DETAILED ACTION

Currently pending claims are 1 – 33.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/17/2022 has been entered.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 12, 14 – 30 & 32 – 33 are rejected under 35 U.S.C.103 as being unpatentable over Martinez et al. (U.S. Patent 9,069,599), in view of Seo et al. (U.S. Patent 2019/0065711).  


1, 18 & 19, Martinez teaches a  method for hardening cloud security policies of a cloud computing platform, comprising: 
gathering cloud activity logs from at least the cloud computing platform, wherein the cloud computing platform includes a plurality of cloud entities (Martinez: Figure 10 / E-20, E-1012 & Col. 28 / Line 62 – 64 / Line 52 – 6, Col. 42 Line 1 – 7 / Line 29 – 31 and Col. 4 Line 42 – 49: (a) a plurality of cloud entities can be provisoned across (e.g.) a secure public cloud, a private cloud, a SaaS (Service as a Software) cloud service provider, and etc. from a cloud computing platform (FIG. 10), and (b) monitoring the activities on the cloud computing platform based on respective security policies including cloud resource access permision policy, resource utilization (usage) policy and etc., i.e. cloud resource permission and usage policies as a whole);   
gathering a plurality of cloud security policies provisioned to protect the cloud entities (Martinez: see above: configuring a plurality of security policies to monitor and protect the cloud entities of the cloud computing platform, wherein the  the security policies including cloud resource access permision policy, resource utilization (usage) policy (i.e. cloud resource permission and usage policies, and etc., i.e. cloud resource permission and usage policies as a whole).  
However, Martinez does not disclose expressly generating a permission usage map. 
Seo (& Martinez) teaches for each of the plurality of cloud security policies, generating a permission usage map, wherein the permission usage map represents the permissions granted to each cloud entity and the permissions used by each cloud entity (Martinez: see above) || (Seo: Figure 8 & 6, Para [0125] – [0129], Para [0146] – [0147], Para [0056] / [0128] and Para [0125]: effectively and securely controll a permission of an application entity within a cloud computing environment for an electronic device that provides a requested function (service) by creating a permission usage map in a permission database with a fomat of a permission matrix that specifies permissions granted to each cloud entity (activity) for a particular application (e.g. permissions 1 – 5) and the permissions actually used by each cloud activity entity (see above) (e.g. only permission 3 – 5 are actually used by application entity C and permission 1, 2 & 5 are actually used by application entity B depending on the operating state of the application (see Seo: FIG. 8) – for example, some permissions are provisioned but may not be required (i.e. not actually used yet) during the normal operating state after installation (or downloading) (Seo: Figure 8 & 6, and Para [0147], Para [0125] – [0129] and Para [0146]) – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: FIG. 4B & FIG. 4C)) and thus, Seo in summary teaches:
(a) Seo teaches an electronic device can provide a requested function (service) in a cloud computing environment by processing the received result as it is or with additional elements (Seo: Para [0056] Line 17 – 20) and thus such a distributed network computing system constitutes one type of cloud computing platforms; besides, 
(b) Seo teaches a list of different permissions (1, 2, 3, 4 & 5) associated with an application of the electronic device in a cloud computing environment can be configured by different activities (A, B & C) of the application (Seo: Para [0125] Line 4 – 7) and thus a plurlaity of cloud application activities of a cloud application in the cloud computing environment constitute a plurality of cloud entities; 
(c) Seo teaches collecting cloud activity records from a plurality of cloud application activities (i.e. a plurality of cloud entities (see above)) in a cloud computing system platform) (Seo: Para [0056] / [0128] and Para [0125]); and
(d)  Seo teaches managing various permission policies (permission control schemes) of a cloud application dependeing, for example, on the operating state of the cloud application entity, or regarding a type of accessed resource such as sensitive personal data (user’s contacts) or hardware component (camera) (Seo: Figure 6 / E-660 & Para [0146] – [0147] and Par [0129] / [0132]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of generating a permission usage map because Seo teaches to alternatively, effectively and securely controll a permission of an application entity within a cloud computing environment for an electronic device that provides a requested function (service) by creating a permission usage map in a permission database, wherein the permission usage map is presented with a fomat of a permission matrix that specifies permissions granted to each cloud entity (activity) for a particular application while the permissions actually used are depending on the operating state of the application (see Seo: FIG. 8) within the Martinez’s system of monitoring the activities on the cloud computing platform based on respective security policies including cloud resource access permision policy, resource utilization (usage) policy and etc., i.e. cloud resource permission and usage policies as a whole (see above). 
analyzing the permission usage map to discover at least one hardening gap, wherein each hardening gap is at least a difference between permissions granted and permissions used by a cloud entity (Martinez: see above) || (Seo: see above & Figure 8 and Para [0125] – [0129]: analyzing a hardening gap of various differences to improve security (i.e. for risk reduction) between permissions granted to a cloud activity and permissions used by a cloud entity (see immediate above) depending on the operating state of the respective application); 
for each discovered hardening gap, computing a risk score designating a potential risk reduction achieved by addressing the hardening gap (Martinez: see above) || (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: (a) different protection level corresponding to various levels of risk reduction (security improvement)  in accordance with different risk scores designating a potential risk reduction and (b) addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) reading user’s contacts information, (ii) accessing a camera in the backgroun state of the application to prevent from operating maliciously or (iii) sending a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])); 
generating at least one hardening recommendation for the at least one hardening gap and its respective computed risk score (Martinez: see above) || (Seo: see above & Para [0150] and Para [0134]: (e.g.) (a) providing a hardening recommendation to reduce the risk by sending a notification when a permission is used in the background state, which can be changed later with a user input (which could be first implemented as a defaut configuration / predefined rule) and (b) suggesting the device to restrict a combination with a particular dangerous permission in the backgroun state); and 
applying the at least one hardening recommendation to the respective cloud security policy, thereby hardening the cloud computing platform (Martinez: see above) || (Seo: see above).  

