DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to amendment filed on 11/23/2022.  Claims 1, 4, 6, 8-13, 17, and 19 have been amended by the Applicant. Claims 1-20 have been examined.  This action is Non-Final.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/23/2022 has been entered.
 
Response to Amendment

Applicant's arguments filed 11/23/2022 have been fully considered but they are not persuasive. 
Applicant’s remark:  On pages 8-9 of the Applicant’s remark the Applicant states that, claim 13 would overcome the previous 112 rejection.  


Examiner’s response: 112 rejection on claim 13 has been withdrawn due to the Applicant amending to overcome 112 (b).
Applicant’s remark: On page 9-10 of the Applicant’s remark the Applicant argues claims 1-20 previous 101 rejection.  Further, the Applicant argues Step 2A Prong One, Applicant states that the claims cannot be practically be performed in the human mind. The Applicant states that the MPEP provides several illustrative examples of types of claims that cannot be practically performed by the human mind, “a claim to a specific data encryption method for computer communication involving a several-step manipulation of data”; and “detecting suspicious activity by using network monitors and analyzing network packets”.
Examiner’s response:   On page 10 of the Applicant’s remark, the Examiner disagrees with Applicant.  The example given, “detecting suspicious activity by using network monitors and analyzing network packets”.  Does not pertain to the Applicant’s claims.  Furthermore, in the MPEP states, “claims do recite a mental process when they contain limitations that can practically be performed in the human mind, including for example, observations, evaluations, judgments, and opinions”(See MPEP 2106.04).   Claims to "comparing BRCA sequences and determining the existence of alterations," where the claims cover any way of comparing BRCA sequences such that the comparison steps can practically be performed in the human mind”, University of Utah Research Foundation v. Ambry Genetics, 774 F.3d 755, 763, 113 USPQ2d 1241, 1246 (Fed. Cir. 2014).  “A claim to collecting and comparing known information (claim 1), which are steps that can be practically performed in the human mind”, Classen Immunotherapies, Inc. v. Biogen IDEC, 659 F.3d 1057, 1067, 100 USPQ2d 1492, 1500 (Fed. Cir. 2011).  

Thus, the step of “comparing the hash value received with a predetermined hash value”, can practically be performed in the mind.  Thus, the Applicant’s other example provided, “a claim to a specific data encryption method for computer communication involving a several-step manipulation of data”.  Is moot in regards to the arguments above.
Applicant’s argument:  Additionally, Applicant respectfully submits that the human mind is not equipped to practically perform several of the operations recited in Claims 1, 8, and 12. Even if a human mind could compare a hash value against a predetermined hash value it would be impractical to do so in the context of an automated system/method for verifying security compliance of a computer/device network as recited in Claims 1, 8, and 12, as relying on a human to mentally perform this operation would not be seen as a practical approach by those of ordinary skill in the art. 
Examiner’s response:  The Examiner asserts that there is no automated process claimed , nor a step of “verifying”.  Thus, the Applicant’s arguments are moot.  Furthermore, the Applicant is arguing the newly added limitations of “generating… a flag signal reporting”, and “providing an alert”… The Applicant states that these limitation are not performed in the mind.  The Examiner does not assert that these limitations are performed in the mind.  Therefore, the Applicant’s argument is moot.  The “generating… a flag signal reporting”, and “providing an alert” is post-solution activity.




Applicant’s argument: Step 2A Prong Two: On pages 11-12, the Applicant states that the claims recite an improvement to other technology to technical field.  
Examiner’s response: The Examiner disagrees.  The courts have found it was not enough to qualify as “significantly more” when recited in a claim with a judicial exception include: Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984 (see MPEP § 2106.05(d)).  Thus, comparing hash values is well-known in the art, and checking whether a default password has been changed is also well-known in the art.
Applicant’s argument: Step 2B: On page 13 of the Applicant’s argument, “generating.. a flag signal reporting… and providing… an alert, and generating a report…” is not well-understood, routine, conventional activity.
Examiner’s response: Step 2 B asks does the claim recite additional elements that amount to significantly more than the judicial exception?  The additional elements are, “generating, by the server, a flag signal reporting the security non-compliance of the device, providing, in response to the determination of security non-compliant, an alert that the said device is security non-compliant; and generating a report of the security compliant status of the one or more devices on the network”.  The additional claim elements do not amount to significantly more than the exception itself.  


