DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present office action is responsive to communications received on 1/15/2026. Claims 1-13 are pending.
Response to Arguments
The arguments/remarks filed by the applicant on 1/15/2026 have been fully considered and are responded to in the following.
Applicant’s arguments, ‘Schultz fails to disclose or suggest at least the feature of Claim 1 of (in a network resource) capturing an operation request, via API, from a process or an operating system in the network resource for the computer resource on the network resource before the computer resource is accessed, in a case where an access request for a computer resource on the network resource is received from the communication apparatus.’, see p. 2, ¶3, filed 1/15/2026, with respect to the amended claims overcoming the cited prior art references of the rejection of claims 1 and 13 under 35 USC § 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new ground of rejection – as necessitated by amendment – is made in view of the previously cited prior art Schultz. Please refer to the "Claim Rejections - 35 USC § 102" section below for detailed analysis.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-13 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Schultz (US 20170063927 A1).
Regarding claim 1, Schultz teaches an information processing method for controlling access to a computer resource on a network resource from a communication apparatus used by a user, comprising:
selecting a policy suitable for a state of the communication apparatus from a plurality of policies with access privilege allowed for each one of a plurality of types of work defined as a policy for each work; and in the network resource, ([0068] At 510, the control and monitoring node accesses a user-specific security policy that is associated with the user identifier and that indicates at least a network destination and a user-specific security-related action associated with the network destination, such as a security action associated with attempts by the user to access a destination. In some embodiments, the control and monitoring node may proactively access the user-specific security policy. In some embodiments, another system, such as the user tracking system, may proactively push the user-specific policy to the control and monitoring node. The user-specific security-related action may be allow or deny, or some other action. The user-specific policy may also indicate destination protocol information, such as destination TCP or UDP ports, application tokens provided by a shared user system, and so forth.)
obtaining information of a policy selected for the communication apparatus; ([0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
capturing an operation request, via API (Application Programming Interface), from a process or an operating system in the network resource for the computer resource on the network resource before the computer resource is accessed, in a case where an access request for a computer resource on the network resource is received from the communication apparatus; ([0071] At 516, the network node enforces the active security policy. Enforcing the active security policy includes, in various examples, inspecting packets that arrive at the network node, comparing the data found in the packets—such as in the headers in the packets—to the active security policy, identifying any matches between the packets and an entry in the active security policy, and performing the actions specified in the active security policy (e.g., deny, allow, drop, accept). As noted above, enforcement of the active security policy may be stateless or stateful. [0075] Processor(s) 602 may include one or more single-core processing unit(s), multi-core processing unit(s), central processing units (CPUs), graphics processing units (GPUs), general-purpose graphics processing units (GPGPUs), or hardware logic components configured, e.g., via specialized programming from modules or application program interfaces (APIs), to perform functions described herein.) Here Schultz discloses that the capturing functions (inspecting arrived packets) described in [0071] can be performed via APIs.
determining whether or not there is access privilege for a computer resource specified by the operation request captured in the capturing on a basis of information of the policy obtained in the obtaining; ([0071] At 516, the network node enforces the active security policy. Enforcing the active security policy includes, in various examples, inspecting packets that arrive at the network node, comparing the data found in the packets—such as in the headers in the packets—to the active security policy, identifying any matches between the packets and an entry in the active security policy, and performing the actions specified in the active security policy (e.g., deny, allow, drop, accept). As noted above, enforcement of the active security policy may be stateless or stateful.)
executing processing to send the operation request as is to an operating system if a result of the determining is that there is an access privilege and send the result back to a request source; and ([0071] At 516, the network node enforces the active security policy. Enforcing the active security policy includes, in various examples, inspecting packets that arrive at the network node, comparing the data found in the packets—such as in the headers in the packets—to the active security policy, identifying any matches between the packets and an entry in the active security policy, and performing the actions specified in the active security policy (e.g., deny, allow, drop, accept). As noted above, enforcement of the active security policy may be stateless or stateful.)
denying access to the computer resource specified by the operation request if a result of the determining is that there is no access privilege. ([0071] At 516, the network node enforces the active security policy. Enforcing the active security policy includes, in various examples, inspecting packets that arrive at the network node, comparing the data found in the packets—such as in the headers in the packets—to the active security policy, identifying any matches between the packets and an entry in the active security policy, and performing the actions specified in the active security policy (e.g., deny, allow, drop, accept). As noted above, enforcement of the active security policy may be stateless or stateful.)
Regarding claim 2, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches
wherein in the obtaining, after information for identifying the policy selected for the communication apparatus is received from the communication apparatus, information of a policy selected for the communication apparatus corresponding to the information for identifying the policy is obtained. ([0059] Environment 400 includes network function block 422, which may be the same as or similar to the network function block 112 as shown in FIG. 1. The network function block 422 may include one or more virtual resources 424, executable using a virtualization technology such as a virtual machine using a virtualization technology such as a hypervisor 426. The virtual resource 424 may be configured to provide one more virtualized network appliance functions, such as a router function, a switch function, a firewall function, a anti-virus function, a proxy server function, a VPN function, a load balancing function, and so forth. The network function block 422 includes a network appliance 428, which may be a conventional standalone network appliance, rather than a virtualized appliance, such as the virtual resource 404. The network appliance 428 may be a firewall, router, proxy server, switch, or other network appliance type. The one or more active security policies provided by the control and monitoring node 108 may be stored in policy store 430. The policy store 430 is updated to include active security policies, and the network appliance 428 is configured to enforce the policies in the policy store 408, including any active security policies. In some examples, the network function block 422 may be provided without the virtual resource 424 and the hypervisor 426. Thus, in some examples, the network function block 422 represents a standalone network appliance 428, such as a legacy or conventional network router, firewall, anti-virus monitor, proxy server, VPN server, load balancer, etc. 
[0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
Regarding claim 3, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches
wherein in the obtaining, after information for identifying the policy selected for the communication apparatus is received from another network resource, information of a policy selected for the communication apparatus corresponding to the information for identifying the policy is obtained. ([0059] Environment 400 includes network function block 422, which may be the same as or similar to the network function block 112 as shown in FIG. 1. The network function block 422 may include one or more virtual resources 424, executable using a virtualization technology such as a virtual machine using a virtualization technology such as a hypervisor 426. The virtual resource 424 may be configured to provide one more virtualized network appliance functions, such as a router function, a switch function, a firewall function, a anti-virus function, a proxy server function, a VPN function, a load balancing function, and so forth. The network function block 422 includes a network appliance 428, which may be a conventional standalone network appliance, rather than a virtualized appliance, such as the virtual resource 404. The network appliance 428 may be a firewall, router, proxy server, switch, or other network appliance type. The one or more active security policies provided by the control and monitoring node 108 may be stored in policy store 430. The policy store 430 is updated to include active security policies, and the network appliance 428 is configured to enforce the policies in the policy store 408, including any active security policies. In some examples, the network function block 422 may be provided without the virtual resource 424 and the hypervisor 426. Thus, in some examples, the network function block 422 represents a standalone network appliance 428, such as a legacy or conventional network router, firewall, anti-virus monitor, proxy server, VPN server, load balancer, etc. 
[0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
Regarding claim 4, Schultz teaches all the features with respect to claim 2, as outlined above. Schultz further teaches
wherein in the obtaining, information of a policy selected for the communication apparatus corresponding to the information for identifying the policy is obtained from a file stored in a storage unit of the network resource. ([0059] Environment 400 includes network function block 422, which may be the same as or similar to the network function block 112 as shown in FIG. 1. The network function block 422 may include one or more virtual resources 424, executable using a virtualization technology such as a virtual machine using a virtualization technology such as a hypervisor 426. The virtual resource 424 may be configured to provide one more virtualized network appliance functions, such as a router function, a switch function, a firewall function, a anti-virus function, a proxy server function, a VPN function, a load balancing function, and so forth. The network function block 422 includes a network appliance 428, which may be a conventional standalone network appliance, rather than a virtualized appliance, such as the virtual resource 404. The network appliance 428 may be a firewall, router, proxy server, switch, or other network appliance type. The one or more active security policies provided by the control and monitoring node 108 may be stored in policy store 430. The policy store 430 is updated to include active security policies, and the network appliance 428 is configured to enforce the policies in the policy store 408, including any active security policies. In some examples, the network function block 422 may be provided without the virtual resource 424 and the hypervisor 426. Thus, in some examples, the network function block 422 represents a standalone network appliance 428, such as a legacy or conventional network router, firewall, anti-virus monitor, proxy server, VPN server, load balancer, etc. [0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. 
In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
Regarding claim 5, Schultz teaches all the features with respect to claim 2, as outlined above. Schultz further teaches
wherein in the obtaining, information of a policy selected for the communication apparatus corresponding to the information for identifying the policy is obtained from an external management server. ([0059] Environment 400 includes network function block 422, which may be the same as or similar to the network function block 112 as shown in FIG. 1. The network function block 422 may include one or more virtual resources 424, executable using a virtualization technology such as a virtual machine using a virtualization technology such as a hypervisor 426. The virtual resource 424 may be configured to provide one more virtualized network appliance functions, such as a router function, a switch function, a firewall function, a anti-virus function, a proxy server function, a VPN function, a load balancing function, and so forth. The network function block 422 includes a network appliance 428, which may be a conventional standalone network appliance, rather than a virtualized appliance, such as the virtual resource 404. The network appliance 428 may be a firewall, router, proxy server, switch, or other network appliance type. The one or more active security policies provided by the control and monitoring node 108 may be stored in policy store 430. The policy store 430 is updated to include active security policies, and the network appliance 428 is configured to enforce the policies in the policy store 408, including any active security policies. In some examples, the network function block 422 may be provided without the virtual resource 424 and the hypervisor 426. Thus, in some examples, the network function block 422 represents a standalone network appliance 428, such as a legacy or conventional network router, firewall, anti-virus monitor, proxy server, VPN server, load balancer, etc. [0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. 
In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
Regarding claim 6, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches
wherein in the obtaining, information of a policy selected for the communication apparatus is obtained from the communication apparatus. ([0059] Environment 400 includes network function block 422, which may be the same as or similar to the network function block 112 as shown in FIG. 1. The network function block 422 may include one or more virtual resources 424, executable using a virtualization technology such as a virtual machine using a virtualization technology such as a hypervisor 426. The virtual resource 424 may be configured to provide one more virtualized network appliance functions, such as a router function, a switch function, a firewall function, a anti-virus function, a proxy server function, a VPN function, a load balancing function, and so forth. The network function block 422 includes a network appliance 428, which may be a conventional standalone network appliance, rather than a virtualized appliance, such as the virtual resource 404. The network appliance 428 may be a firewall, router, proxy server, switch, or other network appliance type. The one or more active security policies provided by the control and monitoring node 108 may be stored in policy store 430. The policy store 430 is updated to include active security policies, and the network appliance 428 is configured to enforce the policies in the policy store 408, including any active security policies. In some examples, the network function block 422 may be provided without the virtual resource 424 and the hypervisor 426. Thus, in some examples, the network function block 422 represents a standalone network appliance 428, such as a legacy or conventional network router, firewall, anti-virus monitor, proxy server, VPN server, load balancer, etc. [0070] At 514, the control and monitoring node sends, and a network node receives, the active security policy. 
In alternative embodiments, the network node may receive (such as from the user tracking service or the control and monitoring node) the association information discussed above (e.g., the association between the client identifier and the authenticated user) and the network node itself generates the active security policy from this information and from a user-specific security policy. In some examples, the network node may be included as part of a network function block such as the network function blocks 112, 402, and 422. In some examples, the network node may be included in an application function block, such as the application function blocks 114 and 412. In some embodiments, the control and monitoring node may transmit the active security policy (or information usable by the network node to generate the active security policy) responsive to determining that the network node has been instantiate in the network. The control and monitoring node may identify the network node as providing security services to the application node.)
Regarding claim 7, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches
in a second network resource, which is a network resource accessed from the communication apparatus, (FIG. 4, details shown in [0057-0059])
obtaining information of a policy selected for the communication apparatus; ([0070], see claim 1 rejection above)
capturing an operation request, via API, from a process or an operating system in the second network resource for a computer resource of the second network resource before the computer resource is accessed; and ([0071, 0075], see claim 1 rejection above)
determining whether or not there is access privilege for a computer resource specified by the operation request on a basis of information of the policy. ([0071], see claim 1 rejection above)
Regarding claim 8, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches
in the communication apparatus, (FIG. 4, details shown in [0061])
capturing an operation request, via API, from a process or an operating system in the communication apparatus for a computer resource on the communication apparatus before the computer resource is accessed; and ([0071, 0075], see claim 1 rejection above)
in the communication apparatus,
determining whether or not there is access privilege for a computer resource specified by the operation request on a basis of information of the policy selected. ([0071], see claim 1 rejection above)
Regarding claim 9, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches wherein
the plurality of policies include, in each policy, information of at least an IP address, a host name, a URL, a directory path of a file server, and a network device name for a network resource targeted for access control, and (TABLE 5)
in the determining, whether or not there is an access privilege for a computer resource designated by the operation request captured on a basis of the information of the network resource included in each policy. ([0068] At 510, the control and monitoring node accesses a user-specific security policy that is associated with the user identifier and that indicates at least a network destination and a user-specific security-related action associated with the network destination, such as a security action associated with attempts by the user to access a destination. In some embodiments, the control and monitoring node may proactively access the user-specific security policy. In some embodiments, another system, such as the user tracking system, may proactively push the user-specific policy to the control and monitoring node. The user-specific security-related action may be allow or deny, or some other action. The user-specific policy may also indicate destination protocol information, such as destination TCP or UDP ports, application tokens provided by a shared user system, and so forth.)
Regarding claim 10, Schultz teaches all the features with respect to claim 9, as outlined above. Schultz further teaches wherein
the plurality of policies further include, in each policy, information that designate a program that runs on the communication apparatus for accessing a network resource targeted for access control, and (TABLE 5)
in the determining, whether or not there is an access privilege for a computer resource designated by the operation request captured is determined also on a basis of the information that designates the program included in each policy. ([0068] At 510, the control and monitoring node accesses a user-specific security policy that is associated with the user identifier and that indicates at least a network destination and a user-specific security-related action associated with the network destination, such as a security action associated with attempts by the user to access a destination. In some embodiments, the control and monitoring node may proactively access the user-specific security policy. In some embodiments, another system, such as the user tracking system, may proactively push the user-specific policy to the control and monitoring node. The user-specific security-related action may be allow or deny, or some other action. The user-specific policy may also indicate destination protocol information, such as destination TCP or UDP ports, application tokens provided by a shared user system, and so forth.)
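The flow recited in claim 1 (select a policy for the device's type of work, capture an operation request before the resource is touched, decide on the basis of the policy, pass the request through to the operating system and return its result, or deny) together with the policy contents recited in claims 9 and 10 (entries keyed by IP address, host name, URL, file-server directory path or network device name, optionally restricted to a designated requesting program) can be illustrated in working code. The following is an added example written for this page; it is not code from the application under examination or from Schultz. Every policy, rule, program name, host, path and address in it is constructed, and the `OperationGate` class stands in for the API hook between a process and the operating system.

```python
# Added illustration of a policy-gated operation request flow (not code from the
# application or from Schultz). All names, policies and requests are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy entry. kind selects how target is matched: 'ip' (address or
    CIDR), 'host', 'url' (prefix), 'path' (directory prefix on a file server)
    or 'device' (network device name). programs, when non-empty, restricts the
    rule to the listed requesting programs (the claim 10 designation)."""
    kind: str
    pattern: str
    action: str = "allow"
    programs: Tuple[str, ...] = ()


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default: str = "deny"          # no matching rule: deny (least privilege)


@dataclass(frozen=True)
class OperationRequest:
    """A request captured from a process before the resource is accessed."""
    kind: str       # same vocabulary as Rule.kind
    target: str
    program: str
    operation: str  # e.g. 'read', 'write', 'connect'


def _under_directory(path: str, directory: str) -> bool:
    """Component-wise prefix test, so '/srv/share/financex' is not under
    '/srv/share/finance' as a plain string prefix would claim."""
    p, d = PurePosixPath(path).parts, PurePosixPath(directory).parts
    return p[: len(d)] == d


def rule_matches(rule: Rule, req: OperationRequest) -> bool:
    if rule.kind != req.kind:
        return False
    if rule.programs and req.program not in rule.programs:
        return False
    if rule.kind == "ip":
        return ip_address(req.target) in ip_network(rule.pattern, strict=False)
    if rule.kind == "path":
        return _under_directory(req.target, rule.pattern)
    if rule.kind == "url":
        return req.target.startswith(rule.pattern)
    return req.target.lower() == rule.pattern.lower()   # host, device


def select_policy(policies: Dict[str, Policy], device_state: dict) -> Policy:
    """Choose the policy defined for the device's current type of work."""
    return policies[device_state["work_type"]]


def decide(policy: Policy, req: OperationRequest) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for rule in policy.rules:
        if rule_matches(rule, req):
            return rule.action
    return policy.default


class OperationGate:
    """Stand-in for the API hook: every request passes through handle() before
    the operating-system handler sees it. Allowed requests are forwarded
    unchanged and the OS result goes back to the requester; denied requests
    never reach the OS. The audit list records every decision."""
    def __init__(self, policy: Policy, os_handler: Callable[[OperationRequest], dict]):
        self.policy = policy
        self.os_handler = os_handler
        self.audit: List[Tuple[OperationRequest, str]] = []

    def handle(self, req: OperationRequest) -> dict:
        decision = decide(self.policy, req)
        self.audit.append((req, decision))
        if decision == "allow":
            return self.os_handler(req)
        return {"status": "denied", "target": req.target, "policy": self.policy.name}


# Constructed sample policies, one per type of work.
POLICIES = {
    "finance": Policy("finance", [
        Rule("path", "/srv/share/finance", programs=("excel", "explorer")),
        Rule("host", "erp.example.internal"),
        Rule("ip", "10.10.0.0/16", action="deny"),   # constructed isolated segment
    ]),
    "general": Policy("general", [
        Rule("url", "https://intranet.example.internal/"),
        Rule("device", "printer-floor3"),
    ]),
}


def fake_os(req: OperationRequest) -> dict:
    """Constructed OS stand-in: records that the request reached it."""
    return {"status": "ok", "operation": req.operation, "target": req.target}


def run_scenario(work_type: str, req: OperationRequest) -> dict:
    gate = OperationGate(select_policy(POLICIES, {"work_type": work_type}), fake_os)
    return gate.handle(req)


if __name__ == "__main__":
    xlsx = "/srv/share/finance/q1.xlsx"
    print(run_scenario("finance", OperationRequest("path", xlsx, "excel", "read")))
    print(run_scenario("finance", OperationRequest("path", xlsx, "curl", "read")))
    print(run_scenario("general", OperationRequest("path", xlsx, "excel", "read")))
```

The same file request is allowed for the finance policy when it comes from a designated program, denied for the finance policy when it comes from an undesignated program, and denied outright under the general policy, which has no rule for that directory. The directory test compares path components rather than string prefixes so that a sibling directory sharing a prefix does not inherit the rule, and the default of each policy is deny so that an unlisted resource is never reachable by omission.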
Regarding claim 11, Schultz teaches all the features with respect to claim 9, as outlined above. Schultz further teaches wherein
the plurality of policies further include, in each policy, application target information that designates at least one of information of the communication apparatus, user information, position information of the communication apparatus, and time information used by the communication apparatus. ([0035-0036] In other examples, a first user tracking system 106 may authenticate the user device 102, using a certain level of security or trustworthiness (such as based on username and password) while a second user tracking system 106 authenticates the user device 102 using a different level of security or trustworthiness (such as based on biometric data, location data, smart card authentication, and so forth). Based on the level of authentication security, the control and monitoring node 108 may produce the active security policy 118. In another example, a user tracking system 106 may provide information to the control and monitoring node 108 regarding a level of access provided or afforded to the user device 102 based on a confidence level in the identity of the user. The control and monitoring node 108 may utilize this information to generate the active security policy 118, such as by providing access to more or fewer application servers, allowing access to or from different destination and source protocol ports, and so forth. Furthermore, the network node 112 (and/or the application node 114) may be configured to track usage statistics. The network node 112 and/or the application node 114 may provide such usage statistics to the control and monitoring node 108, which utilizes the usage statistics to determine a level of access to be provided to the user device 102. For example, where the usage data (such as statistics, usage patterns, and so on) indicate suspicious activities, the level of access provided to the user may be reduced in a modified active security policy 118 provided to the network node 112 and/or the application node 114. [0099] V. 
The computing system of clause U, further comprising means for receiving, from another user tracking system, other information regarding a location of the client device associated with the authenticated user, the other information including at least a location of the client device; means for determining a level of access to be provided to the authenticated user based on the information and the other information; and means for generating the active security policy such that the network node provides the client with the level of access to the destination node.) Here specific examples are shown in ¶37-38.
Regarding claim 12, Schultz teaches all the features with respect to claim 1, as outlined above. Schultz further teaches wherein
the state of the communication apparatus includes applicable communication apparatus information, user information, communication apparatus position information, and time information. ([0035-0038, 0099] see claim 11 rejection above)
Regarding claim 13, the scope of the claim is similar to that of claim 1. Accordingly, the claim is rejected using a similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HAN YANG/Primary Examiner, Art Unit 2493