DETAILED ACTION
Response to Amendment
The Amendment filed March 11, 2026 has been entered. Claims 1-20 remain pending in the application.
Regarding the Objections to the Drawings previously set forth in the Non-Final Office Action mailed December 11, 2025, Applicant’s amendments to the Drawings obviate the objections. Accordingly, the objections are withdrawn.
Regarding the Objections to the Claims previously set forth, Applicant’s amendments to the Claims obviate the objections to claims 1, 8, and 15. Accordingly, the objections are withdrawn.
Regarding the claim rejections under 35 U.S.C. 103, Applicant’s amendments to the Claims have modified the scope of the claims and warrant new grounds for rejection as set forth below.
Response to Argument
Applicant’s arguments regarding the rejection of claims 1-20 under 35 U.S.C. 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Interpretation
Claims 1 and 15 recite “determining that the user identity is permitted access is further based on an output from execution of a machine-learning process”. Claim 8 recites “determining that the user identity is permitted access is further based on an output from execution of a data mining process”. The terms “data mining” and “machine learning” only appear exemplarily in ¶0079 (“Security engine 102, in this situation, can use one more data mining processes and/or machine learning processes, to discover patterns, correlations, associated with the traveling corporate executive within massive datasets to determine data…”).
For purposes of examination of the instant application, a “data mining process” shall be interpreted as “any algorithm, process, or calculation that is used to identify patterns or relationships among a set of data”, and “a machine-learning process” shall be interpreted as “any algorithm, process, or calculation which trains a mathematical model to perform a task based on data by optimizing a value and updating at least one internal parameter”. Examiner notes that, while there may be significant overlap, the terms are not synonymous with each other. Additionally, neither term is synonymous with, or fully encompassed by, artificial intelligence or classifiers as described in ¶¶0091-0093 of the accompanying specification.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
MPEP §2161.01 details that “…claims may lack written description when the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. For software, this can occur when the algorithm or steps/procedure for performing the computer function are not explained at all or are not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient). In other words, the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed”
Claims 1 and 15 describe a process of determining whether a user identity has access to a requested resource, “wherein the determining that the user identity is permitted to access the at least one of the data resources is further based on a result from an execution of a machine-learning process.” Claim 8 describes a similar process, “wherein the determining that the user identity is permitted to access the at least one of the data resources is further based on a result from an execution of a data mining process.” (emphasis added) While the accompanying specification makes passing mention of data mining and machine learning (¶0076), there is no description of what type(s) of data mining and/or machine learning may be used. This does not satisfy the requirement that specification provide “sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed.” Id.
Therefore, claims 1, 8, and 15 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.
Claims 2-7, 9-14, and 16-20 are rejected due to their respective dependencies on claims 1, 8, and 15.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3-8, 10-15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20220292168 by Birch (hereinafter “Birch”) in view of US 12489617 to Kumar et al. (hereinafter “Kumar”) and further in view of US 20070083928 to Mattson et al. (hereinafter “Mattson”).
Regarding claim 1, Birch discloses:
Authentication equipment, comprising:
at least one processor (Birch Fig. 1: Third Processing Device(s) 520); and
at least one memory that stores executable instructions (Birch Fig. 1: Third Memory 510 contains Access Application 530) that, when executed by the at least one processor, facilitate performance of operations, comprising:
obtaining, from user input associated with a user identity, authentication data representing a username and password combination (Birch [0062]: “As previously discussed, user credentials may comprise alphanumeric characters (e.g., username/passcode)…”);
determining, based on second metadata (Birch Fig. 3, 750 “access schedules”) associated with the user identity (Birch [0046]: “Each access schedule 440 defines a time period 450 during which user credentials 340 associated with a user 350 are valid for accessing to a computer network 352, application 354 and/or data file 356…”) and associated with data resources stored on the storage server equipment (Birch Fig. 3, 710-760 “a computing network, application, and/or data file”), that the user identity is permitted access to at least one of the data resources (Birch Fig. 3, 760).
Birch does not disclose in response to determining that the username and password combination is valid and is associated with the user identity, determining, based on first metadata associated with the user identity, that the user identity is authorized to access storage server equipment associated with the authentication equipment.
However, analogous art Kumar discloses “In an example, for a passed verification [determining that the username and password combination is valid and is associated with the user identity], the computer platform 110 may next determine the level of access that the computer platform 110 allows to the resources of the computer platform 110 based on one or multiple other criteria [the first metadata] (e.g., permissions associated with the user account, whether the password has expired, usage constraints, time-based constraints, as well as other possible criteria)” (Kumar 5:17-24).
Kumar and Birch are both art analogous to the claimed invention because are directed towards securing computing resources against unauthorized access (Birch [0001], Kumar 1:7-20). It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to use “one or multiple other criteria” to determine the user identity has access to the equipment as taught by Kumar to maintain the principle of least privilege (users should only have access to the resources they need for only as long as they need them).
