DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 2/1/2019. Claims 1-27 are pending.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/15/2019, 2/23/2021, 3/18/2021, and 4/20/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner. However, the document numbers for entries #1-2 in the 3/18/2021 IDS and for entry #2 in the 4/20/2021 IDS are incorrect; therefore, the information referred to therein has not been considered.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-9 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because claim 1 recites “A system comprising: at least one processor to…”, which is considered software per se. The processor may be implemented as software or as a virtual processor. Although the Specification provides examples of the processor being implemented as hardware (Specification ¶94 & 131), the Specification discloses that the embodiments are illustrative and that the scope of the disclosure is not limited to them (Specification: ¶136). Therefore, applicant is advised to positively recite hardware components. The dependent claims inherit the deficiencies of the claim upon which they ultimately depend and are rejected as well.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3-4, 9-10, 12-13, 18-19, 21-22 and 27 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS).

Regarding claim 1, Argento teaches a system comprising: at least one processor to: 
receive training data and generate at least one machine learning rule based on the training data to apply when a condition occurs; ([Abstract] we present an approach based on machine learning to refine attribute-based access control policies in order to reduce the risks of users abusing their privileges. [p. 107, ¶3] We generated over 3000 behaviors, with almost an equal number of normal and anomalous instances. Intuitively, about 2000 behaviors were used for training, while the rest for testing.)
continually monitor at least one resource associated with a computing network for the condition in the computing network that may trigger an authorization control modification, ([Abstract] Our approach exploits behavioral patterns representing how users typically access resources to narrow the permissions granted to users when anomalous behaviors are detected. [p. 102, ¶2] our goal is to dynamically refine access control policies based on user behaviour monitored at run-time by narrowing granted privileges.) the condition comprising one of an active project that uses the at least one resource, a security alert level change, a resource locality change, metadata associated with the condition, a skill assessment, and a business state analysis; ([p. 101, last paragraph] These insider threats cannot be prevented by existing access control systems. The main problem lies in the fact that access control is static in the sense that the enforced access conditions do not change dynamically according to user behaviour. We argue that contextual features, such as the number of accesses and amount of accessed data, should be taken into account in access decision making.) Here Argento in 
determine that the condition has occurred in the computing network; and ([p. 105, ¶3] ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.)
dynamically and automatically modify a user authorization control for at least one particular user responsive to the machine learning rule. ([p. 105, ¶1&3] The DT outputs, hereafter called ML-rules, is used to bridge from the machine learning world to the actual refinement of access control policies. Therefore, ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.) In summary, Argento discloses “an approach based on machine learning to dynamically refine policies to prevent misconfiguration exploitation.” [p. 100, ¶3]

Regarding claim 3, Argento teaches all the features with respect to claim 1, as outlined above. Argento further teaches the at least one processor further to modify a level of the at least one user authorization control during one of a ransomware attack, a fire, and a change in a security alert level responsive to the machine learning rule. ([p. 103, ¶4] Behaviours represent how users are utilizing resources. They are defined in terms of the attributes forming access requests (i.e., user, resource and action) and of any contextual knowledge features that can be exploited by the access control system for decision making (e.g., working time, working location, types of activities). [p. 105, ¶3] ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.) Here 

Regarding claim 4, Argento teaches all the features with respect to claim 1, as outlined above. Argento further teaches the at least one processor further to modify a level of the at least one user authorization control during the active project responsive to the machine learning rule based on a previous level. ([p. 102, ¶2, 4, 5] dynamically refine access control policies based on user behaviour monitored at run-time by narrowing granted privileges. Assume that contextual features feature/NumberOfReadsPerHour and feature/BytesReadPerHour are monitored by the system and can be checked via new attributes in access rules. In particular, it is observed that every hour junior managers typically access at most 14 project documents for a total 345.6 KB. This knowledge can be exploited to refine policy1 as follows: policy2. Intuitively, policy2 narrows the access conditions of policy1 through contextual features by imposing additional constraints on how much and how often resources are typically accessed by junior managers. Consider, for instance, the case where Bob attempts to access 50 project documents within 10 min. Based on the updated policy, this behavior would be deemed as anomalous and thus denied, preventing Bob to access all documents.) Here Argento discloses modifying a level (from policy1 to policy2) based on previous level (typically access number for project documents and total bytes).
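As an added illustration of the policy1 to policy2 refinement cited above (constructed example code, not from Argento's paper or the present application; the Policy and Request classes, the feature names and the hourly-rate scaling of Bob's request are assumptions):

```python
"""Added example: an attribute-based access policy (policy1) refined with
contextual-feature caps learned from observed normal behaviour (policy2).
Constructed for illustration; not code from Argento or the application."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    role: str
    resource: str
    action: str
    # contextual constraints: feature name -> maximum permitted hourly value
    constraints: dict = field(default_factory=dict)


@dataclass
class Request:
    role: str
    resource: str
    action: str
    # observed contextual features for the requesting user (hourly rates)
    context: dict


def refine(policy, normal_behaviours):
    """Derive policy2 from policy1: cap each monitored feature at the largest
    value seen in normal behaviour (the '14 documents / 345.6 KB' knowledge)."""
    caps = {}
    for behaviour in normal_behaviours:
        for feature, value in behaviour.items():
            caps[feature] = max(caps.get(feature, 0), value)
    return Policy(policy.role, policy.resource, policy.action,
                  {**policy.constraints, **caps})


def decide(policy, request):
    """Permit only if the static attributes match and no contextual cap is exceeded."""
    if (request.role, request.resource, request.action) != \
            (policy.role, policy.resource, policy.action):
        return "deny"
    for feature, cap in policy.constraints.items():
        if request.context.get(feature, 0) > cap:
            return "deny"          # anomalous with respect to learned behaviour
    return "permit"


# Constructed training data: hourly features of normal junior-manager behaviour.
NORMAL = [
    {"NumberOfReadsPerHour": 9, "BytesReadPerHour": 210.0},
    {"NumberOfReadsPerHour": 14, "BytesReadPerHour": 345.6},   # KB
    {"NumberOfReadsPerHour": 11, "BytesReadPerHour": 300.2},
]
POLICY1 = Policy("junior_manager", "project_document", "read")
POLICY2 = refine(POLICY1, NORMAL)


def bob_request(documents, minutes, kb_per_document=24.0):
    """Bob attempts `documents` reads within `minutes`; scale to hourly rates
    (assumed per-document size is a constructed value)."""
    reads_per_hour = documents * 60 / minutes
    return Request("junior_manager", "project_document", "read",
                   {"NumberOfReadsPerHour": reads_per_hour,
                    "BytesReadPerHour": reads_per_hour * kb_per_document})


if __name__ == "__main__":
    req = bob_request(50, 10)              # 50 documents within 10 min
    print("policy1:", decide(POLICY1, req))  # permit: static attributes match
    print("policy2:", decide(POLICY2, req))  # deny: 300 reads/hour exceeds cap of 14
```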

Regarding claim 9, Argento teaches all the features with respect to claim 1, as outlined above. Argento further teaches the at least one processor further to receive the training data, analyze the training data, and generate the at least one machine learning rule, the training data comprising at least one of type of events during previous projects, a number of events during the previous projects, project durations, particular users that caused security events during the previous projects, permission access activity for the at least one particular user, computing environment security alert levels, system security audit logs, security event system logs, application logs, ransomware and cyber-attack monitors, data protection activities, network traffic, device monitoring feedback, and travel schedules for the at least one particular user. ([p. 107, ¶3] We generated over 3000 behaviors, with almost an equal number of normal and anomalous instances. Intuitively, about 2000 behaviors were used for training, while the rest for testing.)

Regarding claims 10, 12-13, 18-19, 21-22 and 27, the scope of the claims is similar to that of claims 1, 3-4 and 9, respectively. Accordingly, the claims are rejected using a similar rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 5, 8, 11, 14, 17, 20, 23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS) in view of Carroll (US 20030046550 A1).

Regarding claim 2, Argento teaches all the features with respect to claim 1, as outlined above. Argento further teaches the at least one processor further to modify … of the at least one user authorization control during one of a ransomware attack, a fire, and a change in a security alert level responsive to the machine learning rule. ([p. 103, ¶4] Behaviours represent how users are utilizing resources. They are defined in terms of the attributes forming access requests (i.e., user, resource and action) and of any contextual knowledge features that can be exploited by the access control system for decision making (e.g., working time, working location, types of activities). [p. 105, ¶3] ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.) Here Argento discloses policy refinement/modification depending on change of working location, which is analogous to claim limitation “change in a security alert level” because the user may be accessing the network from less secure locations.
But Argento does not teach modifying a duration of the at least one user authorization control. This aspect of the claim is identified as a difference.
However, Carroll in an analogous art explicitly teaches
modify a duration of the at least one user authorization control. ([0022-0023] The broadcast object 112 monitors selected conditions pertinent to determining the satisfaction of conditions of authorization required of the user 100, and sends information such as notifications of changes in the selected conditions to its registered listeners. The broadcast object 112 may send information in a predetermined schedule.) Here Carroll discloses the broadcast object sending information to change access based on predetermined intervals of time.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “adaptive access control” concept of Argento and the “dynamic control of authorization” approach of Carroll. One of ordinary skill in the art would have been motivated to perform such a modification to provide an efficient way to dynamically manage authorization to access Internet services by enabling the termination of earlier-authorized access when conditions change, as well as by granting and denying access (Carroll [0012]).

Regarding claim 5, Argento teaches all the features with respect to claim 1, as outlined above. Argento in view of Carroll further teaches the at least one processor further to modify a duration of the at least one user authorization control during the active project responsive to the machine learning rule based on a previous duration. ([Argento p. 102, ¶4&5] In particular, it is observed that every hour junior managers typically access at most 14 project documents for a total 345.6 KB. This knowledge can be exploited to refine policy1 as follows: policy2. Intuitively, policy2 narrows the access conditions of policy1 through contextual features by imposing additional constraints on how much and how often resources are typically accessed by junior managers. Consider, for instance, the case where Bob attempts to access 50 project documents within 10 min. Based on the updated policy, this behavior would be deemed as anomalous and thus denied, preventing Bob to access all documents. [Carroll 0023] The broadcast object 112 may send information in an event-driven manner according to changes in the selected conditions, or periodically, or aperiodically according to a predetermined schedule.) Here Reference Argento discloses modifying a level (frequency of access, amount of data) based on previous level (typically access number for project documents and total bytes). Reference Carroll discloses 

Regarding claim 8, Argento teaches all the features with respect to claim 1, as outlined above. Argento in view of Carroll further teaches the at least one processor further to receive an authentication and access control request from a user of a client computing device and determine if the user of the client computing device is authorized to access a computing resource based on the user authorization control. ([Carroll 0018-0019] One purpose of the session object 114 is to identify the user 100 and its characteristics and privileges to the server 110 and to the application program 118 that is executed by the server 110 to provide the service selected by the user 100. Consequently, the session object 114 may contain authorization-to-access information, including conditions of authorization, that describe privileges of the user 100 to access (or not) the N services provided by the server 110. Once a session is established, the user 100 selects a service to be provided by the server 110, and the server 110 receives a request from the user 100 to access the selected service (step 215). The server 110 then consults the session object 114 to determine whether the session object 114 includes authorization to access the selected service (step 220).)

Regarding claims 11, 14, 17, 20, 23 and 26, the scope of the claims is similar to that of claims 2, 5 and 8, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 6-7, 15-16 and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS) in view of Parimi (US 20170295197 A1).

Regarding claim 6, Argento teaches all the features with respect to claim 1, as outlined above. But Argento does not teach the at least one processor further to determine that a number of events decrease over a period of time and shorten a duration of the at least one user authorization control responsive to the machine learning rule. This aspect of the claim is identified as a difference.
However, Parimi in an analogous art explicitly teaches the at least one processor further to determine that a number of events decrease over a period of time and shorten a duration of the at least one user authorization control responsive to the machine learning rule. ([0040-0041] The method dynamically adjusts access privileges 110 to at least one of the set of heterogeneous cloud-based services based on the monitoring of the activity of the user 104 over the period of time. The adjustment to the access privileges 110 may include a revocation 1800 and/or a grant 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services. The adjustment to the access privileges 110 may include a revocation 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services when the monitored activity of the user indicates that the user 104 does not access the particular service within the period of time.) Here Parimi discloses an example of determining privileges (claim limitation “a duration of the at least one user authorization control”) based on activity of the user over the period of time (claim limitation “a number of events over a period of time”). Decreasing user activity indicates a less trustworthy user, resulting in fewer privileges (a shortened duration of the user authorization control).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “adaptive access control” concept of Argento and the “dynamic user privileges” approach of Parimi. One of ordinary skill in the art would have been motivated to perform such a modification to improve infrastructure security by adopting policies to prevent and/or monitor unauthorized access, misuse, modification, and/or denial of the computer (Parimi [0003]).

Regarding claim 7, Argento teaches all the features with respect to claim 1, as outlined above. Argento in view of Parimi further teaches the at least one processor further to determine that a number of events increase over a period of time and increase a duration of the at least one user authorization control responsive to the machine learning rule. ([Parimi 0040-0041] The method dynamically adjusts access privileges 110 to at least one of the set of heterogeneous cloud-based services based on the monitoring of the activity of the user 104 over the period of time. The adjustment to the access privileges 110 may include a revocation 1800 and/or a grant 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services.) Here Parimi discloses an example of determining privileges (claim limitation “a duration of the at least one user authorization control”) based on activity of the user over the period of time (claim limitation “a number of events over a period of time”). Increasing user activity indicates a more trustworthy user, resulting in more privileges (an increased duration of the user authorization control).

Regarding claims 15-16 and 24-25, the scope of the claims is similar to that of claims 6-7, respectively. Accordingly, the claims are rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 10999290 B2, "Dynamic authorization control system and method", by Spurlock, teaches to continually monitor at least one resource associated with the computing 
US 20210250362 A1, "Dynamic authorization control system and method", by Spurlock, teaches to continually monitor at least one resource associated with a computing network for a condition in the computing network that may trigger an authorization control modification, determine that the condition has occurred in the computing network, and dynamically and automatically modify a user authorization control for at least one particular user responsive to the condition.
US 20080319999 A1, "Techniques for project lifecycle staged-based access control", by Simpson, teaches that access control rights are defined for a stage of a project's lifecycle. As requestors transition to the stage, the access control rights are enforced on top of any existing security restrictions. In an embodiment, selective resources are not visible to requesters within the stage in response to the access control rights.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493


/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493