Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION

1.         Claims 1-21 are pending.  



Continuity
2.         The instant application is a continuation of 15/785858, now US patent 10713355.


Information Disclosure Statement
3.         The IDS filed 11/15/2019 is being considered.



Response to Arguments
4.	The Terminal disclaimer of 10/27/2020 has been received and is approved.  Accordingly the rejection of claims 1-21 on the ground of non-statutory double patenting as being unpatentable over U.S. Patent No. US patent 10713355 is withdrawn.

No amendments to the claims have been made.  


The Examiner has carefully considered Applicant’s arguments but has found them to be unpersuasive.  Applicant argues that the prior art rejection does not teach the limitation “receiving context data related to the user device based on the user credentials”

The Examiner does not agree.  Paragraph [0074] of Kim et al. which Examiner relies upon the for the limitation in question directly states 

[0074] Referring back to FIGS. 1 and 2, the context information-based authentication server 200 may receive a context information message and authentication information from the mobile terminal 100, determine an authentication mechanism based on the context information message, and authenticate a user of the mobile terminal 100.  The context information-based authentication server 200 includes the data reception demon 210, the authentication execution demon 220, and the authentication policy application demon 230.  The context information-based authentication server 200 may further include the context information DB 240 which stores context information messages, the authentication policy DB 250 which stores authentication policies, and the authentication log DB 260 which stores authentication results.



Elaboration of this point is present in subsequent paragraphs.  For example in [0081], it states that it analyzes the context information message to “determine if a user ID in such context information message is a new user ID.”

Thus at a minimum, context data related to the user device based on the user credentials is received in that 

1.  a new user ID is received.
2.  it is present in the context information message and therefore is context data
3.  it is related to the user device because it is the ID of the user using such device (such user 
	   being new)
4.  is based on the user credential because a new user ID is itself a user credential 
5.  it is further based on the user credentials because without the user ID, a context information message constructed and containing therein a new user ID cannot be constructed.


As per the limitation is so far as the claimed recites 
“receiving context data related to the user device based on the validity of the user credentials” 

The Examiner relied upon Plewnia to augment such step.  

Specifically, Plewnia, USPGPUB 2014/0130142 teaches  
determining, at a cloud server, the validity of user credentials received from a user device, where the validity of the user credentials is determined with an initial determination   Plewnia Fig 2, [0032]
receiving context data related to the user device based on the validity of the user credentials, where if the user credentials are determined to be valid, additional context data is generated. Plewnia Fig 2, [0032, 0034]

Thus Plewnia, teaches a method in which context data may be received based on the validity of the user credentials.  More specifically, Plewnia [0032] teaches that additional access to a user information is denied if the user account information cannot first be located and or validated.   It is only after a user credential can be validated that a check is then made as to whether or not that user’s context includes an ID in which the user belongs on a list of cloud resources for which the user is authorized to access. 

Performing the initial validation check would have produced the predictable results of avoiding analysis of a user’s context if the user’s credentials cannot first be validated.  



Applicant does not appear to argue specifically why Plewnia is deficient, focusing the emphasis of the argument on the deficiencies of Kim et al. 

It is therefore unclear how Kim et al. in view of Plewnia does not teach the limitation.  More specifically it is not clear how the claims overcome the prior art asserted, or upon what basis a potential reasons for allowance can be drawn based on the allegation propounded by Applicant.

Although paragraph [0081] was not directly relied upon, the Examiner’s first citation of the teaching was in paragraph [0074], which references the received context information.  [0081] which merely elaborates upon the internal content of [0074] is not an exhaustive definition of the potential content of the received context information, but rather is an example.  Additional information demonstrating how the message is used is recited in the figures and [0093, 0094], figures 14, and 15, which recite which authentication mechanism is advanced given information concerning a given user.  



Plewnia et al. modifies the Kim et al. advantageously because as the Examiner has previously argued, Kim et al. has no prior explicit step of providing a validation to the user data.  While Kim et al. teaches receiving context data and using such context data (such as GPS or ID data of a device) to determine whether or not such ID or GPS data should be allowed to access the cloud, Plewnia et al. teaches that it makes sense to test the validity of the ID prior to its subsequent usage.  


Applicant additionally argues generally with respect to the Plewnia, Ben-Zvi, Jakobsson, and Sathish, that none of these references either apart or in combination teaches the deficiency of Kim et al.  No express argument is presented however, and it is therefore unclear as to what specifically Applicant is alleging is deficient (Applicant merely claims a limitation is not taught by Kim et al. and argues Kim), and why such basis is deficient.  


