Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1 – 25 are rejected under 35 U.S.C. 103 as being unpatentable over MT_ CN109543411A (Machine Translation of CN109543411A) in view of Kumar (US Pub. No. 2016/0019401) in view of Mohammed (US Pub. No. 20070289024 A1) in view of Kurmi (US Pub. No. 2020/0204558 A1).


Per claim 15, MT_ CN109543411A suggests a system comprising (reads on an electronic device, see MT_CN109543411A para 0148): 536000152-95 memory to store a record of application programming interface (API) interactions involving (reads on the necessary if not obvious memory needed to hold the collected historical call information of the application program, see MT_CN109543411A para 0031) a software application (reads on the application program, see MT_CN109543411A para 0031); and at least one processor to (reads on CPU or any programmable logic device, see MT_CN109543411A para 0150) generate a set of account permissions for an account (reads on generating a security policy that controls the permissions of the application, see MT_CN109543411A para 0031. The Examiner asserts a default account to operate the application is at least implied by the controlling of the permissions of the application) based on the record of API interactions (reads on based on the collected historical system call information of the application program, see MT_CN109543411A para 0011 and 0031). The prior art of record is silent on explicitly stating a software application accessing a set of resources of a computing system; and the set of account permissions allowing that account to access the set of resources of the computing system.  
[0009]
Determine the monitored system calls of the monitored application based on the collection policy;
[0010]
Collect historical system call information of the monitored system calls of the monitored application;
[0011]
Send the historical system call information to the cloud device, and receive the security policy of the monitored application generated by the cloud device based on the historical system call information;
 [0014]
Receive the historical system call information of the monitored system call of the monitored application program sent by the terminal device, and the monitored system call is determined by the terminal device from the system calls of the monitored application program based on the collection policy;
[0015]
Generate security policies for monitored applications based on historical system call information;
[0016]
Send security policies to end devices.
 [0020]
The data transceiver module is used to send the historical system call information to the cloud device, and receive the security policy of the monitored application generated by the cloud device based on the historical system call information;
[0021]
The authority control module is used to add the security policy to the local security policy library, and control the authority of the monitored application according to the security policy in the local security policy library.
 [0029]
In a sixth aspect, the present application provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the application program monitoring method shown in the first aspect of the present application or the method as described in the first aspect of the present application is implemented. The application monitoring method shown in the second aspect.
[0030]
The beneficial effects brought by the technical solutions provided in the embodiments of the present application are:
[0031]
The solution of the embodiment of the present application can accurately monitor the behavior of the application program by collecting the historical system call information of the application program, and generate a corresponding security policy to update the local security policy, so that the terminal device can update the local security policy according to the updated local security policy. The policy manages and controls the permissions of the application, realizes the effective monitoring of the application, and ensures the security of the terminal device system.
 [0045]
In the operating system, the operating system kernel is responsible for managing all hardware resources. Modern operating systems implement a layered structure. The application program is only responsible for the business logic of the application field. The operating system kernel is responsible for managing all hardware resources, while the application program and operation The only bridge between system kernels is system calls.
The system call itself belongs to the software and is a part of the operating system. The system call is completely exposed to the upper-layer application. It can be seen that if the application wants to implement the application business logic, it must pass the system call.
It can be seen that if the system calls used by the application program are mastered and controlled, the behavior of the application can be completely mastered in theory.
Therefore, the purpose of detecting malicious program applications can be achieved by monitoring the system calls used by the application programs.
If the behavior of the application program can be accurately monitored through system calls, and then the permissions of the application program can be managed and controlled, the effective monitoring of the application program can be realized.
 [0052]
In the embodiment of the present application, the historical system call information of the monitored system call may include, but is not limited to, the behavior of the system call, the result of the system call, and the operation result of the kernel Mandatory Access Control (MAC) system.
The historical system call information can be all system call information called by the monitored system of the monitored application before the current collection action, or it can be the monitored system of the monitored application within the set period before the current collection action The called system call information may also be the system call information called by the monitored system of the monitored application within the period from the current collection action to the last collection action.
 [0056]
