DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 3/21/2022. Claims 1-22 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/23/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. However, the document number for entry #2 in the IDS is incorrect; therefore, the information referred to therein has not been considered.

Claim Objections
Claim 19 is objected to because of the following informalities: 
Claim 19 recites “A non-transitory computer-readable storage medium having instructions stored thereon that, when executed by at least one processor to perform operations, the operations comprising: receiving, by at least one processor, training data…” The second term “at least one processor” has already been defined previously and should therefore be referred to using a definite article.
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-5, 8-14 and 17-22 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 of U.S. Patent No. 10999290. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of U.S. Patent No. 10999290 contain every element of the claims of the instant application. Application claims 1-5, 8-14 and 17-22 are anticipated by patent claims 1-16.
Claims 6-7 and 15-16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 6 of U.S. Patent No. 10999290 in view of Publication No. US 20170295197 A1. It would have been prima facie obvious to combine U.S. Patent No. 10999290 and US 20170295197 A1. One of ordinary skill in the art would have been motivated to perform such a modification to improve infrastructure security by adopting policies to prevent and/or monitor unauthorized access, misuse, modification, and/or denial of the computer network infrastructure (Parimi [0003]).

A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). Eli Lilly and Company v. Barr Laboratories, Inc., United States Court of Appeals for the Federal Circuit, on petition for rehearing en banc (decided May 30, 2001).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 9-13, 18-19 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS) in view of Simpson (US 20080319999 A1).

Regarding claim 1, Argento teaches a system comprising:
receive training data and generating at least one machine learning rule based on the training data to apply when a condition occurs to trigger changing a privilege level for at least one particular user, ([Abstract] we present an approach based on machine learning to refine attribute-based access control policies in order to reduce the risks of users abusing their privileges. [p. 107, ¶3] We generated over 3000 behaviors, with almost an equal number of normal and anomalous instances. Intuitively, about 2000 behaviors were used for training, while the rest for testing.)
continually monitor at least one resource associated with a computing network for the condition; ([Abstract] Our approach exploits behavioral patterns representing how users typically access resources to narrow the permissions granted to users when anomalous behaviors are detected. [p. 102, ¶2] our goal is to dynamically refine access control policies based on user behaviour monitored at run-time by narrowing granted privileges.)
determine that the condition has occurred; and ([p. 105, ¶3] ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.)
dynamically and automatically adjust the privilege level for the at least one particular user responsive to the at least one machine learning rule. ([p. 105, ¶1&3] The DT outputs, hereafter called ML-rules, is used to bridge from the machine learning world to the actual refinement of access control policies. Therefore, ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.) In summary, Argento discloses “an approach based on machine learning to dynamically refine policies to prevent misconfiguration exploitation.” [p. 100, ¶3]

Argento teaches a condition occurs to trigger changing a privilege level for at least one particular user, but does not explicitly teach wherein the condition is independent of behavior of the at least one particular user and includes a change in at least one of a status of a business project or a health status of a computing device. This aspect of the claim is identified as a difference.
However, Simpson in an analogous art explicitly teaches
a memory; and ([0016] a processing device, a node, a service, an application, a system, a schema definition, a directory, an operating system (OS), a file system, a data store,)
at least one processor to execute instructions stored within the memory to: ([0016] a processing device, a node, a service, an application, a system, a schema definition, a directory, an operating system (OS), a file system, a data store,)
wherein the condition is independent of behavior of the at least one particular user and includes a change in at least one of a status of a business project or a health status of a computing device. ([0031-0032] the staged-based access control service permits an additional layer of security to be defined and enforced on resources and environments based on a particular stage of a project's lifecycle. Each stage includes its own set of resources and, perhaps, its own processing environment. The resources are dynamically configured, transitioned, and managed within each stage and between the various stages of the lifecycle. The staged-based access control service is invoked for processing when defining staged-based access control for a particular stage or when a requesting resource transitions to a particular stage having the staged-based access control service and under staged-based access control.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “adaptive access control” concept of Argento, and the “project lifecycle staged-based access control” approach of Simpson. One of ordinary skill in the art would have been motivated to perform such a modification to provide a mechanism, which allows for improved and automated project lifecycle stage-based access control, as well as can be implemented in existing network architectures, security systems, data centers, and/or communication devices (Simpson [0010, 0028]).

Regarding claim 2, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein to adjust the privilege level comprises at least one of increasing or decreasing the privilege level for the at least one particular user responsive to the at least one machine learning rule. ([Simpson 0038-0039] In an embodiment, at 121, the staged-based access control service determines customized authentication for each requesting resource that transitions to the first stage and the first processing environment. That is, the access control rights may include policies that define how a particular requesting resource is to authenticate for initial access to the first stage and the first processing environment. In another case, at 122, the staged-based access control service may dynamically restrict some of the requesting resources from viewing particular ones of the first stage resources in response to enforcement of the access control rights and their policies. That is, some first stage resources may not even be viewable or discoverable by particular requesting resources, when the access control rights and policies prohibit those first stage resources from being viewed based on the identity of the particular requesting resources.) In summary, “the staged-based access control service and the access control rights are enforced on top of and in addition to other security restrictions that may be associated with the first stage resources and/or the first processing environment. So, the processing of the staged-based access control service is in addition and layered on top of existing security that exists for the resources and the environment” (¶42). Argento discloses “an approach based on machine learning to dynamically refine policies to prevent misconfiguration exploitation” [p. 100, ¶3]. Therefore the combination discloses the entire limitation.

Regarding claim 3, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the change in the status of the business project includes at least one of the business project becoming active, a security event occurring during the business project, the business project being completed, initiation of an audit, or initiation of a technology deployment. ([Simpson 0031-0032] the staged-based access control service permits an additional layer of security to be defined and enforced on resources and environments based on a particular stage of a project's lifecycle. Each stage includes its own set of resources and, perhaps, its own processing environment. The resources are dynamically configured, transitioned, and managed within each stage and between the various stages of the lifecycle. The staged-based access control service is invoked for processing when defining staged-based access control for a particular stage or when a requesting resource transitions to a particular stage having the staged-based access control service and under staged-based access control.)

Regarding claim 4, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the change in the health status of the computing device includes at least one of the computing device going offline, the computing device going online, the computing device failing, or the computing device having a pending failure. ([Simpson 0031-0032] the staged-based access control service permits an additional layer of security to be defined and enforced on resources and environments based on a particular stage of a project's lifecycle. Each stage includes its own set of resources and, perhaps, its own processing environment. The resources are dynamically configured, transitioned, and managed within each stage and between the various stages of the lifecycle. The staged-based access control service is invoked for processing when defining staged-based access control for a particular stage or when a requesting resource transitions to a particular stage having the staged-based access control service and under staged-based access control.) Claim 1 recites “wherein the condition is independent of behavior of the at least one particular user and includes a change in at least one of a status of a business project or a health status of a computing device;” Examiner selects “a status of a business project” between these two alternatives. “Change in a health status of a computing device” is not selected; therefore, any dependent claims related to that alternative are not relevant.

Regarding claim 9, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. The combination further teaches to receive the training data, analyze the training data, and generate the at least one machine learning rule, the training data comprising at least one of type of events during previous projects, a number of events during the previous projects, project durations, particular users that caused security events during the previous projects, permission access activity for the at least one particular user, computing environment security alert levels, system security audit logs, security event system logs, application logs, ransomware and cyber-attack monitors, data protection activities, network traffic, device monitoring feedback, and travel schedules for the at least one particular user. ([Argento p. 107, ¶3] We generated over 3000 behaviors, with almost an equal number of normal and anomalous instances. Intuitively, about 2000 behaviors were used for training, while the rest for testing.)

Regarding claims 10-13, 18-19 and 21-22, the scope of the claims is similar to that of claims 1-4 and 9, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 5, 8, 14, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS) in view of Simpson (US 20080319999 A1) and Carroll (US 20030046550 A1).

Regarding claim 5, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. The combination further teaches to modify … of the adjusted privilege level for the at least one particular user for a predetermined time period responsive to the at least one machine learning rule. ([Argento p. 103, ¶4] Behaviours represent how users are utilizing resources. They are defined in terms of the attributes forming access requests (i.e., user, resource and action) and of any contextual knowledge features that can be exploited by the access control system for decision making (e.g., working time, working location, types of activities). [p. 105, ¶3] ML-rules are used to transfer the contextual knowledge learned by the RFs into the access control policies. Policy refinement occurs on the basis of the conditions on the contextual features present in an ML-rule.)
But the combination does not teach to modify a duration of the adjusted privilege level for the at least one particular user for a predetermined time period. This aspect of the claim is identified as a difference.
However, Carroll in an analogous art explicitly teaches to
modify a duration of the adjusted privilege level for the at least one particular user for a predetermined time period. ([0022-0023] The broadcast object 112 monitors selected conditions pertinent to determining the satisfaction of conditions of authorization required of the user 100, and sends information such as notifications of changes in the selected conditions to its registered listeners. The broadcast object 112 may send information in an event-driven manner according to changes in the selected conditions, or periodically, or aperiodically according to a predetermined schedule.) Here Carroll discloses a broadcast object sending information to change access at predetermined intervals of time.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “adaptive access control” concept of Argento, and the “dynamic control of authorization” approach of Carroll. One of ordinary skill in the art would have been motivated to perform such a modification to provide an efficient way to dynamically manage authorization to access Internet services by enabling the termination of earlier-authorized access when conditions change, as well as by granting and denying access (Carroll [0012]).

Regarding claim 8, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. Argento in view of Simpson and Carroll further teaches to receive an authentication and access control request from a user of a client computing device and determining if the user of the client computing device is authorized to access a computing resource based on the adjusted privilege level. ([Carroll 0018-0019] One purpose of the session object 114 is to identify the user 100 and its characteristics and privileges to the server 110 and to the application program 118 that is executed by the server 110 to provide the service selected by the user 100. Consequently, the session object 114 may contain authorization-to-access information, including conditions of authorization, that describe privileges of the user 100 to access (or not) the N services provided by the server 110. Once a session is established, the user 100 selects a service to be provided by the server 110, and the server 110 receives a request from the user 100 to access the selected service (step 215). The server 110 then consults the session object 114 to determine whether the session object 114 includes authorization to access the selected service (step 220).)

Regarding claims 14, 17 and 20, the scope of the claims is similar to that of claims 5 and 8, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 6-7 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Argento (“Towards Adaptive Access Control”, https://doi.org/10.1007/978-3-319-95729-6_7, 2018-Jul, listed in IDS) in view of Simpson (US 20080319999 A1) and Parimi (US 20170295197 A1).

Regarding claim 6, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. But the combination does not teach to determine that a number of events decrease over a period of time and shortening a duration of the adjusted privilege level responsive to the at least one machine learning rule. This aspect of the claim is identified as a difference.
However, Parimi in an analogous art explicitly teaches to determine that a number of events decrease over a period of time and shortening a duration of the adjusted privilege level responsive to the at least one machine learning rule. ([0040-0041] The method dynamically adjusts access privileges 110 to at least one of the set of heterogeneous cloud-based services based on the monitoring of the activity of the user 104 over the period of time. The adjustment to the access privileges 110 may include a revocation 1800 and/or a grant 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services. The adjustment to the access privileges 110 may include a revocation 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services when the monitored activity of the user indicates that the user 104 does not access the particular service within the period of time.) Here Parimi discloses an example of determining privileges (claim limitation “a duration of the adjusted privilege level”) based on activity of the user over the period of time (claim limitation “a number of events over a period of time”). Decreasing user activity means the user is less trustworthy, resulting in fewer privileges (a shortened duration of the adjusted privilege level).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “adaptive access control” concept of Argento, and the “dynamic user privileges” approach of Parimi. One of ordinary skill in the art would have been motivated to perform such a modification to improve infrastructure security by adopting policies to prevent and/or monitor unauthorized access, misuse, modification, and/or denial of the computer network infrastructure (Parimi [0003]).

Regarding claim 7, Argento in view of Simpson teaches all the features with respect to claim 1, as outlined above. Argento in view of Simpson and Parimi further teaches to determine that a number of events increase over a period of time and increasing a duration of the adjusted privilege level responsive to the at least one machine learning rule. ([Parimi 0040-0041] The method dynamically adjusts access privileges 110 to at least one of the set of heterogeneous cloud-based services based on the monitoring of the activity of the user 104 over the period of time. The adjustment to the access privileges 110 may include a revocation 1800 and/or a grant 1800 of access to the user 104 to a particular service of the set of heterogeneous cloud-based services.) Here Parimi discloses an example of determining privileges (claim limitation “a duration of the adjusted privilege level”) based on activity of the user over the period of time (claim limitation “a number of events over a period of time”). Increasing user activity means the user is more trustworthy, resulting in more privileges (a longer duration of the adjusted privilege level).

Regarding claims 15-16, the scope of the claims is similar to that of claims 6-7, respectively. Accordingly, the claims are rejected using a similar rationale.
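As an added illustration (not code from the application or from Argento, Simpson, Carroll or Parimi), the following Python sketch wires together the elements the rejected claims recite: rules derived from constructed training data, a monitor that reacts to a project-status or device-health condition rather than to the user's own behaviour (claim 1), a privilege adjustment with a predetermined duration that is shortened or lengthened by the trend in the user's event count (claims 5-7), and an access check decided against the adjusted level (claim 8). The frequency-threshold learner stands in for the decision-tree step Argento describes; all names, levels and durations are assumptions.

```python
from dataclasses import dataclass, field
from collections import Counter

# Privilege levels from lowest to highest, and a default adjustment lifetime (constructed).
LEVELS = ["read", "write", "admin"]
BASE_DURATION = 3600  # seconds an adjustment stays in force by default

@dataclass
class Rule:
    condition: str     # e.g. "project:completed", "device:offline"
    action: str        # "decrease" or "increase"
    event_rate: float  # fraction of training records followed by a security event

def learn_rules(training, threshold=0.5):
    """Derive one rule per condition from (condition, had_security_event) records.
    A frequency threshold stands in for Argento's decision-tree step: a condition
    whose historical security-event rate meets the threshold yields 'decrease'."""
    total, events = Counter(), Counter()
    for condition, had_event in training:
        total[condition] += 1
        events[condition] += int(had_event)
    rules = {}
    for cond in total:
        rate = events[cond] / total[cond]
        rules[cond] = Rule(cond, "decrease" if rate >= threshold else "increase", rate)
    return rules

@dataclass
class Adjustment:
    level: str
    expires_at: float

@dataclass
class Controller:
    rules: dict
    base: dict                                  # user -> baseline level
    active: dict = field(default_factory=dict)  # user -> current Adjustment
    events: dict = field(default_factory=dict)  # user -> event counts per window

    def on_condition(self, condition, user, now):
        """Claim 1: a condition independent of the user's own behaviour (project
        status or device health change) fires the learned rule for that condition."""
        rule = self.rules.get(condition)
        if rule is None:
            return None
        idx = LEVELS.index(self.base[user])
        idx = max(0, idx - 1) if rule.action == "decrease" else min(len(LEVELS) - 1, idx + 1)
        self.active[user] = Adjustment(LEVELS[idx], now + self.duration(user))
        return self.active[user]

    def duration(self, user):
        """Claims 5-7: a predetermined duration, shortened when the user's event
        count fell between the last two windows and lengthened when it rose."""
        counts = self.events.get(user, [])
        if len(counts) >= 2 and counts[-1] < counts[-2]:
            return BASE_DURATION // 2
        if len(counts) >= 2 and counts[-1] > counts[-2]:
            return BASE_DURATION * 2
        return BASE_DURATION

    def effective_level(self, user, now):
        adj = self.active.get(user)
        if adj is not None and now < adj.expires_at:
            return adj.level
        self.active.pop(user, None)  # expired or absent: fall back to baseline
        return self.base[user]

    def authorize(self, user, required, now):
        """Claim 8: decide an access request against the adjusted level."""
        return LEVELS.index(self.effective_level(user, now)) >= LEVELS.index(required)

# Constructed training data: each record is (condition, security event followed?).
TRAINING = ([("project:completed", True)] * 7 + [("project:completed", False)] * 3
            + [("device:online", True)] * 2 + [("device:online", False)] * 8)

def demo(now=0):
    """Alice's project completes while her per-window event count is falling (5 -> 2)."""
    ctl = Controller(learn_rules(TRAINING), base={"alice": "write"}, events={"alice": [5, 2]})
    ctl.on_condition("project:completed", "alice", now)
    return ctl

if __name__ == "__main__":
    c = demo()
    print(c.active["alice"], c.authorize("alice", "write", 100), c.authorize("alice", "write", 2000))
```

In the demo the completed project lowers Alice from write to read for a halved window (1800 s), after which the baseline level applies again.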

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 10999290 B2, "Dynamic authorization control system and method", by Spurlock, teaches to continually monitor at least one resource associated with the computing network for a condition in the computing network that may trigger an authorization control modification, the condition comprising a state of a project that uses the at least one resource, wherein the state of the project comprises an operational state within a project lifecycle, and wherein the operational state is selected from the group consisting of design, prototype, validation, pre-production, production, steady-state, sunset, and decommissioned; determine that the condition has occurred in the computing network; dynamically and automatically modify at least one user authorization control for at least one particular user responsive to a change in the state of the project; and receive an authentication and access control request from a user of a client computing device and determine if the user of the client computing device is authorized to access the at least one resource based on the at least one user authorization control modified in response to the change in the state of the project.
US 20210250362 A1, "Dynamic authorization control system and method", by Spurlock, teaches to continually monitor at least one resource associated with a computing network for a condition in the computing network that may trigger an authorization control modification, determine that the condition has occurred in the computing network, and dynamically and automatically modify a user authorization control for at least one particular user responsive to the condition.
US 20210136077 A1, "User access and identity life-cycle management", by Kemme, teaches modifying the user access to the corresponding resource includes one or more of granting the user access to the corresponding resource, suspending user access to the corresponding resource for a period of time, modifying the times during which the user is authorized to access the corresponding resource, limiting the user's access to the corresponding resource to a certain duration of time, changing a level of user access to the corresponding resource, changing which portions of the corresponding resource that the user is authorized to access, or revoking the user's access to the corresponding resource.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493