DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 1/14/2022. Applicant cancelled claims 2 and 14. Claims 1, 3-13 and 15-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/19/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
The arguments/remarks filed by the applicant on 1/14/2022 have been fully considered and are responded in the following.

Applicant's amendments to the claims have overcome the objections previously set forth in the Non-Final Office Action mailed 10/14/2021. All previous objections have been withdrawn.

Applicant's arguments regarding the 35 USC § 102 rejection of amended independent claim 1 have been fully considered but they are not persuasive. Applicant states that ‘In particular, the cited reference does not teach or suggest a method including (d) "preventing access to the one or more resources by applications executable outside the second portion of memory by an access control module of an operating system of the computing device". The Office Action, on page 10, cited Pars. [0029] and [0030] of Birch as teaching this feature. However, while Pars. [0029] and [0030] may teach blocking access to back end storage 214 from a data center 220 or "any device or entity other than front end service 212," there is no indication that this prevention of access is performed "by an access control module of an operating system of the computing device." Indeed, Par. [0029] makes it quite clear that the blocking access to data 216 is performed by the back end service 214 and not by some other application, such as an "access control module of an operating system," as claimed. (p. 10, ¶4)’ In response to applicant's arguments, the examiner respectfully disagrees. In particular, reference Birch discloses that “Some embodiments may comprise an article of manufacture. An article of manufacture may comprise a storage medium to store logic. … Examples of the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof.” (¶76) Therefore, the “preventing outside access to resources” can be implemented as “access control module of an operating system”, if it is desired. Similar rationale applies for claim 13 and 20 (p. 12, ¶3).

Applicant’s arguments, ‘claim 5, as amended, includes additional features, namely that (1) "the computing device, on which the first and second applications are executable, is a client device" and (2) "the first application operates to provide the computing device with client access to a remote cloud service running on the other device". The Office Action, on page 11, cited Pars. [0073]-[0074] and Fig. 8 of Birch as teaching the limitations of claim 5 prior to the current amendment. The cited portions teach that the data service 210 may be implemented by one or more servers 804 that are connected to clients 802. It should be noted that data service 210 includes front end service 212 and back end storage 214, which were identified as the claimed first application and second application, respectively, in the rejection of claim 1. Thus, the cited portions actually teach quite the opposite arrangement of what is now claimed (due to the amendment), since (1) "the computing device, on which the first and second applications are executable, is a client device," as claimed, but front end service 212 and back end storage 214 are now shown to be part of a server 804 that serves clients 802. This is further emphasized by the fact that the claim notes that "the computing device" is provided with "client access to a remote cloud service running on the other device." Thus, claim 5, as amended, is not taught or suggested by the cited art.’, see p. 11, ¶3, filed 1/14/2022, with respect to the amended claim overcoming the cited prior art references of the rejection of claim 5 under 35 USC § 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new grounds of rejection – as necessitated by amendment – is made in view of previously cited prior art Van Camp. Please refer to "Claim Rejections - 35 USC § 103" section below for detail analysis.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 3-11, 13, 15-18 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7 of U.S. Patent No. 10587625. Although the claims at issue are not identical, they are not patentably distinct from each other because claims of the 10587625 contain .
Claims 12 and 19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10587625 in view of U.S. Patent No. 10771468. It would have been prima facie obvious to combine 10587625 and 10771468. One of ordinary skill in the art would have been motivated to perform such a modification to provide an efficient mechanism for using remote computing resources offered through a shared-resource environment, so users do not have to purchase and maintain dedicated hardware and software, and instead can pay for only those resources that are utilized at any given time (Walker [Col 1, Line 6-11]). Please refer to Claim Rejections - 35 USC § 103 section for detailed analysis.

A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a 35 patent claim to a species within that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).

