Prosecution Insights
Last updated: April 19, 2026
Application No. 18/702,926

METHOD AND APPARATUS FOR PROVIDING SECURITY SERVICE, AND ELECTRONIC DEVICE AND COMPUTER STORAGE MEDIUM

Final Rejection §103
Filed: Jun 18, 2024
Examiner: ZOUBAIR, NOURA
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: China Mobile Communications Group Co. Ltd.
OA Round: 2 (Final)
Grant Probability: 72% (Favorable)
OA Rounds: 3-4
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 72% — above average
Career Allow Rate: 72% (256 granted / 353 resolved), +14.5% vs TC avg
Strong +62% interview lift
Interview Lift: +61.8% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 11m (17 currently pending)
Career history
Total Applications: 370 (across all art units)

Statute-Specific Performance

§101: 7.5% (-32.5% vs TC avg)
§103: 50.2% (+10.2% vs TC avg)
§102: 9.3% (-30.7% vs TC avg)
§112: 16.0% (-24.0% vs TC avg)
Based on career data from 353 resolved cases

Office Action

§103
DETAILED ACTION

- Claims 1, 5, 7, 10, 14 are amended.
- Claims 3, 9, 13 and 17 are cancelled.
- Claims 22-24 are new.
- The objection to the abstract is withdrawn based on the corrected abstract.
- The 112(b) rejection is withdrawn based on the claim amendments.
- Claims 1-2, 5-8, 10-12, 14-16 and 18-24 are pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s Remarks filed on 2/9/2026 have been fully considered.

With respect to the argument that the output of Whalen’s model are the constraints and that it does not provide a solution to the constraint, Examiner respectfully disagrees. Whalen’s security model includes logic problems comprising a set of constraints, in the constraint solver's format, therefore Whalen’s model includes the constraints and provides solutions to meet the constraints with the constraint solver.

With respect to the argument that Whalen does not teach input and output as in the claims, Examiner respectfully disagrees. In Whalen, a request for computing resources is received (i.e. the input to model) including order information of a host and asset information of the host, i.e. the resource allocation system 120 receives at least the communications that contain requests, commands, instructions, and the like (collectively herein, “requests”), to allocate, launch, execute, run, or otherwise provide, for use by an identifiable user (e.g., the requesting user or another specified user), one or more virtual computing resources in the computing environment and provides a security configuration or security service information for requested virtual computing resources (i.e. output to the model) where the security configuration provides security and protection by controlling how end users can access the virtual computing resources for example by whether the request should be allowed or denied. Therefore, Whalen discloses Feature A.

With respect to arguments regarding feature B, they are not persuasive. Applicant’s characterization of categories in the reference does not correspond to how they are mapped. The columns protected criteria 724, modification schedule 726, security information management 728 and memory management 730 are not mapped to the claimed categories of security service. Instead, the categories of security services are mapped to the elements listed under these columns, for example under column 724 “protected criteria” and column 728 “security management information”. As can be seen from Fig. 7, the vertical arrow labeled 740 teaches that there is “incremental security based on sensitivity of data or security level” and as can be seen in Fig. 7, the incremental security is implemented by using a greater number of categories of security services. Therefore, Aissi teaches the argued elements of Feature B.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-8, 10-12, 14-16 and 18-24 are rejected under 35 U.S.C. 103 as being unpatentable over Whalen et al (US Patent No. 11,093,641) in view of Aissi et al (US Pub. No. 2014/0331279).