In the embodiment of the present application, the cloud device may be a cloud big data platform or a cloud artificial intelligence platform. As a security decision center, it is responsible for receiving historical system call information sent by various network nodes (including terminal devices and gateway routing devices) in the network under its jurisdiction. , and analyzes the behavior of the monitored application program according to the historical system call information, generates a corresponding security policy based on the behavior of the monitored application program, and sends it to the terminal device.
The cloud device can also display the monitored security status of each terminal device in the network under its jurisdiction in real time.
[0057]
The security policy is used to control the permissions of the monitored application. The security policy in the terminal device is stored in the local security policy library. The local security policy library can be preset according to the pre-installed applications in the terminal device at the beginning, and By continuously storing the security policy delivered by the cloud to the local, the local security policy is updated, and then the monitored application is controlled according to the security policy in the updated local security policy library.
[0058]
The solution of the embodiment of the present application can accurately monitor the behavior of the application program by collecting the historical system call information of the application program, and generate a corresponding security policy to update the local security policy, and then enable the terminal device to update the local security policy according to the updated local security policy. The policy manages and controls the permissions of the application, realizes the effective monitoring of the application, and ensures the security of the terminal device system.
 [0087]
In actual use of the embodiments of the present application, the security policy may be delivered in various ways. The cloud device may deliver the security policy when receiving the security policy acquisition request of the monitored application sent by the terminal device; of course, the cloud device may also issue the security policy. The security policy can be automatically issued, for example, the security policy is issued immediately after the security strategy is generated or the generated security strategy is issued on a regular basis.
 [0148]
An embodiment of the present application provides an electronic device. As shown in FIG. 6 , the electronic device 2000 shown in FIG. 6 includes: a processor 2001 and a memory 2003 .
The processor 2001 is connected to the memory 2003, for example, through the bus 2002.
Optionally, the electronic device 2000 may further include a transceiver 2004 .
It should be noted that, in practical applications, the transceiver 2004 is not limited to one, and the structure of the electronic device 2000 does not constitute a limitation to the embodiments of the present application.
[0149]
The processor 2001 is used in the embodiments of the present application to implement the methods shown in the foregoing method embodiments.
The transceiver 2004 may include a receiver and a transmitter, and the transceiver 2004 is applied in the embodiments of the present application, and is configured to implement the function of communicating between the electronic device and other devices in the embodiments of the present application during execution.
[0150]
The processor 2001 may be a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component or any combination thereof.
It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with this disclosure.
The processor 2001 may also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
[0151]
The bus 2002 may include a path to transfer information between the aforementioned components.
The bus 2002 may be a PCI bus, an EISA bus, or the like.
The bus 2002 can be divided into an address bus, a data bus, a control bus, and the like.
For ease of presentation, only one thick line is used in FIG. 6, but it does not mean that there is only one bus or one type of bus.
[0152]
The memory 2003 can be ROM or other types of static storage devices that can store static information and instructions, RAM or other types of dynamic storage devices that can store information and instructions, or EEPROM, CD-ROM or other optical disk storage, optical disk storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or capable of carrying or storing desired program code in the form of instructions or data structures and capable of being executed by a computer Access any other medium without limitation.
[0153]
Optionally, the memory 2003 is used for storing the application code for executing the solution of the present application, and the execution is controlled by the processor 2001 .
The processor 2001 is configured to execute the application program code stored in the memory 2003 to implement the application program monitoring method shown in the above method embodiments.
[0154]
The embodiment of the present application provides an electronic device, which, compared with the prior art, can accurately monitor the behavior of the application program by collecting historical system call information of the application program, and generate a corresponding security policy to update the local security policy , so that the terminal device can manage and control the permissions of the application program according to the updated local security policy, realize the effective monitoring of the application program, and ensure the security of the terminal device system.
[0155]
Embodiments of the present application provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the program is executed by a processor, the application program monitoring method shown in the foregoing method embodiments is implemented.
[0156]
The embodiment of the present application provides a computer-readable storage medium, which, compared with the prior art, can accurately monitor the behavior of the application program by collecting historical system call information of the application program, and generate a corresponding security policy for local security The policy is updated, so that the terminal device can manage and control the permissions of the application program according to the updated local security policy, realize the monitoring of the application program, and ensure the security of the terminal device system.
[0157]

