Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
This action is in response to the Amendment filed on 02/01/2022.
Claims 1-20 are under examination.
The Information Disclosure Statements filed on 11/30/2021, 02/22/2022 and 04/20/2022  have been entered and considered.
 

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-2, 4-5, 8, 10-11, 13-14, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Caudle et al. (US 2012/0331526 A1) and Potlapally et al. (US 2015/0244716 A1).
Regarding claim 1, Caudle et al. discloses: A system for improving security of networks using environment hashes [par. 0012, “the configuration hash value can determine that the current hardware and/or software configuration of the mobile device is valid, and can accordingly send a signal to the mobile device granting access to the protected resource and/or the private network”], the system comprising: one or more memory devices storing computer-readable code; and one or more processing devices operatively coupled to the one or more memory devices [see fig. 1, par. 0016], wherein the one or more processing devices are configured to execute the computer-readable code [par. 0024] to: receive a request from an entity to access a network through the use of an entity computer system [par. 0010, “a mobile device can request access to a protected network resource included in a private network… the mobile device can include the request in one or more signals sent to an access server of the private network via a public wireless network”]; receive authentication credentials from the entity [par. 0011, “receive from the mobile device, one or more user authentication credentials”]; compare the authentication credentials from the entity with authentication requirements [par. 0011, “Based at least in part on the received authentication credentials, the access server can determine whether the user of the mobile device is a valid/recognized user of the private network”]; identify an environment hash for the entity computer system; compare the environment hash for the entity computer system with hash requirements [par. 0012, “the mobile device can first determine whether a current configuration hash value associated with the mobile device is equivalent to a previously-calculated and stored configuration hash value associated with the mobile device. For example, the access server can receive, from the mobile device, a signal including a current configuration hash value for the mobile device that it can compare to the previously-calculated, stored configuration hash value for that mobile device”]; allow the entity computer system to access the network when the entity computer system is validated based on the comparison of the authentication credentials and the authentication requirements and the environment hash and the hash requirements [par. 0056, “Having authenticated the user of the mobile device 410 and verified that the mobile device 410 has a valid inventory hash value (and thus a valid hardware and/or software configuration), the access server 430 can send a signal 482 to the mobile device 410 via the public wireless network 420. The signal 482 can include, for example, an indication that the user has been authenticated and/or that the mobile device 410 has been validated by the access server 430. Said differently, the signal 482 can include an indication that the mobile device 410 has been granted access to the requested network resource stored, executed and/or offered at the network server 460”]; and prevent the entity computer system from accessing the network when the entity computer system fails to be validated based on the comparison of the authentication credentials and the authentication requirements or the environment hash and the hash requirements [par. 0018, “The access server 130 can be any combination of hardware and/or software (executing in hardware) configured to (1) authenticate a user of the mobile device 110, and (2) validate the configuration of the mobile device 110. Said differently, the access server 130 can be any device configured to receive requests to access the private network 140 and grant such access only to authenticated users using validated mobile devices”, par. 0055, “the access server 430 can perform an authentication process associated with the user of the mobile device 410 and/or a validation process associated with the mobile device 410 itself. As described in connection with FIG. 3 above, the authentication process can include verification of one or more user credentials by accessing, for example, a database such as the database 450. The validation process can include, in some embodiments, comparison of a received configuration hash value to a previously-calculated, stored configuration hash value for the mobile device 410”].
Caudle et al. does not explicitly disclose wherein identifying the environment hash comprises accessing a shared hash database comprising a plurality of environment hashes for a plurality of entity computer systems and identifying the environment hash for the entity computer system, wherein the shared hash database is populated with the plurality of environment hashes from two or more third party entities.
However, Potlapally et al. teaches wherein identifying the environment hash comprises accessing a shared hash database comprising a plurality of environment hashes for a plurality of entity computer systems and identifying the environment hash for the entity computer system, wherein the shared hash database is populated with the plurality of environment hashes from two or more third party entities [par. 0037, “several different candidate instance hosts may be identified, and the corresponding hash values 475 may all be provided to the requesting client for approval. The client may compare the hash value or values with approved earlier-generated hash values in a database (e.g., a local database maintained by the client or another database maintained by some trusted third party or by a service of the provider network)”, par. 0051, “The computed hash value may be compared with some set of one or more previously computed approved hash values (element 810)… the client may specify a particular pre-computed hash value that the targeted resource stack is to meet, so only a single comparison may be required to determine whether the measured resource stack meets the client's security criteria or not”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Potlapally et al. into the teaching of Caudle et al. with the motivation of providing the necessary assurance to the client that the proposed execution environment meets the client's security criteria as taught by Potlapally et al. [Potlapally et al.: par. 0017].
Regarding claim 2, the rejection of claim 1 is incorporated.
 Caudle et al. further discloses identifying the environment hash comprises identifying the environment hash stored on the entity computer system [par. 0054, “an indication from the mobile device 410 that a configuration hash value associated with the mobile device 410 has passed a device-executed, internal configuration hash value check”, par. 0069, “the access server can send a signal including the updated hash value to the mobile device for local storage and use (e.g., for subsequent use in determining, at the mobile device, whether a configuration of the mobile device has changed since the current inventory validation process ("integrity check"))”].
Potlapally et al. further teaches accessing the shared hash database when the environment hash is not stored on the entity computer system [par. 0037, “several different candidate instance hosts may be identified, and the corresponding hash values 475 may all be provided to the requesting client for approval. The client may compare the hash value or values with approved earlier-generated hash values in a database (e.g., a local database maintained by the client or another database maintained by some trusted third party or by a service of the provider network)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Potlapally et al. into the teaching of Caudle et al. with the motivation of providing the necessary assurance to the client that the proposed execution environment meets the client's security criteria as taught by Potlapally et al. [Potlapally et al.: par. 0017].
Regarding claim 4, the rejection of claim 1 is incorporated.
 Caudle et al. further discloses identifying the environment hash comprises creating the environment hash based on a configuration of the entity computer system [par. 0025, “the configuration hash module 223 can calculate a configuration hash value associated with the mobile device 200”].
Regarding claim 5, the rejection of claim 1 is incorporated.
 Caudle et al. further discloses the hash requirements are stored within a hash database system, and wherein the hash requirements comprise at least authorized environment hashes or unauthorized environment hashes [par. 0037, “The previously-stored valid configuration hash value can optionally be stored at a database included in the access server 300 and/or operationally coupled thereto. In such embodiments, if the validation module 322 determines that the received configuration hash value matches the previously-stored valid configuration hash value associated with the mobile device, the validation module 322 can determine that the mobile device is valid, and can accordingly send a response signal to the mobile device indicating that access to the private network and/or the protected resource has been granted”].
Regarding claim 8, the rejection of claim 1 is incorporated.
Caudle et al. further discloses the authentication credentials comprise a user identifier and a password, a secure token, biometric information, a computer identifier, an image, or a gesture [par. 0051, “The authentication information can include, for example, username, password, biometric credential, password question/answer and/or other user authentication information”].
Regarding claim 10, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 11, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Caudle et al. (US 2012/0331526 A1) and Potlapally et al. (US 2015/0244716 A1) as applied to claims 1-2, 4-5, 8, 10-11, 13-14, 17 and 19 above, and further in view of Kawazu (US 2017/0249483 A1).
Regarding claim 3, the rejection of claim 1 is incorporated.
Caudle et al. and Potlapally et al. disclose storing the environment hash in the shared hash database.
Caudle et al. and Potlapally et al. does not explicitly disclose monitor the entity computer system for a configuration change; determine a new environment hash when the configuration change occurs; and share the new environment hash for the entity computer system for storage in the shared hash database.
However Kawazu teaches monitor the entity computer system for a configuration change; determine a new environment hash when the configuration change occurs; and share the new environment hash for the entity computer system for storage in the shared hash database [par. 0031, “every time the data is updated in the client PC 1001, the valid hash value stored in the database 1003 provided in the server 1002 needs to be updated”, par. 0037, “The data a 115 and the data b 116 are data handled by the module A 113, and can be for example, configuration files that control the behavior of the module”, par. 0049].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Kawazu into the teaching of Caudle et al. and and Potlapally et al. with the motivation to manage the valid hash value of each module provided in the client PC as taught by Kawazu [Kawazu: par. 0029].
Regarding claim 12, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.

