DETAILED ACTION
This office action is in reply to applicant communication filed on June 29, 2022.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-21, 29-49, 57-77, and 84 have been cancelled.
Claims 22-28, 50-56, and 78-83 are pending. 

Response to Argument
Applicant’s arguments filed on June 29, 2022 with respect to the 35 USC 102/103 rejections of independent claims have been fully considered but they are not persuasive.

Applicant argues that the prior art of record, Osajima (US Pub. No. 2009/0060189) in view of Lu (US Pub. No. 2007/0208949), fails to teach the limitation of the independent claims, “… a privilege controller to, based on a policy indicated in the command, set read and write privileges for the security device”. Examiner respectfully disagrees.

A review of the prior art of record (Osajima and Lu) corresponding to the above argued claim limitation reveals that the argued limitation is disclosed by Lu’s reference as, (paragraph 38 of Lu, after receiving Set_Report command from the host, the information security device resolves the command according to the data resolving protocol defined previously and performs appropriate security operations, such as conducting PIN authentication and signature authentication, downloading necessary data to the specified location, reading/writing/modifying/adding/deleting files according to file access privilege, or changing operation privileges on files). Applicant further argued, on page 3 of the remarks, that an interconnect or communication protocol that is defined previously to receiving a Set_Report command does not teach or suggest the claimed policy indicated in a command. Examiner would point out that any instruction/command issued by the system or controller carries some kind of policy to cause an action to be carried out. Therefore, under the broadest reasonable interpretation, the claimed term “policy indicated in the command” could be any kind of instruction/command that is issued by the controller to set read and write privileges. The prior art (Lu’s reference) discloses this interpretation as, (paragraph 38 of Lu, after receiving Set_Report command from the host, the information security device resolves the command according to the data resolving protocol defined previously and performs appropriate security operations, such as conducting PIN authentication and signature authentication, downloading necessary data to the specified location, reading/writing/modifying/adding/deleting files according to file access privilege, or changing operation privileges on files).


Applicant argues that the prior art of record, Osajima in view of Lu, fails to teach the limitation of the independent claims, “… a participant list generator to, responsive to a command to add a security device to a secured group of devices in a network to prevent malicious activity, adding the security device to a participant device list including one or more endpoint devices and a control plane server to generate an updated participant device list”. Examiner respectfully disagrees.

A review of the prior art of record (Osajima) corresponding to part of the above argued claim limitation, “a participant list generator to, responsive to a command to add a device to a secured group of devices in a network to, add the device to a participant device list including one or more endpoint devices and a control plane server to generate an updated participant device list”, reveals that the argued limitation is disclosed by Osajima’s reference as, (paragraph 61 of Osajima, the member management table 300 has one record 301 for each group 40 managed by the group management server 10. Each record 301 has a group identification information field 302 for storing group identification information to identify groups 40 and a terminal device/member identification information field 303 for storing terminal device/member identification information to identify the terminal devices 20 (or members) that belong to a group 40) and (paragraph 47 of Osajima, the group management server 10 is a server that manages a receiving group such as the group 40, e.g., using a group management table 6 and has the following functionality: generating a deletion key 60 corresponding to each of the terminal devices 20 and distributing it to a requiring terminal device 20; when a new terminal device 20 is added to the group 40, generating a different group encryption key (referred to as a "new group encryption key") for the group 40 to which the new terminal device 20 is added and distributing it to the terminal devices 20 that belong to the group 4) and (paragraph 76 of Osajima, terminal device A is authorized to request subscription and deletion of a new member to and from the group management server 10, which will in turn, on request from terminal device A with the admin privileges, update the member management table 300, generate and distribute a new group encryption key 50, generate/delete a deletion key 60, generate and distribute an updated group encryption key 50, and so on).
Osajima’s reference fails to teach the other part of the above argued limitation, “a security device that prevent malicious activity”. However, in the same field of endeavor, Lu’s reference teaches this limitation as, (paragraph 38 of Lu, after receiving Set_Report command from the host, the information security device resolves the command according to the data resolving protocol defined previously and performs appropriate security operations, such as conducting PIN authentication and signature authentication, downloading necessary data to the specified location, reading/writing/modifying/adding/deleting files according to file access privilege, or changing operation privileges on files).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 22, 26-27, 50, 54-55, 78, and 82-83 are rejected under 35 U.S.C. 103 as being unpatentable over Osajima (US Pub. No. 2009/0060189) in view of Lu (US Pub. No. 2007/0208949).

