Prosecution Insights
Last updated: May 29, 2026
Application No. 18/958,146

Systems and Methods for Preventing Unauthorized Access to Computing Systems

Status: Non-Final OA (§101, §103)
Filed: Nov 25, 2024
Priority: May 07, 2024 (provisional 63/643,491)
Examiner: NGUYEN, CAROLINE HOANG-ANH
Art Unit: 2495
Tech Center: 2400 (Computer Networks)
Assignee: The PNC Financial Services Group, Inc.
OA Round: 1 (Non-Final)
Grant Probability: Favorable (1-2 OA Rounds)
Examiner Intelligence

Career Allowance Rate: 0% (0 granted / 0 resolved; -58.0% vs TC avg)
Interview Lift: +0.0% (minimal lift, measured on resolved cases with interview)
Typical timeline / Avg Prosecution: 5 currently pending
Career history: 3 total applications across all art units

Statute-Specific Performance

§103: 100.0% (+60.0% vs TC avg)
Based on career data from 0 resolved cases (chart: black line = Tech Center average estimate).

Office Action

§101 §103
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to the application filed on 11/25/2024. Claims 1-22 are currently pending in this application.

Claim Objections

Claim 16 is objected to because of the following informalities: “the” is not capitalized in “the method of claim 15” and the claim ends in a semicolon instead of a period. Appropriate correction is required.

Claim 21 is objected to because of the following informalities: “The system of claim 1”. Appropriate correction is required.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “means for accessing an identity access protocol repository to retrieve an access protocol associated with a particular resource”; “means for receiving information associated with a first identity from the particular resource based on access protocol associated with the particular resource”; and “means for adding the first identity to a secure identity repository when the first identity is determined to be a privileged identity” in claim 22. Paragraphs [33], [35], and [38] provide sufficient structure for claim 22.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof. If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that perform the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-8, 10-15, and 16-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without a practical application or significantly more.

As per claims 1, 20, and 22, these claims recite the following limitations which are found to be abstract ideas not reciting a practical application or significantly more, with claim 1 being exemplary: accessing an identity access protocol repository to retrieve an access protocol associated with a particular resource (abstract idea as a mental process, as a human mind, at least using pen and paper, is capable of looking up a procedure/protocol in a reference list corresponding to a particular resource); receiving information associated with a first identity from the particular resource based on the access protocol associated with the particular resource (abstract idea as a mental process, as a human mind is capable of receiving identity information from a resource according to a defined procedure); determining whether the first identity is a privileged identity based on the received information associated with the first identity (abstract idea as a mental process, as a human mind is capable of evaluating identity information against criteria to determine whether the identity qualifies as privileged); adding the first identity to a secure identity repository when the first identity is determined to be a privileged identity (abstract idea as a mental process, as a human mind, at least using pen and paper, is capable of adding an identity to a list of privileged identities when the identity is determined to meet privileged criteria).
Claims 20 and 22 further recite additional elements of “an identity access protocol repository,” “an identity access engine,” “an entity data store,” and “a secure identity repository” (claim 20), and “means for accessing,” “means for receiving,” “means for determining,” and “means for adding” (claim 22) within a system. While these limitations are additional elements, they are not sufficient to recite a practical application of the abstract ideas as they amount to mere generic computer elements and thus amount to no more than a recitation of the words “apply it” (or an equivalent) or are no more than mere instructions to implement an abstract idea or other exception on a computer. See MPEP § 2106.05(f). Further, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because when considered separately and in combination, the above recited additional elements from claims 20 and 22 do not add significantly more (also known as an “inventive concept”) to the exception. Rather, the additional elements disclosed above perform well-understood, routine, conventional computer functions as recognized by the court decisions listed in MPEP § 2106.05(d). Therefore, independent claims 1, 20, and 22 are directed towards an abstract idea without practical application or significantly more.

As per claim 2, the limitations are merely directed towards further aspects of the “access protocol” specifying that it “includes an address for transmitting a request of identity information to the particular resource,” which does not further limit the abstract ideas recited in claim 1, or provide additional elements beyond the generic concept of an address for routing a request, and therefore, does not recite a practical application or significantly more.

As per claim 3, the limitations are merely directed towards further aspects of the “access protocol” specifying that it “comprises software instructions for retrieving identity information from the particular resource,” which amounts to mere instructions to implement the abstract idea on a generic computer, and therefore, does not recite a practical application or significantly more. See MPEP § 2106.05(f).