A transformation that contributes only nominally or insignificantly to the execution of the claimed method (e.g., in a data gathering step or in a field-of-use limitation) would not provide significantly more (or integrate a judicial exception into a practical application). 
Step 2B is whether the additional elements add more than insignificant extra-solution activity to the judicial exception. The term "extra-solution activity" can be understood as activities incidental to the primary process or product that are merely a nominal or tangential addition to the claim. Extra-solution activity includes both pre-solution and post-solution activity. An example of pre-solution activity is a step of gathering data for use in a claimed process, e.g., a step of obtaining information about credit card transactions, which is recited as part of a claimed process of analyzing and manipulating the gathered information by a series of steps in order to detect whether the transactions were fraudulent. An example of post-solution activity is an element that is not integrated into the claim as a whole, e.g., a printer that is used to output a report of fraudulent transactions, which is recited in a claim to a computer programmed to analyze and manipulate information about credit card transactions in order to detect whether the transactions were fraudulent. (See MPEP 2106.05g).  The additional elements amount to insignificant extra-solution activity, examiners may consider the following: Whether the limitation amounts to necessary data gathering and outputting, (i.e., all uses of the recited judicial exception require such data gathering or data output). See Mayo, 566 U.S. at 79, 101 USPQ2d at 1968; OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1092-93 (Fed. Cir. 2015).  Thus, the step of generating a flag signal reporting… , and 


providing an alert, and generating a report, is insignificant extra-solution activity, it is not necessary for data gathering and outputting.  
Applicant argues: On pages 13-15 of the Applicant’s arguments the Applicant argues previous cited art of Mahrino, for the newly added limitations of “generating a flag signal reporting, and generating a report…”.  
Examiner’s response: Applicant’s arguments, see remarks, filed 11/23/2022, with respect to claims have been fully considered and are persuasive.  The prior art of Mahrino has been withdrawn, and new art has been applied to the newly added limitations Auvenshine (2019/0052615). 


Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are directed to an abstract idea without integrating into a practical application nor being significantly more. 

Claims 1, 8, and 12 recites the limitation, “comparing… the hash value with a predetermined hash value, and determining if non-compliant or compliant”, the limitation as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the 

limitation in the mind but for recitation of generic components.  That is other than, processing circuit of said device, server, and configuration compliance evaluator, the claim elements 
precludes the step from practically being performed in the mind.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas, and the claims fall within “Mathematical relationship”: “generating a hash value”. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. In particular, the claim recites additional elements additional elements “generating and receiving” steps.  The processing circuit in the “generating” step is recited at a high level of generality, as a generic circuit of performing a generic function of generating a hash value.  This generic processing circuit of said device is no more than mere instructions to apply the exception using a generic component.  Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  Furthermore, the claim recites additional element of “receiving” is recited at a high level of generality, as a server performing the function of receiving information, such as a hash value.  This generic server is no more than mere instructions to apply the exception using a generic component.   The configuration compliance evaluator, is no more than mere instructions to apply the exception using a generic component. The additional elements of “generating… flag signal reporting, providing an alert, generating a report” in the claim amounts to no more than mere instructions to apply the exception using generic computer components.  


Mere instructions to apply an exception using generic computer components cannot integrate a judicial exception into a practical application or provide an inventive concept.  
Regarding claims 2-7, 9-11, and 13-20; Claims 2-7, 9-11 and 13-20 are also rejected under 35 USC 101 as being directed to non-statutory subject matter for the same reasons addressed above.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-3, 5-8, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over May et al. (2007/0250627) in view of Doane (9,300,643), and further in view of Auvenshine et al. (2019/0052615).

