Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This is in reply to papers filed on 11/19/2024. Claims 2-21 are pending. Claim 2 is/are independent.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
U.S. Patent No. 11,108,780
Claims 2-4, 9-10, 12-13, 16, and 18-19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 -17 of U.S. Patent No. 11,108,780 in view of Rajakarunanayake et al. U.S. Publication 20130091280 (hereinafter “Rajakarunanayake”). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of U.S. Patent No. 11,108,780 render obvious the claims of the present application.
Claim 1 of U.S. Patent No. 11,108,780 lacks an artificial intelligence-based agent and software services.
Rajakarunanayake at para. 34, 45 and 50 discloses artificial intelligence agents and resources such as software services are accessible and associated with accessible data under a system of access control.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the method recited in claim 1 of U.S. Patent No. 11,108,780 to include artificial intelligence agents and to have resources such as software services, as taught by Rajakarunanayake, in order to improve the capabilities for access control associated with artificial intelligence agents and software services.
As for the dependent claims depending from instant claim 2, claims 1 -17 of U.S. Patent No. 11,108,780 disclose the dependent claims in view of Rajakarunanayake.
U.S. Patent No. 12,137,098
Claims 2-4, 8-9, 11-13, 15-16, and 18-19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 -17 of U.S. Patent No. 12,137,098 in view of Rajakarunanayake et al. U.S. Publication 20130091280 (hereinafter “Rajakarunanayake”). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of U.S. Patent No. 12,137,098 render obvious the claims of the present application.
Claim 1 of U.S. Patent No. 12,137,098 lacks an artificial intelligence-based agent and software services, and also lacks disclosure of (d) receiving a request to assign the AI-based agent to the access control list, to thereby deny or grant the AI-based agent access to the at least one software service via the access control system.
Rajakarunanayake at para. 34, 45 and 50 discloses artificial intelligence agents and resources such as software services are accessible and associated with accessible data under a system of access control. Rajakarunanayake also discloses receiving a request to add an artificial intelligence agent as a new group member, which is a request for adding the artificial intelligence agent to an access control list (para. 34 access to specific content may be shared with members and such access can be conditional. Access control rules are imposed on a per-member basis, para 44-45)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the method recited in claim 1 of U.S. Patent No. 12,137,098 to include artificial intelligence agents and to have resources such as software services, and techniques such as receiving a request to add an artificial intelligence agent as a new group member, as taught by Rajakarunanayake, in order to improve the capabilities for access control associated with artificial intelligence agents and software services, to thereby expand the capabilities of responding to requests to gain access to conditionally accessible data.
As for the dependent claims depending from instant claim 2, claims 1 -17 of U.S. Patent No. 12,137,098 disclose the dependent claims in view of Rajakarunanayake.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 11/11/2024 is/are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement(s) is/are being considered by the examiner.
Specification
The disclosure is objected to because of the following informalities: para. 22 (as published) describes “cooperate boundaries” which should be corporate boundaries as found in the parent applications. Appropriate correction is required.
Claim Objections
Claim 13 is objected to because of the following informalities: claim 13 recites “cooperate boundaries” which should be corporate boundaries. Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2-3, 9-10, 12-14 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan et al. U.S. Publication 20070136603 (hereinafter “Kuecuekyan”) in view of Rajakarunanayake et al. U.S. Publication 20130091280 (hereinafter “Rajakarunanayake”).
As per claim 1, Kuecuekyan discloses
A computer-implemented method [computer performs method, para. 207] for accessing [user (requestor) can access data, para. 19; verifying user authorized to perform request operation, para. 263; allow exclusive access based on security rule, para. 257] and using [read/write, para. 13] data in a computing environment [computing environment as depicted in FIG. 1] by an agent, [requestor can be any entity, such as a software application, para. 239] the method comprising:
[see Kuecuekyan figure 1 for computing environment and steps of method controlling access to protected data stored in hosts associated with domains;
Kuecuekyan
para. 239 requestor can be any entity, e.g., an individual, a software application,1 a machine, etc.
Kuecuekyan
[0207] The present invention is further directed to computer-readable media comprising computer instructions which, when executed by a computer, perform any of the methods described herein.
[0013] user data protection via enforcement of policy-based access control. DSA explicitly grants permission to perform operations, e.g., read/write and subscribe/publish operations on data that concurrently resides in one or more protected domains, where in the latter case the data is distributed across multiple security domains
[0019]
DSA provides an enforcement barrier between users and protected data that cannot be bypassed by unauthorized users. This is because DSA requires protected data to reside on hosts with secure operating systems that are configured with mandatory access control policies of their own that allow exclusive access to data only through an DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access.
Kuecuekyan [0257]
FIG. 1 …. DSA system in a single domain. …. DSA requires protected data to reside on hosts with secure operating systems that are configured with Mandatory Access Control policies of their own that allow exclusive access to data only through a DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access.
Kuecuekyan [0263] DSA receives the request, authentication token, and credentials, and verifies that the user is authorized to perform the requested operation on the target within any specified constraints in the domain's security policy..
(a) segmenting [elements of a target may physically be distributed across multiple domains, para. 11;] the data [target, para. 11] into a plurality of data segments [distribute multiple elements of a target across domains, para. 11; each domain owns a portion of the information para. 227] useable by a plurality of software services; [ each of these domains has secure operating system at para. 19, database and/or native file system at para. 272, each of which can disclose software services]
Kuecuekyan [0011] The smallest unit of information to be protected is referred to as an "Element" (which is smaller in granularity than a "file"). An element is a user-defined piece of data that the domain owner wishes to protect differently than other elements in a target. A target may therefore be comprised of multiple elements, and the elements of a target may physically be distributed across multiple domains.