As per claim(s) 2 – 3, 10, 16 – 17 and 20 – 21, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 4 and 22, Martinez as modified teaches wherein each permission usage map is a matrix of combinations of permissions and cloud entities of the plurality of cloud entities, wherein each cell in the matrix designates usage of a permission by at least one of the respective cloud entities (Martinez: see above) || (Seo: Figure 8 & 6, Para [0125] – [0129] and Para [0146] – [0147]: creating a permission usage map in a permission database with a fomat of a permission matrix that specifies permissions granted to each cloud entity (activity) for a particular application (e.g. permissions 1 – 5) and the permissions actually used by each cloud activity entity (see above) (e.g. only permission 3 – 5 are actually used by application entity C and permission 1, 2 & 5 are actually used by application entity B depending on the operating state of the application (see Seo: FIG. 8) – for example, some permissions are provisioned but may not be required (i.e. not actually used yet) during the normal operating state after installation (or downloading) (Seo: Figure 8 & 6, and Para [0147], Para [0125] – [0129] and Para [0146]) – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: FIG. 4B & FIG. 4C)).  

As per claim 5 and 23, Martinez as modified teaches wherein the permission usage map further maintains a traceback of information to the policy units that were involved in granting the permissions (Martinez: see above) || (Seo: see above & Figure 7 / 8: (e.g.) based on different application activity entities).  

As per claim 6 – 7 and 24 – 25, Martinez as modified teaches complementing (or as a part of an alternative means) the permission usage map with future usage permissions and risk information (Martinez: see above) || (Seo: see above & Figure 8 & Para [0134] Last sentence and Para [0126]: an application is granted with (e.g.) a 1st and a 2nd permissions – however, the 2nd permission is a future usage permission, which is a permission that has been granted to a cloud entity but has not been used yet when considering the risk factor to combine the usages together between the 1st permission and the 2nd permission that would be dangerous to increase the risk level – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0091] / [0092]: alternatively (or complememtarily) including a future usage permission together with a risk information).  

As per claim 8 and 26, Martinez as modified teaches learning permission usage patterns of cloud entities of different cloud environments, wherein the usage patterns are utilized to derive the future usage permissions (Martinez: see above) || (Seo: see above and Para [0057] Last sentence, Para [0147] and Para [0056]: analyzing permission usage patterns of cloud entities such as installation of an application may present permissions allowed by a user used in a background state; but, it may not be required (i.e. not used yet after the installation state) including downloading applications from other cloud services (servers) – this constitutes a future usage permission because (e.g.) some permissions are provisioned but may not be required (i.e. not actually used yet) during the normal operating state after installation (or downloading) (Seo: para [0147]) – this is also consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0004]).  

