Prosecution Insights
Last updated: July 17, 2026
Application No. 18/848,882

NETWORK ACCESS CONTROL METHOD, APPARATUS AND DEVICE, AND STORAGE MEDIUM

Non-Final OA §103
Filed
Apr 16, 2025
Priority
Apr 06, 2022 — CN 202210357939.8 +1 more
Examiner
NARRAMORE, BLAKE I
Art Unit
Tech Center
Assignee
Beijing Bytedance Network Technology Co., Ltd.
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
1y 6m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
133 granted / 171 resolved
+17.8% vs TC avg
Strong +24% interview lift
Without
With
+24.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
19 currently pending
Career history
193
Total Applications
across all art units

Statute-Specific Performance

§101
1.4%
-38.6% vs TC avg
§103
91.4%
+51.4% vs TC avg
§102
2.5%
-37.5% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 171 resolved cases

Office Action

§103
Detailed Action This is a Non-final Office action in response to communications received on 4/16/2025. Claims 4, 9 and 10 were amended via preliminary amendment. Claims 8 and 11 were cancelled via preliminary amendment. Claims 1-7, 9-10 and 12-22 are pending and are examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Drawings The drawings, filed 9/19/2024, are acknowledged. Foreign Priority The foreign priority date of 4/6/2022 is acknowledged. Preliminary Amendment The preliminary amendment, filed 10/1/2024, are acknowledged. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 7, 9-10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pala (US 20190058713 A1), in view of Brown (US 20120173874 A1). Regarding claim 1, Pala teaches the limitations of claim 1 substantially as follows: A network access control method, comprising: receiving a certificate verification request sent by a terminal, and returning a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response)) interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification) Pala does not teach the limitations of claim 1 as follows: wherein the certificate verification response carries a preset server certificate, the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and However, in the same field of endeavor, Brown discloses the limitations of claim 1 as follows: wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate)) the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate)) receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk)) Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification. Regarding claim 9, Pala teaches the limitations of claim 9 substantially as follows: A non-transitory computer-readable storage medium, wherein an instruction is stored in the computer-readable storage medium, and when the instruction is running on a terminal device, the terminal device is caused to: (Pala; [0019]: software agent, executed by a processor and in communication with a memory) receive a certificate verification request sent by a terminal, and return a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response)) interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification) Pala does not teach the limitations of claim 9 as follows: wherein the certificate verification response carries a preset server certificate, the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and receive a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determine that the terminal has a security risk and However, in the same field of endeavor, Brown discloses the limitations of claim 9 as follows: wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate)) the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate)) receive a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determine that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk)) Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification. Regarding claim 10, Pala teaches the limitations of claim 10 substantially as follows: A network access control device, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements, when executing the computer program: (Pala; [0019]: software agent, executed by a processor and in communication with a memory) receiving a certificate verification request sent by a terminal, and returning a certificate verification response to the terminal, (Pala; Abstract: The contact point is configured to receive a network access granting request message from the electronic entity. The server further includes a processing module, configured to process the received network access granting request message, validate trust indicators contained within the network access granting request message, authorize access of the electronic entity to the network upon validation of the trust indicators (i.e., receive certificate verification request and returning certificate verification response)) interrupting a network access communication link of the terminal. (Pala; [0004]: the network typically is able to allow or block the entity's ability to access the network based on a security verification) Pala does not teach the limitations of claim 10 as follows: wherein the certificate verification response carries a preset server certificate, the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and However, in the same field of endeavor, Brown discloses the limitations of claim 10 as follows: wherein the certificate verification response carries a preset server certificate, (Brown; [0007]: The client receives a second certificate during a subsequent session (i.e., the certificate verification response carries a preset server certificate)) the certificate verification response is used for instructing the terminal to verify the preset server certificate based on a root certificate installed in the terminal, and identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate; and (Brown; [0007]: The client receives a second certificate during a