Kuecuekyan Para. [0010] ….. Process access requests from "requesters" wishing to perform "operations" on data " targets" in single or multiple -domain systems.
Kuecuekyan [0272] DSA interfaces over a network with the host computers on which the data protected by DSA resides. These protected data hosts may host data that resides on a native file system on the host, or within a database installed on the host..
Para. [0227] In a multiple-domain scenario, one access control decision is distributed such that partial decisions are independently made in each domain that owns a portion of the required information. The result is a securely coordinated end-to-end access control decision that protects the confidentiality of each participating domain's sources and data
(b) associating the agent with one or more data segments of the plurality of data segments;[ Requestors may be associated with Roles, para. 239; roles have access to targets under the rules, para. 37; grant user/agent/entity access to protected data only if a rule exists granting such access, para. 257; system administrator preferably defines all domain security policy rules, para. 290; it is the Kuecuekyan rules that provide associations between user, domain, and protected data]
Kuecuekyan para. 237
a role can be established which includes a rule stating that persons having such role are permitted to perform that one or more operation on that group of targets.
[0290]
The system administrator preferably defines all domain security policy rules prior to initial operational capability. In DSA, the default is that no access is allowed to any target unless a user is explicitly given privilege to perform a particular operation on the target. The administrator may assign users to roles to simplify security policy rule administration, or assign individual rules for users as needed.
Kuecuekyan [0257]
FIG. 1 …. …Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access.
[0239] Requestor/User--The "Requestor" in a security policy rule is the entity requesting access to protected resources. Some embodiments of DSAs require that all Requestors must have credentials that uniquely identify and authenticate them to the system. Requestors in DSA may be individuals or systems, but preferably are software processes or applications that operate on behalf of the individuals or systems to which they belong. Alternatively, a Requestor may be a trusted proxy that makes requests on behalf of other software application(s) that cannot make their own requests. Requestors may be associated with Roles (described below) for streamlining policy rule declarations. A requestor can be any entity, e.g., an individual, a software application, a machine, etc.
(c) providing an access control system [the security layer provided by the DSAs, para. 253] that provides the agent selective access to at least one software service [“access control decision is distributed such that partial decisions are independently made in each domain that owns a portion of the required information”, para. 227; granting access to one of the operating system, database, and/or file system in Kuecuekyan that holds the data sought by the requester] of the plurality of software services based at least in part on an access control list, [security policy rules define valid and invalid operations on targets, para. 236; access control list disclosed by the security policy rules at para. 19, para. 257; the Kuecuekyan rules indicate whether the user (e.g., any requestor entity such as software process/application para. 239) may access the data segment] wherein the at least one software service is associated [secure operating system (para. 19), file system, and/or database (para. 272) is associated with the data element that is being hosted ] with one or more data segments of the plurality of data segments; and
Kuecuekyan [0272] DSA interfaces over a network with the host computers on which the data protected by DSA resides. These protected data hosts may host data that resides on a native file system on the host, or within a database installed on the host..
[0019] DSA provides an enforcement barrier between users and protected data that cannot be bypassed by unauthorized users. This is because DSA requires protected data to reside on hosts with secure operating systems that are configured with mandatory access control policies of their own that allow exclusive access to data only through an DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access
Kuecuekyan [0236]
Operation—The “Operations” in security policy rules are the operations that the system specifically defines as valid (or invalid)in the system. Examples …..“Read”, and “Write”. …..
Kuecuekyan [0253]
The DSA preferably provides a strong security enforcement layer placed between a system's data and the potential producers and consumers of that data. In a multi-domain system, the security layer provided by the DSAs strictly controls access to all data in a distributed system by enforcing the explicit security policy rules of each domain in the distributed system. A DSA can perform a single access control decision within one domain, or across multiple domains where each domain is under the control of its own security policy. The DSAs according to the present invention are designed to process access requests from requesters wishing to perform operations on data targets in single or multiple-domain systems.
)
(d) receiving a request [administrator assigns users to roles, para. 290; administrator overwrites default value for user’s clearance level, para. 361] to assign [assigning roles para. 37, 290; overwriting clearance level, para. 261] the agent [user/requestor means any entity such as a software process/application para. 239 can disclose agent] to the access control list, [multiple roles can be assigned to user/requestor/entity, para. 37, 290; roles have access to targets under the rules, para. 37; the clearance level/role of the user is a factor to determine their access according to rules, para. 33, 37, 229] to thereby deny [deny, para. 50, 55] or grant [rule states a person with role permitted to perform operation on target, para. 37; clearance level indicates user allowed, para. 229] the agent access to the at least one software service [users access the operating system/file system/database in order to access the data being hosted] via the access control system.
Kuecuekyan
[0290] The system administrator preferably defines all domain security policy rules prior to initial operational capability. In DSA, the default is that no access is allowed to any target unless a user is explicitly given privilege to perform a particular operation on the target. The administrator may assign users to roles to simplify security policy rule administration, or assign individual rules for users as needed.
[0033] The following is a summary of a sequence of steps which can be carried out in a representative example of a policy rule enforcement process. [0034] First, a decision is made regarding whether the user's clearance level is equal to or greater than the protection level which has been assigned to each element within the target.
[0037] a role can be established which includes a rule stating that persons having such role are permitted to perform that one or more operation on that group of targets.
