DETAILED ACTION

Currently pending claims are 1 – 33.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 18 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter where “A computer readable medium” as recited in the claim, may be reasonably interpreted as being intended to include communication media that include signals / carrier waves which “bear" instructions as claimed according to the disclosure of the specification (SPEC-PG.PUB [0112]: a non-transitory computer readable medium is any computer readable medium except for a transitory prapagating signal – i.e. a computer readable medium may include a transitory prapagating signal).  Such embodiments of the "manufacture" are not computer elements which define structural and functional interrelationships between the instructions and the rest of the computer that permit the functionality of the instructions to be realized / executed upon access by a hardware processor.  Examiner respectfully suggests an amendment of the claim language such as either (a) “A computer-readable storage device” or (b) “A non-transitory computer-readable storage medium”.  Appropriate correction(s) is (are) required and any other claims not addressed are objected by virtue of their dependency.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1 – 12, 14 – 30 and 32 – 33 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Seo et al. (U.S. Patent 2019/0065711). 

As per claim 1, 18 & 19, Seo teaches a  method for hardening cloud security policies of a cloud computing platform, comprising: 
gathering cloud activity logs from at least the cloud computing platform, wherein the cloud computing platform includes a plurality of cloud entities (Seo: Para [0056] / [0128] and Para [0125]: collecting cloud activity records from a plurality of cloud application activities (i.e. a plurality of cloud entities) in a (virtual) cloud computing system platform (environment)); 
gathering a plurality of cloud security policies provisioned to protect the cloud entities (Seo: Figure 6 / E-660 & Para [0146] – [0147] and Par [0129] / [0132]: managing various permission policies (permission control schemes) of a cloud application dependeing, for example, on the operating state of the cloud application entity, or regarding a type of accessed resource such as sensitive personal data (user’s contacts) or hardware component (camera)); 
for each of the plurality of cloud security policies, generating a permission usage map, wherein the permission usage map represents the permissions granted to each cloud entity and the permissions used by each cloud entity (Seo: Figure 8 & 6, Para [0125] – [0129] and Para [0146] – [0147]: creating a permission usage map in a permission database with a fomat of a permission matrix that specifies permissions granted to each cloud entity (activity) for a particular application (e.g. permissions 1 – 5) and the permissions actually used by each cloud entity (activity) (e.g. only permission 3 – 5 are actually used by application entity C and permission 1, 2 & 5 are actually used by application entity B depending on the operating state of the application (see Seo: FIG. 8) – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: FIG. 4B & FIG. 4C); 
analyzing the permission usage map to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by a cloud entity (Seo: see above & Figure 8 and Para [0125] – [0129]: analyzing a hardening gap of various differences to improve security (i.e. for risk reduction) between permissions granted to a cloud activity and permissions used by a cloud entity (see immediate above) depending on the operating state of the respective application); 
for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: (a) different protection level corresponding to various levels of risk reduction (security improvement)  in accordance with different risk scores designating a potential risk reduction and (b) addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) reading user’s contacts information, (ii) accessing a camera in the backgroun state of the application to prevent from operating maliciously or (iii) sending a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])); 
generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score (Seo: see above & Para [0150] and Para [0134]: (e.g.) (a) providing a hardening recommendation to reduce the risk by sending a notification when a permission is used in the background state, which can be changed later with a user input (which could be first implemented as a defaut configuration / predefined rule) and (b) suggesting the device to restrict a combination with a particular dangerous permission in the backgroun state); and 
applying the at least one hardening recommendation to the respective cloud security policy, thereby hardening the cloud computing platform (Seo: see above).  

As per claim(s) 2 – 3, 10, 16 – 17 and 20 – 21, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 4 and 22, Seo teaches wherein each permission usage map is a matrix of combinations of permissions and cloud entities of the plurality of cloud entities, wherein each cell in the matrix designates usage of a permission by at least one of the respective cloud entities (Seo: Figure 8 & 6, Para [0125] – [0129] and Para [0146] – [0147]: creating a permission usage map in a permission database as a permission matrix that specifies permissions granted to each cloud entity (activity) for a particular application (e.g. permissions 1 – 5) and the permissions actually used by each cloud entity (activity) (e.g. only permission 3 – 5 are actually used by application entity C and permission 1, 2 & 5 are actually used by application entity B depending on the operating state of the application (see Seo: FIG. 8) – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: FIG. 4B & FIG. 4C).  

As per claim 5 and 23, Seo teaches wherein the permission usage map further maintains a traceback of information to the policy units that were involved in granting the permissions (Seo: see above & Figure 7 / 8: (e.g.) based on different application activity entities).  

