DETAILED ACTION

Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections

Claim 10 is objected to because of the following informalities: “The method of claim 8, wherein the authorization request message includes one or more of a username, a password, a user ID, and a location” appears to contradict claim 1. Claim 1 recites “the authorization request message including a set of identification credentials, wherein the identification credentials identify a user, a device, and a location.” Appropriate correction is required.

Claim 13 is objected to because of the following informalities: it is written method form. The structures which goes to make up the system must be clearly and positively specified. The structures must be organized and correlated in such a manner as to present a complete operative system.  Appropriate correction is required.

Claim 14 is objected to because of the following informalities:  it appears to be a redundant limitation to the limitation “the identification credentials identify a user, a device, and a location” of claim 1.  Appropriate correction is required.
Drawings

The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the “host device” and the “computing system” must be shown or the feature(s) canceled from the claim(s).  No new matter should be entered.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 1 recites “...sending at least one alert message from the UE, associated with one or more alert triggers to the host device...” It is unclear if the “at least one alert message” from the UE is sent to the host device. Therefore, this claim is deemed indefinite. Claims 13 is rejected the same because it recites similar claim language. Claims 2-12 and 14-20 are rejected the same because they depend upon claim 1 or 13.

Claim 4 recites the limitation "the transaction" in line 4.  There is insufficient antecedent basis for this limitation in the claim. Therefore, this claim is deemed indefinite.

Claim 13 recites the limitation "the computing system" in line 6.  There is insufficient antecedent basis for this limitation in the claim. Therefore, this claim is deemed indefinite. Claims 19-20 are rejected the same because they depend upon claim 13.

Claims 14 recite the limitation "The system of claim..." in line 1.  There is insufficient antecedent basis for this limitation in the claim. Therefore, this claim is deemed indefinite.

Claims 15 recite the limitation "The system of claim..." in line 1.  There is insufficient antecedent basis for this limitation in the claim. Therefore, this claim is deemed indefinite. Claims 16-18 are rejected the same because they depend upon claim 15.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hernoud et al. (US 20190188993 A1) in view of Brown et al. (US 20190319965 A1).

