Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-24 are pending.
Drawings
The drawings are objected to because Figure 5 contains blurry portions. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4-7, 9, 12-15, 17, 20-23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jin (US 20190146998 A1, hereinafter referred to as Jin) in view of Shukla (US 20100235830 A1, hereinafter referred to as Shukla).
Regarding claim 1, Jin discloses: A computer-implemented method comprising: receiving a request to instantiate a computing environment, wherein the request identifies a data object to be associated with the computing environment (Jin: Paragraph [0127] states, " The one or more federated devices may also generate and store, in a federated area, a corresponding new instance log that specifies details of the new performance of the job flow, including the identifier of the job flow definition, the identifiers of all of the task routines that were executed, the identifiers of the one or more data objects used as inputs and/or generated as outputs, and the identifier of the new result report." Paragraph [0338] states, "the insertion of the intervening federated area 2566u may be initiated in a request transmitted to the portal from either the user of the source device 2100q or the user of the source device 2100x, depending on which user has sufficient access permissions to be permitted to make such a change in the relationship between the private federated area 2566q and the base federated area 2566x, including the instantiation and insertion of the intervening federated area 2566u therebetween."); instantiating the computing environment after receiving the request, wherein instantiating the computing environment includes preventing unauthorized access of the data object (Jin: Paragraph [0104] states, "One or more federated devices may provide a portal to control access to data objects and task routines within each of the federated areas, including control over types of accesses made, to prevent unauthorized additions, changes and/or deletions." Paragraph [0127] states, " The one or more federated devices may also generate and store, in a federated area, a corresponding new instance log that specifies details of the new performance of the job flow, including the identifier of the job flow definition, the identifiers of all of the task routines that were executed, the identifiers of the one or more data objects used as inputs and/or generated as outputs, and the identifier of the new result report." Paragraph [0338] states, "the insertion of the intervening federated area 2566u may be initiated in a request transmitted to the portal from either the user of the source device 2100q or the user of the source device 2100x, depending on which user has sufficient access permissions to be permitted to make such a change in the relationship between the private federated area 2566q and the base federated area 2566x, including the instantiation and insertion of the intervening federated area 2566u therebetween."), but fails to explicitly disclose: determining that the computing environment is attempting to access the data object to perform one or more computing operations.
However, in the same field of endeavor, Shukla discloses: determining that the computing environment is attempting to access the data object to perform one or more computing operations (Shukla: Paragraph [0032] states, "The computing environment component may access the data object, respecting all of the complexities of such accessing (e.g., through the particular data object system; retrieving the data object from another computer or device over a network, or referencing a locally cached representation of the data object, where the cache has been suitably synchronized; or verifying the permission of the application to access the data object), and may provide a representation of the data object to the application if successful. In this manner, a virtualized application may access the computing environment in a comparatively simple manner by submitting an operation to the virtual environment interface, which invokes the computing environment component executing outside of the virtual environment to perform the operation.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Jin and include the above limitation with the teaching of Shukla in order to "promote the security of the application, both by restricting the manner in which the application may access the computing environment (e.g., in case the application is not fully trusted and may contain faulty or malicious instructions) and by reducing interference in the application from other processes executing both with and outside the virtual environment" (Shukla: Paragraph [0002]).
This motivation applies to the remainder of the claim.
Jin further discloses: identifying a set of data-access protocols associated with the data object (Jin: Paragraph [0332] states, "Regardless of the exact manner in which a portal may be implemented and/or what protocol(s) may be used, in determining whether to grant or deny access to the one or more federated areas 2566 to another device from which a request for access has been received, the processor(s) 2550 of the one or more federated devices 2500 may be caused to refer to indications stored within portal data 2539 of users authorized to be granted access."); determining that one or more characteristics associated with the computing environment and the one or more computing operations comply with the set of data-access protocols (Jin: Paragraph [0385] states, "As previously discussed in connection with at least FIG. 18A, the processor(s) 2550 of the one or more federated devices 2500 that receive the request may be caused by execution of the portal component 2549 to restrict access to the one or more federated areas 2566 for any of such requests to only authorized users, and may restrict the types of requests that may be granted to only those for which each user is authorized based on indications of such authorized users and/or types of granted access within the portal data 2539. Also, as depicted, the control routine 2540 may also include a selection component 2543 to employ one or more identifiers provided in a request and/or one or more rules to locate, select and retrieve objects associated with a job flow from the one or more federated areas 2566." Paragraph [0046] states, "the job flow definition 2220fgh may include interface definitions 2224 that specify aspects of task interfaces 2444 employed in communications among task the routines 2440 that are selected for execution to perform the tasks of the example job flow 2200fgh (e.g., the task routines 2440f, 2440g2 and 2440h). Such aspects may include quantity, type, bit widths, protocols, etc., of parameters passed from one task routine 2440 to another as part of communications among task routines 2440 during their execution."), but fails to explicitly disclose: and authorizing the computing environment to access the data object to perform the one or more computing operations.
