Prosecution Insights
Last updated: April 19, 2026
Application No. 18/746,510

Systems and methods for extensible, modular, and hierarchical step-up authentication

Non-Final OA §103
Filed: Jun 18, 2024
Examiner: LE, CHAU D
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Zscaler Inc.
OA Round: 1 (Non-Final)
Grant Probability: 85% (Favorable)
OA Rounds: 1-2
To Grant: 2y 10m
With Interview: 99%

Examiner Intelligence

Grants 85% — above average
Career Allow Rate: 85% (453 granted / 532 resolved), +27.2% vs TC avg
Strong +17% interview lift
Interview Lift: +16.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 10m
13 currently pending
Career history
Total Applications: 545 (across all art units)

Statute-Specific Performance

§101: 14.9% (-25.1% vs TC avg)
§103: 40.9% (+0.9% vs TC avg)
§102: 15.2% (-24.8% vs TC avg)
§112: 8.8% (-31.2% vs TC avg)
Based on career data from 532 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

The claims 6/18/24 are pending.

Priority

Acknowledgment is made of applicant's claim for foreign priority based on an application filed in India on 5/3/2023. It is noted, however, that applicant has not filed a certified copy of the India Application 202441035160 application as required by 37 CFR 1.55. Attempt to retrieve the foreign priority document electronically failed on 10/03/2024.

Specification

The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01. Particularly, paragraphs [0078] disclosing “www.zscaler.com”.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 6/18/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Virgen et al. (US Pub No 2021/0136066) in view of Tiwari et al. (US Pub No 2018/0034641).

Virgen teaches claim:

1. A method comprising steps of: monitoring access to one or more private applications (e.g., monitoring user activity including authentication attempt to one of the user accounts 116 associated with an application 106 @ ¶ 0047-0048); responsive to a request to access the one or more private applications, determining an Authentication Level (AL) of a user associated with the request, (e.g., “In response to detecting an authentication attempt, operation 308 includes retrieving information related to the authentication attempt from the application 106 and/or one or more user devices from the list of user devices 118” @ ¶ 0049 & Fig. 3 and determining the user’s authentication level based on the device, location, calendar or an aggregate scoring ¶ 0052-0057 & Fig. 4) [wherein determining the AL of the user comprises referencing one or more AL trees]; and responsive to determining an AL of the user, performing one or more actions based thereon, wherein the one or more actions comprises one of allowing access to the one or more private applications and denying access to the one or more private applications (e.g., “Operation 410 includes comparing the aggregate score 202 to the score threshold 210. If the aggregate score 202 is less than the score threshold 210 (410: NO), the authenticator 102 can determine that there is a security risk and the method 400 can proceed to operation 312 of FIG. 3 and perform a mitigation action 212. If the aggregate score 202 is greater than the score threshold 210 (410: YES), the authenticator 102 can determine that there is no security risk and the method 400 can return to operation 304 of FIG. 3.” @ ¶ 0057, Fig. 4 #410 & Fig. 5).

Virgen discloses the claimed subject matter as discussed above and further discloses using decision tree for the security risk rule engine (¶ 0041), but does not explicitly disclose wherein determining the AL of the user comprises referencing one or more AL trees. However, analogous art from the same field of endeavor teaching accessing SaaS, Tiwari teaches this limitation with a “hierarchical authentication process involves identifying the authenticated parent node and as well as a participating node up to the root node” (¶ 0027). Therefore, based on Virgen in view of Tiwari, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Tiwari to the system of Virgen in order to provide a framework for hierarchical certificate ensuring authentication and non-repudiation for SaaS (¶ 0007). Hence, it would have been obvious to combine the references to obtain the invention as specified in the instant claim.

The references above further teach claim:

2. The method of claim 1, wherein referencing one or more AL trees is based on any of a geographic location of the user and an application segment associated with the one or more private applications (e.g., decision tree using location @ Virgen ¶ 0040-0041).

The references above further teach claim:

3. The method of claim 1, wherein access to each of the one or more private applications is based on an AL required by each of the one or more private applications (e.g., comparing score against threshold for teaches a required authentication level @ Virgen ¶ 0057-0058).