Regarding claim 1, Hernoud discloses a method comprising: 
receiving, by a computing system (figs. 1-2 CRITSEC 100), an authorization request message from a user equipment (UE), the authorization request message including a set of identification credentials, wherein the identification credentials identify a user, a device, and a location ([0032] To authenticate to the CRITSEC server in accordance with one exemplary embodiment, the software on the mobile device (i.e. “user equipment (UE)” can send the authentication command (i.e. “authorization request message”) to the CRITSEC server along with the user name/password and any other needed data for authentication. The CRITSEC server will then take the data and do the actual authentication through LDAP/active directory and then return the result back to the mobile client through the socket connection. All commands involving LDAP/active directory require the user issuing the command authentication information which is then used by the CRITSEC server to try and run the appropriate LDAP/active directory command so that the existing authorization information is used. This prevents, for example, unauthorized usage by non-privileged users because it is using the existing LDAP or active directory level permissions. [0036] Only Authorized Users on Authenticated Devices May Connect: 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); and 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information. [0067] The mobile devices 50 can also be connected to or include one or more of a smart card reader 52, a biometric reader 54, and can optionally access the network 10 via, for example, a wireless access point 56. Each of the mobile devices 50 are capable of running a Mobile-IMPACT application for which an exemplary interface can be seen on the screen of mobile device 58. CRITSEC 100 can manage one or more of identity proofing, credential issuance, factors of authentication, biometrics, sensors, both onboard and outboard, GIS/GPS systems, access control readers, cameras/video, sensors, enterprise IT security, enterprise facility security, alarm systems, networks, incident management systems, situational awareness suites/dashboards, identity management systems and metadata, directory services, door readers, time and other physical access devices, computer/network access, and the like 110.); 
performing, by the computing system, a validation process via one or more databases, to determine if the identification credentials are valid, and meet an authorization clearance level ([0021] Authenticated users can be allowed to utilize the services, and the roles (e.g. “an authorization clearance level”) will define the degree of authentication (1—what you know, i.e., pass phrase/pin, 2—what you have, e.g., a token and/or the mobile device itself or a combination of the features of the device, 3—who are you, i.e., a biometric, and 4—an arbitrary factor, such as time and location), as well as privileges. All authentication levels/mechanisms and privileges (e.g. “an authorization clearance level”) can be modified based upon, for example, threat levels, policies, rules, implementation environment, and the like. The privileges and authentication required for certain functions can be different than when the user is logged onto a smart device, work station, secure terminal at the office, or the like. [0067] CRITSEC 100 can manage one or more of identity proofing, credential issuance, factors of authentication. [0068] These systems can have access to one or more databases 202 as well as configuration files/registry information 204. [0036] Only Authorized Users on Authenticated Devices May Connect (i.e. “validation process”): 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data; 3. The CRITSEC server receives this data, checks to see if the Device ID that was sent by the device is allowed (if the server is configured to check for this), and then forwards the other authentication pieces to appropriate location (Active Directory/LDAP server, biometric checker, etc.); and 4. If the user is successfully authenticated (i.e. “”) then the server marks this connection and user as allowed to send commands and returns a success result to Mobile-IMPACT application and the user can then begin navigating through the application. Otherwise a failure message is sent to the application and the connection is closed forcing the user to try again. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information. [0094] For example, in step S480, the server can connect to the active directory/LDAP, retrieve information from a database, update a controller configuration, update a user or a user configuration, or the like, and one or more of a confirmation, additional information, or the like, as appropriate, return to the mobile device is step S490. [0031] The software on the mobile devices is also able to communicate and authenticate to the active directory or LDAP directory type services through different methods, including ODBC and future protocols. For example, if the mobile device supports LDAP/active directory (or in general any database structure), and the device is able to connect to a CRITSEC server with a LDAP service running (such as active directory) and since there is no firewall or the firewall allows for remote LDAP/active directory connections, then the software on the mobile device can connect and issue direct LDAP/active directory commands to control the data for the LDAP/active directory service. If the device does not support LDAP/active directory, or by policy the access to open ports is controller/limited, the software on the mobile device can utilize the same connection socket that is used for regular communication to send commands to the CRITSEC server, and commensurately, the CRITSEC server could then issue the command or return the data requested by the command.); 
sending, via the computing system an in-session indication(figs. 1-2 CRITSEC 100; [0036] If the user is successfully authenticated (all configured checks pass) then the server marks this connection (i.e. “in-session indication”) and user as allowed to send commands and returns a success result to Mobile-IMPACT application and the user can then begin navigating through the application. Otherwise a failure message is sent to the application and the connection is closed forcing the user to try again.); 
monitoring an alert trigger from the UE, based on one or more priority values ([0021] All authentication levels/mechanisms and can be modified based upon, for example, threat levels (e.g. “priority values”), policies, rules, implementation environment, and the like. [0028] The server can request that the user provide various information for a multi-factor authentication including, but not limited to, user name/password, knowledge-based answers, challenge-response interchanges, biometrics, device ID, location (longitude and latitude), certificates, and the like. If conditions the CRITSEC server are configured to identify and respond to are not met (e.g. “alert trigger”), the CRITSEC server can optionally disconnect the user and not accept any commands therefrom. This can also be logged and an event generated that creates, for example, an alert for a security manager.  [0034] CRITSEC server logs the event and checks in the settings if the event matches a rule or threshold that was defined, derived or configured for alerting (e.g. “an alert trigger”). If the event matches a rule set or a set of conditions (e.g. “an alert trigger”), the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies can be invoked at time intervals based upon event/response time, etc (e.g. “one or more priority values”). Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0109] In this particular example, there is an alert 1710 illustrated on the interface. The alert includes event information, date information, card information, name information, controller information, as well as the reader information. In addition, relevant links can be provided 1720 and 1730 that allow a user immediate access to management operations that may be associated with the alert. These links 1720 and 1730 can be dynamically created based on the type of the alert, the severity of the alert, type of event, or in general, based on any information associated with the alert (e.g. “priority values”).); 
sending at least one alert message from the UE, associated with one or more alert triggers ([0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0035] Set New Alarm Conditions: 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings (i.e. “alert triggers”) for this event type (i.e. “alert message”). 2. The current settings for this event are loaded by contacting the CRITSEC server for the settings. 3. The user can then enable or disable the methods (i.e. email, text message, screen alerts, etc.) that they want to be alerted with. 4. If the user selects the save button, a command is sent to the server telling it to update the saved settings with the new provided data. [0037] View and Modify Physical Configurations and Settings: 1. Mobile-IMPACT application sends command to CRITSEC server requesting the data for a particular section or device. 2. CRITSEC server checks to see if user is authorized to view data, and if they are, returns the current configuration for that section or device to the Mobile-IMPACT application, which then displays the data to user. 3. If user makes any changes and chooses to save/update, Mobile-IMPACT then sends a command with the updated data to the CRITSEC server. 4. The CRITSEC server then checks to see if the user is authorized to make changes to the settings sent and if the user is allowed, updates the settings for that section or device. [0081] In step S324, the failed attempt (e.g. “alert trigger”) to execute the command can be logged and, in step S326, an optional event (e.g. “alert message”) sent to the event handling module 106.); and 
alerting a second device of the one or more alert triggers received from the UE ([0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies (i.e. “alerting a second device”) can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application. [0044] Aspects of the invention also relate to providing an extension of the CRITSEC functionality to one or more mobile devices to includes one or more of alerts. [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices.).
However Hernoud does not expressly disclose a host device.
Brown, from a similar field of endeavor, teaches a host device ([0064] Referring back to FIG. 1, an example computing system is shown, within which embodiments of the present invention may operate. A user 110 may access a base station 112 (i.e. “host device”), via mobile device 108, which may then be configured to communicate with authentication service 102 via a network 114 (e.g., the Internet, or the like). Moreover, the authentication service 102 may comprise a server 104 (i.e. “computing system”) in communication with a database 106. [0065] The server 104 may be embodied as a computer or computers as known in the art. The server 104 may provide for receiving of electronic data from various sources, including but not necessarily limited to the user device 108 and base station 112. The server 104 may be configured to facilitate, authorize, enable, or verify various actions (e.g., e-commerce transactions) based on, for example, location information provided by various user devices or the like. [0041] FIG. 1 shows a user 110 carrying an associated mobile device 108 that is configured for communication with base station 112. Base station 112, in turn, communicates with one or more servers 104. [0036] Further, where a computing device is described herein to receive data from another computing device, it will be appreciated that the data may be received directly from the another computing device or may be received indirectly via one or more intermediary computing devices, such as, for example, one or more servers, relays, routers, network access points, base stations, and/or the like, sometimes referred to herein as a “network.” Similarly, where a computing device is described herein to send data to another computing device, it will be appreciated that the data may be sent directly to the another computing device or may be sent indirectly via one or more intermediary computing devices, such as, for example, one or more servers, relays, routers, network access points, base stations, and/or the like..).
Therefore, it would have been obvious for a person of ordinary skill in the art at the time of first filing of the claimed invention to provide a host device as suggested by Brown in the system taught by Hernoud in order to communicate data and improve access security (as suggested in [0036] and [0052] of Brown). 