However, Shukla further discloses: and authorizing the computing environment to access the data object to perform the one or more computing operations (Shukla: Paragraph [0032] states, "The computing environment component may access the data object, respecting all of the complexities of such accessing (e.g., through the particular data object system; retrieving the data object from another computer or device over a network, or referencing a locally cached representation of the data object, where the cache has been suitably synchronized; or verifying the permission of the application to access the data object), and may provide a representation of the data object to the application if successful. In this manner, a virtualized application may access the computing environment in a comparatively simple manner by submitting an operation to the virtual environment interface, which invokes the computing environment component executing outside of the virtual environment to perform the operation.").
Regarding claim 4, Jin discloses: The computer-implemented method of claim 1, wherein the set of data-access protocols includes an operation-type protocol, wherein the operation-type protocol specifies types of computing operations for which the data object is authorized to be accessed, and wherein the one or more characteristics indicate that the one or more computing operations correspond at least one of the types of computing operations (Jin: Paragraph [0385] states, "As previously discussed in connection with at least FIG. 18A, the processor(s) 2550 of the one or more federated devices 2500 that receive the request may be caused by execution of the portal component 2549 to restrict access to the one or more federated areas 2566 for any of such requests to only authorized users, and may restrict the types of requests that may be granted to only those for which each user is authorized based on indications of such authorized users and/or types of granted access within the portal data 2539. Also, as depicted, the control routine 2540 may also include a selection component 2543 to employ one or more identifiers provided in a request and/or one or more rules to locate, select and retrieve objects associated with a job flow from the one or more federated areas 2566." Paragraph [0046] states, "the job flow definition 2220fgh may include interface definitions 2224 that specify aspects of task interfaces 2444 employed in communications among task the routines 2440 that are selected for execution to perform the tasks of the example job flow 2200fgh (e.g., the task routines 2440f, 2440g2 and 2440h). Such aspects may include quantity, type, bit widths, protocols, etc., of parameters passed from one task routine 2440 to another as part of communications among task routines 2440 during their execution.").
Regarding claim 5, Jin discloses: The computer-implemented method of claim 1, further comprising: deleting the data object after completion of the one or more computing operations (Jin: Paragraph [0504] states, "if at 3512, the processor determines that the request to delete one or more objects within the specified federated area is authorized, then at 3520, the processor may check whether the one or more objects includes one or more data sets (e.g., one or more of the data sets 2330 or 2370). If so, then the processor may delete the one or more data sets from the specified federated area at 3522.").
Regarding claim 6, the combination of Jin as modified by Shukla discloses: The computer-implemented method of claim 1.
Shukla further discloses: determining that the computing environment is attempting to access the data object [to perform a different set of computing operations] (Shukla: Paragraph [0032] states, "The computing environment component may access the data object, respecting all of the complexities of such accessing (e.g., through the particular data object system; retrieving the data object from another computer or device over a network, or referencing a locally cached representation of the data object, where the cache has been suitably synchronized; or verifying the permission of the application to access the data object), and may provide a representation of the data object to the application if successful.").
The same motivation to modify with Shukla, as in claim 1, applies.
