Prosecution Insights
Last updated: April 19, 2026
Application No. 18/746,258

ONE-TIME VIRTUAL PRIVATE NETWORK

Final Rejection §103
Filed: Jun 18, 2024
Examiner: NGUYEN, ANH
Art Unit: 2458
Tech Center: 2400 (Computer Networks)
Assignee: International Business Machines Corporation
OA Round: 2 (Final)
Grant Probability: 79% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 2y 9m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 79% (282 granted / 359 resolved; +20.6% vs TC avg; above average)
Interview Lift: +24.9% across resolved cases with interview (strong)
Avg Prosecution: 2y 9m (23 currently pending)
Total Applications: 382 across all art units

Statute-Specific Performance

§101: 12.8% (-27.2% vs TC avg)
§103: 58.6% (+18.6% vs TC avg)
§102: 9.0% (-31.0% vs TC avg)
§112: 12.1% (-27.9% vs TC avg)
Comparison is to the Tech Center average estimate; based on career data from 359 resolved cases.

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in response to the amendment filed on 1/29/2026. Claims 1-20 are rejected. Claims 1, 9, and 17 have been amended.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 11/21/25 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments

Applicant's arguments with respect to claims 1, 9, and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 9-11, 13, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Khare et al. (US 20240380752 A1), hereafter Khare, in view of Akkarakaran et al. (US 20250267139 A1), hereafter Akkarakaran, and further in view of Dintenfass (US 20180324186 A1).

Regarding claim 1, Khare teaches a computer-implemented method, comprising: receiving an authentication request from a client to access a private network for a pre-defined transaction defined by the client ([0044] The online system 130 receives 510 a request for access to one or more systems from a user. The request is received responsive to the user performing authentication using an authentication device, for example, a workstation that provides smart card based authentication; [0021] fig. 1, the network 150 can be a private network or a virtual private network; [0026] The user is allowed to access various computing systems and computing resources accessible by the online system during the time period that the short term authentication token is valid (pre-defined transaction)); validating the client for the pre-defined transaction ([0031] The remote access interface 210 validates the access token T1 and allows the user to login to the remote access interface 210 responsive to successful validation of the token), wherein the validating comprises determining access rights, linked to a digital identity of the client, to access at least one protected resource in the private network ([0031] the credentials received from the authentication device (linked to a digital identity of the client) are provided by the remote access interface 210 to an authentication service); granting a temporary access for the client to perform the pre-defined transaction in the private network, responsive to validating the client for the pre-defined transaction ([0045] The online system provides the temporary certificate to a personalized virtual machine. The online system provides the user with access to the personalized virtual machine); and terminating the temporary access granted to the client to the private network [responsive to a policy configuration] associated with the pre-defined transaction ([0047] Once the expiry time of the temporary certificate expires, the online system denies any subsequent requests from the user to connect to any of the plurality of systems until the user repeats the above process).

Khare does not teach "responsive to a policy configuration"; comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client.

Akkarakaran teaches responsive to a policy configuration ([0088] If the current time exceeds the token expiration time, the system initiates token expiration handling. This could involve notifying the user, terminating the session, or prompting for reauthentication, depending on the system's policies). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare disclosure, the token expiration is based on a policy, as taught by Akkarakaran. One would be motivated to do so to protect users' personal information and ensure that only authorized individuals can access certain features or data.

Khare and Akkarakaran do not explicitly teach comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client.

Dintenfass teaches comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client ([0046] compare the received limited authentication challenge response (comparing the pre-defined transaction) with authentication data of the third user stored in the database to determine that the received limited authentication challenge response is acceptable). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare and Akkarakaran disclosure, authentication challenge response with authentication data, as taught by Dintenfass. One would be motivated to do so for authorizing access to safeguarded resources.

Regarding claims 2, 10, and 18, Khare, Akkarakaran, and Dintenfass teach all limitations of parent claims 1, 9, and 17. Khare further teaches: receiving a request from an authorization provider to validate a client key associated with the client for issuing a token, wherein the token is configured to authorize the pre-defined transaction ([0031] The remote access interface receives a request from the user to gain access to one or more computing systems. The request is sent by the user based on an authentication performed by the user via the authentication device. The remote access interface 210 receives an access token T1, for example, a SAML token generated by the authentication service. The access token T1 represents the user identity); and authorizing issuance of the token to the client based on validating the client key associated with the client ([0031] The remote access interface validates the access token T1 and allows the user to login to the remote access interface responsive to successful validation of the token).

Regarding claims 3, 11, and 19, Khare, Akkarakaran, and Dintenfass teach all limitations of parent claims 1, 9, and 17, wherein Khare further teaches the authentication request from the client includes a single-use token indicating the policy configuration associated with the pre-defined transaction ([0040] The single sign-on service validates the received access token T1 and returns a SAML token T2 that can be used for web authentication).

Regarding claims 5 and 13, Khare, Akkarakaran, and Dintenfass teach all limitations of parent claims 1 and 9, wherein Akkarakaran further teaches the policy configuration authorizes the client to only perform actions that are necessary to complete the pre-defined transaction ([0107] If the current run time exceeds the session run time, the system initiates session expiration handling. This could involve notifying the user, terminating the session, or prompting for reauthentication, depending on the system's policies). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare and Dintenfass disclosure, the token expiration is based on a policy, as taught by Akkarakaran. One would be motivated to do so to protect users' personal information and ensure that only authorized individuals can access certain features or data.

Regarding claim 9, Khare teaches a computer system for one-time virtual private network (OTVPN) tunneling, comprising: one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage media, and program instructions stored on at least one of the one or more computer-readable tangible storage media for execution by at least one of the one or more processors via at least one of the one or more memories ([0062] program modules are stored on the storage device, loaded into the memory, and executed by the processor), wherein the computer system is capable of performing a method comprising: receiving an authentication request from a client to access a private network for a pre-defined transaction defined by the client ([0044] The online system 130 receives 510 a request for access to one or more systems from a user. The request is received responsive to the user performing authentication using an authentication device, for example, a workstation that provides smart card based authentication; [0021] fig. 1, the network 150 can be a private network or a virtual private network; [0026] The user is allowed to access various computing systems and computing resources accessible by the online system during the time period that the short term authentication token is valid (pre-defined transaction)); validating the client for the pre-defined transaction ([0031] The remote access interface 210 validates the access token T1 and allows the user to login to the remote access interface 210 responsive to successful validation of the token), wherein the validating comprises determining access rights, linked to a digital identity of the client, to access at least one protected resource in the private network ([0031] the credentials received from the authentication device (linked to a digital identity of the client) are provided by the remote access interface 210 to an authentication service); granting a temporary access for the client to perform the pre-defined transaction in the private network, responsive to validating the client for the pre-defined transaction ([0045] The online system provides the temporary certificate to a personalized virtual machine. The online system provides the user with access to the personalized virtual machine); and terminating the temporary access granted to the client to the private network [responsive to a policy configuration] associated with the pre-defined transaction ([0047] Once the expiry time of the temporary certificate expires, the online system denies any subsequent requests from the user to connect to any of the plurality of systems until the user repeats the above process).

Khare does not teach responsive to a policy configuration; comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client.

Akkarakaran teaches responsive to a policy configuration ([0088] If the current time exceeds the token expiration time, the system initiates token expiration handling. This could involve notifying the user, terminating the session, or prompting for reauthentication, depending on the system's policies). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare disclosure, the token expiration is based on a policy, as taught by Akkarakaran. One would be motivated to do so to protect users' personal information and ensure that only authorized individuals can access certain features or data.

Khare and Akkarakaran do not explicitly teach comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client. Dintenfass teaches comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client ([0046] compare the received limited authentication challenge response (comparing the pre-defined transaction) with authentication data of the third user stored in the database to determine that the received limited authentication challenge response is acceptable). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare and Akkarakaran disclosure, authentication challenge response with authentication data, as taught by Dintenfass. One would be motivated to do so for authorizing access to safeguarded resources.

Regarding claim 17, Khare teaches a computer program product for one-time virtual private network (OTVPN) tunneling, comprising: one or more computer-readable storage media and program instructions collectively stored on the one or more computer-readable storage media ([0061] The storage device is a non-transitory computer-readable storage medium), the program instructions executable by a processor to cause the processor to perform a method comprising: receiving an authentication request from a client to access a private network for a pre-defined transaction defined by the client ([0044] The online system 130 receives 510 a request for access to one or more systems from a user. The request is received responsive to the user performing authentication using an authentication device, for example, a workstation that provides smart card based authentication; [0021] fig. 1, the network 150 can be a private network or a virtual private network; [0026] The user is allowed to access various computing systems and computing resources accessible by the online system during the time period that the short term authentication token is valid (pre-defined transaction)); validating the client for the pre-defined transaction ([0031] The remote access interface 210 validates the access token T1 and allows the user to login to the remote access interface 210 responsive to successful validation of the token); granting a temporary access for the client to perform the pre-defined transaction in the private network responsive to validating the client for the pre-defined transaction ([0045] The online system provides the temporary certificate to a personalized virtual machine. The online system provides the user with access to the personalized virtual machine); and terminating the temporary access granted to the client to the private network [responsive to a policy configuration] associated with the pre-defined transaction ([0047] Once the expiry time of the temporary certificate expires, the online system denies any subsequent requests from the user to connect to any of the plurality of systems until the user repeats the above process).

Khare does not teach responsive to a policy configuration; comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client.

Akkarakaran teaches responsive to a policy configuration ([0088] If the current time exceeds the token expiration time, the system initiates token expiration handling. This could involve notifying the user, terminating the session, or prompting for reauthentication, depending on the system's policies). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare disclosure, the token expiration is based on a policy, as taught by Akkarakaran. One would be motivated to do so to protect users' personal information and ensure that only authorized individuals can access certain features or data.

Khare and Akkarakaran do not explicitly teach comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client. Dintenfass teaches comparing the pre-defined transaction defined by the client with the access rights linked to the digital identity of the client to determine whether the pre-defined transaction is within outer limits of the access rights linked to the digital identity of the client ([0046] compare the received limited authentication challenge response (comparing the pre-defined transaction) with authentication data of the third user stored in the database to determine that the received limited authentication challenge response is acceptable). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare and Akkarakaran disclosure, authentication challenge response with authentication data, as taught by Dintenfass. One would be motivated to do so for authorizing access to safeguarded resources.

Claims 4, 6-8, 12, 14-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Khare in view of Akkarakaran and in view of Dintenfass (US 20180324186 A1) and further in view of Bradley et al. (US 20170366646 A1), hereafter Bradley.

Regarding claims 4, 12, and 20, Khare, Akkarakaran, and Dintenfass teach all limitations of parent claims 1, 9, and 17. Khare does not explicitly teach the private network further comprises: generating a one-time virtual private network (OTVPN) tunnel, wherein the OTVPN tunnel is configured to limit the client to the pre-defined transaction. Bradley teaches generating a one-time virtual private network (OTVPN) tunnel, wherein the OTVPN tunnel is configured to limit the client to the pre-defined transaction ([0055] the enrollment package establishes a temporary VPN connection (OTVPN) with the client device and the domain controller using the VPN settings, certificates, credentials obtained earlier by the client device). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention made to include in the Khare disclosure, temporary virtual network connection to connect the client devices to the network, as taught by Bradley. One would be motivated to do so to determine whether the client device complies with management policies before placing the enrollment package in the command queue for retrieval by the client device.

Regarding claims 6 and 14, Khare, Akkarakaran, Dintenfass, and Bradley teach all limitations of parent claims 4 and 12, wherein Khare further teaches the OTVPN tunnel is terminated responsive to a trigger condition in the policy configuration, wherein the trigger condition includes reaching a fixed number of requests on a server side ([0039] Once the certificate expiry time reaches, the certificate validity is expired and the certificate cannot be used for SSH authentication. As an optional feature, the online system may keep the certificate expiry time same as the personalized VM expiry so that both expire at same time).

Regarding claims 7 and 15, Khare, Akkarakaran, Dintenfass, and Bradley teach all limitations of parent claims 4 and 12, wherein Khare further teaches the OTVPN tunnel is terminated responsive to a trigger condition in the policy configuration, wherein the trigger condition includes reaching a fixed number of requests on a client side ([0047] Once the expiry time of the temporary certificate expires, the online system denies any subsequent requests from the user to connect to any of the plurality of systems until the user repeats the above process).

Regarding claims 8 and 16, Khare, Akkarakaran, Dintenfass, and Bradley teach all limitations of parent claims 4 and 12, wherein Khare further teaches the OTVPN tunnel is terminated responsive to a trigger condition in the policy configuration, wherein the trigger condition includes detecting an action by the client that deviates from a set of actions the client is allowed to perform during the pre-defined transaction ([0015] the authentication device creates a session with the user allowing the user to perform certain actions that provide the user with authentication. The session is closed after an authentication token is generated for the user).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Umar Cheema, can be reached at 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANH NGUYEN/Primary Examiner, Art Unit 2458
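The rejection above maps claims 1 and 4-8 onto four mechanisms: checking a client-declared transaction against the outer limits of the identity's access rights, granting a temporary one-time tunnel, restricting the client to the actions the transaction needs, and tearing the tunnel down on policy triggers (expiry, a fixed number of client-side or server-side requests, or an action that deviates from the allowed set). The following is an added illustration of that flow as a small access broker; it is not code from the application, the examiner, or any cited reference, and every identity, resource, limit, and the fake clock in it are constructed for the example.

```python
"""Constructed model of the one-time VPN (OTVPN) access flow recited in the
office action above. Added example: not code from the application, the examiner,
or any cited reference; identities, resources, limits and clock are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import time


@dataclass(frozen=True)
class AccessRights:
    """Outer limits of what a digital identity may ever touch."""
    resources: frozenset
    actions: frozenset


@dataclass(frozen=True)
class Transaction:
    """The pre-defined transaction the client declares before any tunnel exists."""
    resource: str
    actions: frozenset


@dataclass(frozen=True)
class PolicyConfig:
    """Policy configuration bound to one transaction: the termination triggers."""
    ttl_seconds: float         # tunnel lifetime
    max_client_requests: int   # trigger: fixed number of requests on the client side
    max_server_requests: int   # trigger: fixed number of requests on the server side


@dataclass
class Tunnel:
    identity: str
    transaction: Transaction
    policy: PolicyConfig
    opened_at: float
    client_requests: int = 0
    server_requests: int = 0
    closed_reason: Optional[str] = None   # set once a trigger fires; never reopened

    @property
    def open(self) -> bool:
        return self.closed_reason is None


class OtvpnBroker:
    """Validates a transaction against access rights, grants a one-time tunnel,
    and terminates it on the first policy trigger that fires."""

    def __init__(self, directory: Dict[str, AccessRights],
                 clock: Callable[[], float] = time.monotonic):
        self.directory = directory   # digital identity -> AccessRights
        self.clock = clock

    def validate(self, identity: str, tx: Transaction) -> Tuple[bool, str]:
        """Is the declared transaction within the outer limits of the identity's rights?"""
        rights = self.directory.get(identity)
        if rights is None:
            return False, "unknown identity"
        if tx.resource not in rights.resources:
            return False, "resource outside access rights"
        if not tx.actions <= rights.actions:
            return False, "action outside access rights"
        return True, "ok"

    def grant(self, identity: str, tx: Transaction, policy: PolicyConfig) -> Tunnel:
        ok, reason = self.validate(identity, tx)
        if not ok:
            raise PermissionError(reason)   # no tunnel is ever created
        return Tunnel(identity, tx, policy, opened_at=self.clock())

    def _close(self, tunnel: Tunnel, reason: str) -> bool:
        tunnel.closed_reason = reason
        return False

    def client_request(self, tunnel: Tunnel, action: str, backend_calls: int = 1) -> bool:
        """Forward one client request through the tunnel. Returns True if allowed;
        False if refused, in which case the tunnel is terminated and
        tunnel.closed_reason names the trigger. backend_calls is the number of
        server-side requests this client request fans out into (constructed
        bookkeeping so the server-side limit is distinct from the client-side one)."""
        if not tunnel.open:
            return False
        if self.clock() - tunnel.opened_at > tunnel.policy.ttl_seconds:
            return self._close(tunnel, "ttl expired")
        if action not in tunnel.transaction.actions:
            # Only actions needed for the declared transaction are permitted.
            return self._close(tunnel, f"action {action!r} deviates from transaction")
        tunnel.client_requests += 1
        if tunnel.client_requests > tunnel.policy.max_client_requests:
            return self._close(tunnel, "client-side request limit reached")
        tunnel.server_requests += backend_calls
        if tunnel.server_requests > tunnel.policy.max_server_requests:
            return self._close(tunnel, "server-side request limit reached")
        return True


DIRECTORY = {   # constructed identities and their outer limits
    "alice@example.test": AccessRights(frozenset({"db-prod", "db-staging"}),
                                       frozenset({"read", "write"})),
    "bob@example.test": AccessRights(frozenset({"db-staging"}), frozenset({"read"})),
}


def demo() -> Dict[str, Optional[str]]:
    """Exercise each refusal path once; returns the reason recorded for each."""
    now = [0.0]
    broker = OtvpnBroker(DIRECTORY, clock=lambda: now[0])
    policy = PolicyConfig(ttl_seconds=60, max_client_requests=3, max_server_requests=5)
    read_prod = Transaction("db-prod", frozenset({"read"}))
    out: Dict[str, Optional[str]] = {}
    try:   # bob declares a write he was never granted: refused before any tunnel exists
        broker.grant("bob@example.test", Transaction("db-staging", frozenset({"write"})), policy)
        out["outer_limits"] = None
    except PermissionError as exc:
        out["outer_limits"] = str(exc)
    t = broker.grant("alice@example.test", read_prod, policy)   # a read is in scope
    broker.client_request(t, "read")
    broker.client_request(t, "write")                           # deviation closes it
    out["deviation"] = t.closed_reason
    t = broker.grant("alice@example.test", read_prod, policy)
    for _ in range(4):                                          # fourth exceeds the limit
        broker.client_request(t, "read")
    out["client_limit"] = t.closed_reason
    t = broker.grant("alice@example.test", read_prod, policy)
    broker.client_request(t, "read", backend_calls=3)           # 3 server-side requests
    broker.client_request(t, "read", backend_calls=3)           # 6 > 5 closes it
    out["server_limit"] = t.closed_reason
    t = broker.grant("alice@example.test", read_prod, policy)
    now[0] = 61.0                                               # past the 60 s TTL
    broker.client_request(t, "read")
    out["ttl"] = t.closed_reason
    return out


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The order of checks in `client_request` is deliberate: expiry is evaluated before the request is counted, and a deviating action closes the tunnel without consuming a request, so a client cannot keep a tunnel alive by alternating permitted and non-permitted actions. A closed tunnel never reopens; the client must go back through `grant`, which repeats the outer-limits check.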

Prosecution Timeline

Jun 18, 2024: Application Filed
Oct 28, 2025: Non-Final Rejection (§103)
Jan 27, 2026: Applicant Interview (Telephonic)
Jan 27, 2026: Examiner Interview Summary
Jan 29, 2026: Response Filed
Feb 21, 2026: Final Rejection (§103) (current)

Precedent Cases

Applications granted by this same examiner with similar technology (5 most recent grants):

Patent 12602480: DATA MANAGEMENT APPARATUS AND DATA MANAGEMENT METHOD (granted Apr 14, 2026; 2y 5m to grant)
Patent 12603908: SYSTEM FOR DETECTING ANOMALOUS NETWORK PATTERNS BASED ON ANALYZING NETWORK TRAFFIC DATA AND METHOD THEREOF (granted Apr 14, 2026; 2y 5m to grant)
Patent 12587558: SYSTEM AND METHOD OF ARTIFICIAL INTELLIGENCE ASSISTED CYBER THREAT IDENTIFICATION VIA WEBSERVER LOGS (granted Mar 24, 2026; 2y 5m to grant)
Patent 12578895: USING NETWORK DEVICE REPLICATION IN DISTRIBUTED STORAGE CLUSTERS (granted Mar 17, 2026; 2y 5m to grant)
Patent 12581310: PAIRING OF USER DEVICE WITH REMOTE SYSTEM (granted Mar 17, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 79%
With Interview: 99% (+24.9%)
Median Time to Grant: 2y 9m
PTA Risk: Moderate
Based on 359 resolved cases by this examiner. Grant probability derived from career allow rate.