Re Claim 1. Whalen discloses a method for providing a security service, performed by an electronic device, comprising:

creating a host security model under a constraint of custom normalized statements (i.e. an embodiment of the provided system implements automated methods for parsing a security policy into its encoded permissions (i.e., principal user, action requested, resource to be accessed, and conditions to be satisfied by the request) and then generating logic problems comprising a set of constraints, in the constraint solver's format, that correspond to the permissions) [Whalen, (14)];

acquiring host information for a tenant (i.e. the client may use the user interface 108 to configure a virtual network, launch virtual computing resources 142 and connect them to the virtual network and/or the external communication network 104, and create security policies 116 that govern how end users can access the virtual computing resources) [Whalen, (57)], wherein the host information at least comprises: order information of a host and asset information of the host;

inputting the host information into the security model (i.e. the resource allocation system 120 receives at least the communications that contain requests, commands, instructions, and the like (collectively herein, “requests”), to allocate, launch, execute, run, or otherwise provide, for use by an identifiable user (e.g., the requesting user or another specified user), one or more virtual computing resources in the computing environment) [Whalen, (60)], to obtain for the security model to output security service information outputted by the security model required by the host;

and providing, based on the security service information, a security service security protection and reinforcement corresponding to the security service information to the host of the tenant (i.e. The available resources may be provided in a limited manner to one or more users that submit requests for virtual computing resources within the computing environment 101; such resources that are allocated to and/or in use by a particular user are represented by virtual resources 142. Various functions related to processing requests to use virtual resources, to otherwise managing the allocation and configuration of the available resources and allocated virtual resources 142, and to limiting the amount of virtual resources 142 that are allocated to a particular user in accordance with the present systems, may be performed by one or more services executing within the computing environment 101 and/or outside of it (i.e., in the data processing architecture of the computing resource service provider environment 100). For example, security policies 116 may include a resource security policy that is applicable to the resource type associated with a virtual resource 142, and services 132 processing requests to access the virtual resource 142 may use the resource security policy to determine whether the request should be allowed or denied … the resource allocation system 120 may include a request processor 170 which is configured by executable program instructions to receive a request for virtual computing resources, parse the request into delivery and other parameters, determine whether the request can be fulfilled, and if the request can be fulfilled, provide a virtual computing resource 142 configured for use according to the parameters of the request) [Whalen, (59), (61)],

wherein the order information at least comprises: a value of Global Order (GO) constraining whether the tenant orders a global service, wherein in response to the value of the GO being a first value, indicating that the tenant orders the security service; and in response to the value of the GO being a second value, indicating that the tenant does not order the security service (i.e. The condition 210 element may be one or more conditions that specify when a policy is in effect. In some embodiments, the condition element is optional and may be omitted in some permissions. Conditions may be described as Boolean expressions that may be used to determine whether the policy is in effect (i.e., if the expression evaluates to TRUE) or not in effect (i.e., if the expression evaluates to FALSE). Policies that are not in effect may be unenforced or ignored by an authorization module) [Whalen, (72)];

Whalen does not disclose all the above in one embodiment, however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to combine the various embodiments because it is suggested by Whalen: any combination of the above-described elements in all possible variations thereof is encompassed by the scope of the present disclosure unless otherwise indicated herein or otherwise clearly contradicted by context [Whalen, (264)],

Whalen does not explicitly disclose whereas Aissi does: and a value of Ln constraining a level of the security service ordered by the tenant, wherein n represents that the security service ordered by the tenant belongs to a n-th level, and n is configured to determine a number of categories of security service modules providing the security service, wherein a greater value of n indicates a higher level of the security service and a greater number of categories of security service modules providing the security service (i.e. request a security policy for managing one or more services for the applications. The request can indicate security services or type of security, a type of security policy to implement, a level of security, information used to determine a level or profile of security for the applications, or a combination thereof. The security services engine 132 can determine the type of security services to provide based on the information provided by the applications 114, 116. For example, when the application 114 is a payment application, the request 122 may indicate a request for a high level of security … As shown by the examples in FIGS. 6 and 7, a security policy may be applicable based on a variety criteria including the type of an application, the operations performed by the application, the request 126, or other information indicating the nature of the operations performed by the application … the security policies 602-608 may be used by the security engine 112 to determine security services to select for applications. For example, the secure operating environment 112 may choose a security policy to implement for an application based on the security profile that best fits the functions being performed for the application and/or the type of data processed for the application … the security policies 702-708 may indicate security services that may be performed for the security policies. FIG. 7 shows an incremental change 740 in security corresponding to a change in security profile selected for managing security in a secure operating environment) [Aissi, para.0081, 0150, 0161, Fig. 7 shows that the number of categories of security services increases with the sensitivity/security level].