subsequent session. The second certificate has a second certificate chain to an authority certificate signed by a certificate authority. The client assigns a signature security rating to each chain certificate in the second certificate chain. The client compares the signature security rating of each chain certificate in the first certificate chain with the signature security rating of each corresponding chain certificate in the second certificate chain. The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., identity verification information of the root certificate is partially or fully different from identity verification information of the preset server certificate)) receiving a verification result returned by the terminal for the preset server certificate, and in a case where the verification result indicates that certificate verification succeeds, determining that the terminal has a security risk and (Brown; [0007]: The client treats the second certificate as insecure if the signature security rating of a chain certificate in the second certificate chain is lowered from a signature security rating of a corresponding chain certificate in the first certificate chain (i.e., security risk)) Brown is combinable with Pala because all are from the same field of endeavor of verification of certificates. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Pala to incorporate certificate comparison and notification of discrepancy as in Brown in order to improve the security by comparing a current certificate to a known certificate as a means of authentication or verification. Regarding claims 7 and 17, Pala and Brown teach the limitations of claims 1 and 9. Pala and Brown teach the limitations of claims 7 and 17 as follows: before interrupting the network access communication link of the terminal, in a case where the verification result indicates that the certificate verification succeeds, sending an alarm message to the terminal. (Brown; [0008]: the client may provide to a user a warning of an impersonation danger for the second certificate associated with a lowered signature security rating) The same motivation to combine as in claims 1, and 9 are applicable to the instant claims. Claims 2-4, 12-14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pala (US 20190058713 A1), in view of Brown (US 20120173874 A1), as applied to independent claims, further in view of Scahill (US 20140325615 A1). Regarding claims 2, 12 and 18, Pala and Brown teach the limitations of claims 1, 9 and 10. Pala and Brown do not teach the limitations of claims 2, 12 and 18 as follows: in response to determining that verification of the terminal for the preset server certificate fails, re-initiating a network access authentication process for the terminal. However, in the same field of endeavor, Scahill discloses the limitations of claims 2, 12 and 18 as follows: in response to determining that verification of the terminal for the preset server certificate fails, re-initiating a network access authentication process for the terminal. (Scahill; [0063]: Once this new association has been established, the hotspot will again forward data requests to the PAC gateway 105 which redirect the user to the log in page. Once the user has again logged in and their credentials have been verified, then the browsing session can continue) Scahill is combinable with Pala and Brown because all are from the same field of endeavor of authentication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified system of Pala and Brown to incorporate rerouting a user to login using credentials again as in Scahill in order to improve the security of the system by requiring reauthentication before granting access. Regarding claims 3, 13 and 19, Pala, Brown and Scahill teach the limitations of claims 2, 12 and 18. Pala, Brown and Scahill teach the limitations of claims 3, 13 and 19 as follows: wherein in response to determining that the verification of the terminal for the preset server certificate fails, re-initiating the network access authentication process for the terminal, comprises: in a case where the verification result indicates that the certificate verification fails, or in response to determining that the verification result for the preset server certificate is not received from the terminal within a preset duration, re-initiating the network access authentication process for the terminal, wherein the preset duration is used for indicating a duration from a moment at which the certificate verification response is sent to the authentication server to a current moment. (Pala; [0034]: the message header further includes one or more of: (i) the message format version; (ii) a nonce value (i.e., not repeated by the device) functional to tie the network access granting request with a subsequent response provided by server 106, and which further serves to provide protection against reply attacks in the case where server 106 memorizes used nonces; (iii) a date and time, if available, when entity 104 generated the network access granting request (e.g., in step S120); and (iv) a validity period (e.g., a number of seconds, minutes, hours, etc.) after which the network access granting request shall not be considered valid, and may or shall be discarded by server) Regarding claims 4, 14 and 20, Pala and Brown teach the limitations of claims 1, 9 and 10. Pala and Brown do not teach the limitations of claims 4, 14 and 20 as follows: before returning the certificate verification response to the terminal, acquiring historical certificate verification information corresponding to the terminal, wherein the historical certificate verification information comprises a historical certificate verification result, and the historical certificate verification result is used for identifying a latest verification