For these reasons, Applicant’s arguments are unpersuasive and the rejection is maintained.  


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.         Claim(s) 1-2, 5-6, 8-9, 12-13, 15-16, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. USPGPUB 2013/0174239 in view of Plewnia, USPGPUB 2014/0130142.  

7.         Claim(s) 3, 10, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. USPGPUB 2013/0174239 in view of Plewnia, USPGPUB 2014/0130142 in further view of Jakobsson USPGPUB 2016/0381552

8.         Claim(s) 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. USPGPUB 2013/0174239 in view of Plewnia, USPGPUB 2014/0130142 in further view of Sathish USPGPUB 2010/0153970.

(s) 7, 14, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. USPGPUB 2013/0174239 in view of Plewnia, USPGPUB 2014/0130142 in further view of Ben-Zvi USPGPUB 20110126281.


In reference to claim 1:
Kim et al. teaches a method for controlling access to data held in the cloud, comprising: 
determining, at a cloud server, the validity of user credentials received from a user device, where the validity of user credential is used alongside context information to determine whether to grant a user access to cloud based resources.   Kim et al. [0012, 0123-0124, 0069] 
receiving context data related to the user device based on the user credentials, where context data relating to a user is received so as to be used as a means to determine whether or not access is permissible.  Kim et al. Fig 2, 13, 14, 15 & [0074, 0093, 0094, 0100]
synchronizing the context data with the cloud server, where the context data may be synchronized with the cloud server, and where such synchronization may be performed on a transmission interval.  Kim et al. Figure 10, Step S1006, Fig 11, [0083]
enforcing context-sensitive security checks on requests made by a user for resources based on the sensor data collected by the user device, where the context-sensitive security checks are enforced on requests made by a user for resources based on sensor data collected by the user device.  Kim et al. [0091, 0112] & Fig 2, 13, 14, 15
wherein the context data comprises data about an operational state of the user device itself, where the context data comprises data about a state of the user including GPS information or userID, or other information about a state of the user device.  Kim et al. [0059, 0062, 0064] & Figure 15.

Kim et al. however fails to explicitly teach a method where an initial determination of the validity of user credentials is made, and then receiving additional context data based on the validity of the user credentials.  Kim et al. however states that both the user credentials and context data are sent in a packet to the server Kim et al. [0069]

Plewnia, USPGPUB 2014/0130142 teaches  
determining, at a cloud server, the validity of user credentials received from a user device, where the validity of the user credentials is determined with an initial determination   Plewnia Fig 2, [0032]
receiving context data related to the user device based on the validity of the user credentials, where if the user credentials are determined to be valid, additional context data is generated. Plewnia Fig 2, [0032, 0034]

Plewnia [0032] teaches that additional access to a user information is denied if the user account information cannot first be located and or validated.   It is only after a user credential can be validated that a check is then made as to whether or not that user’s context includes an ID in which the user belongs on a list of cloud resources for which the user is authorized to access. 



It would have been obvious to one of ordinary skill in the art before the effective filing date to determine at the cloud server the validity of user credentials made, and then receive context data based on the validity of the user credentials, in order to avoid wasteful transmission of context information over the network if the user’s initial credentials cannot be validated, and to avoid wasteful analysis of a user’s context if a user’s credentials cannot first be validated.

Examiner’s Comment: 
Broadly construed, on of ordinary skill in the art would understand that GPS location information provided by a device may indicate whether or not the device is powered on.   One such example of this interpretation can be found in prior art 20140095091 [0029-0030]

In reference to claim 2:
Kim et al. in view of Plewnia teaches the method for controlling access to data held in the cloud according to claim 1, wherein the context data comprises data about a state of a physical world outside of the user device, where the context data comprises data about a state of the user including GPS information or userID, or other information about a state of the user device.  Kim et al. [0059, 0062, 0064] & Figure 15.


In reference to claim 3:


Kim et al. however does teach context data including a user identity, a global positioning system location of the user device, Kim et al. [0059, 0062, 0064] & Figure 15.

However Jakobsson USPGPUB 2016/0381552 teaches a method where risk events based on the context of smartphone device data is handled.   For instance, based on data comprising a user identity, a GPS location reading, and an accelerometer reading may be used to determine whether a device is stolen and should be locked.