Jin further discloses: access the data object to perform a different set of computing operations (Jin: Paragraph [0490] states, "if at 3320, there is at least one other task routine with the same flow task identifier already stored within the specified federated area (or within such a base or intervening federated area), then the processor may check at 3330 whether the input interfaces (e.g., data interfaces 2443 that receive data from data objects, and/or task interfaces 2444 that receive parameters from another task routine) are implemented in the task routine in a manner that is identical to those of the one or more task routines with the same flow task identifier that are already so stored. Alternatively, and as previously discussed, such a comparison may be made between the implementation of the input interfaces of the task routine and the specifications for the input interfaces within one or more job flow definitions that include the task performed by the task routine. If, at 3330, the input interfaces are not identical, then the processor may transmit a denial of the request to the device via the network at 3314." Paragraph [0046] states, "the job flow definition 2220fgh may include interface definitions 2224 that specify aspects of task interfaces 2444 employed in communications among task the routines 2440 that are selected for execution to perform the tasks of the example job flow 2200fgh (e.g., the task routines 2440f, 2440g2 and 2440h). Such aspects may include quantity, type, bit widths, protocols, etc., of parameters passed from one task routine 2440 to another as part of communications among task routines 2440 during their execution."); determining that one or more characteristics associated with the different set of computing operations violates the set of data-access protocols; and denying access of the data object for performing the different set of computing operations (Jin: Paragraph [0490] states, "if at 3320, there is at least one other task routine with the same flow task identifier already stored within the specified federated area (or within such a base or intervening federated area), then the processor may check at 3330 whether the input interfaces (e.g., data interfaces 2443 that receive data from data objects, and/or task interfaces 2444 that receive parameters from another task routine) are implemented in the task routine in a manner that is identical to those of the one or more task routines with the same flow task identifier that are already so stored. Alternatively, and as previously discussed, such a comparison may be made between the implementation of the input interfaces of the task routine and the specifications for the input interfaces within one or more job flow definitions that include the task performed by the task routine. If, at 3330, the input interfaces are not identical, then the processor may transmit a denial of the request to the device via the network at 3314.").
Regarding claim 7, Jin discloses: The computer-implemented method of claim 1, wherein the data object includes a training dataset, and wherein the one or more computing operations include using the training dataset to train a machine-learning model (Jin: Paragraph [0272] states, "training data is received. In some examples, the training data is received from a remote database or a local database, constructed from various subsets of data, or input by a user. The training data can be used in its raw form for training a machine-learning model or pre-processed into another form, which can then be used for training the machine-learning model.").
Claims 9 and 17 recite feature similar to those in claim 1, therefore, they are rejected in a similar manner.
Claims 12 and 20 recite feature similar to those in claim 4, therefore they are rejected in a similar manner.
Claims 13 and 21 recite feature similar to those in claim 5, therefore they are rejected in a similar manner.
Claims 14 and 22 recite feature similar to those in claim 6, therefore they are rejected in a similar manner.
Claims 15 and 23 recite feature similar to those in claim 7, therefore they are rejected in a similar manner.
Claim(s) 2, 3, 10, 11, 18, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jin (US 20190146998 A1, hereinafter referred to as Jin) in view of Shukla (US 20100235830 A1, hereinafter referred to as Shukla) in further view of Hughes (US 20200175181 A1, hereinafter referred to as Hughes).
Regarding claim 2, Jin as modified by Shukla discloses: The computer-implemented method of claim 1, but fails to explicitly disclose: wherein the set of data-access protocols includes a location-based protocol, wherein the location-based protocol specifies a set of regions for which the data object is authorized to be accessed, and wherein the one or more characteristics indicate that the computing environment was instantiated at one of the set of regions.