Neither Kumar nor Birch disclose that the determination whether to allow access is based on a machine-learning process.
However, Mattson describes determining that the user identity is permitted to access the at least one of the data resources (Mattson [0014]: “a method of detecting and preventing intrusion in a data at rest system”) is further based on a result from an execution of a machine-learning process (Mattson [0073]: “Examples of intrusion detection procedures may include, but are not limited to… commencing inference analysis.”) Inference analysis includes data mining and machine learning techniques (Mattson [0074]: “Inference analysis may include the use of data mining and machine learning technologies and techniques such as Bayes' theorem.” See also Mattson [0076]: “The goal of inference is typically to find the distribution of a subset of the variables, conditional upon some other subset of variables with known values (the evidence), with any remaining variables integrated out.”)
Mattson is art analogous to the claimed invention because both are directed towards securing computer resources from unauthorized access (Mattson [0002]: “The present invention generally relates to systems and methods of detecting and preventing intrusion in a database, file system or other data at rest system.”). It would have been obvious to a person having ordinary skill in the art, prior to the effective filing date of the claimed invention, to use data mining processes, like those taught by Mattson, to help determine whether to grant access in order to protect the system from “… attacks from persons who have access to a valid user-ID and password… Such persons can be tempted to access improper amounts of data, by-passing the security.” Mattson [0003]. Such attacks can be prevented by analyzing historical behavior (cf. Mattson [0011]: “A variation of conventional intrusion detection is detection of specific patterns of information access known as inference detection.”) using the specific techniques therein described.
Regarding claim 3, Birch in view of Kumar and Mattson discloses:
The authentication equipment of claim 1, wherein the first metadata comprises one or more permissions for access to the data resources stored on the storage server equipment (Kumar 5:17-24: “…the computer platform 110 may next determine the level of access that the computer platform 110 allows to the resources of the computer platform 110 based on one or multiple other criteria (e.g., permissions associated with the user account… as well as other possible criteria)”).
Regarding claim 4, Birch in view of Kumar and Mattson discloses:
The authentication equipment of claim 1, wherein the second metadata represents at least one defined time range (Birch [0063]: “At Event 720, access schedules are received and stored in computing memory”) during which the user identity is able to access at least one of the data resources stored on the storage server equipment (Birch [0063]: “Each access schedule defines a time period during which one or more user credentials associated with a user are valid for accessing at least one computer network, application and/or data file”).
Regarding claim 5, Birch in view of Kumar and Mattson discloses:
The authentication equipment of claim 4, wherein the at least one defined time range is determined based on a quality of service metric data (Birch [0063]: “The time period typically includes, but may not be limited to, the user's standard work hours”) representative of a quality of service metric (“work hours”) associated with the user identity.
Regarding claim 6, Birch in view of Kumar and Mattson discloses:
The authentication equipment of claim 5, wherein the at least one defined time range is determined based on a historical pattern of use of the at least one of the data resources in association with the user identity (Birch [0063]: “The time period typically includes, but may not be limited to, the user's standard work hours”).
Regarding claim 7, Birch in view of Kumar and Mattson discloses:
The authentication equipment of claim 1, wherein the first metadata and the second metadata are associated with the data resources stored on the storage server equipment (Birch [0062]: “At Event 710, user credentials are received and stored in computing memory. Each user credential is associated with one of a plurality of users and is configured to be input by the user to grant the user access to an associated computer network (and/or sub-computing networks, directories or the like”), application and/or data file).
Regarding claim 8, Birch discloses:A method, comprising:
receiving, by an authentication server comprising at least one processor (Birch [0036]: “These computer program instructions may be provided to a processor…”) from user input associated with a user identity, authentication data representing at least one user access credential (Birch [0064]: “At Event 730, a user input is received from a user desiring access to a corresponding computer network, application, or data file. The user input comprises the assumed user credentials which the user has preconfigured for accessing the computer network, application, or data file…”); and
determining, based on second metadata (Birch Fig. 3, 750 “access schedules”) associated with the user identity (Birch [0046]: “Each access schedule 440 defines a time period 450 during which user credentials 340 associated with a user 350 are valid for accessing to a computer network 352, application 354 and/or data file 356…”) and with data resources stored on the storage server equipment (Birch Fig. 3, 710-760 “a computing network, application, and/or data file”), that the user identity is permitted access to at least one of the data resources (Birch Fig. 3, 760).
Birch does not disclose in response to determining that the at least one user access credential is valid and is associated with the user identity, determining, based on first metadata, that the user identity is authorized to access storage server equipment associated with the authentication equipment.