Regarding claim 2, Hernoud in view of Brown discloses the method of claim 1, further comprising: receiving, by the computing system, an authorization request message from the host device, the authorization request message including a set of identification credentials (Hernoud [0030] The software on the mobile devices can be installed like most mobile software with a setup installer. An optional configuration module could require that in order to authenticate on the CRITSEC server, a specific mobile device is required, and only commands from that specific devices/users running the mobile software will be accepted. To restrict access to only particular device, an access list could be created within the CRITSEC environment using a unique identifier, for example, the device ID, MAC address, GUID/composite GUID or the like, of each device that is to be allowed/authorized. The identifier could optionally be retrieved from attributes of the mobile device, and once the identifier is integrated into the list, only those devices on the list would be able to connect. [0032] To authenticate to the CRITSEC server in accordance with one exemplary embodiment, the software on the mobile device (i.e. “user equipment (UE)” can send the authentication command (i.e. “authorization request message”) to the CRITSEC server along with the user name/password and any other needed data for authentication. The CRITSEC server will then take the data and do the actual authentication through LDAP/active directory and then return the result back to the mobile client through the socket connection. All commands involving LDAP/active directory require the user issuing the command authentication information which is then used by the CRITSEC server to try and run the appropriate LDAP/active directory command so that the existing authorization information is used. This prevents, for example, unauthorized usage by non-privileged users because it is using the existing LDAP or active directory level permissions. [0036] Only Authorized Users on Authenticated Devices May Connect: 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); and 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information.).

Regarding claim 3, Hernoud in view of Brown discloses the method of claim 1, wherein the at least one alert message includes information regarding each of the one or more alert triggers (Hernoud [0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0035] Set New Alarm Conditions: 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings (i.e. “alert triggers”) for this event type (i.e. “alert message”). 2. The current settings for this event are loaded by contacting the CRITSEC server for the settings. 3. The user can then enable or disable the methods (i.e. email, text message, screen alerts, etc.) that they want to be alerted with. 4. If the user selects the save button, a command is sent to the server telling it to update the saved settings with the new provided data. [0037] View and Modify Physical Configurations and Settings: 1. Mobile-IMPACT application sends command to CRITSEC server requesting the data for a particular section or device. 2. CRITSEC server checks to see if user is authorized to view data, and if they are, returns the current configuration for that section or device to the Mobile-IMPACT application, which then displays the data to user. 3. If user makes any changes and chooses to save/update, Mobile-IMPACT then sends a command with the updated data to the CRITSEC server. 4. The CRITSEC server then checks to see if the user is authorized to make changes to the settings sent and if the user is allowed, updates the settings for that section or device. [0081] In step S324, the failed attempt (e.g. “alert trigger”) to execute the command can be logged and, in step S326, an optional event (e.g. “alert message”) sent to the event handling module 106.).