However, in the same field of endeavor, Hughes discloses: wherein the set of data-access protocols includes a location-based protocol, wherein the location-based protocol specifies a set of regions for which the data object is authorized to be accessed, and wherein the one or more characteristics indicate that the computing environment was instantiated at one of the set of regions (Hughes: Paragraph [0118] states, "the request processing engine 112 determines a selected security environment for the data access request, wherein the selected security environment based at least in part on the one or more runtime parameters. In some embodiments, the request processing engine 112 determines the selected security environment from a group of security environments associated with the data interaction platform computing entity 106. In some embodiments, the request processing engine 112 determines the selected security environment based on at least one of a location-based runtime parameter value indicating a particular geographic area (e.g., a particular geographic area corresponding to a particular office of a particular company), a temporal runtime parameter value indicating a particular range of time within a week (e.g., every weekday between 9 AM and 5 PM), a network connection-based runtime parameter indicating a particular network connection used to connect to the data interaction platform computing entity 106 (e.g., a particular virtual private network (VPN) associated with a company), an environment-selection runtime parameter indicating an environment state selected by a user of the data interaction platform computing entity 106 (e.g., an environment state associated with work or leisure), and/or the like.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Jin as modified by Shukla and include the above limitation with the teaching of Hughes in order to "efficiently and reliably maintain data security policies" (Hughes: abstract).
Regarding claim 3, Jin as modified by Shukla discloses: The computer-implemented method of claim 1, but fails to explicitly disclose: wherein the set of data-access protocols includes a time-based protocol, wherein the time-based protocol specifies a time period during which the data object is authorized to be accessed, and wherein the one or more characteristics indicate that the computing environment was instantiated within the time period.
However, Hughes discloses: wherein the set of data-access protocols includes a time-based protocol, wherein the time-based protocol specifies a time period during which the data object is authorized to be accessed, and wherein the one or more characteristics indicate that the computing environment was instantiated within the time period (Hughes: Paragraph [0118] states, "the request processing engine 112 determines a selected security environment for the data access request, wherein the selected security environment based at least in part on the one or more runtime parameters. In some embodiments, the request processing engine 112 determines the selected security environment from a group of security environments associated with the data interaction platform computing entity 106. In some embodiments, the request processing engine 112 determines the selected security environment based on at least one of a location-based runtime parameter value indicating a particular geographic area (e.g., a particular geographic area corresponding to a particular office of a particular company), a temporal runtime parameter value indicating a particular range of time within a week (e.g., every weekday between 9 AM and 5 PM), a network connection-based runtime parameter indicating a particular network connection used to connect to the data interaction platform computing entity 106 (e.g., a particular virtual private network (VPN) associated with a company), an environment-selection runtime parameter indicating an environment state selected by a user of the data interaction platform computing entity 106 (e.g., an environment state associated with work or leisure), and/or the like.").
The same motivation to modify with Hughes, as in claim 2, applies.
Claims 10 and 18 recite feature similar to those in claim 2, therefore they are rejected in a similar manner.
Claims 11 and 19 recite feature similar to those in claim 3, therefore they are rejected in a similar manner.
Claim(s) 8, 16, 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jin (US 20190146998 A1, hereinafter referred to as Jin) in view of Shukla (US 20100235830 A1, hereinafter referred to as Shukla) in further view of Narayanaswamy (US 20170264640 A1, hereinafter referred to as Narayanaswamy).
Regarding claim 8, Jin as modified by Shukla discloses: The computer-implemented method of claim 1, but fails to explicitly disclose: wherein the set of data-access protocols prevents modifications or downloading of the data object.
However, in the same field of endeavor, Narayanaswamy discloses: wherein the set of data-access protocols prevents modifications or downloading of the data object (Narayanaswamy: Paragraph [0434] states, "the trust-deficient transaction is content file upload, download, or modification of a first content file having a first file type and the multi-part policy prevents upload, download, or modification of a particular file type different from the first file type and the method includes identifying the first content file from the trust-deficient transaction, looking up a file profile of the first content file in the supplemental data store, determining a true file type of the content file based on corresponding object metadata, and when the true file type fails to match the particular file type, determining the first content file to be compromised and triggering a security action based on the multi-part policy.").
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teaching of Jin as modified by Shukla and include the above limitation with the teaching of Narayanaswamy in order to provide "visibility, control and data security" (Narayanaswamy: Paragraph [0017]).
Claims 16 and 24 recite feature similar to those in claim 8, therefore they are rejected in a similar manner.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHREYAJ RAM BHANDARI whose telephone number is (571)272-0727. The examiner can normally be reached 7:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHREYAJ RAM BHANDARI/ Examiner, Art Unit 2434
/NOURA ZOUBAIR/ Primary Examiner, Art Unit 2434