DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/08/2021 has been entered.
 
Response to Amendment
This Office action is in response to the amendment/request for reconsideration filed on 02/08/2021, which has been considered. Claim 21 is newly added. Claims 1-14 and 16-21 are pending and are examined as set forth below.
	
Response to Arguments
Applicant’s arguments have been considered but are moot in view of the new grounds of rejection.
Claim Objections
Claim 16 is objected to because of the following informalities: claim 16 depends from canceled claim 15. For examination purposes, the examiner will treat claim 16 as depending from claim 13. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-14 and 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over Buck et al. (Pub. No.: US 2020/0285761 A1), hereinafter “Buck”, in view of Cockerill et al. (Pub. No.: US 2018/0359244 A1), hereinafter “Coc”.

As to claim 1. Buck discloses a non-transitory computer readable medium comprising instructions (Buck, abstract) that when executed cause at least one processor to: 
receive an application flow from a device by an active threat detection agent (Buck, fig.4, [0706], applications that have been determined to be similar (e.g., as described above) are classified based on signing certificates, which are used to classify applications into two groups. identifying potentially pirated applications (e.g., for copyright enforcement); identifying potentially malicious applications; optimizing a sales strategy (e.g., such as identifying additional 
analyze the application flow for user context, device context, and application context (Buck, fig.4, [0780], based on the data from admin server 1310, evaluation server 1302 causes mobile device 1312 to perform one or more actions. In one example, the action is implementing a quarantine of application 1316. In one example, the action is changing one or more permissions 1340. In one example, the action is denying access to a network.); 
determine whether to classify the application flow based on the analysis of the application flow (Buck, fig.4, [0780], based on the data from admin server 1310, evaluation server 1302 causes mobile device 1312 to perform one or more actions. In one example, the action is implementing a quarantine of application 1316. In one example, the action is changing one or more permissions 1340. In one example, the action is denying access to a network.).
Buck, however, does not explicitly disclose: in response to the application flow being classified as anomalous, directing the application flow according to the classification of the application flow and an application access policy, wherein the application access policy includes at least one restriction for the application flow.
Coc, however, discloses a similar concept, e.g., in response to the application flow being classified as anomalous (Coc, [0123], determining whether an application is anomalous), directing the application flow according to the classification of the application flow and an application access policy, wherein the application access policy includes at least one restriction for the application flow (Coc, [0180], policies may be defined and 
Therefore, before the effective filing date of the instant application, it would have been obvious to one of ordinary skill in the art to incorporate the teachings of Coc into those of Buck in order to provide a system for security evaluation associated with a request for access by a computing device to a service (e.g., an online or network service). Additionally, such a system provides a security evaluation in computer systems, and more particularly, but not limited to, performing a security evaluation associated with access or attempted access by a computing device to a service (e.g., an online service provided by a service provider).

As to claim 2. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the device context includes a security assessment of the device, the security assessment being based in part on whether the device is an enterprise issued device, what type of network the device is connected to, where the device is located, and a user account associated with the device (Coc, [0005], exploits can take advantage of security vulnerabilities associated with a mobile device in order to execute malicious code or perform undesired actions on the device. Potentially, exploits can bypass permissions or policies set by the user, manufacturer, operating system, or mobile operator and give the attacker complete control of the device, etc.).

As to claim 3. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the user context and device context are evaluated by an identity services engine having network visibility to all devices connected to the network, and that receives security information from at least two security services (Buck, [0281]).

As to claim 4. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the application context pertains to where the application is located in the network, and the access profile for the application (Buck, fig.5, element 1013, [0082]).

As to claim 5. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the access policy takes into account whether a user account has access privileges to access an application that is a destination of the access flow, and whether the user context and device context are sufficient to access the application (Coc, [0238]).

As to claim 6. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the instructions to direct the application flow according to the classification of the application flow and an application access policy include instructions to provide a change of authorization to discontinue authorization to access the application after a session with the application has already been initiated (Coc, [0080]).

As to claim 7. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the instructions to classify the application flow include instructions to use a machine learning classifier to classify the application flow (Buck, [0804]).

As to claim 8. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the machine learning classifier is at least one of a random forest classifier or an isolation forest classifier (Buck, [0804], a device matches if an output from a model or rule exceeds a predetermined threshold.).

As to claim 9. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the user context and device context include an untrusted device on an untrusted network, and the classification of the application flow is a trusted application flow (Buck, [0804], the candidate devices match the queries if the devices satisfy one or more rules. In one example, the devices match if they contain an identified component (e.g., component 1334, 1336, 1324, and/or 1326), or contain a component similar to an identified component.).

As to claim 10. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the user context and device context include an untrusted device on a trusted network (Buck, [0036]).

As to claim 11. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the user context and device context include a trusted device on an untrusted network (Buck, [0036]).

As to claim 12. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the user context and device context include an untrusted user (Buck, [0112]).

As to claim 13. Claim 13 is rejected for the same rationale as applied to claim 1 above.

As to claim 14. The combined system of Buck and Coc discloses the invention as in the parent claim above, including a switch or router configured to receive the flow and to execute the threat detection agent (Buck, [0171]).

As to claim 16. Claim 16 is rejected for the same rationale as applied to claim 6 above.

As to claim 17. Claim 17 is rejected for the same rationale as applied to claims 1 and 13 above.

As to claim 18. Claim 18 is rejected for the same rationale as applied to claim 2 above.

As to claim 19. Claim 19 is rejected for the same rationale as applied to claim 3 above.

As to claim 20. Claim 20 is rejected for the same rationale as applied to claim 6 above.

As to claim 21. The combined system of Buck and Coc discloses the invention as in the parent claim above, including wherein the application flow is received over a network and includes at least application data to/from an application (Buck, [0023]).
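The following Python example is added by the editor for illustration only; it is not part of this Office action, the instant application, or the Buck or Coc references. It models the pipeline recited in claim 1 together with the dependent limitations of claims 5, 6 and 9-12: an application flow carrying user, device and application context is classified and then directed according to that classification and an application access policy, and a change of authorization is issued when a session with the application has already been initiated. The context fields, scoring weights, threshold, policy values and scenarios are assumptions made for the example, and the deterministic score stands in for the machine learning classifier of claims 7-8 so that the example runs offline.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List

# Added example: every field, weight, threshold and policy value below is an assumption.


class Classification(Enum):
    TRUSTED = "trusted"
    ANOMALOUS = "anomalous"


@dataclass(frozen=True)
class UserContext:
    account: str
    trusted: bool                  # identity engine reports no risk flags on the account
    entitlements: FrozenSet[str]   # applications this account is permitted to reach


@dataclass(frozen=True)
class DeviceContext:
    enterprise_issued: bool
    network: str                   # "trusted" (corporate LAN/VPN) or "untrusted" (guest, public)
    location: str                  # coarse location reported for the device
    trusted: bool                  # posture result: managed, patched, not rooted


@dataclass(frozen=True)
class ApplicationContext:
    name: str
    segment: str                   # where the application sits: "internal", "dmz" or "saas"
    requires_trusted_device: bool  # the application's access profile


@dataclass(frozen=True)
class ApplicationFlow:
    user: UserContext
    device: DeviceContext
    app: ApplicationContext
    session_active: bool           # a session with the application has already been initiated
    bytes_out: int                 # application data volume observed on the flow so far


@dataclass(frozen=True)
class ApplicationAccessPolicy:
    # Restrictions applied to an anomalous flow, keyed by application segment.
    # An empty tuple means an anomalous flow to that segment is denied outright.
    anomalous_restrictions: Dict[str, tuple]


@dataclass
class Decision:
    classification: Classification
    action: str                    # "allow", "restrict" or "deny"
    restrictions: List[str] = field(default_factory=list)
    change_of_authorization: bool = False  # CoA issued to end an already-authorized session


BASELINE_BYTES_OUT = 1_000_000     # assumed per-flow volume baseline
ANOMALY_THRESHOLD = 3              # assumed score at which a flow is classified anomalous


def score_flow(flow: ApplicationFlow) -> int:
    """Deterministic risk score standing in for the ML classifier (assumed weights)."""
    score = 0
    if not flow.user.trusted:
        score += 3                 # an untrusted user alone crosses the threshold
    if not flow.device.trusted:
        score += 1                 # untrusted device on an untrusted network scores 2: still trusted
    if flow.device.network == "untrusted":
        score += 1
    if flow.bytes_out > 3 * BASELINE_BYTES_OUT:
        score += 2                 # volume far above baseline
    return score


def classify_flow(flow: ApplicationFlow) -> Classification:
    return Classification.ANOMALOUS if score_flow(flow) >= ANOMALY_THRESHOLD else Classification.TRUSTED


def direct_flow(flow: ApplicationFlow, policy: ApplicationAccessPolicy) -> Decision:
    """Direct the flow according to its classification and the application access policy."""
    classification = classify_flow(flow)
    decision = Decision(classification=classification, action="allow")
    # Access policy: the account must be entitled to the destination application, and the
    # device context must satisfy the application's access profile.
    if flow.app.name not in flow.user.entitlements:
        decision.action = "deny"
    elif flow.app.requires_trusted_device and not flow.device.trusted:
        decision.action = "deny"
    elif classification is Classification.ANOMALOUS:
        restrictions = policy.anomalous_restrictions.get(flow.app.segment, ())
        if restrictions:
            decision.action = "restrict"
            decision.restrictions = list(restrictions)
        else:
            decision.action = "deny"
    # A session that was already authorized is torn down with a change of authorization.
    if flow.session_active and decision.action != "allow":
        decision.change_of_authorization = True
    return decision


EXAMPLE_POLICY = ApplicationAccessPolicy(anomalous_restrictions={
    "internal": (),                       # anomalous flows to internal applications are denied
    "dmz": ("read-only", "rate-limit"),   # anomalous flows to DMZ applications are restricted
    "saas": ("no-upload",),
})

if __name__ == "__main__":
    mallory = UserContext("mallory", trusted=False, entitlements=frozenset({"wiki"}))
    corp = DeviceContext(enterprise_issued=True, network="trusted", location="HQ", trusted=True)
    wiki = ApplicationContext("wiki", segment="dmz", requires_trusted_device=False)
    print(direct_flow(ApplicationFlow(mallory, corp, wiki, session_active=True, bytes_out=BASELINE_BYTES_OUT), EXAMPLE_POLICY))
```

The separation between classification and direction matters for the claim 9 scenario: an untrusted device on an untrusted network can still carry a trusted flow, and whether that flow is allowed is then settled by the access policy (entitlement and access profile), not by the classifier.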

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Beam et al., US 2017/0126727 A1, is another pertinent reference in the field of the invention and discloses techniques for taking direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a graphical representation of threats.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAUQIR HUSSAIN whose telephone number is (571)270-1247.  The examiner can normally be reached on M-F 7:00 - 8:00 with IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached on 571 272-7952.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



/Tauqir Hussain/Primary Examiner, Art Unit 2446