DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner Notes

The amended claims listed below are statutory, in that they integrate the abstract idea into a practical application by applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets.
Claims 15-20 claim “A computer storage medium”. However, the Applicant’s specification discloses that “A computer storage medium” does not include waves or signals per se (see Applicant’s specification, page 18).

Examiner’s Amendment

Authorization for the Examiner’s Amendment was given in an interview with the Applicant’s representative, Scott Y. Shigeta (Reg. No. 50,398) on July 28, 2021.
Claims 1, 6, 8, 13, and 15 have been amended by the Applicant; Claims 3, 9, and 16 have been canceled by the Applicant. The following Examiner’s amendment is listed below:

Claims

1.	(Currently Amended) A computer-implemented method for generating access control rules for controlling access to computer resources, the method comprising:
collecting historical access data for user accesses to a computer resource using an access control policy generation system;
separating the historical access data into a training data set and a validation data set using the access control policy generation system;
generating an access control rule for the computer resource based on one or more properties of the user accesses to the computer resource in the training data set;
validating the access control rule against the validation data set prior to a deployment of the access control rule, where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value, wherein the validation data set is a subset of the historical access data, where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value comprises applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets, scoring the denial rate level for each subset of the plurality of subsets to a corresponding one of a plurality of threshold parameter values to a score for each subset of the plurality of subsets, collecting the scores for each subset of the plurality of subsets to determine a cumulative score; and determining that the access control rule is valid if the cumulative score is below a threshold score value; and


3.	(Canceled)

6.	(Currently Amended) The computer-implemented method of Claim 1 
receiving a user access request for the computer resource;
obtaining the access control rule for the computer resource from the access rules store; applying the access control rule to the received user access request to determine if one or more properties of the received user access request fall within one or more permitted parameters of the access control rule;
permitting the user access request if the one or more properties of the received user access request fall within the one or more permitted parameters of the access control rule; and
rejecting the user access request if the one or more properties of the received user access request do not fall within the one or more permitted parameters of the access control rule.

8.	(Currently Amended) An automatic access control policy generation system, the automatic access control policy generation system comprising: 
one or more processors; and
at least one computer storage medium having computer executable instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to:

separate the historical access data into a training data set and a validation data set using the automatic access control policy generation system:
generate an access control rule for the computer resource based on one or more properties of the user accesses to the computer resource in the training data set;
validate the access control rule against the validation data set prior to a deployment of the access control rule, where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value, wherein the validation data set is a subset of the historical access data; and where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value comprises applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets, scoring the denial rate level for each subset of the plurality of subsets to a corresponding one of a plurality of threshold parameter values to a score for each subset of the plurality of subsets, collecting the scores for each subset of the plurality of subsets to determine a cumulative score; and determining that the access control rule is valid if the cumulative score is below a threshold score value; and
if the access control rule is determined to be valid, provide the access control rule to an administrative interface for deployment to the computer resource.

9. 	(Canceled)
13.	(Currently Amended) The automatic access control policy generation system of Claim 8 
receive a user access request for the computer resource;
obtain the access control rule for the computer resource from the access rules store; 
apply the access control rule to the received user access request to determine if one or more properties of the received user access request fall within one or more permitted parameters of the access control rule; 
permit the user access request if the one or more properties of the received user access request fall within the one or more permitted parameters of the access control rule; and
reject the user access request if the one or more properties of the received user access request do not fall within the one or more permitted parameters of the access control rule.

15.	(Currently Amended) A computer storage medium having computer executable instructions stored thereon which, when executed by one or more processors, cause the processors to execute a method for generating access control rules for controlling access to computer resources, the method comprising:
collecting historical access data for user accesses to a computer resource using an access control policy generation system:
separating the historical access data into a training data set and a validation data set using the access control policy generation system:
generating an access control rule for the computer resource based on one or more properties of the user access to the computer resource in the training data set;
validating the access control rule against the validation data set prior to a deployment of the access control rule, where the access control rule is determined to be valid if a denial rate 
where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value comprises applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets, scoring the denial rate level for each subset of the plurality of subsets to a corresponding one of a plurality of threshold parameter values to a score for each subset of the plurality of subsets, collecting the scores for each subset of the plurality of subsets to determine a cumulative score; and determining that the access control rule is valid if the cumulative score is below a threshold score value; and
if the access control rule is determined to be valid, providing the access control rule to an administrative interface for deployment to the computer resource.

16.	(Canceled)

Reasons for Allowance
Claims 1-2, 4, 6-8, 10-11, 13, 15, 17-21, and 23-24 are allowable.

The following is an Examiner’s statement of reasons for allowance:
The present invention is directed to a system and method in which the present technology reduces the attack surface for a system or machine by automatically generating access control rules to limit access to computer resources based on historical user access data. The historical access data can include frequent access requests to a computer resource by a particular user, and an access control rule is generated that permits access by the particular user but denies access to other users. When access to a computer resource is limited to users who normally access the computer resource, the vulnerability of the computer resource is reduced. The present invention discloses generating access control rules for computer resources by collecting historical access data for user accesses to a computer resource and separating the historical access data into a training data set and a validation data set. An access control rule is generated for the computer resource based on the properties of the user accesses to the computer resource in the training data set. The rule is validated against the validation data set to determine whether the denial rate level produced when the rule is applied to the validation data set is below a threshold. If the rule is valid, it is provided to an administrative interface so that an administrator can select the rule for application to incoming user requests.
The prior art of Koottayi et al. (2018/0288063) discloses creating dynamic enforcement policies based on event/data collection, and publishing the dynamic enforcement policies for consumption by the agents. Koottayi discloses that a threat detection component may comprise a 
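The generate-then-validate workflow recited in Claims 1, 8 and 15 and summarized above, as an added worked example in Python; this code is not part of the application or of this office action. The access log is constructed, and the page leaves several details open that are filled in here as assumptions: the rule form (permit every user whose share of training accesses to the resource reaches a minimum share), the way the validation set is cut into subsets (contiguous slices standing in for time windows), the scoring of a denial rate against its threshold parameter (the rate's excess over the threshold, zero if under), and every parameter value. The enforcement step of Claims 6 and 13 is included as `enforce`.

```python
"""Worked example: rule generation, validation and enforcement (constructed data)."""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

AccessRecord = Tuple[str, str]  # (user, resource)

# Constructed historical access log for one resource. A real system would
# read these records from authentication/authorization audit logs.
HISTORICAL_ACCESSES: List[AccessRecord] = (
    [("alice", "payroll-db")] * 40
    + [("bob", "payroll-db")] * 35
    + [("carol", "payroll-db")] * 2   # rare accessor
    + [("dave", "payroll-db")] * 1    # one-off accessor
)


@dataclass(frozen=True)
class AccessRule:
    """Rule permitting a fixed set of users to reach one resource."""
    resource: str
    permitted_users: FrozenSet[str]

    def permits(self, user: str, resource: str) -> bool:
        return resource == self.resource and user in self.permitted_users


@dataclass
class ValidationResult:
    denial_rates: List[float]   # one per validation subset
    scores: List[float]         # one per validation subset
    cumulative_score: float
    valid: bool


def split_history(log: Sequence[AccessRecord], holdout_per_ten: int = 3
                  ) -> Tuple[List[AccessRecord], List[AccessRecord]]:
    """Hold out holdout_per_ten of every ten records as the validation set
    (a deterministic stand-in for a random split; the validation set is a
    subset of the historical data, as the claims require)."""
    training = [r for i, r in enumerate(log) if i % 10 >= holdout_per_ten]
    validation = [r for i, r in enumerate(log) if i % 10 < holdout_per_ten]
    return training, validation


def generate_rule(training: Sequence[AccessRecord], resource: str,
                  min_share: float = 0.05) -> AccessRule:
    """Permit each user whose share of training accesses to the resource is at
    least min_share; all other users are denied. min_share is an assumed
    parameter; the page only says frequent accessors are permitted."""
    counts = Counter(user for user, res in training if res == resource)
    total = sum(counts.values())
    if total == 0:
        return AccessRule(resource, frozenset())
    permitted = frozenset(u for u, n in counts.items() if n / total >= min_share)
    return AccessRule(resource, permitted)


def denial_rates(rule: AccessRule, validation: Sequence[AccessRecord],
                 n_subsets: int) -> List[float]:
    """Apply the rule to each of n_subsets contiguous slices of the validation
    requests directed at the rule's resource; return the denial rate per slice."""
    requests = [(u, r) for u, r in validation if r == rule.resource]
    size = -(-len(requests) // n_subsets)  # ceiling division
    rates = []
    for k in range(n_subsets):
        chunk = requests[k * size:(k + 1) * size]
        if not chunk:
            continue
        denied = sum(1 for u, r in chunk if not rule.permits(u, r))
        rates.append(denied / len(chunk))
    return rates


def validate_rule(rule: AccessRule, validation: Sequence[AccessRecord],
                  thresholds: Sequence[float], threshold_score: float
                  ) -> ValidationResult:
    """Score each subset's denial rate against its own threshold parameter
    (assumed scoring: excess over the threshold, 0 if under), sum the scores
    into a cumulative score, and accept the rule only if that score is below
    threshold_score."""
    rates = denial_rates(rule, validation, len(thresholds))
    scores = [max(0.0, rate - t) for rate, t in zip(rates, thresholds)]
    cumulative = sum(scores)
    return ValidationResult(rates, scores, cumulative, cumulative < threshold_score)


def enforce(rule: AccessRule, user: str, resource: str) -> str:
    """Enforcement of a deployed rule against a live request (Claims 6 and 13)."""
    return "permit" if rule.permits(user, resource) else "reject"


if __name__ == "__main__":
    training, validation = split_history(HISTORICAL_ACCESSES)
    thresholds = [0.1, 0.1, 0.1]  # one threshold parameter per subset (assumed)
    for share in (0.05, 0.45):    # a tolerant and an over-tight candidate rule
        rule = generate_rule(training, "payroll-db", share)
        result = validate_rule(rule, validation, thresholds, threshold_score=0.2)
        print(f"min_share={share}: permitted={sorted(rule.permitted_users)}, "
              f"denial rates={result.denial_rates}, "
              f"cumulative={result.cumulative_score:.2f}, valid={result.valid}")
```

With these inputs the tolerant rule permits alice and bob, denies nobody in any validation subset and is accepted; the over-tight rule permits only alice, so the later validation slices (where bob's requests concentrate) show denial rates of 0.5 and 1.0, the cumulative score exceeds the threshold score, and the rule is rejected before deployment, which is exactly the lock-out the validation step exists to catch.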
The prior art of Koottayi et al. (2018/0288063) does not explicitly disclose or suggest, “validating the access control rule against the validation data set prior to a deployment of the access control rule, where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value, wherein the validation data set is a subset of the historical access data; and where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value comprises applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets, scoring the denial rate level for each subset of the plurality of subsets to a corresponding one of a plurality of threshold parameter values to a score for each subset of the plurality of subsets, collecting the scores for each subset of the plurality of subsets to determine a cumulative score; and determining that the access control rule is valid if the cumulative score is below a threshold score value”.

The Non-patent literature of Musca (Title: Secure Access to Cloud Resources) teaches that because cloud computing involves dynamic resource allocation and many users who come and leave, traditional security mechanisms are not sufficient. The Cloud Computing platform used provides a simple security access control mechanism that resembles the UNIX permission system, which is Access Control List (ACL) based. By default, only the owner of the resource can use and manage it. The OpenNebula security system also supports groups and access control list rules. The access control list mechanism is an old security mechanism that has performance hits, storage inefficiency, lack of fine granularity and lack of support for the least privilege principle. The authors chose this platform as a base for their proposed framework, using the Role Based Access Control model to solve these problems. This model is easy to maintain because the security officer typically assigns roles to users and not permissions to roles.
The Non-patent literature of Musca (Title: Secure Access to Cloud Resources) does not teach or suggest, “validating the access control rule against the validation data set prior to a deployment of the access control rule, where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value, wherein the validation data set is a subset of the historical access data; and where the access control rule is determined to be valid if a denial rate level obtained from applying the access control rule to the validation data set is below a threshold parameter value comprises applying the access control rule to user access requests in a plurality of subsets of the validation data set that are directed toward the computer resource to obtain a denial rate level for each subset of the plurality of subsets, scoring the denial rate level for each subset of the plurality of subsets to a corresponding one of a plurality of threshold parameter values to a score for each subset of the plurality of subsets, collecting the scores for each subset of the plurality of subsets to determine a cumulative score; and determining that the access control rule is valid if the cumulative score is below a threshold score value”.

Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


7/28/2021
/J.E.J/Examiner, Art Unit 2439                



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439