Regarding claim 4, Hernoud in view of Brown discloses the method of claim 1, further comprising: determining, by the computing system, priority values corresponding to the one or more alert triggers satisfied by the transaction; determining, by the computing system, a priority of the multiple alert triggers based on the priority values corresponding to the one or more alert triggers; and generating, by the computing system, one or more alert messages based on the priority of the one or more alert triggers to send to one or more additional user equipments (UEs) (Hernoud [0021] All authentication levels/mechanisms and can be modified based upon, for example, threat levels (e.g. “priority values”), policies, rules, implementation environment, and the like. [0028] The server can request that the user provide various information for a multi-factor authentication including, but not limited to, user name/password, knowledge-based answers, challenge-response interchanges, biometrics, device ID, location (longitude and latitude), certificates, and the like. If conditions the CRITSEC server are configured to identify and respond to are not met (e.g. “alert trigger”), the CRITSEC server can optionally disconnect the user and not accept any commands therefrom. This can also be logged and an event generated that creates, for example, an alert for a security manager.  [0034] CRITSEC server logs the event and checks in the settings if the event matches a rule or threshold that was defined, derived or configured for alerting (e.g. “an alert trigger”). If the event matches a rule set or a set of conditions (e.g. “an alert trigger”), the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies can be invoked at time intervals based upon event/response time, etc (e.g. “one or more priority values”). Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0109] In this particular example, there is an alert 1710 illustrated on the interface. The alert includes event information, date information, card information, name information, controller information, as well as the reader information. In addition, relevant links can be provided 1720 and 1730 that allow a user immediate access to management operations that may be associated with the alert. These links 1720 and 1730 can be dynamically created based on the type of the alert, the severity of the alert, type of event, or in general, based on any information associated with the alert (e.g. “priority values”). [0044] Aspects of the invention also relate to providing an extension of the CRITSEC functionality to one or more mobile devices to includes one or more of alerts. [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices.).

Regarding claim 5, Hernoud in view of Brown discloses the method of claim 1, wherein the priority value for each of the alert triggers is predetermined by an issuer (Hernoud [0035] Set New Alarm Conditions: 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings for this event type.).

Regarding claim 6, Hernoud in view of Brown discloses the method of claim 1, further comprising: tracking each of the one or more alert triggers; and storing the priority values of each of the one or more alert triggers in a storage (Hernoud [0008] Query and update user identity and one or more of privileges, permissions, and attributes. [0035] Set New Alarm Conditions: 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings for this event type. 2. The current settings for this event are loaded by contacting the CRITSEC server for the settings. 3. The user can then enable or disable the methods (i.e. email, text message, screen alerts, etc.) that they want to be alerted with. 4. If the user selects the save button, a command is sent to the server telling it to update the saved settings with the new provided data. [0037] If user makes any changes and chooses to save/update, Mobile-IMPACT then sends a command with the updated data to the CRITSEC server. The CRITSEC server then checks to see if the user is authorized to make changes to the settings sent and if the user is allowed, updates the settings for that section or device. [0068] These systems can have access to one or more databases 202 as well as configuration files/registry information 204. As illustrated, these systems have access also to outside resources 110, such as cameras, internet resources, and the like as described above. While not illustrated, each system can also include one or more processors, controllers, memory and storage as appropriate. [0094] For example, in step S480, the server can connect to the active directory/LDAP, retrieve information from a database, update a controller configuration, update a user or a user configuration, or the like, and one or more of a confirmation, additional information, or the like, as appropriate, return to the mobile device is step S490. Brown [0066] The database 106 may be embodied as a data storage device such as a Network Attached Storage (NAS) device or devices, or as a separate database server or servers. The database 106 includes information accessed and stored by the server 104 to facilitate the operations of the authentication service 102. For example, the database 106 may include, without limitation, user account credentials, biometric data, and the like for system administrators and any number and types of various users.).