As per claim 1, May discloses a method for verifying security compliance of one or more devices on a network, said method comprising (May: para. 0009, verifying security compliance of a client computer (i.e. device)):
receiving, by a server, a generated hash value from a processing circuit for configuration data of the device (May: para. 0043, 0045, and 0115, the processor circuit/microprocessor of the 


client computer transmits the generated hash value, and gateway node (i.e. server), receives the generated hash value from the processor circuit/microprocessor (i.e. processing circuit),  
generating, a hash value for configuration codes (i.e. configuration data) of the client computer)).
May does not explicitly disclose comparing, by the server, the hash value received with a pre-determined hash value for said configuration data of said device, wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value.
However, in analogous art of Doane discloses comparing, by the server, the hash value received with a pre-determined hash value for said configuration data of said device (Doane: col. 6, lines 62-66, col. 7, lines 3-7, and See Fig. 3; comparing, by the credential verification servers (i.e. server), the hash value received with a stored hash (i.e. pre-determined hash value) for said authentication credential (i.e. configuration data) of said client)), 
wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value (Doane: See Fig. 3, #308, #310, col. 19, lines 38-50, client device is determined to not be in compliance when the received hash is matched to the pre-determined hash value, if the device is determine as compliant when the received hash value is not matched with the pre-determined hash value).


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include comparing, by the server, the hash value received with a pre-determined hash value for said configuration data of said device, wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value of Doane with method of May’s processing circuit, the motivation is that this a security measure that insures the uniqueness of the authentication credentials that meet the guidelines and/or best practices in selecting secure authentication credentials (Doane: col. 5, lines 50-55).
May and Doane do not explicitly the default password is set at the time of manufacture or installation of the device, generating, a flag signal reporting the security non-compliance of the device; providing, in response to the determination of security non-compliant, an alert that the said device is security non-compliant; and generating a report of the security compliant status of the one or more devices on the network.  
However, analogous art of Auvenshine discloses default password is set at the time of manufacture or installation of the device (Auvenshine: para. 0011, 0019, devices often ship with a default password, thus set at the time of manufacture); generating, a flag signal reporting the security non-compliance of the device (Auvenshine: para. 0013, the security verification system may retest the user identifiers of the devices flagged for not having changed the default passwords, which means a flag is generated when the default password is the same/equal); providing, in response to the determination of security non-complaint, an alert that the said device is security non-compliant (Auvenshine: para. 0027, generating, reporting the security non-compliance, the non-compliance the examiner asserts when the default password has not

changed, thus the default password is the same as the login password, when the same an alert is generated); and generating a report of the security compliant status of the one or more device on the network (Auvenshine: para. 0027, reporting module by generate detailed reports regarding updates a new information and provide the reports to the user via the device).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include default password is set at the time of manufacture or installation of the device; generating, a flag signal reporting the security non-compliance of the device; providing, in response to the determination of security non-compliant, an alert that the said device is security non-compliant; and generating a report of the security compliant status of the one or more devices on the network of the system/method of Auvenshine with the combination of May and Doane, the motivation is that security verification system may is a non-disruptive system for verifying that default login information (e.g. default password) has been 
changed to reduce or prevent security breaches and/or unauthorized access to one or more devices (Auvenshine: para. 0013).

As per claim 2, May, Doane, and Auvenshine discloses the method of claim 1.  May further discloses wherein generating the hash value further comprises (May: para. 0115, generating, a hash value for configuration codes (i.e. configuration data) of the client computer), by a microprocessor (i.e. processing circuit) of client computer):
analyzing, the configuration data by employing hash function (May: para. 0115, analyzing (i.e. reading) the configuration codes (i.e. configuration data) to generate the hash value by applying a hash function); and
determining, the hash value based on the analysis of the configuration data (May: para. 0115, determining the hash value based on analysis of the configuration codes, the hash value is determined (i.e. checked)).

As per claim 3, May, Doane, and Auvenshine discloses the method of claim 1.
Doane further discloses wherein comparing the hash values further comprises device (Doane: col. 6, lines 62-66, col. 7, lines 3-7, and See Fig. 3; comparing, by the credential verification servers (i.e. server), the hash value received with a stored hash (i.e. pre-determined hash value) for said authentication credential (i.e. configuration data) of said client)):
determining, the configuration data for which the hash value is received (Doane: col. 10, lines 39-55, determining, the authentication credentials (i.e. configuration data) for which the hash value (i.e. one-way hash) is received);
extracting, the pre-determined hash value corresponding to the determined configuration data of said device from a repository, wherein said repository is configured to store pre-determined hash values corresponding to multiple configuration data for each device on said network (Doane: col. 12, lines 46-60, 65-67, col. 13, lines 1-4, 8-14, and col. 18, lines 13-25, extracting the stored hash value (i.e. one-way hash) corresponding to the determined authentication credentials (i.e. configuration data) of the client stored in the credential database (i.e. repository), the repository stores a collection of hash values corresponding to multiple authentication credentials); and