[0229] Clearance Level--The Clearance Level is a label assigned to a user that represents the highest Protection Level of data that the user is allowed to access in DSA.
[0018] DSA must explicitly enforce the security policy rules of each domain in a multi-domain system.
Para. 361 assign a default value for the user's clearance level attribute to be the lowest defined protection level in the domain (preferably, the default value may be overwritten by a value that is entered by the administrator);
Para. 239 Requestors may be associated with Roles (described below) for streamlining policy rule declarations. A requestor can be any entity, e.g., an individual, a software application, a machine, etc.
Para. [0019] DSA provides an enforcement barrier between users and protected data that cannot be bypassed by unauthorized users. This is because DSA requires protected data to reside on hosts with secure operating systems that are configured with mandatory access control policies of their own that allow exclusive access to data only through an DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access.
Kuecuekyan [0054] (2) if the local domain does not contain a rule for each element contained in the local domain indicating that the requestor is authorized to perform the desired operation on the target: [0055] (a) denying the request.
Kuecuekyan [0314] if a protected data host houses its data in a database rather than a filesystem, …. DSA can only add additional restrictions (to what the database's native access control mechanism already is configured to allow) on operations that can be performed on data targets in the database
Kuecuekyan [0049] (2) if the local domain does not contain a rule for each element in the target indicating that the requestor is authorized to perform the desired operation on the target:[0050] (a) denying the request;
However, Kuecuekyan does not expressly disclose artificial intelligence (AI)-based agent
Rajakarunanayake discloses access control for members of a group and a member of the group can be an artificial intelligence (AI)-based agent
[0034] Briefly, membership in the SNET group 100 may comprise docked social devices 102 with resources that are accessible to other members of the SNET group 100 and human SNET group members 104, as well as proxies thereof. Further, SNET group 100 nodes may include device services and software (e.g., applications) of various types participating as members. By way of example, SNET group members might include artificial intelligence agents/social robots 106, SNET security device(s) 108, appliances, vehicles and service providers 110, common or authorized members/functionality of other SNET groups 112, etc. Further, access to specific content and resources of a SNET group 100 may be shared with members of additional SNET(s) 114, including remote or web-based applications. Such access can be conditioned on acceptable profiling and association data. Similarly, social devices or individuals may be granted temporary or ad hoc memberships, with or without restricted access.
[0044] In other embodiments, access control and constraints 210 are imposed on a per-member basis. Further details of access control and constraint in accordance with various embodiments of the invention are described below.
[0045] The social group 202 may offer a wide variety of member services 212, including both internal and external services accessible by social system members 204. By way of example, the social group 202 may offer email or other communication services between full members and/or authorized guest members and visitors. As with other resources of the social group 202, access control and constraints on member services 212 may be applied to individual members or classes of members.
[0050] access control management and security 337 for maintaining the integrity of the SNET and affiliated data/resources;
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes access control for artificial intelligence agents of Rajakarunanayake to include artificial intelligence (AI)-based agent.
One of ordinary skill in the art would have made this modification to improve the ability of the system to utilize access control that controls access by artificial intelligence agents. The system of the primary reference can be modified to control access to restricted data by artificial intelligence agents.
As per claim 3, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses
further comprising determining whether the agent [user can get access to protected data if and only if a security policy rule exists in DSA granting such access, para. 19; users includes software agents para. 34] and the at least one software service [the at least one software service can be disclosed by the secure operating system; DSA requires protected data to reside (associated with) on hosts with secure operating systems, para. 19; the at least one software service can also be disclosed by the database/file system that is hosting the protected data, and these software are always associated with the protected data that they are hosting ] are associated with at least one same data segment [protected data, para. 19] of the plurality of data segments.
[0019] DSA provides an enforcement barrier between users and protected data that cannot be bypassed by unauthorized users. This is because DSA requires protected data to reside on hosts with secure operating systems that are configured with mandatory access control policies of their own that allow exclusive access to data only through an DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access
However, Kuecuekyan does not expressly disclose AI-based agent.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes controlling access by artificial intelligence agents of Rajakarunanayake to include AI-based agent.
As per claim 9, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses wherein a software service of the plurality of software services is automatically associated with a data segment of the plurality of data segments.
[When a Kuecuekyan data element is assigned (distributed, para. 12, 255) to a particular computing system, the secure operating system/database/file system is automatically associated with the data element, because the access control is mandatory (para. 19)].
Para. 12 DSA explicitly grants permission to perform operations, e.g., read/write and subscribe/publish operations on data that concurrently resides in one or more protected domains, where in the latter case the data is distributed across multiple security domains
[0255] The smallest unit of information that may be protected in a DSA system is an "element" (which is smaller in granularity than a "file"). An element is a user-defined piece of data that the domain owner wishes to protect differently than other elements in a target. A target may therefore be comprised of multiple elements, and the elements of a target may physically be distributed across multiple domains.
[0019] DSA provides an enforcement barrier between users and protected data that cannot be bypassed by unauthorized users. This is because DSA requires protected data to reside on hosts with secure operating systems that are configured with mandatory access control policies of their own that allow exclusive access to data only through an DSA host. Therefore, a user can get access to protected data if and only if a security policy rule exists in DSA granting such access.
As per claim 10, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses further comprising verifying whether the agent is associated with all of the plurality of data segments associated with the at least one software service.