Regarding claim 7, Hernoud in view of Brown discloses the method of claim 1, wherein the one or more alert triggers includes a set of identification information including one or more of a location-based value, a time of day-based value, a room number value, a user identification value, an alert level value and a threshold value (Hernoud [0034] CRITSEC server logs the event and checks in the settings if the event matches a rule or threshold that was defined, derived or configured for alerting. If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies can be invoked at time intervals based upon event/response time, etc. [0089] Event handling occurs with the cooperation of the event handling module 106, and one or more of the other modules as illustrated, for example, in FIG. 2. For example, if an event occurs, e.g. a physical, logical, or other event, such as failed login attempt, in step S377, the event can optionally be logged. Then, in step S378, a determination is made whether the event is significant enough to trigger an alert. It should be appreciated, that a single event could be configured to trigger an alert, multiple events of the same type, or a combination of events when looked at in totality be the trigger for an alert. If an alert is required, in step S379, an alert command is sent to the CRITSEC server S375 which, as previously discussed, can forward the alert to the mobile device 50. [0075] As will be discussed hereinafter, it is to be appreciated that various rules and policies can be associated with any of the above activities based on, for example, a user profile, whether or not the mobile device 50 has been authenticated to CRITSEC 100, and in general any security measures put in place to ensure the user mobile device 50 is actually authorized to manage CRITSEC 100 and/or impact 200. [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices. Once this configuration has been established, in step S1920, a determination is made whether a triggering event or combination of events has been satisfied. If a triggering event has not been satisfied, control continues to step S1930 where the system is continually monitored with control jumping back to step S1920. If a triggering event, or combination of events has been met, in step S1940, an alert command is sent to the mobile device(s). [0117] The interface in FIG. 20 illustrates another exemplary alerting screen that includes information unique to the security system. In this particular example, there is a colored (an optionally flashing) alert box 2010 illustrated on the interface. The alert 2020 includes event information, date information, card information, name information, controller information, as well as the reader information.).

Regarding claim 8, Hernoud in view of Brown discloses the method of claim 1, wherein the computing system is coupled to a processing network having an enrollment database in the storage, that contains a list of account identifiers enrolled in the computing system (Hernoud [0030] The software on the mobile devices can be installed like most mobile software with a setup installer. An optional configuration module could require that in order to authenticate on the CRITSEC server, a specific mobile device is required, and only commands from that specific devices/users running the mobile software will be accepted. To restrict access to only particular device, an access list could be created within the CRITSEC environment using a unique identifier, for example, the device ID, MAC address, GUID/composite GUID or the like, of each device that is to be allowed/authorized. The identifier could optionally be retrieved from attributes of the mobile device, and once the identifier is integrated into the list, only those devices on the list would be able to connect. [0067] FIG. 1 illustrates an exemplary security system 1 according to this invention. The security system 1 includes an IT/network and physical security management system (CRITSEC) 100, an incident management perimeter access control and tracking system (IMPACT) 100, and one or more mobile devices 50 interconnected by one or more networks 10 and links 5. Brown [0064] Referring back to FIG. 1, an example computing system is shown, within which embodiments of the present invention may operate. A user 110 may access a base station 112, via mobile device 108, which may then be configured to communicate with authentication service 102 via a network 114 (e.g., the Internet, or the like). Moreover, the authentication service 102 may comprise a server 104 in communication with a database 106. [0066] The database 106 may be embodied as a data storage device such as a Network Attached Storage (NAS) device or devices, or as a separate database server or servers. The database 106 includes information accessed and stored by the server 104 to facilitate the operations of the authentication service 102. For example, the database 106 may include, without limitation, user account credentials, biometric data, and the like for system administrators and any number and types of various users.).

Regarding claim 9, Hernoud in view of Brown discloses the method of claim 8, wherein the authorization request message is received by the computing system in response to the processing network determining a matching account identifier (Hernoud [0067] CRITSEC 100 can manage one or more of identity proofing, credential issuance, factors of authentication. [0068] These systems can have access to one or more databases 202 as well as configuration files/registry information 204. [0036] Only Authorized Users on Authenticated Devices May Connect (i.e. “validation process”): 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data; 3. The CRITSEC server receives this data, checks to see if the Device ID that was sent by the device is allowed (if the server is configured to check for this), and then forwards the other authentication pieces to appropriate location (Active Directory/LDAP server, biometric checker, etc.); and 4. If the user is successfully authenticated (i.e. “”) then the server marks this connection and user as allowed to send commands and returns a success result to Mobile-IMPACT application and the user can then begin navigating through the application. Otherwise a failure message is sent to the application and the connection is closed forcing the user to try again. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information.).