Jakobsson [0029], [0044] teaches handling risk events based on a user identity, a global positioning system location of the user device, and an accelerometer reading.

It would have been obvious to one of ordinary skill in the art before the effective filing date to apply the method of Jakobsson and handle risk events according to additional data including an accelerometer reading, because such information can be used to determine whether or not a device has been stolen (such a thief absconding away with a smartphone) and should be locked.  




Kim et al. in view of Plewnia teaches does not explicitly teach the method for controlling access to data held in the cloud according to claim 1 wherein the context data about the state of the user device itself comprises applications running on the user device at a given time, a battery level of the user device, and screen brightness of the user device.  

USPGPUB Berk et al. 2010/0277326 teaches a method monitoring smartphone devices, in particular for power consumption attributes.  Specifically, Berk et al. indicates that monitoring a device state comprising battery level, screen brightness, and running applications are important in determining the drain rate of the power level of a smart device which determines whether or not a particular program or application can execute.   Berk et al. [0021, 0023, 0025]

It would have been obvious to one of ordinary skill in the art before the effective filing date to apply the method of Berk et al. context information to the method of Kim et al. in view of Plewnia in order to determine the drain rate of the particular smartphone and whether or not the device in question has sufficient power to execute the security enforcement of Kim et al.  


In reference to claim 5:
Kim et al. in view of Plewnia teaches the method for controlling access to data held in the cloud according to claim 1, wherein access to the resources is subject to one or more preconditions related to the context data, where access to the resources in the cloud is subject to conditions related to the context data to see whether or not the context data such as time or location fits the authorized contexts.     Kim et al. [0092], [0102], [0124] & Figure 2, 7, 14, 15, 
 
In reference to claim 6:
Kim et al. in view of Plewnia teaches the method for controlling access to data held in the cloud according to claim 1, further comprising determining if the requests for resources are compliant with access control policies of the cloud server in addition to enforcing the context-sensitive security checks, where a determination is made as to whether the requests for resources are compliant with the access control policies of the cloud server.  Kim et al. [0092], [0069], [0102], [0124] & Figure 2, 7, 14, 15,
 

In reference to claim 7:
Kim et al. in view of Plewnia fails to explicitly teach the method for controlling access to data held in the cloud according to claim 1, wherein the context-sensitive security checks varies based on a sensitivity level of the resources.

Kim et al. in view of Plewnia however teaches the method for controlling access to data held in the cloud according to claim 1, wherein the context-sensitive security checks varies based on an authentication level, where the context-sensitive security checks varies based on a sensitive level of the resource, and where Kim varies the sensitivity level of the resource based on the authentication level.  Kim et al. [0009, 0130] see also Figure 14, 15



It would have been obvious to one of ordinary skill before the effective filing date to mediate the context sensitive security check based on a sensitive level of the resource because doing so would result in the predictable result of performing unnecessary authentication for lower sensitivity resources, while also ensuring that sufficient security authentication is maintained for higher sensitivity resources.  


Claim 8 is substantially similar to claim 1 and is rejected for the same reasons.  
Claim 9 is substantially similar to claim 2 and is rejected for the same reasons.  
Claim 10 is substantially similar to claim 3 and is rejected for the same reasons.  
Claim 11 is substantially similar to claim 4 and is rejected for the same reasons.  
Claim 12 is substantially similar to claim 5 and is rejected for the same reasons.  
Claim 13 is substantially similar to claim 6 and is rejected for the same reasons.  
Claim 14 is substantially similar to claim 7 and is rejected for the same reasons.  

Claim 15 is substantially similar to claim 1 and is rejected for the same reasons.  
Claim 16 is substantially similar to claim 2 and is rejected for the same reasons.  
Claim 17 is substantially similar to claim 3 and is rejected for the same reasons.  
Claim 18 is substantially similar to claim 4 and is rejected for the same reasons.  

Claim 20 is substantially similar to claim 6 and is rejected for the same reasons.  
Claim 21 is substantially similar to claim 7 and is rejected for the same reasons.  



Conclusion
10.         The following art not relied upon is made of record:
USPGPUB 20140123296 teaches a method of cloud security through metadata orchestrators.
US patent 10877937 teaches a method of cloud synchronization of device events

11.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


12.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS HO whose telephone number is (571)270-7862.  The examiner can normally be reached on 9:00AM - 6:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THOMAS HO/Examiner, Art Unit 2494                                         
                                                                                                           
/CHAU LE/Primary Examiner, Art Unit 2493