Instant Application No. 16793433
US patent 10587625


1. A method comprising:




receiving, by a first application executable in a first portion of memory of a computing device, an instruction from another device, the instruction directing the computing device to access one or more resources of the computing device, the one or more resources being on a protected portion of the computing device;



receiving, by a second application executable in a second portion of the memory of the computing device, a request to carry out the received instruction, the request including an identifier that identifies the first application as a source of the request, and the second application being isolated from applications executable in the first portion aside from the first application;




providing, by the computing device, the second application with access to the one or more resources to accomplish the received instruction; and













preventing access to the one or more resources by applications executable outside the second portion of memory by an access control module of an operating system of the computing device.

Similar rationale for claim 13 and 20.


receiving, by a frontend service running on the client computing device, an instruction from a remote application running on a remote cloud server via a network connection, the instruction directing the client computing device to perform an operation involving accessing the set of protected resources of the client computing device, the set of protected computing resources being configured to refuse access to the frontend service;

in response to receiving the instruction from the remote application, sending a request from the frontend service running on the client computing device to a backend service running on the client computing device, the request instructing the backend service to access the set of protected resources of the client computing device, the backend service being configured to not communicate via the network connection, the set of protected computing resources being configured to permit access to the backend service;

in response to the backend service receiving the request from the frontend service, the backend service accessing the set of protected resources of the client computing device in fulfillment of the operation; and

the frontend service providing a client user of the client computing device with access to the remote application running on the remote cloud server across the network connection.

2. The method of claim 1 wherein the client computing device is configured with an access control mechanism, the access control mechanism being configured to:
permit the backend service to receive requests only from the frontend service; and
permit the set of protected resources of the client computing device to be accessed only by the backend service.




Similar rationale for claim 15.


the set of protected resources of the client computing device are configured to refuse access except to the backend service.

1. A method of performing operations involving accessing a set of protected computing resources of a client computing device, the method comprising:
…
in response to the backend service receiving the request from the frontend service, the backend service accessing the set of protected resources of the client computing device in fulfillment of the operation; and
…
5. The method of claim 1 wherein: 




the computing device, on which the first and second applications are executable, is a client device;



the first application operates to provide the computing device with client access to a remote cloud service running on the other device.

Similar rationale for claim 16.
1. A method of performing operations involving accessing a set of protected computing resources of a client computing device, the method comprising:
…
in response to receiving the instruction from the remote application, sending a request from the frontend service running on the client computing device to a backend service running on the client computing device, …
…
the frontend service providing a client user of the client computing device with access to the remote application running on the remote cloud server across the network connection.
6. The method of claim 1 wherein the method further comprises operating the second application to:
check data of individual requests received from the first application for validity; and

access the one or more resources in response to validation of data of individual requests.

Similar rationale for claim 17.
4. The method of claim 1 wherein:


the method further comprises the backend service checking data of the request for validity; and

the backend service accesses the set of protected resources of the client computing device in fulfillment of the operation only in response to the backend service validating the request.
7. The method of claim 6,
wherein the instruction directs the computing device to download a software package 


wherein the request instructs the second application to install the software package on the one or more resources; and







wherein the check of data of individual requests received from the first application for validity includes verification of the remote source as a trusted source.

the instruction directs the client computing device to download a software package from a 

the request instructs the backend service to install the software package on the set of protected resources of the client computing device, the software package having been downloaded from the remote source by the frontend service, the software package bearing a cryptographic signature; and

the backend service checking data of the request for validity includes:
verifying that the remote source is a trusted source; and
verifying that the downloaded software package bears a valid cryptographic signature from the trusted source.