Claims 6-7 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Caudle et al. (US 2012/0331526 A1) and Potlapally et al. (US 2015/0244716 A1) as applied to claims 1-2, 4-5, 8, 10-11, 13-14, 17 and 19 above, and further in view of Wo et al. (US 2016/0112538 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
Caudle et al. discloses the entity computing system is prevented from accessing the network.
Caudle et al. does not explicitly disclose preventing the entity computer system from making future requests when the entity computing system is prevented from accessing the network.
However Wo et al. teaches preventing the entity computer system from making future requests when the entity computing system is prevented from accessing the network [par. 0023, “When the bot detection module 118 fails to receive affirmative satisfactory or successful human verification from the user and/or client device 106, in exemplary embodiments, the bot detection module 118 creates or otherwise generates an entry in a blocked user cache 122 coupled to the server 102 via the network 108. In this regard, the entry in the blocked user cache 122 maintains an association between the unverified requesting source and a calculated resumption time value indicating when the user will be allowed to subsequently initiate a database activity… a requesting user may be permanently blocked after being temporarily blocked by the bot detection module 118 a certain number of times”, par. 0029, par. 0036, “In response to receiving the request, the bot detection module 118 obtains information identifying the source of the request (e.g., a user identifier associated with the request, a network address, or the like) and accesses the blocked user cache 122 to determine whether the user and/or the client device 106 is blocked or otherwise prevented from initiating the requested database activity”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Wo et al. into the teaching of Caudle et al. and Potlapally et al. with the motivation for regulating access to a database by a server as taught by Wo et al. [Wo et al.: abs.].
Regarding claim 7, the rejection of claim 6 is incorporated.
Wo et al. further teaches preventing the entity computer system from making the future requests comprises: identifying a computer identifier for the entity computer system; store the computer identifier as a stored computer identifier for restricting communication with the network [par. 0012, “a source may be identified using a unique user identifier associated with a user of a computing device making the request, a network address (e.g., an internet protocol (IP) address or the like) of a computing device making the request, a session identifier associated with a request, or the like, and/or any combination thereof”, par. 0023, “When the bot detection module 118 fails to receive affirmative satisfactory or successful human verification from the user and/or client device 106, in exemplary embodiments, the bot detection module 118 creates or otherwise generates an entry in a blocked user cache 122 coupled to the server 102 via the network 108. In this regard, the entry in the blocked user cache 122 maintains an association between the unverified requesting source and a calculated resumption time value indicating when the user will be allowed to subsequently initiate a database activity… a requesting user may be permanently blocked after being temporarily blocked by the bot detection module 118 a certain number of times”]; identify the entity computer system is trying to communicate with the network; determine the computer identifier of the entity computer system matches the stored computer identifier; and prevent the entity computer system from making a second request on the network [par. 0029, par. 0036, “In response to receiving the request, the bot detection module 118 obtains information identifying the source of the request (e.g., a user identifier associated with the request, a network address, or the like) and accesses the blocked user cache 122 to determine whether the user and/or the client device 106 is blocked or otherwise prevented from initiating the requested database activity”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Wo et al. into the teaching of Caudle et al. with the motivation for regulating access to a database by a server as taught by Wo et al. [Wo et al.: abs.].
Regarding claim 15, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claims 9, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Caudle et al. (US 2012/0331526 A1) and Potlapally et al. (US 2015/0244716 A1) as applied to claims 1-2, 4-5, 8, 10-11, 13-14, 17 and 19 above, and further in view of Paris et al. (US 2012/0151206 A1).
Regarding claim 9, the rejection of claim 1 is incorporated.
Caudle et al. discloses the environment hash.
Caudle et al. does not explicitly disclose the environment hash comprises a cryptographic hash output value comprising of a fixed-length character string.
However Paris et al. teaches the environment hash comprises a cryptographic hash output value comprising of a fixed-length character string [par. 0031, “a credential of a file is represented by a hash value, which may be generated by hashing a file image of the file using any of a variety of hash algorithms, such as, for example, SHA-1 or MD-5, etc. The hash value is then stored in a storage as part of credentials 110, locally or remotely”, official notice: SHA-1 is a cryptographic hash with 160 bit hash value, which rendered as hexadecimal number, 40 digits long, (see US 2017/0331837 A1, par.0130, the first device may use a method of generating the integrity check data using the SHA-1 hash algorithm in order to generate the 160-bit integrity check data)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Paris et al. into the teaching of Caudle et al. with the motivation of performing a hash operation according to a variety of hash algorithms for credential data representing system integrity of at least one component running on the client for accessing a resource provided in a network as taught by Paris et al. [Paris et al.: abs. par. 0027].
Regarding claim 18, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 9. The reason for the rejection of claim 9 is incorporated herein.


