Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
1.        Claims 1 - 27 are pending.  Claims 1, 15, 27 are independent.    File date is 4-19-2019.  

Claim Rejections - 35 USC § 102  
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

3.        Claims 1 - 27 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Lang et al. (US PGPUB No. 20180069899).     	
 
Regarding Claims 1, 15, 27, Lang discloses a processor-implemented method and a computing system and a non-transitory computer readable medium comprising instructions to configure a processor to perform operations, the method and the system and the non-transitory computer readable medium comprising:
a)  obtaining one or more normalized access control policies associated with one or more first entities based on a stored access control policy representation governing access to a set of resources in an information technology (IT) infrastructure comprising a plurality of subsystems; (Lang ¶ 007, ll 8-15: receiving (i.e. obtaining) policy input loaded from data storage or a memory; ¶  090, ll 1-7: runtime access control policy enforcement includes monitoring incidents related to policy enforcement; ¶ 077, ll 1-8: information is normalized to allow for more consistent processing in subsequent processing; information is transformed into a consistent model)    
b)  determining, based on the one or more normalized access control policies, at least one entity cluster associated with the one or more first entities; (Lang ¶ 157, ll 20-25: graph database; use graph structure (cluster) to represent and store data (access control policies); graph directly relates data items within the data structure; (graph representation analogous to cluster); ¶ 228, ll 1-9: policies define rules for a specific user group)    
c)  determining one or more derived access control policies corresponding to the at least one entity cluster; (Lang ¶ 007, ll 8-15: selecting policy aspects applicable to IT system (i.e. cluster configuration) and from policy template) and
d)  determining a set of non-compliant access control policies (Lang ¶ 054, ll 1-5: access policies; verify that for a particular implemented access policy a particular system cannot access a particular other system (i.e. non-compliant format)), 
wherein the set of non-compliant access control policies comprises:
e)  a first subset of the one or more normalized access control policies that are non-compliant with one or more stated access control policies applicable to the at least one entity cluster, or f) a subset of the one or more derived access control policies that are non-compliant with the one or more stated access control policies, or a combination thereof. (Lang ¶ 054, ll 1-5: access policies; verify that for a particular implemented access policy a particular system cannot access a particular other system (i.e. non-compliant format); (selected: a first subset of the one or more normalized access control policies that are non-compliant); ¶ 178, ll 1-19: actions added to existing actions such as allow/deny if policy should be enforced or actions could replace existing action if policy should not be enforced)    

Furthermore for Claim 15, Lang discloses wherein a memory, and a processor coupled to the memory, wherein the processor is configured to perform operations. (Lang ¶ 041, ll 8-13: sequence of actions embodied within any form of computer-readable storage medium having stored therein a corresponding set of computer instructions that upon execution cause an associated processor to perform the functionality described herein)    

Regarding Claims 2, 16, Lang discloses the method of Claim 1 and the computing system of Claim 15, wherein the policy representation comprises one or more second entities with access to the one or more first entities, or one or more third entities accessible to the one or more first entities; or a combination thereof. (Lang ¶ 133, ll 1-9: translate high level policy rules to machine enforceable low level policy rules; map input to a corresponding output; (selected: one or more second entities with access to the one or more first entities))    

Regarding Claims 3, 17, Lang discloses the method of Claim 2 and the computing system of Claim 16, wherein each entity cluster in the at least one entity cluster is determined based on at least one attribute common to one or more of: a subset of the one or more first entities, or a subset of the one or more second entities, or a subset of the one or more third entities. (Lang ¶ 087, ll 1-6: authoring of policies that share common policy requirements (i.e. policies for similar industries); include templates that determine the policies for the particular industry; ¶ 133, ll 1-9: translate high level policy rules to machine enforceable low level policy rules; map input to a corresponding output; (selected: a subset of the one or more first entities))

Regarding Claims 4, 18, Lang discloses the method of Claim 3 and the computing system of Claim 17, wherein the at least one attribute comprises at least one of:
an access privilege, or an access pattern, or
an activity pattern, the activity pattern comprising one or more of: an activity type, or an activity volume over a time period, or an activity time, or
a variance of one or more parameters associated with a current activity pattern in relation to corresponding parameters for a historical activity pattern, or a location, or a user or user group, or a role, or a device type, or
an access domain associated with the IT infrastructure, or a combination thereof. (Lang ¶ 080-082: user given a role in order to access information based upon the access controls; ¶ 172, ll 1-10: yield sets of functional system attributes used to formulate the functional system environment (i.e. certain patterns of events; access pattern); (selected: access pattern))    

Regarding Claims 5, 19, Lang discloses the method of Claim 1 and the computing system of Claim 15, wherein determining the one or more derived access control policies comprises:
a)  determining, for the at least one entity cluster, one or more corresponding resource access patterns or one or more resource utilization patterns, or a combination thereof, for one or more resources associated with the at least one entity cluster, the one or more resources comprised in the set of resources; (Lang ¶ 332, ll 1-17: policy decision device evaluates the policies it stores (i.e. corresponding access policy information) against the trigger event information and makes a policy decision (i.e. derived access policy information); provides the policy decision; ¶ 172, ll 1-10: yield sets of functional system attributes used to formulate the functional system environment (i.e. certain patterns of events; access pattern)) and
b)  determining, based on one or more of: the corresponding resource access patterns, or the resource utilization patterns, the one or more derived access control policies. (Lang ¶ 172, ll 1-10: yield sets of functional system attributes used to formulate the functional system environment (i.e. certain patterns of events; access pattern); (selected: corresponding resource access patterns))    

Regarding Claims 6, 20, Lang discloses the method of Claim 5 and the computing system of Claim 19, wherein the one or more derived access control policies are determined using a machine learning model. (Lang ¶ 158, ll 1-6: machine learning implemented using AI technology; ¶ 164, ll 1-8: learn from policies over time and using AI to produce predictive policies based on learned knowledge (i.e. recognized patterns) learned policies are automatically used by policy management system; (machine learning))    

Regarding Claims 7, 21, Lang discloses the method of Claim 1 and the computing system of Claim 15, wherein determining the first subset of the one or more normalized access control policies comprises:
a)  determining one or more non-compliant entities in the at least one entity cluster with attributes that are inconsistent with access control parameters associated with a resource accessed by the at least one entity cluster in the set of resources, b) the access control parameters being specified in at least one stated access control policy applicable to the resource, (Lang ¶ 178, ll 1-19: actions added to existing actions such as allow/deny (disabling) if policy should be enforced or actions could replace existing action if policy should not be enforced; (selected: disabling set of non-compliant access control policies)) and
c)  adding, for each non-compliant entity, corresponding normalized policies governing access to the resource to the first subset. (Lang ¶ 332, ll 1-17: policy decision device evaluates the policies it stores (i.e. corresponding access policy information) against the trigger event information and makes a policy decision (i.e. derived access policy information); provides the policy decision; ¶ 172, ll 1-10: yield sets of functional system attributes used to formulate the functional system environment (i.e. certain patterns of events; access pattern))     

Regarding Claims 8, 22, Lang discloses the method of Claim 1 and the computing system of Claim 15, further comprising: determining a second subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from: the one or more stated access control policies, or at least one stated access control policy applicable to a resource accessed by the entity cluster in the set of resources, or a combination thereof. (Lang ¶ 139, ll 1-12: different mappers are stacked into mapper chains which define refinement paths for different attributes used in translating high-level rules into technical rules (low-level rules); calculates all possible mapping chains between technically available attributes and any other attributes; (policies differ))    

Regarding Claims 9, 23, Lang discloses the method of Claim 1 and the computing system of Claim 15, wherein the one or more normalized access control policies are automatically configurable. (Lang ¶ 089, ll 1-10: system automatically generates the low-level policies corresponding to the generated high-level policies; automatically generate policy rules and configurations for systems analyzed in earlier steps)    

Regarding Claims 10, 24, Lang discloses the method of Claim 1 and the computing system of Claim 15, wherein the stored access control policy representation comprises the stated access control policies and the derived access control policies. (Lang ¶ 234, ll 1-5: security for assets generated by merging all aspects relevant for an asset)    

Regarding Claims 11, 25, Lang discloses the method of Claim 1 and the computing system of Claim 15, further comprising: initiating at least one corrective action in relation to the set of non-compliant access control policies. (Lang ¶ 178, ll 1-19: actions added to existing actions such as allow/deny if policy should be enforced or actions could replace existing action (corrective actions) if policy should not be enforced; (selected: disabling set of non-compliant access control policies))    

Regarding Claim 12, Lang discloses the method of Claim 11, wherein initiating the at least one corrective action in relation to the set of non-compliant access control policies comprises:
disabling the set of non-compliant access control policies; or
initiating transmission of a message identifying the set of non-compliant access control policies; or
flagging the set of non-compliant access control policies for evaluation; or
increasing a risk score associated with each non-compliant access control policy in the set of non-compliant access control policies; or
a combination thereof. (Lang ¶ 178, ll 1-19: actions added to existing actions such as allow/deny if policy should be enforced or actions could replace existing action if policy should not be enforced; (selected: deny; disabling set of non-compliant access control policies))

Regarding Claim 13, Lang discloses the method of Claim 1, further comprising: determining a third subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from the one or more derived access control policies applicable to the at least one entity cluster. (Lang ¶ 139, ll 1-12: different mappers are stacked into mapper chains which define refinement paths for different attributes used in translating high-level rules into technical rules (low-level rules); calculates all possible mapping chains between technically available attributes and any other attributes; (policies differ))

Regarding Claim 14, Lang discloses the method of Claim 1, further comprising: determining, for the one or more first entities, a set of unexercised normalized access control policies, the set of unexercised normalized access control policies comprising normalized access control policies associated with the one or more first entities that were not invoked over a time period. (Lang ¶ 174, ll 1-13: deploy runtime policy decision points in a way where no access policy decisions (unexercised policies) are actually carried out; instead PDPs collect a record of each access request together with their decisions on a running functional system environment)    

Regarding Claim 26, Lang discloses the computing system of Claim 15, wherein the processor is further configured to: determine a third subset of the one or more normalized access control policies applicable to entities in the at least one entity cluster that differ from the one or more derived access control policies applicable to the at least one entity cluster. (Lang ¶ 139, ll 1-12: different mappers are stacked into mapper chains which define refinement paths for different attributes used in translating high-level rules into technical rules (low-level rules); calculates all possible mapping chains between technically available attributes and any other attributes; (policies differ))        
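As an added illustration of the claimed method (not code from the application or from Lang), the following Python sketch normalizes policies from two subsystems with different vocabularies, clusters first entities by a shared attribute (role), derives a per-cluster policy from the actions actually granted, and reports the normalized and derived policies that are non-compliant with the stated policies; all entity, resource and policy values are constructed.

```python
from collections import Counter, defaultdict, namedtuple

# One consistent policy model: first entity, resource, normalized action.
Policy = namedtuple("Policy", "entity resource action")

# Constructed raw policies from two subsystems with different vocabularies.
RAW_POLICIES = [
    {"user": "alice", "res": "hr-db", "effect": "permit"},
    {"user": "bob", "res": "hr-db", "effect": "permit"},
    {"user": "carol", "res": "hr-db", "effect": "deny"},
    {"principal": "dave", "target": "hr-db", "decision": "ALLOW"},
]
# Constructed entity attribute (role) shared within an entity cluster.
ROLES = {"alice": "hr", "bob": "hr", "carol": "hr", "dave": "engineering"}
# Constructed stated policies: (cluster, resource) -> required action.
STATED = {("hr", "hr-db"): "allow", ("engineering", "hr-db"): "deny"}

def normalize(raw):
    """Map subsystem-specific records onto the consistent Policy model."""
    out = []
    for r in raw:
        effect = (r.get("effect") or r["decision"]).lower()
        out.append(Policy(r.get("user") or r["principal"],
                          r.get("res") or r["target"],
                          "allow" if effect in ("permit", "allow") else "deny"))
    return out

def cluster_entities(roles):
    """Entity clusters: first entities sharing a common attribute (the role)."""
    clusters = defaultdict(set)
    for entity, role in roles.items():
        clusters[role].add(entity)
    return dict(clusters)

def derive_policies(policies, clusters):
    """Derived policy per (cluster, resource): the action most often granted in practice."""
    role_of = {e: r for r, members in clusters.items() for e in members}
    votes = defaultdict(Counter)
    for p in policies:
        votes[(role_of[p.entity], p.resource)][p.action] += 1
    return {k: c.most_common(1)[0][0] for k, c in votes.items()}

def non_compliant(policies, clusters, stated):
    """First subset: normalized policies conflicting with the stated policy of the entity's cluster."""
    role_of = {e: r for r, members in clusters.items() for e in members}
    return [p for p in policies
            if stated.get((role_of[p.entity], p.resource), p.action) != p.action]

def non_compliant_derived(derived, stated):
    """Derived policies conflicting with the stated policies for the same cluster and resource."""
    return {k: v for k, v in derived.items() if k in stated and stated[k] != v}
```

On the constructed data, carol's deny and dave's allow are flagged as non-compliant normalized policies, and the engineering cluster's derived allow conflicts with its stated deny.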



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920.  The examiner can normally be reached on M - F 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/
April 21, 2021
Primary Examiner, Art Unit 2443