DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
In response to the arguments under 35 USC 103, filed 06/21/2022, directed to independent claims 1 and 11 and their respective dependent claims, regarding the limitations “determining, based on an indication of at least one privilege associated with the application and at least one credential associated with the target network resource, whether access to the target network resource by an identity holding the at least one credential would potentially result in an illegitimate privilege elevation by the identity; and performing, based on at least one of a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address”:
Applicant’s arguments have been considered but are moot, because the new ground of rejection necessitated by the amendment relies on a newly cited reference (Levy) for the amended limitations, and does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

In response to the arguments under 35 USC 103, filed 06/21/2022, directed to independent claims 1 and 11 and their respective dependent claims, regarding the limitation “performing, based on at least one of a determination that the network security configuration is misconfigured or a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address”:
The claim recites these alternatives with the open-ended language “at least one of ... or”, so it is sufficient that Niemela teaches performing, based on a determination that the network security configuration is misconfigured, a control action associated with the target network address. Niemela discloses that the security application may provide a warning about the detected vulnerability/misconfiguration [0028]. This warning is a control action taken when the network security configuration is misconfigured.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 7, 8, 10, 11, 12, 16, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela (US 20190188377), Banerjee et al. (US 20170093918, hereinafter Banerjee), and Desai et al. (US 20170223024, hereinafter Desai), and in further view of Levy (US 10601876).

Re. claim 1, Niemela discloses a non-transitory computer readable medium including instructions that, when executed by at least one processor (Niemela discloses a non-transitory computer storage medium [0008] and a processor that causes the computer system to perform the method [0017]), cause the at least one processor to perform operations for detecting application misconfiguration security threats (Niemela discloses analysing the computer system for vulnerabilities and misconfigurations [0019]), the operations comprising: scanning a computing environment to identify an application on at least one of an authorization server or a network device, the application being configured for network communications (Niemela discloses that the behaviour of the computer system is monitored to detect one or more procedures of the monitored applications and/or services that do not match the expected behaviours of the monitored applications and services. Each procedure of the one or more procedures of the monitored applications and/or services is identified by a characteristic action and one or more expected actions. The procedures may include any one or more of: establishment of a secure session, communication over a secure session, network operations (interpreted as the application being configured for network communications) [0029]. The computer runs a number of further applications, and the security application 14 monitors actions taken by those further applications. The client computer 1 may connect to a server 2, and the security application 14 sends results of the monitoring to the server 2 for analysis, or the analysis may be performed at the client computer 1 by the security application (interpreted as the application being on the device) [0017]);
assessing, based on the comparing, whether the network security configuration is misconfigured (Niemela discloses that if one or more procedures are detected not to match the expected behaviours of the monitored applications and services, S307 is entered, where said application and/or service is identified as malicious or suspicious. In an embodiment, upon detection of one or more procedures not matching the expected behaviours, the method may further comprise analysing whether the detected one or more procedures match activities that are required to exploit said vulnerability types and/or misconfigurations and determining the severity of maliciousness of said application and/or service on the basis of the result of the analysis [0030]);
and performing, based on at least one of a determination that the network security configuration is misconfigured, a control action associated with the target network address (Niemela discloses that the security application may provide a warning about the detected vulnerability/misconfiguration [0028]).
Although Niemela would teach detecting misconfigurations in a database, Niemela does not explicitly teach but Banerjee teaches analyzing a network security configuration of the application (Banerjee teaches the whitelist agent(s) can determine what web servers, application servers, databases, scripting engines, etc., deployed to the computing instance, are used for executing an application for an end-user. Once determined, the whitelist agents can inspect configuration files for the applications to identify properties or configuration data associated with a given application [0023]); 
comparing the target network address to a whitelist of trusted target network addresses (Banerjee teaches that the configuration file component 304 can identify any information regarding how an application(s) is configured to communicate with other application(s), including IP addresses (interpreted as the application being configured with an IP address) and ports of the application(s), processes associated with the execution of the application(s), source/destination process endpoints, process hierarchy (e.g., parent process to child process), process path, command line arguments, user groups, and the like [0045]. The whitelist can be returned to the agent on a given virtual machine, and the agent can use the whitelist to evaluate network communication generated by the application. For example, in one embodiment, once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist, the whitelist agent can prevent the communication or raise an alert (e.g., to an administrator or end-user) [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include analyzing a network security configuration of the application and comparing the target network address to a whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated to do so for the purpose of detecting anomalies to prevent network intrusion and improving protection against data exfiltration techniques (Banerjee [0022] [0055]).
Although the combination of Niemela-Banerjee would teach a destination address in the configuration files, the combination of Niemela-Banerjee does not explicitly teach but Desai teaches identifying, based on the application, a target network address that the application is configured to use to redirect the network device to a target network resource, the target network address being at least one of: embedded in a source code of the application or included in a list of trusted network addresses associated with the application (Desai teaches application-level access control where access to certain network resources is not allowed from blacklisted applications or is allowed only using a specific whitelisted application that conforms to the security standards of the enterprise; the request is evaluated and redirected to an authorized app if the application is legitimate based on the whitelist [0061-0062]. The admin configures applications (e.g., whitelist, blacklist) and their custom URL schemes, for example: REDIRECT to Application "SafeBrowser" if URL matches "*.company.com"; (c) REDIRECT to Application "BOX" if URL contains "data.company.com" [0069], Figs. 7 and 8 (interpreted as the application being configured to use the target network resource when it is included in a list of trusted network addresses associated with the application)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee to include identifying, based on the application, a target network address that the application is configured to use to redirect the network device to a target network resource, the target network address being at least one of: embedded in a source code of the application or included in a list of trusted network addresses associated with the application, as disclosed by Desai. One of ordinary skill in the art would have been motivated to do so for the purpose of preventing malicious applications from accessing sensitive information (Desai [0003]).
Although the combination of Niemela-Banerjee-Desai would teach a target network resource and detecting misconfiguration, the combination of Niemela-Banerjee-Desai does not explicitly teach but Levy teaches determining, based on an indication of at least one privilege associated with the application and at least one credential associated with the target network resource, whether access to the target network resource by an identity holding the at least one credential would potentially result in an illegitimate privilege elevation by the identity (Levy teaches that the result of the implementing with respect to the requested action includes at least one of: denying or granting access to a privileged access credential [Col 3 lines 62-65]. A second security application (Application.sub.2) may have a corresponding security policy (Policy.sub.2) which impersonates execution for the set of applications or processes to run with elevated (e.g., administrator) privileges. In this situation, if Policy.sub.2 is first to act when User.sub.B attempts to use one of the applications or processes not in the first set (i.e., the whitelisted set), User.sub.B may be permitted to use the applications or processes since they may be granted the administrator privileges. This conflicts with Policy.sub.1, however, which would have restricted use of such applications or processes since they are not whitelisted [Col 11 lines 1-17]; Figs. 2-4 show applications that do not comply with their model with respect to elevating privilege. This inconsistency in privilege identifies the privilege elevation as illegitimate);
and performing, based on at least one of a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address (Levy teaches that specific security decisions of the tested security application (e.g., specific instances of denying access, granting access, granting privileges, elevating privileges, modifying privileged group memberships, etc.) and timing data (e.g., execution time, timing of specific actions, time duration, time zone, etc.) may be identified and stored. These specific actions may be compared to the actions of other security applications (e.g., based on their normalized models), and inconsistencies may be identified [Col 5 lines 10-31]. For a word processing application running on one of endpoints 108 seeking to communicate with a particular file storage site having a particular IP address, security policy 302 may have a variety of different types of Action values for this operation, such as “Allow,” “Deny,” “Fetch Privileges,” “Allow and Audit Report,” “Deny and Send Alert,” etc. [Col 10 lines 1-27]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include determining, based on an indication of at least one privilege associated with the application and at least one credential associated with the target network resource, whether an identity associated with the application can elevate its privileges by accessing the target network resource, and performing, based on at least one of a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address, as disclosed by Levy. One of ordinary skill in the art would have been motivated to do so for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).
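The operations the rejection maps across Niemela, Banerjee, Desai and Levy (scan an application's configured target addresses, compare them to a whitelist, decide whether reaching a target with the credential bound to it would elevate an identity above the application's own privilege, and take a control action) can be shown concretely. The following Python is an added example written for this page; it is not code from the application under examination nor from any of the cited references, and every host name, privilege level, credential mapping and action name in it is constructed. It goes slightly beyond the claim text in one respect: the whitelist is matched against the parsed host of each address rather than the raw string, which is the check that defeats the "URL contains" style bypass included in the sample input.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed privilege ordering. "Elevation" means reaching a resource whose
# credential confers a higher rank than the privilege the application runs with.
PRIVILEGE_RANK = {"user": 1, "operator": 2, "admin": 3}


@dataclass(frozen=True)
class Finding:
    target: str   # target network address as found in the application
    reason: str   # why it was flagged
    action: str   # control action to perform (constructed action names)


def host_of(address: str) -> str:
    """Return the lowercase host of a URL or of a bare host string."""
    parsed = urlparse(address if "://" in address else "//" + address)
    return (parsed.hostname or "").lower()


def is_whitelisted(address: str, whitelist: list[str]) -> bool:
    """Match the target's parsed host, not the raw string, against wildcard
    patterns. A 'URL contains data.company.example' rule would accept
    data.company.example.evil.test; a host-suffix match does not."""
    host = host_of(address)
    return any(fnmatchcase(host, pattern.lower()) for pattern in whitelist)


def would_elevate(app_privilege: str, resource_credentials: dict[str, str], host: str) -> bool:
    """True when the credential bound to the resource at `host` confers more
    privilege than the application holds, so an identity holding that credential
    could use the application's redirect to act above the application's level."""
    granted = resource_credentials.get(host)
    return granted is not None and PRIVILEGE_RANK[granted] > PRIVILEGE_RANK[app_privilege]


def assess_application(app: dict, whitelist: list[str],
                       resource_credentials: dict[str, str]) -> list[Finding]:
    """Run both checks over every address the application can redirect to:
    addresses embedded in its code and addresses from its own trusted list."""
    findings = []
    for target in list(app["embedded_targets"]) + list(app.get("trusted_list", [])):
        if not is_whitelisted(target, whitelist):
            findings.append(Finding(target,
                                    "target address not in whitelist (misconfiguration)",
                                    "disable_and_alert"))
        if would_elevate(app["privilege"], resource_credentials, host_of(target)):
            findings.append(Finding(target,
                                    "access would elevate identity above application privilege",
                                    "deny_and_alert"))
    return findings


# Constructed sample input: one scanned application, the environment's whitelist,
# and the privilege conferred by the credential bound to each known resource.
APP_CONFIG = {
    "name": "intranet-portal",
    "privilege": "user",
    "embedded_targets": [
        "https://files.company.example/share",
        "https://data.company.example/api",
    ],
    "trusted_list": [
        "https://sso.company.example/callback",
        "https://cdn.partner.example/assets",             # not in the whitelist
        "https://data.company.example.evil.test/api",     # substring-match bypass
    ],
}
WHITELIST = ["*.company.example"]
RESOURCE_CREDENTIALS = {
    "files.company.example": "user",
    "data.company.example": "admin",   # credential for this host grants admin
}

if __name__ == "__main__":
    for f in assess_application(APP_CONFIG, WHITELIST, RESOURCE_CREDENTIALS):
        print(f"{f.action:18} {f.target}  ({f.reason})")
```

On the constructed input the scan yields three findings: the partner CDN and the look-alike host fail the whitelist check, and the data API is flagged because its credential confers admin while the application runs as user. The first of those is exactly the case a "URL contains data.company.com" rule would miss.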

Re. claim 2, the combination of Niemela-Banerjee-Desai-Levy teach the non-transitory computer readable medium of claim 1. Although Niemela would teach identifying an application, Niemela does not explicitly teach but Banerjee teaches wherein scanning the computing environment comprises scanning multiple applications (Banerjee teaches once the whitelist agents 106A-106N identify the application(s) 104A-104N, the whitelist agents 106A-106N can inspect configuration files 108A-108N to identify properties or configuration data associated with applications 104A-104N [0034]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include wherein scanning the computing environment comprises scanning multiple applications, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated to do so for the purpose of detecting anomalies to prevent network intrusion and improving protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 6, the combination of Niemela-Banerjee-Desai-Levy teach the non-transitory computer readable medium of claim 1, the operations further comprise disabling network communications capabilities for the target network address (Niemela discloses upon identifying said application and/or service as malicious or suspicious, the application and/or service is handled by one or more of: terminating a process of the application/service, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the application/service and performing a further malware scan on the application/service [0031]).
Although Niemela would teach comparing in a database, Niemela does not explicitly teach but Banerjee teaches wherein when the target network address is not included in the whitelist of trusted target network addresses (Banerjee teaches once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include the condition that the target network address is not included in the whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated to do so for the purpose of detecting anomalies to prevent network intrusion and improving protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 7, the combination of Niemela-Banerjee-Desai-Levy teach the non-transitory computer readable medium of claim 1, the operations further comprise generating an alert identifying the target network address (Niemela discloses an alert is triggered when detecting any operations on said applications/services that do not match “the baseline” and especially when said modifications match activities required to exploit a known vulnerability in said application [0031]).
Although Niemela discloses comparing in a database, Niemela does not explicitly disclose but Banerjee discloses wherein when the target network address is not included in the whitelist of trusted target network addresses (Banerjee teaches once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include the condition that the target network address is not included in the whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated to do so for the purpose of detecting anomalies to prevent network intrusion and improving protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 8, the combination of Niemela-Banerjee-Desai-Levy teach the non-transitory computer readable medium of claim 1. Niemela-Banerjee-Desai do not explicitly teach but Levy teaches wherein the operations further comprise determining, based on the target network address, whether the identity has sufficient privileges to access the target network resource (Levy teaches that policy 302 may be a JSON policy file specifying access rights for creating, updating, modifying, or deleting virtual computing resources based on whether an identity has “aws_admin” access privileges [Col 9 lines 28-44]. Policy.sub.2 would allow User.sub.B to use the application or process and access the shared resource, since Policy.sub.2 impersonates a valid user of Group.sub.A. This would conflict with Policy.sub.1, however, which only permits access to the shared resource by users within Group.sub.A, and thus not User.sub.B [Col 10 lines 48-67]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include determining, based on the target network address, whether the identity has sufficient privileges to access the target network resource, as disclosed by Levy. One of ordinary skill in the art would have been motivated to do so for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).

Re. claim 10, the combination of Niemela-Banerjee-Desai-Levy teach the non-transitory computer readable medium of claim 1. Levy further teaches wherein the control action includes, based on the determining whether access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, at least one of: disabling the network device from accessing the target network resource or generating an alert (Levy teaches that specific security decisions of the tested security application (e.g., specific instances of denying access, granting access, granting privileges, elevating privileges, modifying privileged group memberships, etc.) and timing data (e.g., execution time, timing of specific actions, time duration, time zone, etc.) may be identified and stored. These specific actions may be compared to the actions of other security applications (e.g., based on their normalized models), and inconsistencies may be identified [Col 5 lines 10-31]. For a word processing application running on one of endpoints 108 seeking to communicate with a particular file storage site having a particular IP address, security policy 302 may have a variety of different types of Action values for this operation, such as “Allow,” “Deny,” “Fetch Privileges,” “Allow and Audit Report,” “Deny and Send Alert,” etc. [Col 10 lines 1-27]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include, based on determining whether access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, at least one of: disabling the network device from accessing the target network resource or generating an alert, as disclosed by Levy. One of ordinary skill in the art would have been motivated to do so for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).

Re. claim 11, Niemela discloses a computer-implemented method for detecting application misconfiguration security threats, the method comprising: scanning a computing environment to identify an application on at least one of an authorization server or a network device, the application being configured for network communications (Niemela discloses that the behaviour of the computer system is monitored to detect one or more procedures of the monitored applications and/or services that do not match the expected behaviours of the monitored applications and services. Each procedure of the one or more procedures of the monitored applications and/or services is identified by a characteristic action and one or more expected actions. The procedures may include any one or more of: establishment of a secure session, communication over a secure session, network operations (interpreted as the application being configured for network communications) [0029]. The computer runs a number of further applications, and the security application 14 monitors actions taken by those further applications. The client computer 1 may connect to a server 2, and the security application 14 sends results of the monitoring to the server 2 for analysis, or the analysis may be performed at the client computer 1 by the security application (interpreted as the application being on the device) [0017]);
assessing, based on the comparing, whether the network security configuration is misconfigured (Niemela discloses that if one or more procedures are detected not to match the expected behaviours of the monitored applications and services, S307 is entered, where said application and/or service is identified as malicious or suspicious. In an embodiment, upon detection of one or more procedures not matching the expected behaviours, the method may further comprise analysing whether the detected one or more procedures match activities that are required to exploit said vulnerability types and/or misconfigurations and determining the severity of maliciousness of said application and/or service on the basis of the result of the analysis [0030]);
and providing, based on a determination that the network security configuration is misconfigured, a configuration validation status indicating a misconfiguration vulnerability in the application (Niemela discloses the security application may provide a warning about the detected vulnerability/misconfiguration [0028]).
Although Niemela would teach detecting misconfigurations in a database, Niemela does not explicitly teach but Banerjee teaches analyzing a network security configuration of the application (Banerjee teaches the whitelist agent(s) can determine what web servers, application servers, databases, scripting engines, etc., deployed to the computing instance, are used for executing an application for an end-user. Once determined, the whitelist agents can inspect configuration files for the applications to identify properties or configuration data associated with a given application [0023]); 
comparing the target network address to a whitelist of trusted target network addresses (Banerjee teaches that the configuration file component 304 can identify any information regarding how an application(s) is configured to communicate with other application(s), including IP addresses (interpreted as the application being configured with an IP address) and ports of the application(s), processes associated with the execution of the application(s), source/destination process endpoints, process hierarchy (e.g., parent process to child process), process path, command line arguments, user groups, and the like [0045]. The whitelist can be returned to the agent on a given virtual machine, and the agent can use the whitelist to evaluate network communication generated by the application. For example, in one embodiment, once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist, the whitelist agent can prevent the communication or raise an alert (e.g., to an administrator or end-user) [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include analyzing a network security configuration of the application and comparing the target network address to a whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated to do so for the purpose of detecting anomalies to prevent network intrusion and improving protection against data exfiltration techniques (Banerjee [0022] [0055]).
Although the combination of Niemela-Banerjee would teach a destination address in the configuration files, the combination of Niemela-Banerjee does not explicitly teach but Desai teaches identifying, based on the application, a target network address that the application is configured to use to redirect the network device to a target network resource, the target network address being at least one of: embedded in a source code of the application or included in a list of trusted network addresses associated with the application (Desai teaches application-level access control where access to certain network resources is not allowed from blacklisted applications or is allowed only using a specific whitelisted application that conforms to the security standards of the enterprise; the request is evaluated and redirected to an authorized app if the application is legitimate based on the whitelist [0061-0062]. The admin configures applications (e.g., whitelist, blacklist) and their custom URL schemes, for example: REDIRECT to Application "SafeBrowser" if URL matches "*.company.com"; (c) REDIRECT to Application "BOX" if URL contains "data.company.com" [0069], Figs. 7 and 8 (interpreted as the application being configured to use the target network resource when it is included in a list of trusted network addresses associated with the application)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee to include identifying, based on the application, a target network address that the application is configured to use to redirect the network device to a target network resource, the target network address being at least one of: embedded in a source code of the application or included in a list of trusted network addresses associated with the application, as disclosed by Desai. One of ordinary skill in the art would have been motivated to do so for the purpose of preventing malicious applications from accessing sensitive information (Desai [0003]).
Although the combination of Niemela-Banerjee-Desai would teach a target network resource and detecting misconfiguration, the combination of Niemela-Banerjee-Desai does not explicitly teach but Levy teaches determining, based on an indication of at least one privilege associated with the application and at least one credential associated with the target network resource, whether access to the target network resource by an identity holding the at least one credential would potentially result in an illegitimate privilege elevation by the identity (Levy teaches that the result of the implementing with respect to the requested action includes at least one of: denying or granting access to a privileged access credential [Col 3 lines 62-65]. A second security application (Application.sub.2) may have a corresponding security policy (Policy.sub.2) which impersonates execution for the set of applications or processes to run with elevated (e.g., administrator) privileges. In this situation, if Policy.sub.2 is first to act when User.sub.B attempts to use one of the applications or processes not in the first set (i.e., the whitelisted set), User.sub.B may be permitted to use the applications or processes since they may be granted the administrator privileges. This conflicts with Policy.sub.1, however, which would have restricted use of such applications or processes since they are not whitelisted [Col 11 lines 1-17]; Figs. 2-4 show applications that do not comply with their model with respect to elevating privilege. This inconsistency in privilege identifies the privilege elevation as illegitimate);
and performing, based on at least one of a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address (Levy teaches that specific security decisions of the tested security application (e.g., specific instances of denying access, granting access, granting privileges, elevating privileges, modifying privileged group memberships, etc.) and timing data (e.g., execution time, timing of specific actions, time duration, time zone, etc.) may be identified and stored. These specific actions may be compared to the actions of other security applications (e.g., based on their normalized models), and inconsistencies may be identified [Col 5 lines 10-31]. For a word processing application running on one of endpoints 108 seeking to communicate with a particular file storage site having a particular IP address, security policy 302 may have a variety of different types of Action values for this operation, such as “Allow,” “Deny,” “Fetch Privileges,” “Allow and Audit Report,” “Deny and Send Alert,” etc. [Col 10 lines 1-27]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include determining, based on an indication of at least one privilege associated with the application and at least one credential associated with the target network resource, whether an identity associated with the application can elevate its privileges by accessing the target network resource, and performing, based on at least one of a determination that access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, a control action associated with the target network address, as disclosed by Levy. One of ordinary skill in the art would have been motivated to do so for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).

Re. claim 12, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11. Although Niemela would teach identifying an application, Niemela does not explicitly teach, but Banerjee teaches, wherein scanning the computing environment comprises scanning multiple applications (Banerjee teaches that once the whitelist agents 106A-106N identify the application(s) 104A-104N, the whitelist agents 106A-106N can inspect configuration files 108A-108N to identify properties or configuration data associated with applications 104A-104N [0034]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include wherein scanning the computing environment comprises scanning multiple applications, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated for the purpose of detecting anomalies to prevent network intrusion and improved protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 16, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11, wherein the operations further comprise disabling network communications capabilities for the target network address (Niemela discloses that upon identifying said application and/or service as malicious or suspicious, the application and/or service is handled by one or more of: terminating a process of the application/service, terminating the characteristic action or an action resulting from the characteristic action, removing or otherwise making safe the application/service, and performing a further malware scan on the application/service [0031]).
Although Niemela would teach comparing in a database, Niemela does not explicitly teach, but Banerjee teaches, wherein when the target network address is not included in the whitelist of trusted target network addresses (Banerjee teaches that once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include wherein when the target network address is not included in the whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated for the purpose of detecting anomalies to prevent network intrusion and improved protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 17, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11, wherein the operations further comprise generating an alert identifying the target network address (Niemela discloses that an alert is triggered when detecting any operations on said applications/services that do not match “the baseline,” and especially when said modifications match activities required to exploit a known vulnerability in said application [0031]).
Although Niemela would teach comparing in a database, Niemela does not explicitly teach, but Banerjee teaches, wherein when the target network address is not included in the whitelist of trusted target network addresses (Banerjee teaches that once the whitelist agent determines that a network communication is directed to an address that is not on the constructed whitelist [0023]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Niemela to include wherein when the target network address is not included in the whitelist of trusted target network addresses, as disclosed by Banerjee. One of ordinary skill in the art would have been motivated for the purpose of detecting anomalies to prevent network intrusion and improved protection against data exfiltration techniques (Banerjee [0022] [0055]).

Re. claim 18, Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11. Niemela-Banerjee-Desai do not explicitly teach, but Levy teaches, wherein the operations further comprise determining, based on the target network address, whether the identity has sufficient privileges to access the target network resource (Levy teaches that policy 302 may be a JSON policy file specifying access rights for creating, updating, modifying, or deleting virtual computing resources based on whether an identity has “aws_admin” access privileges [Col 9 lines 28-44]. Levy further teaches that Policy.sub.2 would allow User.sub.B to use the application or process and access the shared resource, since Policy.sub.2 impersonates a valid user of Group.sub.A. This would conflict with Policy.sub.1, however, which only permits access to the shared resource by users within Group.sub.A, and thus not User.sub.B [Col 10 lines 48-67]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include determining, based on the target network address, whether the identity has sufficient privileges to access the target network resource, as disclosed by Levy. One of ordinary skill in the art would have been motivated for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).

Re. claim 20, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 19; furthermore, Levy discloses wherein the control action includes, based on the determining whether access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, at least one of: disabling the network device from accessing the target network resource or generating an alert (Levy teaches that specific security decisions of the tested security application (e.g., specific instances of denying access, granting access, granting privileges, elevating privileges, modifying privileged group memberships, etc.) and timing data (e.g., execution time, timing of specific actions, time duration, time zone, etc.) may be identified and stored. These specific actions may be compared to the actions of other security applications (e.g., based on their normalized models), and inconsistencies may be identified [Col 5 lines 10-31]. Levy further describes a word processing application running on one of endpoints 108 seeking to communicate with a particular file storage site having a particular IP address; security policy 302 may have a variety of different types of Action values for this operation, such as “Allow,” “Deny,” “Fetch Privileges,” “Allow and Audit Report,” “Deny and Send Alert,” etc. [Col 10 lines 1-27]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai to include wherein the control action includes, based on the determining whether access to the target network resource by the identity would potentially result in an illegitimate privilege elevation, at least one of: disabling the network device from accessing the target network resource or generating an alert, as disclosed by Levy. One of ordinary skill in the art would have been motivated for the purpose of blocking or allowing certain access (Levy [Col 2 lines 28-33]).

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela (US 20190188377), Banerjee et al. (US 20170093918, hereinafter Banerjee), Desai et al. (US 20170223024, hereinafter Desai), Levy (US 10601876), and in further view of D et al. (US 20180063140, hereinafter D).

Re. claim 3, the combination of Niemela-Banerjee-Desai-Levy teaches the non-transitory computer readable medium of claim 1. The combination of Niemela-Banerjee-Desai-Levy would teach the network security configuration; the combination of Niemela-Banerjee-Desai-Levy does not explicitly teach, but D teaches, wherein the network security configuration of the application is an OAuth configuration (D teaches that the generic client library in turn interfaces with a data store that includes service-specific OAuth configuration information for each of a plurality of services. The generic client library may use the service-specific configuration information to make the hypertext transfer protocol (HTTP) calls required to complete the steps of the OAuth protocol. Once the steps of the OAuth protocol are complete, the application may use the resulting tokens to access resources provided by the services [0012]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the network security configuration of the application is an OAuth configuration, as disclosed by D. One of ordinary skill in the art would have been motivated for the purpose of authorizing third party applications to access resources in the service on behalf of clients without sharing a user's login credentials (D [0002]).

Re. claim 13, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11. The combination of Niemela-Banerjee-Desai-Levy teaches the network security configuration; the combination of Niemela-Banerjee-Desai-Levy does not explicitly teach, but D teaches, wherein the network security configuration of the application is an OAuth configuration (D teaches that the generic client library in turn interfaces with a data store that includes service-specific OAuth configuration information for each of a plurality of services. The generic client library may use the service-specific configuration information to make the hypertext transfer protocol (HTTP) calls required to complete the steps of the OAuth protocol. Once the steps of the OAuth protocol are complete, the application may use the resulting tokens to access resources provided by the services [0012]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the network security configuration of the application is an OAuth configuration, as disclosed by D. One of ordinary skill in the art would have been motivated for the purpose of authorizing third party applications to access resources in the service on behalf of clients without sharing a user's login credentials (D [0002]).

Claims 4, 5, 14, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela (US 20190188377), Banerjee et al. (US 20170093918, hereinafter Banerjee), Desai et al. (US 20170223024, hereinafter Desai), Levy (US 10601876), and in further view of Srinivasan et al. (US 20190103968, hereinafter Srinivasan).

Re. claim 4, the combination of Niemela-Banerjee-Desai-Levy teaches the non-transitory computer readable medium of claim 1. The combination of Niemela-Banerjee-Desai-Levy would teach the target network resource and network device; the combination of Niemela-Banerjee-Desai-Levy does not explicitly teach, but Srinivasan teaches, wherein the target network resource is a network resource accessible by the network device conditional on the network device asserting an access token (Srinivasan teaches that since the user has already been authenticated, at 220, Cloud Gate 114 then permits access to protected resource 108 [0072]. Distributed system 400 includes one or more client computing devices 402, 404, 406, and 408, coupled to a server 412 via one or more communication networks 410. Client computing devices 402, 404, 406, and 408 may be configured to execute one or more applications, including non-confidential clients, that may use the services of a token relay system for acquiring access tokens [0116], Figs. 2 and 4).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the target network resource is a network resource accessible by the network device conditional on the network device asserting an access token, as disclosed by Srinivasan. One of ordinary skill in the art would have been motivated for the purpose of acquiring tokens, which can then be used to securely access protected resources such as REST based web resources (Srinivasan [0003]).

Re. claim 5, the combination of Niemela-Banerjee-Desai-Levy-Srinivasan teaches the non-transitory computer readable medium of claim 4; furthermore, Srinivasan discloses wherein the access token is dynamically provisioned by an authorization server (Srinivasan teaches that token issuer authority 110 may be an authorization server such as an OAuth server that is configured to issue OAuth access tokens [0039], Fig. 2).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the access token is dynamically provisioned by an authorization server, as disclosed by Srinivasan. One of ordinary skill in the art would have been motivated for the purpose of acquiring tokens, which can then be used to securely access protected resources such as REST based web resources (Srinivasan [0003]).

Re. claim 14, the combination of Niemela-Banerjee-Desai-Levy teaches the computer-implemented method of claim 11. Niemela-Banerjee-Desai-Levy discloses the target network resource and network device; the combination of Niemela-Banerjee-Desai-Levy does not explicitly teach, but Srinivasan teaches, wherein the target network resource is a network resource accessible by the network device conditional on the network device asserting an access token (Srinivasan teaches that since the user has already been authenticated, at 220, Cloud Gate 114 then permits access to protected resource 108 [0072]. Distributed system 400 includes one or more client computing devices 402, 404, 406, and 408, coupled to a server 412 via one or more communication networks 410. Client computing devices 402, 404, 406, and 408 may be configured to execute one or more applications, including non-confidential clients, that may use the services of a token relay system for acquiring access tokens [0116], Figs. 2 and 4).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the target network resource is a network resource accessible by the network device conditional on the network device asserting an access token, as disclosed by Srinivasan. One of ordinary skill in the art would have been motivated for the purpose of acquiring tokens, which can then be used to securely access protected resources such as REST based web resources (Srinivasan [0003]).

Re. claim 15, the combination of Niemela-Banerjee-Desai-Levy-Srinivasan teaches the computer-implemented method of claim 14; furthermore, Srinivasan discloses wherein the access token is dynamically provisioned by an authorization server (Srinivasan teaches that token issuer authority 110 may be an authorization server such as an OAuth server that is configured to issue OAuth access tokens [0039], Fig. 2).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by the combination of Niemela-Banerjee-Desai-Levy to include wherein the access token is dynamically provisioned by an authorization server, as disclosed by Srinivasan. One of ordinary skill in the art would have been motivated for the purpose of acquiring tokens, which can then be used to securely access protected resources such as REST based web resources (Srinivasan [0003]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Dani et al. (US 20210021629) discloses a developer machine. Such machines will have lower security restrictions as they may have whitelisted applications. The system can also be a developer machine based on certain file types (source code files) or databases.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912. The examiner can normally be reached Monday-Thursday 8AM-5PM; Friday: Variable EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/K.A./Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496