utilizing, the pre-determined hash value extracted from the repository for comparison with the hash value (Doane: col. 18, lines 17-25, utilizing the stored hash value extracted from the credential database for comparison with the received hash value) received from the processing circuit (May: 0043, 0045, the processor circuit/microprocessor).
Same Motivation as claim 1 above.

As per claim 5, May, Doane, and Auvenshine discloses the method of claim 1.
Doane further discloses wherein said configuration data is a password, and the generated hash value is a present password (Doane: col. 9, lines 26-27, col. 12, lines 16-30, configuration data (i.e. password), the generated hash value is a received password).
	Same Motivation as claim 1 above.

As per claim 6, May, Doane, and Auvenshine discloses the method of claim 1.
May further discloses transmitting, the generated hash value towards the server as a message, wherein said generated hash value is part of said message (May: para. 0066, 0074, transmitting, the generated hash value towards the gateway node (i.e. server) as a message, the transmission is a message the Examiner asserts and the generated hash value is part of the transmission).





As per claim 7, May, Doane, and Auvenshine discloses the method of claim 1.  Doane further discloses  wherein said configuration data comprises at least one of port data, status of Secure Socket Shell (SSH), status of Telnet, password, and firmware version (Doane: para. 0066, 0074, password, only one is required according to the claim “at least one”).
Same Motivation as claim 1 above.

As per claim 8, May discloses a method for verifying security compliance of a device on a network, the method comprising:
May discloses receiving, a generated hash value from a processing circuit for configuration data of said device (May: para. 0043, 0045, and 0115, the processor circuit/microprocessor of the client computer transmits the generated hash value, and gateway node (i.e. server), receives the generated hash value from the processor circuit/microprocessor (i.e. processing circuit),  generating, a hash value for configuration codes (i.e. configuration data) of the client computer)). 
May does not explicitly disclose receiving, by a configuration compliance evaluator, a generated hash value from a processing circuit for configuration data of said device; and comparing, by the configuration compliance evaluator, the hash value received from the processing circuit with a pre-determined hash value for default authentication credentials of said device, wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value.


Doane discloses receiving, by a configuration compliance evaluator, the generated hash value; and comparing, by the configuration compliance evaluator, the hash value received from with a pre-determined hash value for default authentication credentials of said device (Doane: col. 12, lines 65-67, col. 13, lines 1-4, receiving, by a credential verification module (i.e. configuration compliance evaluator), the generated hash value and comparing, the credential verification module, the hash value received with a stored hash value for the stored (i.e. default) authentication credentials of the device), wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value (Doane: See Fig. 3, #308, #310, col. 19, lines 38-50, client device is determined to not be in compliance when the received hash is matched to the pre-determined hash value, if the device is determine as compliant when the received hash value is not matched with the pre-determined hash value). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include comparing, by the server, the hash value received with a pre-determined hash value for said configuration data of said device, wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value of Doane with method of May’s processing circuit, the motivation is that this a security measure that insures the uniqueness of the authentication credentials that meet the guidelines and/or best practices in selecting secure authentication credentials (Doane: col. 5, lines 50-55).