Regarding claim 10, Hernoud in view of Brown discloses the method of claim 8, wherein the authorization request message includes one or more of a username, a password, a user ID, and a location (Hernoud [0032] To authenticate to the CRITSEC server in accordance with one exemplary embodiment, the software on the mobile device (i.e. “user equipment (UE)” can send the authentication command (i.e. “authorization request message”) to the CRITSEC server along with the user name/password and any other needed data for authentication. The CRITSEC server will then take the data and do the actual authentication through LDAP/active directory and then return the result back to the mobile client through the socket connection. All commands involving LDAP/active directory require the user issuing the command authentication information which is then used by the CRITSEC server to try and run the appropriate LDAP/active directory command so that the existing authorization information is used. This prevents, for example, unauthorized usage by non-privileged users because it is using the existing LDAP or active directory level permissions. [0036] Only Authorized Users on Authenticated Devices May Connect: 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); and 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information. [0067] The mobile devices 50 can also be connected to or include one or more of a smart card reader 52, a biometric reader 54, and can optionally access the network 10 via, for example, a wireless access point 56. Each of the mobile devices 50 are capable of running a Mobile-IMPACT application for which an exemplary interface can be seen on the screen of mobile device 58. CRITSEC 100 can manage one or more of identity proofing, credential issuance, factors of authentication, biometrics, sensors, both onboard and outboard, GIS/GPS systems, access control readers, cameras/video, sensors, enterprise IT security, enterprise facility security, alarm systems, networks, incident management systems, situational awareness suites/dashboards, identity management systems and metadata, directory services, door readers, time and other physical access devices, computer/network access, and the like 110.).

Regarding claim 11, Hernoud in view of Brown discloses the method of claim 1, wherein the one or more alert triggers indicate one or more indications selected from call my phone, knock on door, help emergency, and cancel request (Hernoud [0087] For example, if the alert has to do with a user trying multiple times to gain access through a door, and those access attempts having failed and number of attempts reaching a threshold, links can be provided in the alert that allow the user to immediately view a camera feed of that door as well as the log information so the user at the mobile device 50 is aware of what access credentials/factors and associated biometrics the user is attempting to use to gain access to the door. [0081] In step S324, the failed attempt to execute the command can be logged and, in step S326, an optional event sent to the event handling module 106. [0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies (i.e. “alerting a second device”) can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0044] Aspects of the invention also relate to providing an extension of the CRITSEC functionality to one or more mobile devices to includes one or more of alerts. [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices).

Regarding claim 12, Hernoud in view of Brown discloses the method of claim 1, wherein the host device is configured to: access one or more active session relating to a plurality of user equipments (UEs); send a request to a user in possession of one of the plurality of UEs; receive a notification from one of the plurality of UEs (Hernoud [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices); sound an alarm (Hernoud [0108] The interface in FIG. 17 illustrates an alerting screen that includes information unique to the security system. For example, the Mobile-IMPACT application can run in the background when the user is not using it, and still receive messages, such as instant messages and alerts from the CRITSEC server, for example, when there is an alert. The message can optionally appear and play sound, vibrate, or otherwise notify the user that they have an alert, and this alert can override other applications running on the mobile device. For example, if the screen of the mobile device is turned off, the alert can turn the screen on for the user thereby providing the user with the ability to work on other applications while still being able to monitor their security infrastructure.); determine security compliance based on one or more of a predetermined security values and the Health Insurance Portability and Accountability Act (HIPAA); or communicate with one or more emergency alert services.

Claim 13 is being rejected  similarly to the rejection of claim 1 above for being directed to an apparatus having operations/functions corresponding to the steps of claim 1 above whereby the scope and contents of the recited limitations are substantially the same.

Regarding claim 14, Hernoud in view of Brown discloses the system of claim 1, wherein the identification credentials identify a user, a device, and a location (Hernoud [0032] To authenticate to the CRITSEC server in accordance with one exemplary embodiment, the software on the mobile device (i.e. “user equipment (UE)” can send the authentication command (i.e. “authorization request message”) to the CRITSEC server along with the user name/password and any other needed data for authentication. The CRITSEC server will then take the data and do the actual authentication through LDAP/active directory and then return the result back to the mobile client through the socket connection. All commands involving LDAP/active directory require the user issuing the command authentication information which is then used by the CRITSEC server to try and run the appropriate LDAP/active directory command so that the existing authorization information is used. This prevents, for example, unauthorized usage by non-privileged users because it is using the existing LDAP or active directory level permissions. [0036] Only Authorized Users on Authenticated Devices May Connect: 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.); and 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data. [0039] If the server is configured to require GPS location information for authentication, the server will inform the application during the authentication stage and the application will send the phone's current GPS position to the server when it sends the rest of the authentication information. [0067] The mobile devices 50 can also be connected to or include one or more of a smart card reader 52, a biometric reader 54, and can optionally access the network 10 via, for example, a wireless access point 56. Each of the mobile devices 50 are capable of running a Mobile-IMPACT application for which an exemplary interface can be seen on the screen of mobile device 58. CRITSEC 100 can manage one or more of identity proofing, credential issuance, factors of authentication, biometrics, sensors, both onboard and outboard, GIS/GPS systems, access control readers, cameras/video, sensors, enterprise IT security, enterprise facility security, alarm systems, networks, incident management systems, situational awareness suites/dashboards, identity management systems and metadata, directory services, door readers, time and other physical access devices, computer/network access, and the like 110.).