Kuecuekyan Para. [0025]
If it is determined that there are any elements within the target for which there is not a rule which grants access to that element to the user, the request will be denied (and no further communication will be provided to the user….. If it is determined that all of the elements within the target are owned by the local domain and there are rules which indicate that the user is entitled to perform the requested operation(s) on all of those elements, the request will be granted.
However, Kuecuekyan does not expressly disclose AI-based agent.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes controlling access by artificial intelligence agents of Rajakarunanayake to include AI-based agent.
As per claim 12, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses wherein the segmenting in (a) comprises segmenting the data based on geographical boundaries, political boundaries, or physical boundaries.[Physically distributed target data across multiple domains, para. 255-256]
Kuecuekyan Para. 0255]
The smallest unit of information that may be protected in a DSA system is an “element” (which is smaller in granularity than a “file”). An element is a user-defined piece of data that the domain owner wishes to protect differently than other elements in a target. A target may therefore be comprised of multiple elements, and the elements of a target may physically be distributed across multiple domains..
Kuecuekyan [0256]
….. the target of a request may have elements that are physically distributed across multiple domains..
Kuecuekyan [0264]
A user never knows that their request may have a target that is physically distributed across multiple domains…..a DSA domain never divulges location information of its local targets across a domain boundary.
As per claim 13, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses wherein the segmenting in (a) comprises segmenting the data based on legal boundaries [the domain owner is the legal owner of the domain and the domain owner determines how they want to protect the individual elements of a target, para. 255] or cooperate boundaries. [This is interpreted as corporate boundaries. Support can be found in the specification of the parent applications]
Kuecuekyan Para. 0255]
The smallest unit of information that may be protected in a DSA system is an “element” (which is smaller in granularity than a “file”). An element is a user-defined piece of data that the domain owner wishes to protect differently than other elements in a target. A target may therefore be comprised of multiple elements, and the elements of a target may physically be distributed across multiple domains..
As per claim 14, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses wherein the segmenting in (a) comprises segmenting the data based on types of customers. [For storing data, some customers prefer one type of file system over another, para. 340; some types of customers prefer specific applications and databases; some types of customers prefer protecting different groups of data differently, para. 593]
Kuecuekyan
[see customers in table 1 on page 15; in particular notice that many of the configurations are dependent on customers.]
Para. [0340]
The requirements for, and design of, additional filesystem monitor components depends upon the nature of the filesystem(s) upon which a customer wishes to host its protected data.
Kuecuekyan [0402] individual customers can specify their requirements for the user-side applications and databases that they wish to integrate as "requestors" in a DSA domain.
Kuecuekyan [0403] individual customers will specify their requirements for the data (target)-side applications and databases that they wish to integrate as "datastores" to host the data targets in a DSA domain.
Kuecuekyan [0593] Data Protection Levels represent a hierarchical labeling and implied separation between groups of data that a customer wishes to protect differently in their domain.
As per claim 20, the rejection of claim 2 is incorporated herein.
Kuecuekyan discloses further comprising (i) using a graphical user interface (GUI) to graphically represent at least one data segment [administrator can use GUI to review and modify data target related protection levels/roles/security rules/clearance level, (para. 292-295 below) and the data targets include the data elements that make up the data target ]of the plurality of data segments associated with the AI-based agent and (ii) using the graphical representation to disassociate [disassociate is interpreted to mean that the agent access rights are changed so agent can no longer access the data segment, which is made possible when the administrator modifies clearance level, modifies protection level labels, removes targets from the system, remove roles, or remove security part rules, as shown in the paragraphs 292-295 below] the agent from the at least one data segment.
[0291] The system preferably can provide to the administrator the ability to perform any the following activities during system operation, via the system administration graphical user interface (GUI). Upon committing any changes, the system adapts its enforcement mechanisms to coincide with the new configuration parameters.
[0292] During system operation, the system administrator preferably may add and remove users, add and remove authentication privileges, and add and modify clearance levels.
[0293] The system administrator preferably may view the metadata attributes in the system's internal representation of the active data targets, modify protection level labels on the targets, add and or remove need to now attributes for data targets, and add or remove targets from the system.
[0294] The system administrator preferably may add and remove roles, modify relationships between roles, and add new relationships between roles.
[0295] The system administrator preferably may add and remove security policy rules during operation. The system always ensures that access to data is denied unless a rule exists that grants access.
However, Kuecuekyan does not expressly disclose AI-based agent.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes controlling access by artificial intelligence agents of Rajakarunanayake to include AI-based agent.
Claims 4-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, further in view of Siegel et al. U.S. Publication 20140052980 (hereinafter “Siegel”).
As per claim 4, the rejection of claim 3 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose further comprising denying the request if the AI-based agent and the at least one software service are not associated with the at least one same data segment.