May and Doane do not explicitly disclose default password of said device, wherein the default password is set at the time of manufacture or installation of the device; generating, a flag signal reporting the security non-compliance of the device, providing, in response to the determination of security non-compliant, an alert that the said device is security non-compliant; and generating a report of the security compliant status of the one or more devices on the network.
However, analogous art of Auvenshine discloses default password is set at the time of manufacture or installation of the device (Auvenshine: para. 0011, 0019, devices often ship with a default password, thus set at the time of manufacture); generating, a flag signal reporting the security non-compliance of the device (Auvenshine: para. 0013, the security verification system may retest the user identifiers of the devices flagged for not having changed the default passwords, which means a flag is generated when the default password is the same/equal); providing, in response to the determine of security non-compliant, an alert that said device is security non-compliant (Auvenshine: para. 0027, generating, reporting the security non-compliance, the non-compliance the examiner asserts when the default password has not changed, thus the default password is the same as the login password, when the same an alert is generated); and generating a report of the security compliant status of the one or more devices on the network (Auvenshine: para. 0027, reporting module by generate detailed reports regarding updates a new information and provide the reports to the user via the device).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include, wherein the default password is set at the time of manufacture or installation of the device; generating, a flag signal reporting the security non-compliance of the device, and providing, in response to the determination of security non-compliant, an alert that the said device is security non-compliant; and generating a report of the security compliant status of the one of or more devices on the network system/method of Auvenshine with the combination of May and Doane, the motivation is that the security verification system may is a non-disruptive system for verifying that default login information (e.g. default password) has been changed to reduce or prevent security breaches and/or unauthorized access to one or more devices (Auvenshine: para. 0013).

As per claim 10, May, Doane, and Auvenshine disclose the method of claim 8.
Doane further discloses extracting, by the configuration compliance evaluator, the pre-determined hash value for said device from a repository (Doane: col. 18, lines 8-22, credential verification module (i.e. confirmation compliance evaluator) the stored hash value (i.e. predetermined hash value) for said device from credential database (i.e. repository)), wherein said repository is configured to store pre-determined hash values corresponding to a plurality of devices on said network (Doane: col. 18, lines 8-22, repository is configured to store hash values (i.e. pre-determined hash values), it is stored in credential database); and utilizing, by the configuration compliance evaluator, the pre-determined hash value extracted from the repository for comparison with the hash value (Doane: col. 18, lines 8-22, utilizing, by the credential verification module (i.e. confirmation compliance evaluator) received from the processing circuit (May: 0043, 0045, the processor circuit/microprocessor) .
Same Motivation as claim 8 above.



Claims 4, 9, and 11, are rejected under 35 U.S.C. 103 as being unpatentable over May et al. (2007/0250627) in view of Doane (9,300,643), in view of Auvenshine et al. (2019/0052615) and further in view of Hong et al. (2015/0254458).

As per claim 4, May, Doane, and Auvenshine disclose the method of claim 1.
May, Doane, and Auvenshine does not explicitly disclose further comprises: generating, a logic high signal when the received hash value is equal to the pre- determined hash value indicating security non-compliance of said device; and reporting, security non-compliance of the device upon generation of the logic high signal.
However, in analogous art of Hong discloses generating, a logic high signal when the received hash value is equal to the pre- determined hash value indicating security non-compliance of said device; and reporting, security non-compliance of the device upon generation of the logic high signal (Hong: para. 0105-0106, generating, a logic high signal (i.e. logic high level) when the reference hash value RHASH is equal to a verification hash value VHASH  indicating security non-compliance of said device when the RHASH and VHASH are equal/same, thus a logic high level is signaled, and  reporting the comparison signal to the control circuit).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include generating, a logic high signal when the received hash value is equal to the pre- determined hash value indicating security non-compliance of said device; and reporting, security non-compliance of the device upon generation of the logic high signal of the system/method of Hong with the combination of May, Doane, and Auvenshine, the 

motivation is that this an efficient security measure that detects when there is no integrity, by providing an indication alerting using a logic high signal (Hong: para. 0117).

As per claim 9, May, Doane, and Auvenshine discloses the method of claim 8.
May, Doane, and Auvenshine do not explicitly disclose further comprises: generating, by the configuration compliance evaluator, a logic high signal when the received hash value is equal to the pre-determined hash value indicating security non-compliance of said device; and reporting, by the configuration compliance evaluator, security non-compliance of the device upon generation of the logic high signal.
However, analogous art of Hong discloses generating, by the configuration compliance evaluator (Hong: para. 0105, comparator (i.e. configuration compliance evaluator), a logic high signal when the received hash value is equal to the pre-determined hash value indicating security non-compliance of said device (Hong: para. 0105-0106, generating, a logic high signal (i.e. logic high level) when the reference hash value RHASH is equal to a verification hash value VHASH  indicating security non-compliance of said device when the RHASH and VHASH are equal/same, thus a logic high level is signaled); and reporting, by the configuration compliance
evaluator, security non-compliance of the device upon generation of the logic high signal (Hong: para. 0105-0106, reporting the comparison signal to the control circuit).