Regarding claim 15, Hernoud in view of Brown discloses the system of claim 1, wherein the UE is configured to display a user enabled mobile application (Hernoud [0067] Each of the mobile devices 50 are capable of running a Mobile-IMPACT application for which an exemplary interface can be seen on the screen of mobile device 58.).

Regarding claim 16, Hernoud in view of Brown discloses the system of claim 15, wherein the mobile application comprises of a web-based service accessed by the user through the Internet (Hernoud [0064] and [0124] Furthermore, while the exemplary embodiments illustrated herein show the various components of the system collocated, it is to be appreciated that the various components of the system can be located at distant portions of a distributed network, such as a communications network and/or the Internet, or within a dedicated secure, unsecured, and/or encrypted system.).

Regarding claim 17, Hernoud in view of Brown discloses the system of claim 15, wherein the mobile application is configured to send a plurality of messages to one or more other user equipments (UEs), the plurality of messages including one or more alerts (Hernoud [0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies (i.e. “alerting a second device”) can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application. [0044] Aspects of the invention also relate to providing an extension of the CRITSEC functionality to one or more mobile devices to includes one or more of alerts.  [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices).

Regarding claim 18, Hernoud in view of Brown discloses the system of claim 17, wherein the one or more alert triggers indicate one or more indications selected from call my phone, knock on door, help emergency, and cancel request (Hernoud [0087] For example, if the alert has to do with a user trying multiple times to gain access through a door, and those access attempts having failed and number of attempts reaching a threshold, links can be provided in the alert that allow the user to immediately view a camera feed of that door as well as the log information so the user at the mobile device 50 is aware of what access credentials/factors and associated biometrics the user is attempting to use to gain access to the door. [0081] In step S324, the failed attempt to execute the command can be logged and, in step S326, an optional event sent to the event handling module 106. [0034] If the event matches a rule set or a set of conditions, the CRITSEC server will send an alert via all the defined methods (i.e. Email, text message, screen alerts, etc.) and cascading call tree taxonomies (i.e. “alerting a second device”) can be invoked at time intervals based upon event/response time, etc. Screen alerts are a direct CRITSEC client-server connection, and thus if this is one of the defined rules, the CRITSEC server will send the message to all client's applications (CRITSEC application and Mobile-IMPACT users) which accepts the provided data and highlights and/or displays it instantly to the user allowing them to jump to a particular part of the application (such as the user's card information). [0044] Aspects of the invention also relate to providing an extension of the CRITSEC functionality to one or more mobile devices to includes one or more of alerts. [0116] FIG. 19 illustrates an exemplary method of alerting a mobile device according to this invention. In particular, control begins in step S1900 and continues to step S1910. In step S1910, mobile alerting can be configured on the CRITSEC that allows for mobile alerts to be sent to one or more mobile devices).

Regarding claim 19, Hernoud in view of Brown discloses the system of claim 13, further comprising a physical memory storing instruction and the one or more alert triggers (Hernoud [0008] Query and update user identity and one or more of privileges, permissions, and attributes. [0035] Set New Alarm Conditions: 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings for this event type. 2. The current settings for this event are loaded by contacting the CRITSEC server for the settings. 3. The user can then enable or disable the methods (i.e. email, text message, screen alerts, etc.) that they want to be alerted with. 4. If the user selects the save button, a command is sent to the server telling it to update the saved settings with the new provided data. [0031] The software on the mobile devices is also able to communicate and authenticate to the active directory or LDAP directory type services through different methods, including ODBC and future protocols. For example, if the mobile device supports LDAP/active directory (or in general any database structure), and the device is able to connect to a CRITSEC server with a LDAP service running (such as active directory) and since there is no firewall or the firewall allows for remote LDAP/active directory connections, then the software on the mobile device can connect and issue direct LDAP/active directory commands to control the data for the LDAP/active directory service. If the device does not support LDAP/active directory, or by policy the access to open ports is controller/limited, the software on the mobile device can utilize the same connection socket that is used for regular communication to send commands to the CRITSEC server, and commensurately, the CRITSEC server could then issue the command or return the data requested by the command. [0037] If user makes any changes and chooses to save/update, Mobile-IMPACT then sends a command with the updated data to the CRITSEC server. The CRITSEC server then checks to see if the user is authorized to make changes to the settings sent and if the user is allowed, updates the settings for that section or device. [0068] These systems can have access to one or more databases 202 as well as configuration files/registry information 204. As illustrated, these systems have access also to outside resources 110, such as cameras, internet resources, and the like as described above. While not illustrated, each system can also include one or more processors, controllers, memory and storage as appropriate. [0094] For example, in step S480, the server can connect to the active directory/LDAP, retrieve information from a database, update a controller configuration, update a user or a user configuration, or the like, and one or more of a confirmation, additional information, or the like, as appropriate, return to the mobile device is step S490. Brown [0066] The database 106 may be embodied as a data storage device such as a Network Attached Storage (NAS) device or devices, or as a separate database server or servers. The database 106 includes information accessed and stored by the server 104 to facilitate the operations of the authentication service 102. For example, the database 106 may include, without limitation, user account credentials, biometric data, and the like for system administrators and any number and types of various users.).