As per claim 4, the limitations are merely directed towards further aspects of the “access protocol” specifying that “identity information is received from the particular resource via a push protocol,” which does not further limit the abstract ideas recited in claim 1, or provide additional elements, and therefore, does not recite a practical application or significantly more.

As per claim 5, the limitations are merely directed towards further aspects of the “secure identity repository” being “configured to provide credential information associated with the first identity to an authorized requester,” which is also an abstract idea as a mental process since the human mind, at least using pen and paper, is capable of providing credential information from a list to a requester after confirming authorization. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 6, the limitations are merely directed towards further aspects of the “authorized requester” being “a second resource” that uses credential information to access the particular resource, which does not further limit the abstract ideas recited in claim 5, or provide additional elements beyond generic computer components performing generic functions, and therefore, does not recite a practical application or significantly more.

As per claim 7, the limitations are merely directed towards further aspects of the second resource accessing the particular resource “without intervention by a human operator,” which merely specifies the generic automation of the abstract idea on a computer, and therefore, does not recite a practical application or significantly more. See MPEP § 2106.05(f).

As per claim 8, the limitations are merely directed towards a further method step of “determining whether the first identity is anomalous” which is also an abstract idea as a mental process since the human mind is capable of evaluating information about an identity to determine whether it appears anomalous or unusual. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 10, the limitations are merely directed towards a further method step of determining anomalous status “based on a comparison of the information associated with the first identity matches one or more anomalous access criteria” which is also an abstract idea as a mental process since the human mind is capable of comparing identity information against criteria to identify matches. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 11, the limitations are merely directed towards further method steps of “providing the information associated with the first identity to a model trained on information associated with a plurality of anomalous identities and a plurality of permissible identities,” which amounts to mere instructions to apply the abstract idea using a generic machine learning model on a computer, and therefore, does not recite a practical application or significantly more. See MPEP § 2106.05(f).

As per claim 12, the limitations are merely directed towards further aspects of the anomalous determination being “based on the first identity having been determined to be a privileged identity,” which does not further limit the abstract ideas recited in claim 8, or provide additional elements, and therefore, does not recite a practical application or significantly more.

As per claim 13, the limitations are merely directed towards further method steps of determining privileged status “based on comparison of the information associated with the first identity to one or more privileged access criteria” which are also abstract ideas as mental processes since the human mind is capable of comparing identity information against criteria to determine if an identity qualifies as privileged. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 14, the limitations are merely directed towards further aspects of the “privileged access criteria” being “associated with the particular resource,” which does not further limit the abstract ideas recited in claim 1, or provide additional elements, and therefore, does not recite a practical application or significantly more.

As per claim 15, the limitations are merely directed towards the repetition of the same abstract ideas “for a plurality of additional resources that are different than the particular resource,” which does not further limit the abstract ideas recited in claim 1, or provide additional elements, and therefore, does not recite a practical application or significantly more.

As per claim 16, the limitations are merely directed towards further aspects of different access protocols such as “API”, “pull operation”, and “push operation” for different resources, which are generic data transmission mechanisms that do not further limit the abstract ideas recited in claim 15, or provide additional elements beyond generic computer functions, and therefore, do not recite a practical application or significantly more. See MPEP § 2106.05(f).

As per claim 17, the limitations are merely directed towards a further method step of “determining whether a second identity that is present in the secure identity repository is not received from the particular resource” which is also an abstract idea as a mental process since the human mind, at least using a pen and paper, is capable of comparing two lists to identify entries present in one, but missing from the other. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 18, the limitations are merely directed towards further aspects of the “particular resource” being enumerated as a variety of generic computer components, which amounts to mere recitation of generic computer elements, and therefore, does not recite a practical application or significantly more. See MPEP § 2106.05(d).

As per claim 19, the limitations are merely directed towards a further method step of “transmitting a reporting indicating a number of new identities associated with the particular resource and other resources during a pre-determined time period” which is also an abstract idea as a mental process since the human mind, at least using a pen and paper, is capable of counting new identities over a time period and transmitting a corresponding report. Further, these additional limitations do not recite a practical application or significantly more.

As per claim 21, the limitations are merely directed towards further aspects of the system further comprising “a plurality of identity controlled resources that include the particular resource,” which amounts to mere recitation of generic computer elements, and therefore, does not recite a practical application or significantly more. See MPEP § 2106.05(d).

Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention does not fall within at least one of the four categories of patent eligible subject matter. As per claim 20, the limitations recite a system with elements such as “repository”, “engine”, and “data store” which can be interpreted as software per se because the claim or the specification does not indicate the system requires hardware(s) or define these elements as hardware. Therefore, claim 20 is rejected under 35 USC 101.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 13-15, 18, 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan et al. US 20240179147, hereinafter referred to as Dayan, in view of Srinivasan et al. US 9069979, hereinafter referred to as Srinivasan.
As per claim 1, Dayan teaches a method of preventing unauthorized access to a computing system, comprising: receiving information associated with a first identity from the particular resource based on the access protocol associated with the particular resource (Dayan [0007], [0094]: receives identity information from a resource through a native communication protocol established for that resource, see e.g., “the network identity to access at least one network resource using a native communication protocol; monitoring a communication between the network identity and the at least one network resource to identify additional data associated with the network identity”); determining whether the first identity is a privileged identity based on the received information associated with the first identity (Dayan [FIG. 1], [FIG. 3], [0071], [0081]: determines privilege level of an identity by checking the received identity information, see e.g., “network resource proxy 120 may authorize network identity 240… determine if network identity 240 has the necessary level of permissions to access network resource 170… may verify access to the requested network resource 170 and determine whether network identity 240 can access network resource 170 and perform requested actions”); adding the first identity to a secure identity repository when the first identity is determined to be a privileged identity (Dayan [FIG. 1], [0072]: the secret hub functions as secure storage for identities and credentials and stores the credentials that have access to the resource, see e.g., “Secret hub 160 may be any form of secure storage location for storing secrets, which may include, but are not limited to, passwords, credentials, encryption keys, tokens, certificates, or any other form of access credential for use in applications, services, privileged accounts, and other secure network resources. Secret hub 160 may allow for central management of secrets across multiple accounts within a network and allow security access policies to be consistently enforced across multiple accounts. In particular, secret hub 160 may encrypt and store credentials required to access network resource 170”).

Dayan does not explicitly disclose accessing an identity access protocol repository to retrieve an access protocol associated with a particular resource. Srinivasan teaches accessing an identity access protocol repository to retrieve an access protocol associated with a particular resource (Srinivasan [Col. 9, lines 5-13]: per-service-instance security store that mentions artifacts used to connect to the resources, see e.g., “Each service instance of any type can have its own composite OPSS security store on a per-instance basis. The security store can provide isolation to a service instance for all of that instance's security artifacts… artifacts can include those used to obtain and consume credentials to connect back-end systems. Such artifacts can include those used to obtain and consume keys and certificates to establish secure socket layers (SSL) connections”). Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan of an adaptive authentication system with the teachings of Srinivasan to include an access protocol repository in order to manage access across different platforms while improving interoperability.

As per claim 2, Dayan in view of Srinivasan teaches the method of claim 1, wherein the access protocol associated with the particular resource includes an address for transmitting a request of identity information to the particular resource (Dayan [0097]: parameters used to connect to the network resource include the IP addresses used for transmitting requests to that resource, see e.g., “parameters to connect to a proxy may indicate information such as the identity making the request to access network resource 170… An identification of a network resource may comprise parameters to connect to network resource 170… identification of network resource 170 may include a source and destination address and port, protocol, domain name system information, IP address information, or any other connection information for identifying network resource 170”).

As per claim 3, Dayan in view of Srinivasan teaches the method of claim 1, wherein the access protocol associated with the particular resource comprises software instructions for retrieving identity information from the particular resource (Dayan [0094]: the protocol has software-implemented native communication protocol instructions, which constitute the software instructions used to retrieve and exchange information, see e.g., “Native communication protocols may include rules and conventions for exchanging information between devices through a network or other media… such as a Secure Shell Protocol (SSH), a structured query language (SQL), a Remote Desktop Protocol (RDP), a File Transfer Protocol (FTP), an SSH File Transfer Protocol (SFTP), a Simple Mail Transfer Protocol (SMTP), a hypertext transfer protocol (HTTP), a Hypertext Transfer Protocol Secure (HTTPs), or any other protocol suitable for transmitting information between systems”).