wherein the instruction directs the computing device to download a software package from a remote source and to install the software package on the one or more resources;


wherein the request instructs the second application to install the software package on the one or more resources, the software package including a cryptographic signature; and








wherein the check of data of individual requests received from the first application for validity includes verification of the cryptographic signature.
5. The method of claim 4 wherein:
the instruction directs the client computing device to download a software package from a remote source and to install the software package on the set of protected resources of the client computing device;

the request instructs the backend service to install the software package on the set of protected resources of the client computing device, the software package having been downloaded from the remote source by the frontend service, the software package bearing a cryptographic signature; and

the backend service checking data of the request for validity includes:
verifying that the remote source is a trusted source; and
verifying that the downloaded software package bears a valid cryptographic signature from the trusted source.
9. The method of claim 6,
wherein the instruction directs the computing device to stop execution of a process that includes use of the one or more resources;

wherein the request instructs the second 

wherein the check of data of individual requests received from the first application for validity includes verification of ownership of the process.

the instruction directs the client computing device to kill a process within the set of protected resources of the client computing device;

the request instructs the backend service to 

the backend service checking data of the request for validity includes verifying that the process is owned by the frontend service.

checking, by the first application, data of the instruction for validity; and

sending the request to carry out the received instruction to the second application in response to validation of the data.
7. The method of claim 4 wherein:
the method further comprises the frontend service checking data of the instruction for validity; and




sending the request from the frontend service to the backend service is performed in response to the frontend service validating the data of the instruction.
11. The method of claim 1 wherein the method further comprises:
a third application executable in the first portion of memory of the computing device sending another request to access the one or more resources to the second application; and
operating the second application to refuse the other request.

Similar rationale for claim 18.
3. The method of claim 1 wherein:

the backend service is configured to refuse any received request unless it is from the frontend service; and
the set of protected resources of the client computing device are configured to refuse access except to the backend service.
12. The method of claim 1 wherein the method further comprises:
receiving, by the first application, another instruction from the other device, the other instruction directing the computing device to access another resource of the computing device, the other resource being on an unprotected portion of the computing device; and
providing, by the computing device, the first application with access to the other resource to accomplish the received other instruction without use of the second application.

Similar rationale for claim 19.
Claim 1 of U.S. Patent No. 10587625 in view of U.S. Patent No. 10771468.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claim 1, 3-4, 6, 10-11, 13, 15, 17-18 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Birch (US 20130167200 A1).

Regarding claim 1, Birch teaches a method comprising: 
receiving, by a first application executable in a first portion of memory (FIG. 7 system memory 706) of a computing device, (FIG. 2 front end service 212 in data service 210) an instruction from another device, the instruction directing the computing device to access one or more resources (FIG. 2 data 216) of the computing device, the one or more resources being on a protected portion of the computing device; ([0003] The front end service may receive a request from a client in the data center to access a back end storage. [0018] Data service may be implemented with a cloud computing model. In a cloud computing model, the applications and/or data storage may be implemented across many for data or for a job that is protected by a secret, front end service 400 may retrieve…” in ¶42.
receiving, by a second application executable in a second portion of the memory of the computing device, (FIG. 2 back end storage 214 in data service 210) a request to carry out the received instruction, the request including an identifier that identifies the first application as a source of the request, and the second application being isolated from applications executable in the first portion aside from the first application; (FIG. 5: receive a request at the front end service to access the back end storage from a client in the data center at block 504; access the back end storage from the front end service using the secret generated for the data center at block 506. [0014] Data centers may access data and data-related services from the back end data store through the front end service.) Here isolation of back end storage 214 is apparent in FIG. 2. Because Birch discloses “front end service 212 may be the only process that can access back end storage 214” in ¶27, it can be concluded that an identifier that identifies the source is included in the request so that back end storage can decide if it is front end service and provide access accordingly. In addition, claim 2 of Birch reciting “wherein accessing the back end storage comprises executing a process on the back end storage”; therefore, accessing back end storage is analogous to executing back end storage process/application.
providing, by the computing device, the second application with access to the one or more resources to accomplish the received instruction; and (FIG. 5: return the result of accessing the back end storage to the client at block 508.)
preventing access to the one or more resources by applications executable outside the second portion of memory by an access control module of an operating system of the computing device. ([0029, 0030] Back end storage 214 may include data 216 and secrets 218. Secrets 218 may include any secret information that may be used to access data 216, without which data 216 cannot be accessed. only back end storage 214 can access data 216 directly. This is analogous to the claimed limitation “preventing access to resources by applications executable outside the second portion of memory”. In addition, reference Birch discloses that “Some embodiments may comprise an article of manufacture. An article of manufacture may comprise a storage medium to store logic. … Examples of the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof.” (¶76) Therefore, the “preventing outside access to resources” can be implemented as “access control module of an operating system”, if it is desired.

