DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This office action is in response to claims filed on 1/4/2021.  Claims 1-13 have been examined.  This office action is Non-Final.

Claim Objection
Claims 1-6 are objected to because of the following informalities:
Regarding claim 1, claim 1 recites the limitations “the at least one network service providing device registering …,” “the legitimate user device [] logging into the authentication and authorization server…” and “the target device comparing …”  To properly recite active steps of the claimed method, it’s suggested that the aforementioned limitations be further amended to “registering, by the at least one network service providing device …,” “logging into the authentication and authorization server, by the legitimate user device …” and “comparing, by the target device …”, respectively (emphasis added).
Regarding claim 2, claim 2 recites the limitations “the target device further determines.”  To properly recite active steps of the claimed method, it’s suggested that the aforementioned limitation be further amended to “determining, by the target device” (emphasis added).
Regarding claim 3, claim 3 recites the limitations “when the access request is rejected.”  To properly recite active steps of the claimed method, it’s suggested that the aforementioned limitation be further amended to “recording the device ID of the user device in the blacklist, when the access request is rejected” (emphasis added).
Regarding claim 6, claim 6 needs to properly recite active steps of the claimed method.
Claims 1 and 7 are objected to for reciting the acronyms ID and IP without spelling them out in full at the first occurrence.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 7, claim 7 is directed to an information security system; however, the claim also recites “a method including: the at least one network service providing device registering…”  “a legitimate user device [] logging into …”  Claim 7 is found indefinite as the claim recites both method and system.  A claim is considered indefinite under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, if it does not reasonably apprise those skilled in the art of its scope.  See MPEP 2173.05(p) and IPXL Holdings, 430 F.3d at 1384; see also In re Katz Interactive Call Processing Patent Litig., 639 F.3d 1303 (Fed. Cir. 2011); Ex parte Lozano (Appeal 2009-012018) for details.
Regarding claim 8, claim 8 is directed to an information security system; however, the claim also recites a method (i.e., “the method makes the target device …” and “the user device issuing the access request ….”)  The same as that of claim 7.
Regarding claim 9, claim 9 is directed to an information security system; however, the claim also recites a method (i.e., “the access list generation method further includes …;” and “the user device issuing the access request …”)  The same as that of claim 7.
Claims 10-13 are dependent on claim 7, and therefore inherit the 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, issues of the independent claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 7, 10-11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over An et al. (2013/0117400) in view of Leung et al. (2020/0195609), and further in view of Chen et al. (2020/0304853).
As per claim 1, An et al. discloses an authorized access list generation method for controlling at least one network service request of at least one user device in a network service system, the network service system having an authentication and authorization server and at least one network service providing device, the method including: 
the at least one network service providing device registering for an authorized access list notification service with the authentication and authorization server to obtain a current content of an authorized access list provided by the authentication and authorization server (An: para. 0300, See Table 34, the distribution messaging server of the receiving entity (i.e. network providing device) registering for an authorized access list notification service (i.e. registering to receive the whitelist) with the address directory server (i.e. authentication and authorization server) to obtain the latest (i.e. current content) of the whitelist provided by the address directory server (i.e. authentication and authorization server)); and continuing to provide the update in a corresponding said authorization related record (An: para. 0761-0763, continuing to provide latest information from the whitelist).
 An et al. does not explicitly disclose the authorized access list including at least one authorization related record of at least one said user device to be allowed access, and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address; a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server, and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record.
However, analogous art of Leung discloses the authorized access list including at least one authorization related record of at least one said user device to be allowed access (Leung: para. 0087, whitelist (i.e. authorized access list) includes at least one authorization related record of a user device to be allowed access), and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address (Leung: para. 0086, whitelist includes authorization record including authorized device ID (i.e. MAC address), a network service providing device ID (i.e. domain name), an IP address); a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server (Leung: para. 0068-0071, 0080-0083, a legitimate user device of the at least one user device logging into by using the username, and sending a request); and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record with the IP address of one said user device (Leung: para. 0071, 0080-0083, continuing to provide the IP address and MAC address in a corresponding record of a whitelist).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Leung with the system/method of An to include the authorized access list including at least one authorization related record of at least one said user device to be allowed access, and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address; a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server, and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record.  
One would have been motivated to provide a security measure that ensures that only authorized devices can update the information to be included in a whitelist (Leung: para. 0068). 
An et al. and Leung do not explicitly disclose the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result.