Siegel discloses requiring compliance with criteria to add a user to a whitelist
[TNI is trusted network interface in this Siegel reference]
[0024] It is appreciated that another form of security attacks are associated with attackers flooding the capacity of a network by the transmission of an abundant amount of communications to the network in the attempt to crash a network or inhibit the performance of a network. Therefore, a high-speed Internet protocol (IP) white-listing firewall that can be configured by an independent preliminary-authentication service can be employed as a preliminary authenticator for entry into a trusted network. The white-listing IP firewall can quickly drop all incoming traffic from sources that aren't explicitly white-listed (i.e. on an explicitly permitted list). The preliminary authentication service can authenticate a user independent of internal services of the trusted network. A secure network can be configured to use a TNI's cryptographic credentials as the qualifying criteria to add that user's IP address to the firewall's white-list. In such a configuration, the firewall permits only IP traffic from valid TNIs to reach internal services. If the preliminary authentication service is attacked, new clients may not be able to become white-listed, while existing white-listed clients can remain white-listed and continue to connect to internal services. In this manner, internal services of the trusted network are hidden from any public network while maintaining full functionality for authenticated users, and unauthenticated users will have all traffic silently dropped by the firewall, as if there was no device present. Monitoring systems within the trusted network can also leverage the white-listing IP firewall to remove misbehaving authenticated clients from the white-list and deny them network access.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for requiring compliance with criteria to add a user to a whitelist of Siegel to include further comprising denying the request if the AI-based agent and the at least one software service are not associated with the at least one same data segment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to specify criteria for adding an AI agent to an access control list such as a whitelist. The system of the primary reference, as modified to include AI agents, can be further modified to include customized criteria for adding the AI agents to a whitelist. For example, such customization of criteria might be that the user seeking being added to the whitelist must be associated with qualifying cryptographic credentials (para. 24 Siegel), and/or that there is no attack (para. 24 Siegel). When there is an ongoing attack (both user and internal services associated with the attack), the criteria prevent the user (agent) seeking access from being added to the whitelist.
As per claim 5, the rejection of claim 3 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose further comprising granting the request if the AI-based agent and the at least one software service are associated with the at least one same data segment.
Siegel discloses requiring compliance with criteria to add a user to a whitelist
[TNI is trusted network interface in this Siegel reference]
[0024] It is appreciated that another form of security attacks are associated with attackers flooding the capacity of a network by the transmission of an abundant amount of communications to the network in the attempt to crash a network or inhibit the performance of a network. Therefore, a high-speed Internet protocol (IP) white-listing firewall that can be configured by an independent preliminary-authentication service can be employed as a preliminary authenticator for entry into a trusted network. The white-listing IP firewall can quickly drop all incoming traffic from sources that aren't explicitly white-listed (i.e. on an explicitly permitted list). The preliminary authentication service can authenticate a user independent of internal services of the trusted network. A secure network can be configured to use a TNI's cryptographic credentials as the qualifying criteria to add that user's IP address to the firewall's white-list. In such a configuration, the firewall permits only IP traffic from valid TNIs to reach internal services. If the preliminary authentication service is attacked, new clients may not be able to become white-listed, while existing white-listed clients can remain white-listed and continue to connect to internal services. In this manner, internal services of the trusted network are hidden from any public network while maintaining full functionality for authenticated users, and unauthenticated users will have all traffic silently dropped by the firewall, as if there was no device present. Monitoring systems within the trusted network can also leverage the white-listing IP firewall to remove misbehaving authenticated clients from the white-list and deny them network access.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for requiring compliance with criteria to add a user to a whitelist of Siegel to include further comprising granting the request if the AI-based agent and the at least one software service are associated with the at least one same data segment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to specify criteria for adding an AI agent to an access control list such as a whitelist. The system of the primary reference, as modified to include AI agents, can be further modified to include customized criteria for adding the AI agents to a whitelist. For example, such customization of criteria might be that the user seeking being added to the whitelist must be associated with qualifying cryptographic credentials (para. 24 Siegel), and/or that there is no attack (para. 24 Siegel). When there is no ongoing attack (both user and software service are not associated with attack), the criteria allows the user (agent) to be added to the whitelist.
As per claim 6, the rejection of claim 5 is incorporated herein.
Kuecuekyan discloses in response to granting the request, [verifies the user authorized to perform, para. 263; user can get access to protected data if and only if a security policy rule exists in DSA granting such access, para. 19; [0240] Security Policy--A Security Policy contains explicit rules that state the mandatory conditions that must be met prior to granting a Requestor access to a particular data target in a system] allowing the AI-based agent to perform one or more actions [enabling agent to perform desired operation, para. 59; generated agent performs granted operation on behalf of authorized user, para. 20; performing the desired operation, para. 197] with the at least one software service and the at least one same data segment.
[the at least one software service can be disclosed by the secure operating system providing access to the data; DSA requires protected data to reside on hosts with secure operating systems, para. 19; the at least one software service can also be disclosed by the database/file system that is hosting the protected data, and these software are always associated with the protected data that they are hosting ]
[0059] if the local domain contains all of the at least one element in the target: [0060] (a) enabling a first agent to access the at least one element to perform the desired operation,
[0020] If a request is granted, DSA then generates an Agent which is given the ability to perform the granted operation on a specific target on behalf of the authorized user. This design construct prevents the user from being given the opportunity to know where the target is actually located.
[0197] (2) performing at least one step selected from among (a) determining whether a stored NTK for the requestor includes performing the desired operation on the at least one element
Kuecuekyan [0263] DSA receives the request, authentication token, and credentials, and verifies that the user is authorized to perform the requested operation on the target within any specified constraints in the domain's security policy..
However, Kuecuekyan does not expressly disclose AI-based agent.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes controlling access by artificial intelligence agents of Rajakarunanayake to include AI-based agent.
As per claim 7, the rejection of claim 6 is incorporated herein.
Kuecuekyan discloses further comprising performing the one or more actions by the agent [enabling agent to perform desired operation, para. 59; generated agent performs granted operation on behalf of authorized user, para. 20 note that the agent that requested the
operation is still able to achieve the desired result of reading or writing, although performed by the generated agent, thereby disclosing performing the one or more actions by the agent; performing the desired operation, para. 197]
[0059] if the local domain contains all of the at least one element in the target: [0060] (a) enabling a first agent to access the at least one element to perform the desired operation,
[0020] If a request is granted, DSA then generates an Agent which is given the ability to perform the granted operation on a specific target on behalf of the authorized user. This design construct prevents the user from being given the opportunity to know where the target is actually located.