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Whalen with Aissi because the security services selector 356 may choose one or more security services based on security capabilities that enable suitable protection of operations performed by an application. In some instances, a security service may be selected from security capabilities of one or both of the secure operating environment 110 and the host operating environment 102 based on the security capabilities that meet the criteria or that support a security service requested by an application [Aissi, para.00107].

Re Claim 2. Whalen in view of Aissi discloses the method for providing the security service of claim 1, wherein inputting the host information into the security model comprises at least one of: inputting the order information represented by a first normalized statement into the security model; or inputting the asset information represented by a second normalized statement into the security model (i.e. The policy parser 160 may be a component or module that receives a security policy (e.g., a security policy received from a client in connection with an API call or obtained via a policy management service) and obtains one or more permission statements from the policy … the permission statements 174, 176 may each be associated with the granting or denying access to computing resource) [Whalen, (27)].

Re Claim 4. Whalen in view of Aissi discloses the method for providing the security service of claim 1, wherein the asset information comprises: a set of assets of a plurality of hosts to be maintained (i.e. the client may use the user interface 108 to configure a virtual network, launch virtual computing resources 142 and connect them to the virtual network and/or the external communication network 104, and create security policies 116 that govern how end users can access the virtual computing resources) [Whalen, (57), also (68)].

Re Claim 5. Whalen in view of Aissi discloses the method for providing the security service of claim 1, wherein inputting the host information into the security model, for the security model to output the security service information required by the host further comprises: inputting the host information into the security model, to obtain the security service information outputted by the security model and represented by a third normalized statement (i.e. propositional logical expression 214 may comprise a set of logical expressions which represent the permission 202. Propositional logical expressions may be evaluated to determine whether a formula is satisfiable. For example, propositional logic may be used to determine whether it is satisfiable that a resource is allowed under a first propositional logical expression corresponding to a first security policy comprising a first set of permissions and the resource is not allowed (e.g., explicitly denied and/or not explicitly granted an ALLOW effect) under a second propositional logical expression corresponding to a second security policy comprising a second set of permissions … the action 208 element may map to an action propositional logic expression 220) [Whalen, (79)] wherein the third normalized statement represents that the security service is formed by orchestrating the security service modules, the security service modules being constituted by different types of security capabilities (i.e. The action 208 may be the specific action or actions that will be allowed or denied by the permission. Different types of services (e.g., having different service namespaces) may support different actions. For example, an identity and account management service may support an action for changing passwords, and a storage service may support an action for deleting objects. An action may be performed in association with the resource and may, for example, be identified by a type of API call, a library call, a program, process, series of steps, a workflow, or some other such action … various namespaces may be used in connection with specifying an action. Wildcards may be used to specify multiple actions. For example, an action element described as “Action”: “storage:*” may refer to all APIs supported by a storage service. As a second example, an action element described as “Action”: “iam: *AccessKey*” may refer to actions supported by an identity and access management service in connection with access keys of a service—illustrative examples may include actions related to creating an access key (e.g. “CreateAccessKey”), deleting an access key (e.g. “DeleteAccessKey”), listing access keys (e.g. “ListAccessKeys”), updating an existing access key (e.g. “UpdateAccessKey”)) [Whalen, (70-71)].

