DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Amended claims 1-20 as submitted on 7/12/22 were considered.  

Response to Arguments
	Applicant’s arguments submitted on 7/12/22 were considered, but are not persuasive.
	Applicant argues that Ocepek does not teach the list 146 is used to identify a client device as unrecognized as required by the claim language.  Note that as discussed below, in response to applicant’s amendments, data structure 128, as discussed in at least paragraph 58, is considered the claimed list.  Data structure 128 is made of several lists, thus is itself a list and contains the identifiers of all previously known clients.  As discussed in paragraph 16, if a client is not known, then the client must go through authentication procedures.  The only way that Ocepek’s invention can determine if a client is known previously or not is by consulting data structure 128 to see if the client is listed in one of the lists in the data structure.
	Applicant argues Ocepek does not block access to the secure network but rather only allows limited access.  In other words, applicant is admitting that Ocepek blocks some access to the network.  The limitation as written does not require full blocking of access.  Further, even if access is allowed to authentication server 18 so that the unknown client can undergo authentication procedures, access to the network made of servers 16 is still automatically blocked.  One does not have to consider authentication server 18 part of the network formed from servers 16.
	Applicant argues Ocepek does not discuss any message sent from system device 10 to the authentication server 18.  The examiner disagrees.  If the client is new/unrecognized, the client must undergo authentication procedures with authentication server 18 (paragraphs 16 and 47).  Some form of message must be sent even if the format of the message isn’t explicitly specified since authentication procedure does occur.  The alternative is that authentication spontaneously and without any input occurs at just the right moment that there is an unrecognized client that needs to be authenticated, which is absurd.  This message could be an actual message or packet from security device 10 to authentication server asking that authentication procedures get initialized or the client being redirected to authentication server 18.  The claim does not specify what format the message may take.
	Applicant argues that any identification information is added to a list when the response is received.  The examiner disagrees.  In particular, paragraph 66 discusses how the login procedure is monitored and depending on if the client successfully authenticates or not (i.e. the response), the client’s identification information is added to one or more lists discussed, which indicates if the client is allowed access or if it is blocked.  These lists are found in data structure 128 as discussed in paragraph 58.  Data structure 128 is considered the claimed list.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 5, 9-15, 17, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ocepek et al (US 2004/0054926) in view of Owen et al (US 2004/0187018).
Claims 1 and 14:
	As per claim 1, Ocepek discloses:
automatically detecting with a network device of the secure network an attempt by the client to access the secure network (paragraphs 39, 61, and 63;  Security device 10 passively monitors for when client devices 24 attempts to access the network, including the secured parts, by processing all frames received).
automatically detecting with a network device of the secure network the client device requesting access to the secure network as unrecognized based on a comparison of the client device to a list maintained by the network device such that the client device has not previously requested access to the secure network (paragraphs 16, 46, 57-59, 63, and 74; Data structure 128 is considered the claimed list because a group of lists is itself a list.  Data structure 128, as discussed in paragraph 58, is comprised of several lists and together these lists contain a listing of all clients previously known.  Upon detection of a client attempting to access the protected servers 16, the lists found in data structure 128 are consulted to determine if the client was previously known, i.e. previously attempted to access the protected servers.  If they are not found in one of the lists in data structure 128, the client is considered an unknown client and forced to undergo authentication procedures).
automatically blocking with the network device access to the secure network by the client device based on the client device being detected as unrecognized (paragraphs 16, 46, 57, 63, 65-66, and 74;  As discussed in at least paragraph 16, for example, when an unknown client first attempts access, access to protected server devices by the client is blocked and the client is directed towards the authentication server.  Note that although an unknown client is redirected to the authentication server of the network to authenticate, the limitation of automatically blocking the network device is still met because the network device has been blocked from accessing the protected servers until successfully authenticated.  As worded, blocking access does not require blocking access to the entire network.  Even blocking access to part of the secure network would meet the limitation.  Alternatively, the protected servers 16 could be considered the claimed secure network without considering the authentication server or the secure device as part of the secure network as a network is two or more computers in communication with each other and as seen in Figure 1, there are multiple secure servers 16);
automatically causing a message in electronic form to be sent from the network device to a manager of the secure network based on the client device being detected as an unrecognized client device as another level of security, the message seeking a response from the manager as to whether access to the unrecognized client device should be granted or denied (paragraphs 16, 46, 57, 63, 65-67, and 74; The authentication server is considered the claimed manager and only if the authentication manager indicates that the client successfully authenticated will access to protected devices/servers be allowed to the client.  If the client fails to authenticate, access to protected devices is blocked.  Whatever means is used to allow the unknown/new client to contact the authentication server 18 to go through authentication procedures can be considered the claimed message sent in electronic form from the network device/security device 10 to the manager/authentication server 18.  One skilled should appreciate that this could be a message telling the authentication server that the client has to go through authentication or it could just be the security device redirecting the new client’s connection to the authentication server); and
automatically adding identification information of the unrecognized client device to the list of known client devices when the response is received by the network device and granting or denying access based on the response (paragraphs 16, 46, 58, 65-67, and 68-69; In particular, paragraph 66 discusses how the login procedure is monitored and depending on if the client successfully authenticates or not (i.e. the response), the client’s identification information is added to one or more lists discussed, which indicates if the client is allowed access or if it is blocked.  These lists are found in data structure 128 as discussed in paragraph 58).