As per claim 5, Dayan in view of Srinivasan teaches the method of claim 1, wherein the secure identity repository is configured to provide credential information associated with the first identity to an authorized requester (Dayan [0072]: secret hub that authenticates and authorizes a requester and provides them access to secrets, see e.g., “Secret hub 160 may authenticate and authorize users, machines, or applications attempting to access one or more secrets before permitting access to stored sensitive data”).

As per claim 6, Dayan in view of Srinivasan teaches the method of claim 5, wherein the authorized requester is a second resource, wherein the second resource is configured to use the credential information associated with the first identity to access the particular resource (Dayan [0082]: the network resource proxy can constitute a second resource which receives credentials from the secret hub and uses those credentials to authenticate and access the resource on behalf of the network identity, see e.g., “Network resource proxy 120 may retrieve strong account credentials from secret hub 160 through a privileged access manager… network resource proxy 120 may send a request to secret hub 160 to retrieve strong account credentials. In response, secret hub 160 may retrieve the strong account credentials, decrypt the protected strong account credentials, and return the strong account credentials to network resource proxy 120 over a secured channel”).

As per claim 7, Dayan in view of Srinivasan teaches the method of claim 6, wherein the second resource accesses the particular resource without intervention by a human operator (Dayan [0077]: the second resource can be another network identity that accesses resources, and these identities include software instances and applications that operate without human intervention, see e.g., “Network identity 240 may be a virtual machine (e.g., based on AWS™, Azure™, IBM Cloud™, etc.), container instance (e.g., Docker™ container, Java™ container, Windows Server™ container, etc.), or other virtualized instance”).

As per claim 8, Dayan in view of Srinivasan teaches the method of claim 1, further comprising determining whether the first identity is anomalous (Dayan [0087]: “network identity 240 may be determined to be associated with anomalous or suspicious network behavior, or for any other reason that a connection may be terminated between network identity 240 and network resource 170”).

As per claim 9, Dayan in view of Srinivasan teaches the method of claim 8, wherein, when the first identity is determined to be anomalous: access by the first identity to the particular resource is disabled; and an alert communication is issued (Dayan [0087], [0139]: “network identity 240 may be determined to be associated with anomalous or suspicious network behavior, or for any other reason that a connection may be terminated between network identity 240 and network resource 170… other security actions may include generating an alert, flagging network identity 240, suspending or terminating a least-privilege connection”).

As per claim 10, Dayan in view of Srinivasan teaches the method of claim 8, wherein the first identity is determined to be anomalous based on a comparison of the information associated with the first identity matches one or more anomalous access criteria (Dayan [0228]: anomaly detection is performed by comparing additional identity data against stored data, where deviations indicate anomalous activity, see e.g., “authentication step 1745 may be configured to detect changes in data associated with network identity 240… Authentication step 1745 may include comparing additional data 1735 with the stored data. A difference between additional data 1735 and the stored data may reflect anomalous activity and thus may require additional authentication or another form of control action”).

As per claim 13, Dayan in view of Srinivasan teaches the method of claim 1, wherein the first identity is determined to be a privileged identity based on comparison of the information associated with the first identity to one or more privileged access criteria (Dayan [0081]: comparing identity information against access policy criteria, see e.g., “Authorizing network identity 240 may include checking the authentication credentials of network identity 240 against one or more access policy to determine if network identity 240 may access network resource 170”).

As per claim 14, Dayan in view of Srinivasan teaches the method of claim 1, wherein the one or more privileged access criteria are associated with the particular resource (Dayan [0100]: “an access policy may be based on an address of network resource 170, an instance name of network resource 170, a schema of network resource 170, a type of command, a table of network resource 170, a column of network resource 170, or a row of network resource 170”).

As per claim 15, Dayan in view of Srinivasan teaches the method of claim 1, wherein said accessing, receiving, determining, and adding are repeated for a plurality of additional resources that are different than the particular resource (Dayan [0073], [0088], [0109]: resources can be any type of computing resource within a network, and the same steps would have to be performed to access each resource, see e.g., “network identity 240 would have to repeat process 300 to access network resource 170 or to perform additional actions on network resource 170… resource discovery may be used to discover network resource 170 and other resources that may be accessed by network identity 240”; Srinivasan [Col. 9, lines 5-13]: per-service-instance security store that mentions artifacts used to connect to the resources).