However, analogous art Kumar discloses “In an example, for a passed verification [determining the at least one user access credential is valid and associated with the user identity], the computer platform 110 may next determine the level of access that the computer platform 110 allows to the resources of the computer platform 110 based on one or multiple other criteria [the first metadata] (e.g., permissions associated with the user account, whether the password has expired, usage constraints, time-based constraints, as well as other possible criteria)” (Kumar 5:17-24).
Kumar and Birch are both art analogous to the claimed invention because are directed towards securing computing resources against unauthorized access (Birch [0001], Kumar 1:7-20). It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to use “one or multiple other criteria” to determine the user identity has access to the equipment as taught by Kumar to maintain the principle of least privilege (users should only have access to the resources they need for only as long as they need them).
Neither Kumar nor Birch disclose that the determination whether to allow access is based on a data mining process.
However, Mattson describes determining that the user identity is permitted to access the at least one of the data resources (Mattson [0014]: “a method of detecting and preventing intrusion in a data at rest system”) is further based on a result from an execution of a data mining process (Mattson [0073]: “Examples of intrusion detection procedures may include, but are not limited to… commencing inference analysis.”) Inference analysis includes data mining and machine learning techniques (Mattson [0074]: “Inference analysis may include the use of data mining and machine learning technologies and techniques such as Bayes' theorem.” See also Mattson [0076]: “The goal of inference is typically to find the distribution of a subset of the variables, conditional upon some other subset of variables with known values (the evidence), with any remaining variables integrated out.”)
Mattson is art analogous to the claimed invention because both are directed towards securing computer resources from unauthorized access (Mattson [0002]: “The present invention generally relates to systems and methods of detecting and preventing intrusion in a database, file system or other data at rest system.”). It would have been obvious to a person having ordinary skill in the art, prior to the effective filing date of the claimed invention, to use data mining processes, like those taught by Mattson, to help determine whether to grant access in order to protect the system from “… attacks from persons who have access to a valid user-ID and password… Such persons can be tempted to access improper amounts of data, by-passing the security.” Mattson [0003]. Such attacks can be prevented by analyzing historical behavior (cf. Mattson [0011]: “A variation of conventional intrusion detection is detection of specific patterns of information access known as inference detection.”) using the specific techniques therein described.
Claim 10 recites essentially the same content as claim 3 and is rejected for the same reasons.
Claim 11 recites essentially the same content as claim 4 and is rejected for the same reasons.
Claim 12 recites essentially the same content as claim 5 and is rejected for the same reasons.
Claim 13 recites essentially the same content as claim 6 and is rejected for the same reasons.
Claim 14 recites essentially the same content as claim 7 and is rejected for the same reasons.
Claim 15 discloses a non-transitory machine-readable medium, comprising executable instructions that, when executed by at least one processor, facilitate performance of operations comprising the method of claim 1. Therefore, claim 15 is rejected for essentially the same reasons as claim 1.
Claim 17 recites essentially the same content as claim 3 and is rejected for the same reasons.
Claim 18 recites essentially the same content as claim 4 and is rejected for the same reasons.
Claim 19 recites essentially the same content as claim 5 and is rejected for the same reasons.
Claim 20 recites essentially the same content as claim 6 and is rejected for the same reasons.
Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Birch in view of Kumar and Mattson as applied to claims 1, 8, and 15 above, and further in view of US 7373515 to Owen et al. (hereinafter “Owen”).
Regarding claim 2, Birch in view of Kumar and Mattson discloses the authentication equipment of claim 1.
Birch in view of Kumar and Mattson does not disclose the remainder of the claim.
However, analogous art Owen discloses the operations compris[ing], prior to determining that the at least one user access credential is valid (Owen Fig. 7: 718 follows all other steps), generating (Owen Fig. 7 704) and transmitting, to a user device associated with the user identity, a first authentication code (Owen Fig. 7 706), and receiving, in response to the transmitting of the first authentication [code], a second authentication code (Owen 16:40-44: The user reads the challenge response from a display of the device and communicates (Step 712) it back to the access authority, which in turn communicates it back to the authentication authority with the secondary ID) that confirms the username and password combination is valid.
Owen is art analogous to the claimed invention because both are directed towards computer security and preventing unauthorized parties from accessing a secured resource (Owen 1:15-19). It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to implement additional authentication via multi-factor authentication as taught by Owen to increase resistance to shoulder-surfing or social engineering attacks, and “to insure that the user 350, is in fact, the user and not a nefarious entity/wrongdoer” (Birch [0059]).
Claims 9 and 16 recite essentially the same content as claim 2 and are rejected for the same reasons.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL HABASHI whose telephone number is (571)272-2245. The examiner can normally be reached M-F: 9 AM-6 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at (571)270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
DH
Examiner
Art Unit 2407
/Catherine Thiaw/Supervisory Patent Examiner, Art Unit 2407 4/30/2026