However, analogous art of Chen discloses the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result (Chen: para. 0057, compares the stored IP address, and sending an access request to the target device (i.e. service server); if there is no match of the IP address, rejecting the access request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Chen with the system/method of An et al. and Leung to include the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result.  
One would have been motivated to improve the accuracy of access request by preventing request of illegal attackers from entering the server; thereby ensuring normal operation of the server (Chen: para. 0057).  
As per claim 4, An et al., Leung, and Chen disclose the authorized access list generation method as disclosed in claim 1.
 	Leung further discloses wherein the user ID includes an account and a password, and the password is a text password or a biometric password (Leung: para. 0068, username includes an account, a user has an associated account with a username and password combination, text password, a series of letters and/or numbers).
Same Motivation as claim 1 above.          
As per claim 5, An et al., Leung, and Chen disclose the authorized access list generation method as disclosed in claim 1.  The combination of Leung and Chen further disclose wherein the user device is selected from a group consisting of a smart phone (Chen: para. 0039, UE user equipment/phone), a portable computer (Chen: para. 0039, wireless communication device), a personal computer (Chen: para. 0039, UE/phone is a personal computer), a networked camera (Leung: para. 0029, surveillance camera), and a wearable device (Chen: para. 0039, wearable device).
Same motivation as claim 1 above.
As per claim 7, An et al. discloses an information security system, which is installed in a network and has an authentication and authorization server and at least one network service providing device to execute an authorized access list generation method to control at least one network service request of at least one user device, the method including: 
the at least one network service providing device registering for an authorized access list notification service with the authentication and authorization server to obtain a current content of an authorized access list provided by the authentication and authorization server (An: para. 0300, See Table 34, the distribution messaging server of the receiving entity (i.e. network providing device) registering for an authorized access list notification service (i.e. registering to receive the whitelist) with the address directory server (i.e. authentication and authorization server) to obtain the latest (i.e. current content) of the whitelist provided by the address directory server (i.e. authentication and authorization server)), and continuing to provide the update in a corresponding said authorization related record (An: para. 0761-0763, continuing to provide latest information from the whitelist).
 An et al. does not explicitly disclose the authorized access list including at least one authorization related record of at least one said user device to be allowed access, and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address; a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server, and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record.
However, analogous art of Leung discloses the authorized access list including at least one authorization related record of at least one said user device to be allowed access (Leung: para. 0087, whitelist (i.e. authorized access list) includes at least one authorization related record of a user device to be allowed access), and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address (Leung: para. 0086, whitelist includes authorization record including authorized device ID (i.e. MAC address), a network service providing device ID (i.e. domain name), an IP address); a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server (Leung: para. 0068-0071, 0080-0083, a legitimate user device of the at least one user device logging into by using the username, and sending a request); and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record with the IP address of one said user device (Leung: para. 0071, 0080-0083, continuing to provide the IP address and MAC address in a corresponding record of a whitelist).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Leung with the system/method of An et al. to include the authorized access list including at least one authorization related record of at least one said user device to be allowed access, and each said authorization related record including a user ID, an authorized device ID, a network service providing device ID, and an IP address; a legitimate user device of the at least one user device logging into the authentication and authorization server by outputting one said user ID to the authentication and authorization server, and directly sending an access request to a target device of the at least one network service providing device after logging into the authentication and authorization server, and continuing to provide the IP address in use and a device ID to the authentication and authorization server to update the IP address and the authorized device ID in a corresponding said authorization related record.  
One would have been motivated to provide a security measure that ensures that only authorized devices can update the information to be included in a whitelist (Leung: para. 0068). 
An et al. and Leung do not explicitly disclose the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result.
However, analogous art of Chen discloses the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result (Chen: para. 0057, compares the stored IP address, and sending an access request to the target device (i.e. service server); if there is no match of the IP address, rejecting the access request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Chen with the system/method of An et al. and Leung to include the target device comparing the IP address, stored in each said authorization related record of one said authorized access list provided by the authentication and authorization server, and sending an access request to the target device, and rejecting the access request if each said comparison operation produces a not-matched result.  
One would have been motivated to improve the accuracy of access request by preventing request of illegal attackers from entering the server; thereby ensuring normal operation of the server (Chen: para. 0057).  
As per claims 10-11, rejected under similar scope as claims 4-5 respectively.
As per claim 13, An et al., Leung, and Chen disclose the information security system as disclosed in claim 7.  An et al. further discloses wherein the network is an Internet or a local area network (An: para. 0141, Internet).