[0197] (2) performing at least one step selected from among (a) determining whether a stored NTK for the requestor includes performing the desired operation on the at least one element
However, Kuecuekyan does not expressly disclose AI-based agent.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Kuecuekyan with the technique for access control that includes controlling access by artificial intelligence agents of Rajakarunanayake to include AI-based agent.
Claims 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, in view of Do et al. U.S. Patent No. 20120047576 (hereinafter “Do”).
As per claim 8, the rejection of claim 2 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose
wherein denying or granting the access to the at least one software service and the associating the data segment with the at least one software service are performed in parallel. Do discloses individual security functions can be encapsulated into payloads that are concurrently executed on the monitor coprocessor
Do Para. [0044] The monitor coprocessor 211 runs a software environment that provides interfaces to the hypervisor functionality in such a way that individual security functions can be encapsulated into payloads that are concurrently executed on the monitor coprocessor 211 while still being isolated and protected from interference by other payloads.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for performing security functions concurrently of Do to include
wherein denying or granting the access to the at least one software service and the associating the data segment with the at least one software service are performed in parallel. One of ordinary skill in the art would have made this modification to improve the ability of the system to perform security operations concurrently in parallel, to reduce the time required to complete the operations and improve efficiency. The system of the reference can be modified to perform security functions concurrently as taught in Do.
Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, in view of Walters et al. U.S. Patent No. 10884894 (hereinafter “Walters”).
As per claim 11, the rejection of claim 2 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose
wherein the segmenting in (a) comprises using automated empirical methods, AI methods, or machine learning (ML) methods to segment the data.
Walters discloses wherein the segmenting in (a) comprises using automated empirical methods, AI methods, or machine learning (ML) methods to segment the data.
Walters 6:56-58 synthetic-data system 102 trains or implements a machine learning model to determine a data segment size (e.g., as disclosed in reference to FIG. 7).
7:1-2 training a machine learning model to determine segment size of a data segment,
14:5-8 A parameter model may include a recurrent neural network model, a long short-term memory model, or any other machine learning model.
14:58-61 (68) Segmenter 338 may be configured to train a distribution model to generate a synthetic data segment, consistent with disclosed embodiments. A distribution model may include a multilayer perceptron model, a convolutional neural network model, 11:3-15 Model optimizer 336 may include programs (scripts, functions, algorithms) to train, implement, store, receive, retrieve, and/or transmit one or more machine-learning models. Machine-learning models may include a neural network model, an attention network model, a generative adversarial model (GAN), a recurrent neural network (RNN) model, a deep learning model (e.g., a long short-term memory (LSTM) model), a random forest model, a convolutional neural network (CNN) model, an RNN-CNN model, a temporal-CNN model, a support vector machine (SVM) model, a natural-language model, and/or another machine-learning model
11:23-24 Training may be supervised or unsupervised.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for using machine learning to generate data segments of Walters to include
wherein the segmenting in (a) comprises using automated empirical methods, AI methods, or machine learning (ML) methods to segment the data.
One of ordinary skill in the art would have made this modification to improve the ability of the system to generate data segments using machine learning. This allows the machine to adapt from training and automatically generate data segments according to learned features. The system of the primary reference can be modified to use machine learning to generate data segments.
Claim 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, further in view of Hankins et al. U.S. Publication 20200401316 (hereinafter “Hankins”).
As per claim 15, the rejection of claim 2 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose wherein the segmenting in (a) comprises segmenting a data segment into a subset of another data segment.
Hankins discloses wherein the segmenting in (a) comprises segmenting a data segment into a subset of another data segment. [Breaking a segment into data shards. The shards are distributed with redundancy, para. 82; this means that the individual shards are each a subset of another group of shards representing the original data segment in redundancy]
[0082] A segment is a logical container of data in accordance with some embodiments. A segment is an address space between medium address space and physical flash locations, i.e., the data segment number, are in this address space. Segments may also contain meta-data, which enable data redundancy to be restored (rewritten to different flash locations or devices) without the involvement of higher level software. In one embodiment, an internal format of a segment contains client data and medium mappings to determine the position of that data. Each data segment is protected, e.g., from memory and other failures, by breaking the segment into a number of data and parity shards, where applicable. The data and parity shards are distributed, i.e., striped, across non-volatile solid state storage 152 coupled to the host CPUs 156 (See FIGS. 2E and 2G) in accordance with an erasure coding scheme. Usage of the term segments refers to the container and its place in the address space of segments in some embodiments. Usage of the term stripe refers to the same set of shards as a segment and includes how the shards are distributed along with redundancy or parity information in accordance with some embodiments.
[0213] FIG. 7 shows various aspects of partitioning schemes 712 that may influence the transformation 708 performed on the ID 702 of data 704 or metadata 706, in embodiments of object replication. Data could be a file, a file chunk, an object, or an object chunk, each of which could have an ID 702. Metadata 706 could include pointers, an access control list (e.g., with file or object access permissions), addressing indirection information, locality association information, or other information
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for breaking a segment into data shards, the shards being distributed with redundancy of Hankins to include wherein the segmenting in (a) comprises segmenting a data segment into a subset of another data segment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to divide the data into shards with redundancy. The system of the primary reference can be modified to divide the data into shards and duplicating the shards to create redundancy, to allow for more robust recovery in case the data in some shards are corrupted.