result of the terminal for the preset server certificate; and returning the certificate verification response to the terminal correspondingly comprises: in a case where it is determined that the historical certificate verification result is a first result, returning the certificate verification response to the terminal, wherein the first result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification succeeds. However, in the same field of endeavor, Scahill discloses the limitations of claims 4, 14 and 20 as follows: before returning the certificate verification response to the terminal, acquiring historical certificate verification information corresponding to the terminal, wherein the historical certificate verification information comprises a historical certificate verification result, and the historical certificate verification result is used for identifying a latest verification result of the terminal for the preset server certificate; and returning the certificate verification response to the terminal correspondingly comprises: in a case where it is determined that the historical certificate verification result is a first result, returning the certificate verification response to the terminal, wherein the first result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification succeeds. (Scahill; [0029]: Once this is complete the laptop 11a issues an Address Resolution Protocol (ARP) request in order to obtain the layer 2 MAC address for the PAC gateway IP address. The ARP response contains the MAC address of the PAC gateway 5 for the hotspot. The laptop then updates its routing table so that packets are forwarded to the hotspot 3a via the PAC gateway 5 (i.e., table maintains historical certificate information)) Scahill is combinable with Pala and Brown because all are from the same field of endeavor of authentication. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified system of Pala and Brown to incorporate maintaining information in a routing table as in Scahill in order to improve the security of the system by maintaining historical network access information. Allowable Subject Matter Claims 5-6, 15-16 and 21-22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: As to claims 5, 15 and 21, it contains allowable subject matter when the claim is taken as a whole. See the italicized text indicating aspects that in combination with the remainder of the claim differentiate it from prior art. wherein the historical certificate verification information further comprises a certificate verification time corresponding to the historical certificate verification result; the method further comprises: after acquiring the historical certificate verification information corresponding to the terminal, in a case where it is determined that the historical certificate verification result is a second result, determining whether a time difference between the certificate verification time corresponding to the historical certificate verification result and the current moment is greater than a preset time threshold value, wherein the second result is used for identifying that the latest verification result of the terminal for the preset server certificate is that the certificate verification fails; and returning the certificate verification response to the terminal correspondingly comprises: in response to determining that the time difference between the certificate verification time corresponding to the historical certificate verification result and the current moment is greater than the preset time threshold value, returning the certificate verification response to the terminal. As to claims 6, 16 and 22, it contains allowable subject matter when the claim is taken as a whole. See the italicized text indicating aspects that in combination with the remainder of the claim differentiate it from prior art. wherein acquiring the historical certificate verification information corresponding to the terminal comprises: searching for, from a hash table and based on a terminal identifier of the terminal, historical certificate verification information corresponding to the terminal identifier, wherein a correspondence between terminal identifiers and historical certificate verification information is stored in the hash table, and the hash table is obtained by pre-loading a local file stored with the historical certificate verification information. Prior Art Considered But Not Relied Upon Guzner (US 20100186086 A1) which teaches scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Hockey (US 20230353564 A1) which teaches mutual authentication accomplished using a certificate of the application that matches a naming system name used for the application. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357. The examiner can normally be reached on Monday - Friday 0700-1700 MT. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BLAKE I NARRAMORE/Primary Examiner, Art Unit 2438
Read full office action

Prosecution Timeline

Apr 16, 2025
Application Filed
Jul 01, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683808
CERTIFICATE MANAGEMENT
4y 11m to grant Granted Jul 14, 2026
Patent 12683996
SYSTEMS AND METHODS FOR DETECTING DATA LEAKAGE OF ONLINE CONTENT
4y 1m to grant Granted Jul 14, 2026
Patent 12683778
ERROR REDUCTION DURING CRYPTOGRAPHIC KEY UPDATES IN SECURE MEMORY DEVICES
4y 1m to grant Granted Jul 14, 2026
Patent 12682040
Applying a Security Policy to an Instance of an Application
3y 11m to grant Granted Jul 14, 2026
Patent 12682112
DATA PRIVACY PROTECTION METHOD, SERVER DEVICE AND CLIENT DEVICE FOR FEDERATED LEARNING
3y 7m to grant Granted Jul 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+24.0%)
2y 9m (~1y 6m remaining)
Median Time to Grant
Low
PTA Risk
Based on 171 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month