Regarding claim 3, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches wherein the second application communicates with devices external to the computing device only via the first application. ([0027] front end service 212 may be the only process that can access back end storage 214.)

Regarding claim 4, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches wherein the first application fulfills the instruction from the other device with reference to the request having been accomplished by the second application accessing the one or more resources. (FIG. 5: access the back end storage from the front end service using the secret 

Regarding claim 6, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches wherein the method further comprises operating the second application to:
check data of individual requests received from the first application for validity; and ([0014] Data centers may access data and data-related services from the back end data store through the front end service. Secrets, e.g. passwords and certificates, are needed to access secure data.) Here Birch discloses back end data store checking “secrets” to ensure the validity of the request.
access the one or more resources (FIG. 2 data 216) in response to validation of data of individual requests. ([0029, 0030] Back end storage 214 may include data 216 and secrets 218. Secrets 218 may include any secret information that may be used to access data 216, without which data 216 cannot be accessed. There is just one copy of secrets 218 in one location (back end storage 214).) Here Birch discloses that data 216 is accessible only after back end storage 214 checking request against secrets 218 to ensure the validity of the request.

Regarding claim 10, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches wherein the method further comprises, in response to the first application receiving the instruction from the other device: 
checking, by the first application, data of the instruction for validity; and (FIG. 4: block diagram of a front end service 400, with a validating module 440. [0045] Validating module 440 may be used to validate a request. If a request is for data that the requesting data center does not have access privileges for, the request may be invalid.)
sending the request to carry out the received instruction to the second application in response to validation of the data. (FIG. 6: After “determine whether the data center is authenticated in block 604” and “determine whether the request was valid at block 608”, logic flow may “fulfill the request in block 616”.) In block 616, the front end service makes the request to back end storage to access data 216, as described in [0058 & 0051].

Regarding claim 11, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches a third application executable in the first portion of memory of the computing device sending another request to access the one or more resources to the second application; and operating the second application to refuse the other request. ([0027] front end service 212 may be the only process that can access back end storage 214. [0029] Back end storage 214 may block any attempt to access it by any device or entity other than front end service 212.) Therefore, request from any other process, such as third application, will be refused by back end storage accordingly.

Regarding claims 13, 15, 17-18 and 20, the scope of the claims are similar to that of claims 1, 3, 6 and 11 respectively. Accordingly, the claims are rejected using a similar rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary 

Claim 5, 7-8, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Birch (US 20130167200 A1) in view of Van Camp (US 20110078675 A1).