Claims 16-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, in view of Siegel, in view of D'Souza et al. U.S. Publication 20150046985 (hereinafter “D'Souza”).
As per claim 16, the rejection of claim 7 is incorporated herein.
However, the combination of Kuecuekyan, Rajakarunanayake, and Siegel does not expressly disclose wherein the computing environment comprises a pharmaceutical platform, an application development platform, a data processing platform, a point-of-sale platform, an enterprise platform, or a manufacturing platform.
D'Souza discloses wherein the computing environment comprises a pharmaceutical platform, [systems and apparatuses for sharing documents, para. 47] an application development platform, a data processing platform, a point-of-sale platform, an enterprise platform, or a manufacturing platform.
D'Souza Para. [0003] Documents are the new digital currency for online commerce, the record of business for online collaboration, and the "lifeblood" of present day business processes. The documents include commercial artifacts such as catalogs, offers, bids and contracts. Doctors and Bioscientists leverage documents with domain-specific formats, such as HL7, and medical images. Business networks leverage design extranets through other specialized document types. Aerial surveillance and prospecting requires the sharing and storage of images. In the Pharmaceutical vertical, these documents might contain information about DNA sequencing, reagent information, and components of drug discovery.
D'Souza [0149] For at least some embodiments, any policy that includes Identity, Authorization, and Access Control, can be expressed in the form of Mediation Rule primitives, similar to a compilation target in a programming language.
[0047] The described embodiments include methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a subscriber. The described embodiments address two of the primary obstacles to securely sharing documents across trust boundaries. These are the existence, and proliferation of silos of identity/authorization (Auth/AuthZ), and the silos of document storage and sharing repositories. The described embodiments provide systems and methods for federating these silos in a manner that reconciles the conflicting requirements of efficiency, and security.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan, Rajakarunanayake, and Siegel with the technique for storing documents and allowing access to documents such as pharmaceutical documents of D'Souza to include
wherein the computing environment comprises a pharmaceutical platform, an application development platform, a data processing platform, a point-of-sale platform, an enterprise platform, or a manufacturing platform.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide access control for pharmaceutical data. The system of the primary reference can be customized to store pharmaceutical data.
As per claim 17, the rejection of claim 16 is incorporated herein.
However, the combination of Kuecuekyan, Rajakarunanayake, and Siegel does not expressly disclose wherein the plurality of data segments of the pharmaceutical platform comprises confidential or personally identifying information.
D'Souza discloses confidential pharmaceutical data such as DNA sequencing, region formation, and drug discovery components [para. 3; “sensitive business IP, or Personally Identifiable Information (PII).”, Para. 4.]
[D'Souza Para. 4 states the information in the pharmaceutical documents is sensitive business IP, or Personally Identifiable Information (PII)]
D'Souza Para. [0003] Documents are the new digital currency for online commerce, the record of business for online collaboration, and the "lifeblood" of present day business processes. The documents include commercial artifacts such as catalogs, offers, bids and contracts. Doctors and Bioscientists leverage documents with domain-specific formats, such as HL7, and medical images. Business networks leverage design extranets through other specialized document types. Aerial surveillance and prospecting requires the sharing and storage of images. In the Pharmaceutical vertical, these documents might contain information about DNA sequencing, reagent information, and components of drug discovery.
[0004] The information contained in these documents is usually sensitive business IP, or Personally Identifiable Information (PII), and often content that is highly regulated by perhaps Health and Human Services (HIPAA, FDA), the Office of Currency Comptroller (Gramm-Leach-Bliley), or self-regulated through consortiums such as the PCI Council
D'Souza [0149] For at least some embodiments, any policy that includes Identity, Authorization, and Access Control, can be expressed in the form of Mediation Rule primitives, similar to a compilation target in a programming language.
[0175] FIG. 12 shows a system that provides for monitoring and control of access to an electronic content, according to an embodiment
[0047] The described embodiments include methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a subscriber. The described embodiments address two of the primary obstacles to securely sharing documents across trust boundaries. These are the existence, and proliferation of silos of identity/authorization (Auth/AuthZ), and the silos of document storage and sharing repositories. The described embodiments provide systems and methods for federating these silos in a manner that reconciles the conflicting requirements of efficiency, and security.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan, Rajakarunanayake, and Siegel with the technique for storing documents and allowing access to documents such as pharmaceutical documents of D'Souza to include
wherein the plurality of data segments of the pharmaceutical platform comprises confidential or personally identifying information.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide access control for confidential and/or personally identifiable pharmaceutical data. The system of the primary reference can be customized to store confidential and/or personally identifiable pharmaceutical data with access controls.
As per claim 18, the rejection of claim 16 is incorporated herein.
However, the combination of Kuecuekyan, Rajakarunanayake, and Siegel does not expressly disclose wherein the plurality of data segments of the pharmaceutical platform comprises sales data or marketing data of one or more pharmaceutical products.
D'Souza discloses the pharmaceutical platform [systems and apparatuses for sharing documents, para. 47] comprises sales data or marketing data of one or more pharmaceutical products.
D'Souza Para. [0003] Documents are the new digital currency for online commerce, the record of business for online collaboration, and the "lifeblood" of present day business processes. The documents include commercial artifacts such as catalogs, offers, bids and contracts. Doctors and Bioscientists leverage documents with domain-specific formats, such as HL7, and medical images. Business networks leverage design extranets through other specialized document types. Aerial surveillance and prospecting requires the sharing and storage of images. In the Pharmaceutical vertical, these documents might contain information about DNA sequencing, reagent information, and components of drug discovery.