It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generating, by the configuration compliance evaluator, a logic high signal when the received hash value is equal to the pre-determined hash value indicating security non-compliance of said device; and reporting, by the configuration compliance evaluator, security non-compliance of the device upon generation of the logic high signal of the system/method of Hong with the combination of May, Doane, and Auvenshine, the motivation is that this an efficient security measure that detects when there is no integrity, by providing an indication alerting using a logic high signal (Hong: para. 0117).

As per claim 11, May, Doane, and Auvenshine disclose the method of claim 8.
Doane further discloses updating, by the configuration compliance evaluator, the pre-determined hash value with the received hash value in said repository (Doane: col. 18, lines 66-67, col. 19, lines 1-3, 50-55, updating the stored hash value with the received hash value in the credential database (i.e. repository)); and periodically compare, by the configuration compliance evaluator, the received hash value of authentication credentials and said updated pre-determined hash value for said device to determine security non-compliance of said device (Doane: col. 17, lines 15-20, col. 19, lines 38-47, each time the web service computer makes a credential verification request, the comparator will periodically compare the received hash value of the authentication credentials with updated (i.e. stored) hash value).
May, Doane, and Auvenshine do not explicitly disclose generating, by the configuration compliance evaluator, a logic low signal when the received hash value and the pre-determined hash value are different.

Hong discloses generating, by the configuration compliance evaluator, a logic low signal when the received hash value and the pre-determined hash value are different (Hong: para. 0105, generating by the comparator (i.e. configuration compliance evaluator), a logic low signal (i.e. logic low level) when the RHASH and VHASH are different).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include generating, by the configuration compliance evaluator, a logic low signal when the received hash value and the pre-determined hash value are different of the system/method of Hong with the method of May, Doane, and Auvenshine, the motivation is that this an efficient security measure that detects when there is no integrity, by providing an indication alerting using a logic high signal (Hong: para. 0117).

Claims 12, and 16 are rejected under 35 U.S.C. 103 as being unpatentable Doane (9,300,643) in view of Auvenshine (2019/0052615).

As per claim 12, Doane discloses a system for verifying security compliance of a device on a network, said system comprising (Doane: col. 19, lines 38-50, verifying security compliance of a client computer (i.e. device)): 
Doane discloses a server configured to received a hash value generated by employing a hash function on configuration data of said device, the server having: 
a repository configured to store a pre-determined hash value for the configuration data of said device (Doane: col. 18, lines 8-22, repository is configured to store hash values (i.e. pre-determined hash values), it is stored in credential database); and 

one or more processors configured to compare the received hash value with the pre-determined hash value (Doane: col. 18, lines 8-22, utilizing, by the credential verification module (i.e. confirmation compliance evaluator), wherein said device is determined as security non-compliant when the received hash value is equal to the pre-determined hash value, and said device is determined as security compliant when the received hash value is different than the pre-determined hash value (Doane: See Fig. 3, #308, #310, col. 19, lines 38-50, client device is determined to not be in compliance when the received hash is matched to the pre-determined hash value, if the device is determine as compliant when the received hash value is not matched with the pre-determined hash value).
Doane do not explicitly disclose default password is set at the time of manufacture or installation of the device; generate a flag signal reporting security non-compliance of said device; provide, in response to the flag signal reporting security non-compliance, an alert that the said device is security non-compliant; generate a report of the security compliant status of the one or more devices on the network; and display details of the device being security non-compliant, the details including an alert and action to be taken.  
However, analogous art of Auvenshine discloses default password is set at the time of manufacture or installation of the device (Auvenshine: para. 0011, 0019, devices often ship with a default password, thus set at the time of manufacture); generate a flag signal reporting security non-compliance of said device (Auvenshine: para. 0012-0013, flagging when the default password has not changed, which means it is the same and non-compliant); provide, in response to the flag signal reporting security non-compliance, an alert that the said device is security non-compliant (Auvenshine: para. 0013, 0022,  see Fig. 3 #303, means the default password is the 