Claims 2 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over An et al. (2013/0117400) in view of Leung et al. (2020/0195609), and further in view of Chen et al. (2020/0304853), and further in view of Taylor (2017/0180382).
As per claim 2, An et al., Leung, and Chen disclose the authorized access list generation method as disclosed in claim 1.
An et al., Leung, and Chen do not explicitly disclose wherein, when one said comparison operation produces a matched result, the target device further determines whether the authorized device ID in a corresponding said authorization related record matches the device ID of the user device issuing the access request, if true, the access request is allowed, and if false, the access request is rejected.
However, analogous art of Taylor discloses wherein, when one said comparison operation produces a matched result, the target device further determines whether the authorized device ID in a corresponding said authorization related record matches the device ID of the user device issuing the access request, if true, the access request is allowed, and if false, the access request is rejected (Chen: para. 0064 and 0066, comparing the device identifier with the whitelist database, if match allowed, if not denied access request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Taylor with the system/method of An et al., Leung, and Chen to include wherein, when one said comparison operation produces a matched result, the target device further determines whether the authorized device ID in a corresponding said authorization related record matches the device ID of the user device issuing the access request, if true, the access request is allowed, and if false, the access request is rejected.  
One would have been motivated to provide a security measure that ensures only authorized devices are allowed to access information/data (Taylor: para. 0066).  
As per claim 8, rejected under similar scope as claim 2. 	
Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over An et al. (2013/0117400) in view of Leung et al. (2020/0195609), and further in view of Chen et al. (2020/0304853), and in view of Taylor (2017/0180382), and further in view of Sakumoto et al. (2018/0047232).
As per claim 3, An et al., Leung, Chen, and Taylor disclose the authorized access list generation method as disclosed in claim 2.
 An et al., Leung, Chen, and Taylor do not explicitly disclose further including: when the access request is rejected, the device ID of the user device issuing the access request is recorded into a blacklist.
However, analogous art of Sakumoto discloses when the access request is rejected, the device ID of the user device issuing the access request is recorded into a blacklist (Sakumoto: para. 0396, access request is rejected/denied, the terminal ID is stored in the blacklist).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sakumoto with the system/method of An et al., Leung, Chen, and Taylor to include the access request is rejected, the device ID of the user device issuing the access request is recorded into a blacklist. 
One would have been motivated to have a security measure that tracks the denied access request from certain devices, thereby providing effective access control (Sakumoto: para. 0396).
As per claim 9, rejected under similar scope as claim 3.

Claims 6 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over An et al. (2013/0117400) in view of Leung et al. (2020/0195609), and in view of Chen et al. (2020/0304853), and further in view of Amarendra et al. (2021/0150015).
As per claim 6, An et al., Leung, and Chen disclose the authorized access list generation method as disclosed in claim 1.
An et al., Leung, and Chen do not explicitly disclose wherein the network service providing device is a network attached storage device.
However, analogous art of Amarendra discloses wherein the network service providing device is a network attached storage device (Amarendra: para. 0036, network attached storage).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Amarendra with the system/method of An et al., Leung, and Chen to include the network service providing device is a network attached storage device.  One would have been motivated to have a dedicated file storage to maintain data and/or information (Amarendra: para. 0036).  
As per claim 12, rejected under similar scope as claim 6.






Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

8/15/2022
/JJ/
AU 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439