As per claim 6 – 7 and 24 – 25, Seo teaches complementing the permission usage map with future usage permissions and risk information (Seo: see above & Figure 8 & Para [0134] Last sentence and Para [0126]: an application is granted with (e.g.) a 1st and a 2nd permissions – however, the 2nd permission is a future usage permission, which is a permission that has been granted to a cloud entity but has not been used yet when considering the risk factor to combine the usages together between the 1st permission and the 2nd permission that would be dangerous to increase the risk level – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0091] / [0092]: alternatively (or complememtarily) including a future usage permission together with a risk information).  

As per claim 8 and 26, Seo teaches learning permission usage patterns of cloud entities of different cloud environments, wherein the usage patterns are utilized to derive the future usage permissions (Seo: see above and Para [0057] Last sentence, Para [0147] and Para [0056]: analyzing permission usage patterns of cloud entities such as installation of an application may present permissions allowed by a user used in a background state; but, it may not be required (i.e. not used yet after the installation state) including downloading applications from other cloud services (servers) – this constitutes a future usage permission – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0004]).  

As per claim 9 and 27, Seo teaches deriving, from the complemented permission usage map, at least one of a risk metric and an exposure metric, wherein the risk metric and the exposure metric indicate a hardening level of the cloud security policy (Seo: see above & Figure 8 and Para [0127] – [0130]: (a) various protection levels, as taught by Seo, corresponding to various applicable hardening levels of the cloud security policy (Seo: Para [0127]) and (b) the matrix of the permission usage map (FIG. 8), by itself, represents a combination of an exposure metric and a risk metric when considering the usage (exposure) of permissions associated potential risk factors).  

As per claim 10 and 28, Seo teaches iterating through policy units defined in the cloud security policy;Page 23 of 29RADW P1422 for each policy unit, extracting a permission usage map scoped at the policy unit; and discovering hardening gaps in each scoped permission usage map (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: for each of different security control schemes (policies), addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) the security control scheme w.r.t. reading user’s contacts information (sensitive personal data resource)  , as well as (ii) the security control scheme w.r.t. accessing a camera (hardware component resource)  in the backgroun state of the application to prevent from operating maliciously or alternatively, a permission control scheme (policy) to (iii) send a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])).  

As per claim 11 – 12 and 29 – 30, Seo teaches applying a set of predefined rules, wherein each rule maps each type of a discovered hardening gap to at least one hardening recommendation (Seo: see above & Para [0134] and Para [0150]: (e.g.) (a) suggesting the device to restrict a combination with a particular dangerous permission in the backgroun state or (b) providing a defaut configuration / predefined rule (as a recommendation) to send a notification when a permission is used in the background state, which can be changed later with a user input).  

As per claim 14 and 32, Seo teaches associating each hardening recommendation with a value and cost, wherein the value of a hardening recommendation is an expected reduction in risk achieved by the hardening recommendation, and the cost hardening recommendation factors at least a complexity of implementing the hardening recommendation (Seo: see above & Para [0132]: (e.g) to allow accessing camera only in the foreground state and prevent the access in the beckground state – this can reduce the risk level, however, it’s compensated with an implementation cost to allow freely access a camera function of the application).  

As per claim 15 and 33, Seo teaches producing candidate hardening recommendations for the discovered hardening gaps; associating each hardening recommendation with score, wherein the score is based on a value and cost associated with the respective hardening recommendation; and selecting a hardening recommendation based on the respective score (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: (a) different protection level corresponding to various levels of risk reduction in accordance with different risk score designating a potential risk reduction and (b) addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) reading user’s contacts information, (ii) accessing a camera in the backgroun state of the application to prevent from operating maliciously or (iii) a hardening recommendation to reduce the risk by sending a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 13 and 31 are rejected under 35 U.S.C.103 as being unpatentable over Seo et al. (U.S. Patent 2019/0065711), in view of Matsuda et al. (U.S. Patent 2006/0005228).  

As per claim 13 and 31, translating the at least one hardening recommendation into a script of policy change instructions supported by a respective cloud entity of the plurality of cloud entities (Seo: see aove) || (Matsuda: Para [0005]: translating a security criteria (i.e. security improvement recommentation) from a 1st format of natural language description into a 2nd format of device-specific language of a script in one-to-one correspondence).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of translating a security hardening recommendation into a script of policy change instructions because Matsuda teaches to alternatively, effectively and securely translating a security criteria (i.e. security improvement recommentation) from a 1st format of natural language description into a 2nd format of device-specific language of a script in one-to-one correspondence (see above) within the Seo’s system of providing a security improvement (reduction) criteria to prevent malicious attacks on an application (see above). 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2288 – 2021
---------------------------------------------------