Regarding claim 5, Birch teaches all the features with respect to claim 1, as outlined above. But Birch does not teach the computing device, on which the first and second applications are executable, is a client device; the first application operates to provide the computing device with client access to a remote cloud service running on the other device. This aspect of the claim is identified as a difference.
However, Van Camp in an analogous art explicitly teaches 
the computing device, on which the first and second applications are executable, is a client device; ([0014] The client application in at least some of these embodiments includes a front-end module (analogous to claim limitation “first application”) operating in the DMZ and a back-end module (analogous to claim limitation “second application”) operating in the specialized network layer. The front-end module communicates with the server application to request information regarding the available software updates and/or the actual software updates as downloadable objects. The back-end module in turn communicates with the front-end module to retrieve the software updates and the metadata from the DMZ, decrypt and decompress the retrieved software updates and the metadata if required, and initiate automatic installation of the software updates in the specialized network layer. [0045] the client application 16 need not necessarily include two separate modules as is the case in the example embodiments illustrated in FIGS. 1 and 2. For example, some customer systems may not implement a secure network layer at all, and the client application 16 in these embodiments could a single module with the combined functionality of the modules 18 and 20 discussed above.) Indeed, it would be obvious to duplicate the functions (data service 210 including front end service 212 and back end storage 214) disclosed by Birch in a client device if it is desired; See MPEP 2144.04(VI)(B).
the first application operates to provide the computing device with client access to a remote cloud service running on the other device. ([0014] The front-end module communicates with the server application to request information regarding the available software updates and/or the actual software updates as downloadable objects.) Here reference Van Camp discloses that the front-end module (analogous to claim limitation “first application”) of the client provides access to remote server (analogous to claim limitation “remote service running on the other device”). Reference Birch discloses the remote server being implemented with a cloud computing model (Birch ¶18). Therefore, the combination discloses the entire limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “front end service for a back end data store” concept of Birch, and the “deployment of software update” approach of Van Camp. One of ordinary skill in the art would have been motivated to perform such a modification because periodic updates of antivirus software can reduce threats of electronic attacks and increase cyber protection (Van Camp [0004]).

Regarding claim 7, Birch teaches all the features with respect to claim 6, as outlined above. But Birch does not teach wherein the instruction directs the computing device to download a software package from a remote source and to install the software package on the one or more resources; wherein the request instructs the second application to install the software package on the one or more resources; and wherein the check of data of individual requests received from the first application for validity includes verification of the remote source as a trusted source. This aspect of the claim is identified as a difference.
explicitly teaches 
wherein the instruction directs the computing device to download a software package from a remote source and to install the software package on the one or more resources; ([0013] A software update system deploys approved software updates to a customer system so that the approved software updates can be safely installed. The software update system may include a client application downloadable, and a server application to manage software updates, determine which software updates should be installed in the customer system, and deliver the software updates to the client application.)
wherein the request instructs the second application to install the software package on the one or more resources; and ([0014] The client application includes a front-end module and a back-end module. The front-end module communicates with the server application to request information regarding the software updates as downloadable objects. In some situations, the front-end module communicates with other applications such as an antivirus update application or an upstream OS-specific deployment application to specify which antivirus or OS software updates have been approved for installation. The back-end module in turn communicates with the front-end module to retrieve the software updates, and initiate installation of the software updates.)
wherein the check of data of individual requests received from the first application for validity includes verification of the remote source as a trusted source. ([0036] The back-end module 20 applies a decryption algorithm to verify the integrity and security of the retrieved objects.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “front end service for a back end data store” concept of Birch, and the “deployment of software update” approach of Van Camp. One of ordinary skill in the (Van Camp [0004]).

Regarding claim 8, Birch teaches all the features with respect to claim 6, as outlined above. But Birch does not teach wherein the instruction directs the computing device to download a software package from a remote source and to install the software package on the one or more resources; wherein the request instructs the second application to install the software package on the one or more resources, the software package including a cryptographic signature; and wherein the check of data of individual requests received from the first application for validity includes verification of the cryptographic signature. This aspect of the claim is identified as a difference.
However, Van Camp in an analogous art explicitly teaches 
wherein the instruction directs the computing device to download a software package from a remote source and to install the software package on the one or more resources; ([0013] A software update system deploys approved software updates to a customer system so that the approved software updates can be safely installed. The software update system may include a client application downloadable, and a server application to manage software updates, determine which software updates should be installed in the customer system, and deliver the software updates to the client application.)
wherein the request instructs the second application to install the software package on the one or more resources, the software package including a cryptographic signature; and ([0014] The client application includes a front-end module and a back-end module. The front-end module communicates with the server application to request information regarding the software updates as downloadable objects. In some situations, the front-end module communicates with other applications back-end module in turn communicates with the front-end module to retrieve the software updates, and initiate installation of the software updates. [0016] include a digital signature of the manufacturer of the process control system to assure security.)
wherein the check of data of individual requests received from the first application for validity includes verification of the cryptographic signature. ([0016] include a digital signature of the manufacturer of the process control system to assure security. [0036] verify the integrity and security of the retrieved objects. To this end, the back-end module 20 may apply any suitable techniques known in the art (e.g., applying digital certificates).)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “front end service for a back end data store” concept of Birch, and the “deployment of software update” approach of Van Camp. One of ordinary skill in the art would have been motivated to perform such a modification because periodic updates of antivirus software can reduce threats of electronic attacks and increase cyber protection (Van Camp [0004]).