As per claim 22, Osajima discloses:
An apparatus comprising: a participant list generator to, responsive to a command to add a device to a secured group of devices in a network to, add the device to a participant device list including one or more endpoint devices and a control plane server to generate an updated participant device list; (paragraph 61 of Osajima, the member management table 300 has one record 301 for each group 40 managed by the group management server 10. Each record 301 has a group identification information field 302 for storing group identification information to identify groups 40 and a terminal device/member identification information field 303 for storing terminal device/member identification information to identify the terminal devices 20 (or members) that belong to a group 40) and (paragraph 47 of Osajima, the group management server 10 is a server that manages a receiving group such as the group 40, e.g., using a group management table 6 and has the following functionality: generating a deletion key 60 corresponding to each of the terminal devices 20 and distributing it to a requiring terminal device 20; when a new terminal device 20 is added to the group 40, generating a different group encryption key (referred to as a "new group encryption key") for the group 40 to which the new terminal device 20 is added and distributing it to the terminal devices 20 that belong to the group 4) and (paragraph 76 of Osajima, terminal device A is authorized to request subscription and deletion of a new member to and from the group management server 10, which will in turn, on request from terminal device A with the admin privileges, update the member management table 300, generate and distribute a new group encryption key 50, generate/delete a deletion key 60, generate and distribute an updated group encryption key 50, and so on).
a command controller to, based on the command, determine whether to generate a shared communication key using a shared system key; and a communication processor to encrypt communications with the one or more endpoint devices with the shared communication key. (Paragraph 42 of Osajima, the group encryption key 50 refers to a secret key shared by the terminal devices 20 that belong to the group 40. When a terminal device 20 is added to, or deleted from, the group 40, and when a regular update of security-related keys is performed, a new group encryption key 50 is generated) and (paragraph 43 of Osajima, the terminal devices 20 that belong to the group 40 use the group encryption key 50 to encrypt/decrypt information when communicating within the group. Alternatively, when a terminal device 20 is deleted from the group 40, each terminal device 20 generates a new group encryption key 50 using the deletion key 60 of the terminal device 20 to be deleted).
Osajima teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The method of having a security device that prevents malicious activity and a privilege controller to, based on a policy indicated in the command, set read and write privileges for the security device.
However, in the same field of endeavor, Lu teaches this limitation as, (paragraph 38 of Lu, after receiving Set_Report command from the host, the information security device resolves the command according to the data resolving protocol defined previously and performs appropriate security operations, such as conducting PIN authentication and signature authentication, downloading necessary data to the specified location, reading/writing/modifying/adding/deleting files according to file access privilege, or changing operation privileges on files).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima and include the above limitation using the teaching of Lu in order to secure the computing system using a system that is independent from the computing system and enhance the security of the system (see abstract of Lu).

Claims 50 and 78 are rejected for the same reasons set forth in the rejection of claim 22.

As per claim 26:
Osajima teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The apparatus of claim 22, wherein the privilege controller is to, based on the policy, set the read and write privileges for the security device so that the security device can read communications from any of the one or more endpoint devices and the control plane server but cannot send communications to any of the one or more endpoint devices.
However, in the same field of endeavor, Lu teaches this limitation as, (paragraph 38 of Lu, after receiving Set_Report command from the host, the information security device resolves the command according to the data resolving protocol defined previously and performs appropriate security operations, such as conducting PIN authentication and signature authentication, downloading necessary data to the specified location, reading/writing/modifying/adding/deleting files according to file access privilege, or changing operation privileges on files).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima and include the above limitation using the teaching of Lu in order to secure the computing system using a system that is independent from the computing system and have the proper privilege level to secure the system (see paragraph 38 of Lu).

Claims 54 and 82 are rejected for the same reasons set forth in the rejection of claim 26.

As per claim 27:
Osajima teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The apparatus of claim 22, wherein the security device includes a security information and event management server.
However, in the same field of endeavor, Lu teaches this limitation as, (paragraph 31 of Lu, the information security device 302 has a high performance built-in SCM or smart card chip 303. It is connected to the host 301 via a built-in USB interface. The SCM or smart card chip 303 can store user keys or digital certificates. The user identity is authenticated with the encryption algorithms built in USB Key. The SCM or smart card chip has built-in operating system).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima and include the above limitation using the teaching of Lu in order to secure the computing system using a system that is independent from the computing system and have appropriate security information (see paragraph 31 of Lu).