Response to Arguments
Applicant’s arguments, filed on 02/01/2022, with respect to rejection under 35 USC § 102/103 have been considered but are moot in view of the new ground(s) of rejection.

Applicant’s arguments, filed on 02/01/2022, with respect to the official notice have been considered. An evidence has been provided.



Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20170264593 A1		SYSTEM AND METHOD TO SECURE THE STREAMING OF MEDIA TO A VALID CLIENT
US 9059853 B1		System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment
US 9305159 B2		Secure system for allowing the execution of authorized computer program code
US 9363087 B2		End-to-end security for hardware running verified software
US 20120054843 A1		NETWORK ACCESS CONTROL FOR TRUSTED PLATFORMS
US 20210306303 A1		REVERSE PROXY SERVERS FOR IMPLEMENTING APPLICATION LAYER-BASED AND TRANSPORT LAYER-BASED SECURITY RULES
US 20150244716 A1		SECURING CLIENT-SPECIFIED CREDENTIALS AT CRYPTOGRAPICALLY ATTESTED RESOURCES
US 9916443 B1		Detecting an attempt to exploit a memory allocation vulnerability
US 9087199 B2		System and method for providing a secured operating system execution environment
US 20160294802 A1		ACCELERATED PASSPHRASE VERIFICATION

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM TO 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431