D'Souza [0149] For at least some embodiments, any policy that includes Identity, Authorization, and Access Control, can be expressed in the form of Mediation Rule primitives, similar to a compilation target in a programming language.
[0047] The described embodiments include methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a subscriber. The described embodiments address two of the primary obstacles to securely sharing documents across trust boundaries. These are the existence, and proliferation of silos of identity/authorization (Auth/AuthZ), and the silos of document storage and sharing repositories. The described embodiments provide systems and methods for federating these silos in a manner that reconciles the conflicting requirements of efficiency, and security.
[sales and marketing data of one or more pharmaceutical products is nonfunctional descriptive material and is given no patentable weight. See MPEP 2111.05]).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan, Rajakarunanayake, and Siegel with the technique for storing documents and allowing access to documents such as pharmaceutical sales documents of D'Souza to include wherein the plurality of data segments of the pharmaceutical platform comprises sales data or marketing data of one or more pharmaceutical products.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide access control for pharmaceutical data. The system of the primary reference can be customized to store pharmaceutical data.
As per claim 19, the rejection of claim 16 is incorporated herein.
However, the combination of Kuecuekyan, Rajakarunanayake, and Siegel does not expressly disclose wherein the one or more actions comprises (i) functionally accessing drug data, healthcare provider data, sales data, marketing data, or lead-generation data or (ii) using the at least one software service to process the drug data, the healthcare provider data, the sales data, the marketing data, or the lead-generation to perform appointment actions or communications actions.
D'Souza discloses securely sharing documents [para. 47] that include confidential pharmaceutical data such as DNA sequencing, region formation, and drug discovery components [para. 3; “sensitive business IP, or Personally Identifiable Information (PII).”, Para. 4.]
D'Souza Para. [0003] ‘Documents are the new digital currency for online commerce, the record of business for online collaboration, and the "lifeblood" of present day business processes. The documents include commercial artifacts such as catalogs, offers, bids and contracts. Doctors and Bioscientists leverage documents with domain-specific formats, such as HL7, and medical images. Business networks leverage design extranets through other specialized document types. Aerial surveillance and prospecting requires the sharing and storage of images. In the Pharmaceutical vertical, these documents might contain information about DNA sequencing, reagent information, and components of drug discovery.’
[0004] The information contained in these documents is usually sensitive business IP, or Personally Identifiable Information (PII), and often content that is highly regulated by perhaps Health and Human Services (HIPAA, FDA), the Office of Currency Comptroller (Gramm-Leach-Bliley), or self-regulated through consortiums such as the PCI Council
D'Souza [0149] For at least some embodiments, any policy that includes Identity, Authorization, and Access Control, can be expressed in the form of Mediation Rule primitives, similar to a compilation target in a programming language.
[0175] FIG. 12 shows a system that provides for monitoring and control of access to an electronic content, according to an embodiment
[0047] The described embodiments include methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a subscriber. The described embodiments address two of the primary obstacles to securely sharing documents across trust boundaries. These are the existence, and proliferation of silos of identity/authorization (Auth/AuthZ), and the silos of document storage and sharing repositories. The described embodiments provide systems and methods for federating these silos in a manner that reconciles the conflicting requirements of efficiency, and security.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan, Rajakarunanayake, and Siegel with the technique for storing documents and allowing access to documents such as pharmaceutical documents of D'Souza to include
wherein the one or more actions comprises (i) functionally accessing drug data, healthcare provider data, sales data, marketing data, or lead-generation data or (ii) using the at least one software service to process the drug data, the healthcare provider data, the sales data, the marketing data, or the lead-generation to perform appointment actions or communications actions.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide access to drug information under a system that provides access control for confidential and/or personally identifiable pharmaceutical data. The system of the primary reference can be customized to store confidential and/or personally identifiable pharmaceutical data with access controls.
Claim 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuecuekyan in view of Rajakarunanayake, further in view of Lin et al. U.S. Patent No. 8479302 (hereinafter “Lin”).
As per claim 21, the rejection of claim 2 is incorporated herein.
However, the combination of Kuecuekyan and Rajakarunanayake does not expressly disclose wherein the AI-based agent is trained using an unsupervised learning algorithm comprising a neural network, a convolutional neural network (CNN), or a recurrent neural network.
Lin discloses wherein the AI-based agent is trained using an unsupervised learning algorithm comprising a neural network, a convolutional neural network (CNN), or a recurrent neural network. Lin 7:57-8:3 The machine learning algorithms used to carry out machine learning take the form of an artificial neural network (ANN) although other models are possible. In an ANN, factors from the previous users become into training data which determine "neurons" of the ANN. An error function which measures a distance between the input and some expected output is used in the determination of the neurons as well as classifying inputs into a trained ANN. In an unsupervised learning paradigm, an autoassociative ANN uses positive data (i.e., factors from users who were granted access) as input values and the error function measures the distance between the input values and output values. Other learning paradigms for ANNs, such as supervised and reinforcement, are also possible.
For the reasons discussed with respect to claim 2, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Kuecuekyan and Rajakarunanayake with the technique for training a neural network of Lin to include wherein the AI-based agent is trained using an unsupervised learning algorithm comprising a neural network, a convolutional neural network (CNN), or a recurrent neural network.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036. The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HOWARD H. LOUIE/Examiner, Art Unit 2494
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494
1 Emphasis is additional throughout.