Re Claim 6. Whalen in view of Aissi discloses the method for providing the security service of claim 5, wherein providing, based on the security service information, the security protection and reinforcement corresponding to the security service information to the host of the tenant comprises: obtaining, based on the security service information, a combination of a number of categories of security service modules when the tenant orders the security service under a global service (i.e. a permission 202 may specify a principal 204, a resource 206, an action 208, a condition 210, and an effect 212. In some embodiments, a permission 202 may also specify a plurality of one or more of these elements such as, for example, a set or class of users, a collection of resources, several different actions, and/or multiple conditions. In some embodiments, the permission 202 may specify one or more wildcard or otherwise modifiable characters that may be used to denote that the permission 202 may be modified to make the permission 202 applicable to different users and their associated resources … Computing resources of a computing resource service provider may include: compute resources (e.g., virtual machine instances); storage resources (e.g., scalable storage, block storage, and managed file storage systems); database systems (e.g., managed relational database systems); migration services (e.g., applications, services, and hardware for streamlining the transfer of data from one physical data center to another); network and content delivery; developer tools; management tools; security, identity, and access management services; analytics services; artificial intelligence services; and more … an identity and account management service may support an action for changing passwords) [Whalen, (65, 68, 70), Note: security, identity and access management services disclose a number of security categories/modules]; and providing, according to the combination of the number of categories of the security service modules, corresponding security protection and reinforcement to the host of the tenant (i.e. the resource allocation system 120 may include a request processor 170 which is configured by executable program instructions to receive a request for virtual computing resources, parse the request into delivery and other parameters, determine whether the request can be fulfilled, and if the request can be fulfilled, provide a virtual computing resource 142 configured for use according to the parameters of the request) [Whalen (61)].

Re Claim 16. Whalen in view of Aissi discloses the method for providing the security service of claim 1, wherein the security model outputs the corresponding security service information without occupying resources of the host of tenant (i.e. a resource allocation system 120 operating within the computing environment 101 may cooperate with security policy management service 112 implemented outside of the computing environment 101 to manage the allocation of virtual resources according to security policies) [Whalen, (60), Fig. 1B], and is able to perform adaptive expansion and policy updates on security risks of the host of the tenant (i.e. the policy anonymizer service 106 may, by default or by user authorization, access and use the usage data of one user or multiple users to update or interpret a model of a security policy) [Whalen, (62)].

Re Claim 22. Whalen in view of Aissi discloses the method for providing the security service of claim 1, Aissi further discloses: wherein security service modules at a higher level contain security service modules at a lower level [Aissi, Fig. 6, col.630, shows that the highly sensitive profile security modules contain security modules in the sensitive profile and the sensitive profile security modules contain the security module in the important profile]. The same motivation to modify with Aissi, as in claim 1, applies.

Re Claims 7, 8, 18-21 and 23. These claims are similar to claims 1-2, 4-6, 16 and 22 respectively, therefore they are similarly rejected.

Re Claims 10-12, 14-15 and 24. These claims are similar to claims 1, 16, 2, 5-6 and 22 respectively, therefore they are similarly rejected.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NOURA ZOUBAIR/
Primary Examiner, Art Unit 2434

Prosecution Timeline

Jun 18, 2024
Application Filed
Nov 12, 2025
Non-Final Rejection — §103
Feb 09, 2026
Response Filed
Mar 03, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596790
Secure Environment Public Register (SEPR)
2y 5m to grant Granted Apr 07, 2026
Patent 12591664
System and method for remote users activities administration
2y 5m to grant Granted Mar 31, 2026
Patent 12574420
DYNAMIC POLICY AND NETWORK SECURITY ZONE GENERATION
2y 5m to grant Granted Mar 10, 2026
Patent 12563098
System and method for performing a secured operation
2y 5m to grant Granted Feb 24, 2026
Patent 12549608
CENTRALIZED SECURITY POLICY ADMINISTRATION USING NVMe-oF ZONING
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 72%
With Interview (+61.8%): 99%
Median Time to Grant: 2y 11m
PTA Risk: Moderate
Based on 353 resolved cases by this examiner. Grant probability derived from career allow rate.