As per claim 18, Dayan in view of Srinivasan teaches the method of claim 1, wherein the particular resource is a data store, a database, the secure identity repository, a particular record in a data store, a server, a service operating on a server, an operating system, an enterprise manager, an active directory, a network automation engine, network attached storage, an identity management store, a mainframe, an application, a cloud environment, a service associated with a cloud environment, a computer, a phone, or a mobile communication device (Dayan [0073]: “Network resource 170 may refer to any type of computing resource within a network that may be accessed by entities (e.g., users, machines, applications) through a communications network. Examples of network resources 170 may include servers, databases, or data structures holding confidential information, restricted-use applications, operating system directory services, access-restricted cloud-computing resources, sensitive IoT equipment, or any other computer-based equipment or software that may be accessible over a network e.g., network 110”).

As per claims 20 and 22, the claims disclose a system corresponding to the method of claim 1 above, and they are rejected, at least for the same reasons.

As per claim 21, Dayan in view of Srinivasan teaches the system of claim 20, further comprising a plurality of identity controlled resources that include the particular resource (Dayan [0073]: “Network resource 170 may refer to any type of computing resource within a network that may be accessed by entities (e.g., users, machines, applications) through a communications network. Examples of network resources 170 may include servers, databases, or data structures holding confidential information, restricted-use applications, operating system directory services, access-restricted cloud-computing resources, sensitive IoT equipment, or any other computer-based equipment or software that may be accessible over a network (e.g., network 110). Other examples of network resources 170 may include files, folders, elements in cloud buckets, databases, serverless function settings, logs, computer programs, computer codes, machine executable instructions, or any other type of data that may be stored in a data structure. In some embodiments, network resource 170 may be a privileged resource to which access is limited or restricted”).

Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan in view of Srinivasan, and further in view of Edwards et al. US 20210211389, hereinafter referred to as Edwards.

As per claim 4, Dayan in view of Srinivasan teaches the method of claim 1. Dayan in view of Srinivasan does not explicitly disclose wherein the access protocol associated with the particular resource indicates that identity information is received from the particular resource via a push protocol. Edwards teaches wherein the access protocol associated with the particular resource indicates that identity information is received from the particular resource via a push protocol (Edwards [0057]: “provide for different communication protocols to implement not only the passage of identity data, but also any logic required to provision or reconcile accounts and access, pull, or push identity changes from/to identity repositories e.g., human resource (HR) systems”). Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan of access protocols associated with particular resources with the teachings of Edwards to include a push protocol in order to improve efficiency of resource access with proactive data delivery.

As per claim 16, Dayan in view of Srinivasan teaches the method of claim 15, wherein the access protocol associated with the particular resource comprises an API address and protocol for requesting information associated with identities that are authorized to access the particular resource; wherein an access protocol associated with a second resource indicates that information associated with identities that are authorized to access the second resource can be accessed via a pull operation (Dayan [0094-0095]: multiple distinct communication protocols including API-based HTTP/HTTPS protocols and pull-based query protocols such as SQL, SFTP, FTP for retrieving information from different resources, see e.g., “Native communication protocols may include rules and conventions for exchanging information between devices through a network or other media… such as a Secure Shell Protocol (SSH), a structured query language (SQL), a Remote Desktop Protocol (RDP), a File Transfer Protocol (FTP), an SSH File Transfer Protocol (SFTP), a Simple Mail Transfer Protocol (SMTP), a hypertext transfer protocol (HTTP), a Hypertext Transfer Protocol Secure (HTTPs), or any other protocol suitable for transmitting information between systems… Authenticating network identity 240 using an existing protocol may occur conditional on network identity 240 using a native client”). Dayan in view of Srinivasan does not explicitly disclose wherein an access protocol associated with a third resource indicates that information associated with identities that are authorized to access the third resource can be accessed via a push operation. Edwards teaches wherein an access protocol associated with a third resource indicates that information associated with identities that are authorized to access the third resource can be accessed via a push operation (Edwards [0057]: the protocol associated with a resource, HR systems, can indicate that information about authorized identities can be accessed via a push operation, see e.g., “provide for different communication protocols to implement not only the passage of identity data, but also any logic required to provision or reconcile accounts and access, pull, or push identity changes from/to identity repositories e.g., human resource (HR) systems”). Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan of access protocols associated with particular resources with the teachings of Edwards to include a push protocol in order to improve efficiency of resource access with proactive data delivery.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Dayan in view of Srinivasan, and further in view of Xu et al. US 20230195863, hereinafter referred to as Xu.