Regarding claim 20, Hernoud in view of Brown discloses the system of claim 19, wherein the memory is configured to: receive a request from the UE for the one or more alert triggers or location information of a mobile device amongst a plurality of mobile devices, submitting the one or more alert triggers (Hernoud [0031] The software on the mobile devices is also able to communicate and authenticate to the active directory or LDAP directory type services through different methods, including ODBC and future protocols. For example, if the mobile device supports LDAP/active directory (or in general any database structure), and the device is able to connect to a CRITSEC server with a LDAP service running (such as active directory) and since there is no firewall or the firewall allows for remote LDAP/active directory connections, then the software on the mobile device can connect and issue direct LDAP/active directory commands to control the data for the LDAP/active directory service. If the device does not support LDAP/active directory, or by policy the access to open ports is controller/limited, the software on the mobile device can utilize the same connection socket that is used for regular communication to send commands to the CRITSEC server, and commensurately, the CRITSEC server could then issue the command or return the data requested by the command. [0035] Set New Alarm Conditions 1. User navigates to the event type in Mobile-IMPACT and selects a button to modify the alert settings for this event type. 2. The current settings for this event are loaded by contacting the CRITSEC server for the settings. 3. The user can then enable or disable the methods (i.e. email, text message, screen alerts, etc.) that they want to be alerted with. 4. If the user selects the save button, a command is sent to the server telling it to update the saved settings with the new provided data.); authenticate the request from the UE as being from a UE that is subscribed to the system as a result of an authorization clearance level being met ([[0036] Only Authorized Users on Authenticated Devices May Connect: 1. When the application is started, before the user can navigate anywhere, the user must provide authentication details the server requires (username/password, biometrics, etc.). 2. When the user sends the authentication information to the server, another piece called the Device ID is sent with the data. 3. The CRITSEC server receives this data, checks to see if the Device ID that was sent by the device is allowed (if the server is configured to check for this), and then forwards the other authentication pieces to appropriate location (Active Directory/LDAP server, biometric checker, etc.). 4. If the user is successfully authenticated (all configured checks pass) then the server marks this connection and user as allowed to send commands and returns a success result to Mobile-IMPACT application and the user can then begin navigating through the application. Otherwise a failure message is sent to the application and the connection is closed forcing the user to try again.); and transmit the one or more alert triggers or location information to the UE ([0036] 4. If the user is successfully authenticated (all configured checks pass) then the server marks this connection and user as allowed to send commands and returns a success result to Mobile-IMPACT application and the user can then begin navigating through the application. Otherwise a failure message is sent to the application and the connection is closed forcing the user to try again. [0037] View and Modify Physical Configurations and Settings: 1. Mobile-IMPACT application sends command to CRITSEC server requesting the data for a particular section or device. 2. CRITSEC server checks to see if user is authorized to view data, and if they are, returns the current configuration for that section or device to the Mobile-IMPACT application, which then displays the data to user. 3. If user makes any changes and chooses to save/update, Mobile-IMPACT then sends a command with the updated data to the CRITSEC server. 4. The CRITSEC server then checks to see if the user is authorized to make changes to the settings sent and if the user is allowed, updates the settings for that section or device. [0038] Query and Update User Identity and Privilege Information—this can be accomplished in a similar manner to the “View and Modify Physical Configurations and Settings”.).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAJSHEED O BLACK-CHILDRESS whose telephone number is (571)270-7838. The examiner can normally be reached M to F, 10am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, QUAN-ZHEN WANG can be reached on (571) 272-3114. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/RAJSHEED O BLACK-CHILDRESS/Examiner, Art Unit 2684