Claims 55 and 83 are rejected for the same reasons set forth in the rejection of claim 27.

Claims 23, 51, and 79 are rejected under 35 U.S.C. 103 as being unpatentable over Osajima (US Pub. No. 2009/0060189) in view of Lu (US Pub. No. 2007/0208949) and further in view of Sprunk (US Pub. No. 2008/0049942).

As per claim 23:
The combination of Osajima and Lu teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The apparatus of claim 22, further including a key generator to: based on the command indicating not to generate the shared communication key using the shared system key, generate the shared communication key using a private key; and based on the command indicating to generate the shared communication key using the shared system key, generate the shared system using the shared system key.
However, in the same field of endeavor, Sprunk teaches this limitation as, (paragraph 56 of Sprunk, upon receipt of the data request message, the PKI server 16 retrieves an appropriate set of PKI data from its database 36, and generates a random key agreement key pair based on a set of pre-determined system key agreement parameters, which may differ for each type of PKI data or for each family of products. The PKI server 16 also generates a shared secret based on the PKI server key agreement private key and the product's key agreement public key that was received as part of the data request message 108).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima and Lu to include the above limitation using the teaching of Sprunk in order to generate the encryption/shared key using different key information and increase the level of system security (see paragraph 56 of Sprunk).

Claims 51 and 79 are rejected for the same reasons set forth in the rejection of claim 23.

Claims 28 and 56 are rejected under 35 U.S.C. 103 as being unpatentable over Osajima (US Pub. No. 2009/0060189) in view of Lu (US Pub. No. 2007/0208949) and further in view of Matsumoto (US Pub. No. 2015/0254477).

As per claim 28:
The combination of Osajima and Lu teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The apparatus of claim 22, wherein the command is to indicate to (a) generate the shared communication key using the shared system key when computational burden of the one or more endpoint device is to be reduced, and (b) not to generate the shared communication key using the shared system key when security is to be optimized.
However, in the same field of endeavor, Matsumoto teaches this limitation as, (paragraph 69 of Matsumoto, according to the encryption process in FIG. 8, the secret information encryption key 305 is generated by combining the information a 410 with the information b 304 (step S704), but a bit value constituting the information b 304 varies according to, for example, the individual host controller 101, and it is thus possible to generate the secret information encryption key 305 unique to an encryption IC chip, making reproduction of the secret information encryption key 305 more difficult and thus further raising security level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima and Lu to include the above limitation using the teaching of Matsumoto in order to generate the encryption/shared key using different key information and increase the level of system security (see paragraph 69 of Matsumoto).

Claim 56 is rejected for the same reasons set forth in the rejection of claim 28.

Claims 24, 52, and 80 are rejected under 35 U.S.C. 103 as being unpatentable over Osajima (US Pub. No. 2009/0060189) in view of Lu (US Pub. No. 2007/0208949) and further in view of Sprunk (US Pub. No. 2008/0049942) and Donlan (US 11,082,217).

As per claim 24:
The combination of Osajima, Lu, and Sprunk teaches the method of adding and removing a new terminal device to and from the network (see paragraph 47 of Osajima) but fails to disclose:
The apparatus of claim 23, wherein the key generator is to generate the shared system key via an asynchronous ratchet tree group key calculation when the command indicates not to generate the shared communication key using the shared system key.
However, in the same field of endeavor, Donlan teaches this limitation as, (column 12, lines 40-50 of Donlan, while the example in FIG. 4 shows ratcheting in two dimensions (horizontally and vertically, in the figure), other embodiments implement more than two dimensions where, for example, a node in the tree can be ratcheted in three more different ways to generate different seeds to be ratcheted to generate keys. In such a tree, there can be a predetermined way of traversing the tree (by ratcheting) so that keys are used in sequential order).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Osajima, Lu, and Sprunk to include the above limitation using the teaching of Donlan in order to generate different kinds of encryption/shared keys in different ways based on the initial keys/seeds (see column 3, lines 65-67 and column 4, lines 1-14 of Donlan).

Claims 52 and 80 are rejected for the same reasons set forth in the rejection of claim 24.

Allowable Subject Matter
Claims 25, 53, and 81 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Examiner will provide reasons for allowance at the time of allowing the application.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Marvais (US Pub. No. 2014/0115655). Marvais discloses methods and systems for the rapid deployment of network security devices.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571) 270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434