The references above further teach claim:

4. The method of claim 3, wherein responsive to determining the AL of the user is a lower AL than that required by the one or more private applications, the one or more actions comprise prompting the user to authenticate to a required AL based on the one or more private applications (e.g., performing mitigation action when score is lower than required authentication level @ Virgen ¶ 0057 and the mitigation action 212 can include, for example, sending a notification, device lock, an account lock, or another mitigation action that prevents a potentially malicious user from utilizing a compromised device or accessing a compromised account. An account lock can include restricting access to the account associated with the attempted authentication, where the restricted access can require additional verification to restore access to the account such as, but not limited to, providing answers to security questions, performing multi-factor authentication, suspending the account for a predetermined period of time, and the like.” @ Virgen ¶ 0040).

The references above further teach claim:

5. The method of claim 1, wherein each of the one or more AL trees comprises one or more parent ALs and one or more child ALs (e.g., parent node and child node @ Tiwari ¶ 0025-0027). The motivation to combine Tiwari to Virgen is similar to claim 1 above.

The references above further teach claim:

6. The method of claim 5, wherein each of the one or more parent ALs and one or more child ALs have a timeout period associated therewith (e.g., “suspending the account for a predetermined period of time” @ Virgen ¶ 0040 and security risk associated with attempts outside of allowed calendar time @ Virgen ¶ 0050 and uses the authentication token to validate and verify authenticity of the users to access the requested SaaS instance 504 @ Tiwari ¶ 0090, together teaches a timeout period as claimed).

The references above further teach claim:

7. The method of claim 6, wherein the steps comprise: responsive to the timeout period of the AL of the user expiring, automatically demoting the AL of the user to a child AL of the AL of the user (e.g., reducing the aggregate score relating to the expired calendar time @ Virgen ¶ 0026, 0034 & 0037).

The references above further teach claim:

8. The method of claim 6, wherein the determining comprises determining the AL of the user is a higher AL than an AL required by the one or more private applications, and wherein the steps comprise allowing access to the one or more private applications based thereon (e.g., allowing access based on comparison against minimum authentication level threshold @ Virgen ¶ 0038-0043).

The references above further teach claim:

9. The method of claim 8, wherein responsive to a timeout period of the AL of the user expiring, continuing a session for the user based on a child AL of the AL of the user being at or above an AL required by the one or more private applications (e.g., allowing access using the identity of the child node @ Virgen ¶ 0027).

The references above further teach claim:

10. The method of claim 1, wherein responsive to determining the AL of the user, the one or more actions comprise allowing access to one or more applications requiring a lower AL than the AL of the user (e.g., allowing access based on comparison against minimum authentication level threshold, teaches the user having higher authentication level than the application @ Virgen ¶ 0038-0043).

Claims 11-20 recite substantially similar limitations as claims 1-9, but for recitation in the form of “a non-transitory computer-readable medium”. Accordingly, claims 11-20 are rejected for similar reasoning per claims 1-9.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Relevant prior art, Koul et al. (US pub No 2019/0253457), teaches using a multi-head tree to represent a root-tenant security configuration for a PaaS and SaaS.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAU LE whose telephone number is (571)270-7217. The examiner can normally be reached M-F 8:00-5:00.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHAU LE/
Primary Examiner, Art Unit 2408

Prosecution Timeline

Jun 18, 2024: Application Filed
Jan 22, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603880
BLOCKCHAIN-BASED SDP ACCESS CONTROL METHOD AND APPARATUS
2y 5m to grant Granted Apr 14, 2026
Patent 12603866
Security Architecture and System for Central Gateway, and Storage Medium
2y 5m to grant Granted Apr 14, 2026
Patent 12598180
PAIRED DEVICE MULTI-FACTOR AUTHENTICATION USING BLUETOOTH
2y 5m to grant Granted Apr 07, 2026
Patent 12598257
Using An On-Premises Telephony Node During An Outage
2y 5m to grant Granted Apr 07, 2026
Patent 12579238
AUTHENTICATION PROCESSING APPARATUS, AUTHENTICATION PROCESSING METHOD, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 85%
With Interview: 99% (+16.9%)
Median Time to Grant: 2y 10m
PTA Risk: Low
Based on 532 resolved cases by this examiner. Grant probability derived from career allow rate.