Ocepek does not disclose, but Owen discloses determining that the client device has passed a first-factor of a multi-factor authentication security system (Fig 5; paragraphs 52-54, 57, and 159; Multi-factor authentication scheme is disclosed where access is allowed only if a user/client is able to successfully pass two or more authentication schemes.  Those schemes could include pin/password authentication, geolocation authentication, time based authentication, etc.  As per paragraph 159, each of the authentication schemes can be carried out in any order with respect to each other).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to utilize Owen’s teachings of a multi-factor authentication scheme along with the various individual authentication schemes within Ocepek’s invention.  One of ordinary skill would have been motivated to utilize Owen’s teachings because use of multiple authentication schemes would cover the weaknesses of any one authentication scheme and Owen’s teachings overcome the disadvantages of previously known authentication schemes (Owen: paragraph 8).

The rejection of claim 1 applies, mutatis mutandis, to claim 14.  Note that Ocepek’s invention being implemented in a computer network, it would also have a memory storing one or more instructions; and at least one processor configured to execute the one or more instructions to carry out the tasks required of the invention (Fig 1).

Claims 2 and 17:
Ocepek further discloses wherein the identification information is a Media Access Control (MAC) address of the client device (paragraphs 58-59).  

Claim 5:
	Ocepek further discloses wherein the message is selected from the group consisting of a text message sent to a phone number of the manager, an email sent to an email address of the manager, or an electronic message sent to an app accessible by the manager (paragraphs 61 and 66; Security device 10 sends electronic message to authentication server to perform authentication on a client.  The application/software used by the authentication server to receive the authentication request is considered the app accessible by the manager/authentication server).

Claim 9:
	Ocepek further discloses wherein the network device communicates with a cloud server for at least one of having the message sent and having the response received (paragraphs 35-36; Network can include wireless portions, thus servers can be cloud servers).

Claim 10:
	Owen further makes obvious wherein said steps of detecting that the client device as unrecognized, causing, and adding are part of a security system for granting or denying access to client devices to the secure network (paragraph 66; Owen’s teachings show that it can use any number of multi-factor authentication schemes, so when Ocepek and Owen’s teachings are combined, any authentication scheme Ocepek already uses can be incorporated with ones taught by Owen as part of a greater security system for granting or denying access to client devices in the secure network).

Claim 11:
	Owen further makes obvious wherein said steps of detecting that the client device as unrecognized, causing, and adding are part of a second or subsequent factor of a multi-factor authentication security system, and wherein the first-factor of the multi-factor authentication security system must be passed before said steps of detecting that the client device as unrecognized, causing, and adding occur (paragraph 159; Each authentication scheme of the multi-factor authentication scheme can be performed in any order relative to each other).

Claim 12:
	Owen further discloses wherein the first-factor requires accurate submission of a pre-set secret password (paragraphs 19 and 159).

Claim 13:
	Ocepek and Owen further disclose wherein the client device is selected from the group consisting of a smartphone, smartwatch, tablet computer, lap-top computer, wearable device, smartwatch, smart appliance, smart television, computer, lap top computer, tablet computer, and wireless personal electronic device (Ocepek: paragraph 36 and Owen: paragraph 11).

Claim 15:
Ocepek further discloses wherein the secure network is a wireless local area network (WLAN), wherein the network device is customer premise equipment (CPE), a gateway device, or a WiFi router of the secure network that has access to the Internet, and wherein the network device transmits the message to the manager via the Internet (paragraphs 35-37).