As per claim 11, Dayan in view of Srinivasan teaches the method of claim 8.
Dayan in view of Srinivasan does not explicitly disclose wherein the first identity is determined to be anomalous by providing the information associated with the first identity to a model trained on information associated with a plurality of anomalous identities and a plurality of permissible identities. Xu teaches wherein the first identity is determined to be anomalous by providing the information associated with the first identity to a model trained on information associated with a plurality of anomalous identities and a plurality of permissible identities (Xu [Abstract]: submits the access data of the identity into a model and it outputs an anomaly report, see e.g., “submitting access data to a trained machine learning model, receiving anomaly detection result (214) from the trained machine learning model, formulating compromise assessment based on the anomaly detection result and supplying the compromise assessment (308) for use by an access control mechanism”). Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan anomaly detection with the teachings of Xu to submit data involving the anomaly to a model in order to reduce false positives and tune the model to differentiate between malicious and legitimate identities. Claims 12, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dayan in view of Srinivasan, and further in view of Yip et al. US 12386991 hereinafter referred to as Yip. As per claim 12, Dayan in view of Srinivasan teaches the method of claim 8. Dayan in view of Srinivasan does not explicitly disclose wherein the determination of whether the first identity is anomalous is based on the first identity having been determined to be a privileged identity. 
Yip teaches wherein the determination of whether the first identity is anomalous is based on the first identity having been determined to be a privileged identity (Yip [Col. 5, lines 11-16], [Col. 15, lines 45-55]: risk score can determine that a privileged account is anomalous, see e.g., “risk score can indicate level of risk, and/or potential threat to an account. The risk score can be weighted based on privilege level (e.g., privilege status and/or privilege value) of an account. For instance, the apparatus can calculate a high risk score for an account with a high privilege value (e.g., privileged-tier-high) with a low level of security”). Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan of anomaly detection with the teachings of Yip to include privilege-weighted anomaly determination in order to detect issues involving privileged accounts and providing remedial actions to prevent any compromise (Yip [Col. 15, lines 45-55]. As per claim 17, Dayan in view of Srinivasan teaches the method of claim 15. Dayan in view of Srinivasan does not explicitly disclose further comprising determining whether a second identity that is present in the secure identity repository is not received from the particular resource. Yip teaches further comprising determining whether a second identity that is present in the secure identity repository is not received from the particular resource (Yip [Col. 4, lines 13-17]: detecting accounts that were previously stored but no longer received from the platform, see e.g., “the apparatus can perform an INSERT, UPDATE, and/or DELETE comparisons for the database to detect any changes in the data from scheduled/executed jobs stored in the database and newly received data for each account from the computing platforms”). 
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan of an adaptive authentication engine with the teachings of Yip to include change detection for identifying accounts in order to automatically sync the repository with the actual state of resource to prevent security gaps caused by invalid identity data. As per claim 19, Dayan in view of Srinivasan teaches the method of claim 1. Dayan in view of Srinivasan does not explicitly disclose further comprising transmitting a report indicating a number of new identities associated with the particular resource and other resources during a pre-determined time period. Yip teaches further comprising transmitting a report indicating a number of new identities associated with the particular resource and other resources during a pre-determined time period (Yip [FIGS. 10A-10C] [Col. 17, lines 32-39]: generating reports that collects account data during scans, where the number of new identities is reflected by accounts newly identified across platforms within the reporting interval, see e.g., “the report can include a table listing identifies of each account retrieved, platforms from which each account is retrieved, credentials associated with each account, privileged access rights of each account, risk scores of each account, and/or the like. The report can also include statistical analysis of the privileged access rights analysis e.g., the percentage of accounts retrieved being privileged accounts, or a breakdown of privileged accounts by platforms”). 
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dayan in view of Srinivasan of securing privileged identities with the teachings of Yip to include a reporting mechanism in order to enhance security monitoring and auditing by providing visibility of new identities. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CAROLINE HOANG-ANH NGUYEN whose telephone number is (571)272-8309. The examiner can normally be reached Monday-Thursday 7am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /C.H.N./Examiner, Art Unit 2495 /HENRY TSANG/Primary Examiner, Art Unit 2495

Prosecution Timeline

Nov 25, 2024
Application Filed
May 12, 2026
Non-Final Rejection mailed — §101, §103 (current)


Prosecution Projections

1-2
Expected OA Rounds
Grant Probability
Low
PTA Risk
Based on 0 resolved cases by this examiner. Grant probability derived from career allowance rate.
