TRANSITORY COMPUTER-READABLE MEDIUM IN WHICH CONTROL PROGRAM IS STORED (3y 2m to grant; granted May 05, 2026)
Patent 12621659: KEY NEGOTIATION METHOD, APPARATUS, AND SYSTEM (3y 5m to grant; granted May 05, 2026)


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 74%
With Interview: 99% (+42.9%)
Median Time to Grant: 3y 9m (~1y 6m remaining)
PTA Risk: Low
Based on 744 resolved cases by this examiner. Grant probability derived from career allowance rate.