Claim 19:
Ocepek further discloses wherein the at least one processor is further configured to execute the one or more instructions to directly send the message and receive the response (paragraphs 46 and 48).

Claim 20:
	Ocepek and Owen further make obvious wherein the at least one processor is further configured to execute the one or more instructions to provide the multi-factor authentication system for granting or denying access to client devices to the security network (Owen: paragraphs 10 and 19), and wherein the multi-factor authentication security system includes the first-factor requiring accurate for a pre-set secret password (Owen: paragraphs 10 and 19), and wherein a second or subsequent factor of the multi-factor authentication security system is provided by the list maintained by the network device (Owen: paragraph 10 and 159; Ocepek: paragraphs 57-59; As per Owen’s teachings, each factor in the multi-factor authentication system can be performed in any order relative to each other.  Since Ocepek discloses use of a list maintained by the network device as part of his authentication scheme, in the combination invention of Ocepek-Owen, the pin/password authentication and authentication using a list can both be utilized and in any order).



Claim(s) 3-4 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ocepek et al (US 2004/0054926) in view of Owen et al (US 2004/0187018) in further view of Huotari et al (US 2009/0122787).
Claim 3:
	Ocepek and Owen do not explicitly disclose, but Huotari discloses wherein the list includes a whitelist of identification information of known client devices that are automatically to be granted access to the secure network by the network device (paragraph 32).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Ocepek and Owen’s combination invention according to Huotari’s teachings discussed by using a whitelist to bypass multifactor authentication of a client.  One skilled would have been motivated to do so as it would allow automatic access of a client to protected resources without having to go through all the authentication processes (Huotari: paragraph 32), which would save computer resources.

Claim 4:
	Ocepek and Owen do not explicitly disclose, but Huotari discloses wherein the list includes a blacklist of identification information of known client devices that are automatically to be denied access to the secure network by the network device (paragraph 32).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Ocepek and Owen’s combination invention according to Huotari’s teachings discussed by using a blacklist to bypass multifactor authentication of a client and automatically blocking known clients that previously failed the authentication process.  One skilled would have been motivated to do so as it would allow automatic blocking of a client to protected resources without having to go through all the authentication processes (Huotari: paragraph 32), which would save computer resources and prevent a brute force attack.

Claim 16:
	The rejection of claims 3 and 4 combined, applies, mutatis mutandis, to claim 16.




Claim(s) 5-8 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ocepek et al (US 2004/0054926) in view of Owen et al (US 2004/0187018) in further view of Wang et al (US 9,961,079).

Claim 5:
	Alternative to the above rejection of claim 5 over Ocepek and Owen, Wang also discloses wherein the message is selected from the group consisting of a text message sent to a phone number of the manager, an email sent to an email address of the manager, or an electronic message sent to an app accessible by the manager (col 6, lines 62-67; Use of messages sent via text to a phone number).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Wang’s teachings into Ocepek and Owen’s combination invention so that the message was sent via text.
The rationale for why one of ordinary skill in the art would find it obvious to do so is that doing so is nothing more than simple substitution of one known element (i.e. type of message) for another to achieve predictable results (see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007)).

Claim 6:
	Wang further discloses the step of requesting a phone number, email address, or username of an app to be input by the manager during setup of the network device (paragraphs 53-54; Messaging is done via phone or text, which means a phone number needs to be set up at some point for successful message delivery to phone).
	Note that a manager device/program requesting the user input a phone number, email address, or user name for an app as part of a system or software setup was also something that was well known in the art prior to the effective filing date of applicant’s claimed invention.  It would have been obvious for one of ordinary skill in the art to further modify Ocepek-Owen-Wang’s combination invention to have the manager request a user to input a phone number, email address, or username of an app as part of a standard network system setup so the system works properly in order to know where to send alert messages.

Claim 7:
	Ocepek further discloses wherein the secure network is a wireless local area network (WLAN), wherein the network device is customer premise equipment (CPE), a gateway device, or a WiFi router of the secure network that has access to the Internet, and wherein the network device transmits the message to the manager via the Internet (paragraphs 35-37).

Claim 8:
	Ocepek further discloses wherein the network device performs at least one of (directly) sending the message and receiving the response (paragraphs 46 and 48).

Claim 18:
	Claim 18 recites limitations substantially similar to what is recited in both claims 5 and 6, thus the rejections of claims 5 and 6 over Ocepek, Owen, and Wang apply, mutatis mutandis, to claim 18.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495