As per claim 9 and 27, Martinez as modified teaches deriving, from the complemented permission usage map, at least one of a risk metric and an exposure metric, wherein the risk metric and the exposure metric indicate a hardening level of the cloud security policy (Martinez: see above) || (Seo: see above & Figure 8 and Para [0127] – [0130]: (a) various protection levels, as taught by Seo, corresponding to various applicable hardening levels of the cloud security policy (Seo: Para [0127]) and (b) the matrix of the permission usage map (FIG. 8), by itself, represents a combination of an exposure metric and a risk metric when considering the usage (exposure) of permissions associated potential risk factors).  

As per claim 10 and 28, Martinez as modified teaches iterating through policy units defined in the cloud security policy;Page 23 of 29RADW P1422 for each policy unit, extracting a permission usage map scoped at the policy unit; and discovering hardening gaps in each scoped permission usage map (Martinez: see above) || (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: for each of different security control schemes (policies), addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) the security control scheme w.r.t. reading user’s contacts information (sensitive personal data resource)  , as well as (ii) the security control scheme w.r.t. accessing a camera (hardware component resource)  in the backgroun state of the application to prevent from operating maliciously or alternatively, a permission control scheme (policy) to (iii) send a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])).  

As per claim 11 – 12 and 29 – 30, Martinez as modified teaches applying a set of predefined rules, wherein each rule maps each type of a discovered hardening gap to at least one hardening recommendation (Martinez: see above) || (Seo: see above & Para [0134] and Para [0150]: (e.g.) (a) suggesting the device to restrict a combination with a particular dangerous permission in the backgroun state or (b) providing a defaut configuration / predefined rule (as a recommendation) to send a notification when a permission is used in the background state, which can be changed later with a user input).  

As per claim 14 and 32, Martinez as modified teaches associating each hardening recommendation with a value and cost, wherein the value of a hardening recommendation is an expected reduction in risk achieved by the hardening recommendation, and the cost hardening recommendation factors at least a complexity of implementing the hardening recommendation (Martinez: see above) || (Seo: see above & Para [0132]: (e.g) to allow accessing camera only in the foreground state and prevent the access in the beckground state – this can reduce the risk level, however, it’s compensated with an implementation cost to allow freely access a camera function of the application).  

As per claim 15 and 33, Martinez as modified teaches producing candidate hardening recommendations for the discovered hardening gaps; associating each hardening recommendation with score, wherein the score is based on a value and cost associated with the respective hardening recommendation; and selecting a hardening recommendation based on the respective score (Martinez: see above) || (Seo: see above & Para [0127] – [0130], Para [0132] / [0118] and Para [0150]: (a) different protection level corresponding to various levels of risk reduction in accordance with different risk score designating a potential risk reduction and (b) addressing the hardening gap w.r.t. a dangerous permission by increasing the protection level (i.e. risk reduction) when restricting, for example, (i) reading user’s contacts information, (ii) accessing a camera in the backgroun state of the application to prevent from operating maliciously or (iii) a hardening recommendation to reduce the risk by sending a notification when a permission is used in the background state, which can be changed later with a user input to reduce the risk exposures (Seo: Para [0150])).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 13 and 31 are rejected under 35 U.S.C.103 as being unpatentable over Martinez et al. (U.S. Patent 9,069,599), Seo et al. (U.S. Patent 2019/0065711), and in view of Matsuda et al. (U.S. Patent 2006/0005228).  

As per claim 13 and 31, translating the at least one hardening recommendation into a script of policy change instructions supported by a respective cloud entity of the plurality of cloud entities (Martinez | Seo: see aove) || (Matsuda: Para [0005]: translating a security criteria (i.e. security improvement recommentation) from a 1st format of natural language description into a 2nd format of device-specific language of a script in one-to-one correspondence).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of translating a security hardening recommendation into a script of policy change instructions because Matsuda teaches to alternatively, effectively and securely translating a security criteria (i.e. security improvement recommentation) from a 1st format of natural language description into a 2nd format of device-specific language of a script in one-to-one correspondence (see above) within the Martinez’s system of providing a security enhancement by monitoring the activities on the cloud computing platform based on respective security policies including cloud resource access permision policy, resource utilization (usage) policy and etc., i.e. cloud resource permission and usage policies as a whole (see above).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2288 – 2022
---------------------------------------------------