Regarding claim 16, the scope of the claim is similar to that of claim 5 respectively. Accordingly, the claim is rejected using a similar rationale.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Birch (US 20130167200 A1) in view of Jones (US 5642515 A).

Regarding claim 9, Birch teaches all the features with respect to claim 6, as outlined above. But 
However, Jones in an analogous art explicitly teaches 
wherein the instruction directs the computing device to stop execution of a process that includes use of the one or more resources; ([Col 7, Line 57-59] FIG. 2(b) illustrates the back end service program which handles requests to terminate sessions.)
wherein the request instructs the second application to stop execution of the process that includes use of the one or more resources; and (FIG. 2(b) back end service handling requests to terminate sessions: “step 200, receive session delete request for client”)
wherein the check of data of individual requests received from the first application for validity includes verification of ownership of the process. (FIG. 2(b) back end service handling requests to terminate sessions: “step 202, determine who has session with requestor”.) Here Jones discloses “based on if any host computers established a session with the requestor (step 204)” to determine whether “build and send session delete notification (step 208 and 210)”or not. This is analogous to the claimed limitation “checking validity“ by “verifying ownership of the process”.

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “front end service for a back end data store” concept of Birch, and the “deleted session” approach of Jones. One of ordinary skill in the art would have been (Jones [Col 8, Line 1]).

Claim 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Birch (US 20130167200 A1) in view of Walker (US 10771468 B1).

Regarding claim 12, Birch teaches all the features with respect to claim 1, as outlined above. Birch further teaches clients/servers communicating information between each other (¶74) and server with resource being on an unprotected portion of the computing device (FIG. 4: data 450). But Birch does not teach receiving, by the first application, another instruction from the other device, the other instruction directing the computing device to access another resource of the computing device, the other resource being on an unprotected portion of the computing device; and providing, by the computing device, the first application with access to the other resource to accomplish the received other instruction without use of the second application. This aspect of the claim is identified as a difference.
However, Walker in an analogous art explicitly teaches 
receiving, by the first application, another instruction from the other device, the other instruction directing the computing device to access another resource of the computing device, the other resource being on an unprotected portion of the computing device; and ([Col 3, Line 9-12] FIG. 1, a user wanting to utilize a portion of the resources 114 can submit a request that is received to an interface layer 108 of the provider environment 106.)
providing, by the computing device, the first application with access to the other resource to accomplish the received other instruction without use of the second application. ([Col 3, Line 51-53; 

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “front end service for a back end data store” concept of Birch, and the “requests for resources” approach of Walker. One of ordinary skill in the art would have been motivated to perform such a modification to provide an efficient mechanism for using remote computing resources offered through a shared-resource environment, so users do not have to purchase and maintain dedicated hardware and software, and instead can pay for only those resources that are utilized at any given time (Walker [Col 1, Line 6-11]).

Regarding claim 19, the scope of the claim is similar to that of claim 12, respectively. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20130318152 A1, "Method and system for exchanging information between back-end and front-end systems", by Iyer, teaches exchanging information content between a back-end system within a restricted access environment and an end-user includes a front-end 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).   Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493