same as login password, alert is raised, the Examiner asserts the device is non-compliant); generate a report of the security compliant status of the one or more devices on the network (Auvenshine: para. 0027, reporting module by generate detailed reports regarding updates a new information and provide the reports to the user via the device) ; and display details of the device being security non-compliant, the details including an alert and action to be taken (Auvenshine: para. 0013, details are displayed to the device, alert and action to be taken, including changing the default password)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include default password is set at the time of manufacture or installation of the device; generate a flag signal reporting security non-compliance of said device; provide, in response to the flag signal reporting security non-compliance, an alert that the said device is security non-compliant; generate a report of the security compliant status of the one or more devices on the network; and display details of the device being security non-compliant, the details including an alert and action to be taken of the system/method of Avenshine with the Doane, the motivation is that the security verification system may is a non-
disruptive system for verifying that default login information (e.g. default password) has been changed to reduce or prevent security breaches and/or unauthorized access to one or more devices (Auvenshine: para. 0013).





As per claim 16, Doane and Auvenshine discloses the system of claim 12.
Doane further discloses wherein said configuration data comprises a present password (Doane: col. 9, lines 26-28). 
Same Motivation as claim 12.

Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable Doane (9,300,643) in view of Auvenshine (2019/0052615), and further in view of Hong et al. (2015/0254458).

As per claim 13, Doane and Auvenshine disclose the system of claim 12.
Doane discloses determine the configuration data for the received hash value, and extract the pre-determined hash value corresponding to the determined configuration data from the repository (Doane: col. 12, lines 46-60, 65-67, col. 13, lines 1-4, 8-14, and col. 18, lines 13-25, extracting the stored hash value (i.e. one-way hash) corresponding to the determined authentication credentials (i.e. configuration data) of the client stored in the credential database (i.e. repository), the repository stores a collection of hash values corresponding to multiple authentication credentials); and compare the received hash value with the pre-determined hash value extracted from the repository (Doane: col. 18, lines 17-24,  each device has credential verification module (i.e. digital comparator)).
Doane and Auvenshine do not explicitly disclose generate a logic high signal indicating security non-compliance of said device, when the received hash value is equal to the pre-determined hash value. 


Hong discloses generate a logic high signal indicating security non-compliance of said device, when the received hash value is equal to the pre-determined hash value (Hong: para. 0105-0106, generating, a logic high signal (i.e. logic high level) when the reference hash value RHASH is equal to a verification hash value VHASH indicating security non-compliance of said device when the RHASH and VHASH are equal/same, thus a logic high level is signaled). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate a logic high signal indicating security non-compliance of said device, when the received hash value is equal to the pre-determined hash value of the system/method of Hong with the combination of Doane and Auvenshine, the motivation is that this an efficient security measure that detects when there is no integrity, by providing an indication alerting using a logic high signal (Hong: para. 0117).   
As per claim 14, Doane and Auvenshine disclose the system of claim 12. 
            Doane further discloses update the pre-determined hash value with the received hash value in said repository (Doane: col. 18, lines 66-67, col. 19, lines 1-3, 50-55, updating the stored hash value with the received hash value in the credential database (i.e. repository)); and periodically compare the received hash value of configuration data and said updated pre-determined hash value for said device to determine security compliance of said device (Doane: col. 17, lines 15-20, col. 19, lines 38-47, each time the web service computer makes a credential
verification request, the comparator will periodically compare the received hash value of the authentication credentials with updated (i.e. stored) hash value). 

Doane and Auvenshine do not explicitly disclose wherein said generate a logic low signal when the received hash value and the pre-determined hash value are different.
Hong discloses generate a logic low signal when the received hash value and the pre-determined hash value are different (Hong: para. 0105, generating by the comparator (i.e. configuration compliance evaluator), a logic low signal (i.e. logic low level) when the RHASH and VHASH are different).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate a logic low signal when the received hash value and the pre-determined hash value are different of the system/method of Hong with the method of Doane and Auvenshine, the motivation is that this an efficient security measure that detects when there is no integrity, by providing an indication alerting using a logic high signal (Hong: para. 0117).
           As per claim 15, Doane, Auvenshine, and Hong disclose the system of claim 13.
           Hong further discloses wherein said generate a flag signal reporting security non-compliance of said device upon generation of the logic high signal (Hong: para. 0105, comparator (i.e. configuration compliance evaluator) comprises a comparison signal (i.e. notifier), to generate a flag signal to report security non-compliance (i.e. RHASH and VHASH the same) upon generation of the logic high signal (i.e. logic high level)). 
            Same Motivation as claim 13.




Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Doane (9,300,643), and in view of Auvenshine et al. (2019/0052615) and further in view of McChord et al (2018/0006870).
            As per claim 17, Doane and Auvenshine disclose the system of claim 12.
Doane and Auvenshine do not explicitly disclose transmit the received hash value to the server as part of a heartbeat message, and wherein the server is configured to receive the hash value from the heartbeat message. 
McChord discloses transmit the received hash value to the server as part of a heartbeat message, and wherein the server is configured to receive the hash value from the heartbeat message (McChord: para. 0097, 0125, transmit said hash value as part of a heartbeat message (i.e. heartbeat includes hash codes).
It would have been obvious to one of ordinary skill in the art before the effective filing date to the claimed invention to include transmit the received hash value to the server as part of a heartbeat message, and wherein the server is configured to receive the hash value from the heartbeat message of the system/method of McChord with the processing circuit combination of Doane and Auvenshine, the motivation is that this is an efficient technique that if the heartbeat message is not received in a certain time/interval the heartbeat is assumed to have failed to arrive at the destination, thus integrity is protected (McChord: para. 0125).




7.	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Doane (9,300,643), and in view of Auvenshine (2019/0052615) and  further in view of Dellow (2008/0222428). 
           As per claim 18, Doane and Auvenshine disclose the system of claim 12.
           Doane and Auvenshine do not explicitly disclose wherein said pre-determined hash value is associated with default configuration data applied during manufacturing or installation. 
	Dellow discloses wherein said pre-determined hash value is associated with default configuration data applied during manufacturing or installation (Dellow: para. 0017, pre-determined hash value (i.e. stored hash value) is associated with a default configuration data (i.e. original configuration data) applied during manufacturing). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include wherein said pre-determined hash value is associated with default configuration data applied during manufacturing or installation of the system/method of Dellow with Doane and Auvenshine, the motivation is that in order to prevent any successful manipulation, a hash value of the configuration at the time of manufacturer is stored (Dellow: para. 0017).
   





Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable Doane (9,300,643) in view of Auvenshine (2019/0052615), and May et al. (2007/0250627).

As per claim 19, Doane and Auvenshine discloses the system of claim 12.
Doane and Auvenshine does not explicitly disclose further discloses wherein said processing circuit comprises: a memory configured to store the hash function; and a processor configured to: analyze the configuration data by employing the hash function; and determine the received hash value for the analyzed configuration data.
May discloses further discloses wherein said processing circuit comprises: a memory configured to store the hash function (May: para. 0067, processing circuit (i.e. microprocessor/processor circuit) memory (i.e. computer readable medium) to store the hash function); and a processor configured to: analyze the configuration data by employing the hash function (May: para. 0115, analyzing (i.e. reading) the configuration codes (i.e. configuration data) to generate the hash value by applying a hash function); and determine the received hash value for the analyzed configuration data (May: para. 0115, determining the hash value based on analysis of the configuration codes, the hash value is determined (i.e. checked)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include wherein said processing circuit comprises: a memory configured to store the hash function; and a processor configured to: analyze the configuration data by employing the hash function; and determine the received hash value for the analyzed configuration data of the system/method of May with Doane and Auvenshine, the 


motivation is that there is a desire to exercise control over the configuration of the operation and configuration of security software on networked client computers (May: para. 0008).
             As per claim 20, May and Auvenshine discloses the system of claim 12.
May further discloses wherein said server shares a same or different network with the device being verified for security compliance (May: para. 0025, 0074, server (i.e. gateway node) shares a different network (i.e. second network) with device being verified for security compliance).
Same motivation as claim 19 above.


                                                                Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.



If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

12/5/2022
/J.E.J/Examiner, Art Unit 2439    



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439