It should be understood that although the various steps in the flowchart of the accompanying drawings are sequentially shown in the order indicated by the arrows, these steps are not necessarily executed in sequence in the order indicated by the arrows.
Unless explicitly stated herein, the execution of these steps is not strictly limited to the order and may be performed in other orders.
Moreover, at least a part of the steps in the flowcharts of the accompanying drawings may include multiple sub-steps or multiple stages, and these sub-steps or stages are not necessarily executed at the same time, but may be executed at different times, and the execution sequence is also It does not have to be performed sequentially, but may be performed alternately or alternately with other steps or at least a portion of sub-steps or stages of other steps.

Kumar suggests 
a software application (reads on one or more applications, see Kumar para 0008) accessing (reads on providing access of user resources to one or more applications, see Kumar para 0008) a set of resources of a computing system (reads on user resources and generally to any capability supported by an API, see Kumar para 0008 and 0019).

[0008] In one aspect of the present invention, techniques for managing access of user information by third party applications are provided. An exemplary computer-implemented method can include steps of compiling a set of user instructions for providing access of user resources to one or more third party applications, wherein the set of user instructions specifies a context in which each of multiple items of the user resources at one or more application programming interface providers can be accessed by the one or more third party applications; mapping a request from one of the third party applications for access to one or more items of the user resources to the one or more application programming interface providers, which correspond to one or more entities maintaining the user resources; and granting access to the one or more items of the user resources to said one third party application through the one or more application programming interface providers based on the set of user instructions. 

[0018] As described herein, an aspect of the present invention includes a framework for API access brokerage. At least one embodiment of the invention includes enabling a user to specify one or more contexts for allowing a third party application to access user information and/or user resources stored at multiple service providers via an access broker. By way of example, in an example embodiment of the invention, the access broker role is played by an enterprise managing marketplace of third party applications.

[0019] As used herein, the term “resources” refers not only to data elements such as a customer profile, contacts, messages, location, etc., but also refers more generally to any capability supported by an API provider to perform any operation, action or transaction on behalf of or with respect to the user. It should also be noted that resources exposed to third parties can be different from those available from API providers, due to the possibility of aggregation and combining of features.

[0020] Additionally, as used herein, the term “context” is not limited to variables such as time, location, device factors etc., and noted context information need not be available within the domain controlling access of third party applications. In general, any user action at any API provider domain can be utilized in the specification of context. 

[0041] As illustrated in FIG. 3, the user 302 starts and/or accesses the application marketplace 304, which obtains the available applications from the enterprise 306, which are then displayed to the user 302 in a list. The user buys and/or downloads a given application (A) from the list, and the application marketplace requests an authorization (R) from the user 302. The user 302 authorizes a specific instance of the application (A) to access user resources via the external API provider 308. One or more permissions associated with the authorization (R) are notified to the enterprise 306 (as access broker), and the enterprise 306 updates the user's local account (U). The enterprise 306 then checks if one or more permissions in the authorization (R) require access to one or more user resources at API provider 308, as well as if permissions for accessing resources which are not yet granted by the user to the enterprise. These external resource dependencies are communicated to the market place app. The marketplace app indicates to the user that in order to use the application, the user would have to allow some additional permissions to the marketplace (enterprise). If the user agrees, the user is directed to the external API provider's website (for example, by invoking a web browser within the marketplace app or another mechanism) to complete the workflow for granting these additional permissions to the marketplace. After successful delegation of permissions to the enterprise, the local user account (U) is updated with this information. The enterprise then processes the payment and, once successful, initiates download of the specific instance of the application. If no additional permissions are communicated to the user via the marketplace app, then the authorization flow with external provider can be skipped.

[0068] In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

[0069] It should be noted that any of the methods described herein can include an additional step of providing a system comprising distinct software modules embodied on a computer readable storage medium; the modules can include, for example, any or all of the components detailed herein. The method steps can then be carried out using the distinct software modules and/or sub-modules of the system, as described above, executing on a hardware processor 602. Further, a computer program product can include a computer-readable storage medium with code adapted to be implemented to carry out at least one method step described herein, including the provision of the system with the distinct software modules.

[0070] In any case, it should be understood that the components illustrated herein may be implemented in various forms of hardware, software, or combinations thereof, for example, application specific integrated circuit(s) (ASICS), functional circuitry, an appropriately programmed general purpose digital computer with associated memory, and the like. Given the teachings of the invention provided herein, one of ordinary skill in the related art will be able to contemplate other implementations of the components of the invention.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the access teachings of the primary reference (reads on generating a security policy that controls the permissions of the application, see MT_CN109543411A para 0031)  by incorporating the access teachings of Kumar to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the access policy art would have recognized that applying the known technique of providing access of resources to one or more applications would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Kumar to the teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such providing access features into similar systems.  Further, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself. The motivation to combine applies to all claims under this heading.
Kurmi suggests 
system comprising (see Kurmi Figure 1, 6 and para 0042): memory to store (reads on the necessary if not obvious data structure that holds the access logs that are analyzed, see Kurmi para 0019 – 0020, 0040 and 0042 and Figure 6) a record of application programming interface (API) interactions (reads on access logs which include information related to requests made by an application to a particular resource such as a time stamp associated with the request and the result of the request, see Kurmi para 0020) involving a software application (reads on an application, see Kurmi para 0011 and 0016) accessing a set of resources of a computing system (reads on internal and/or external resources accessed by the application, see Kurmi para 0011 and 0016); and at least one processor to generate a set of account permissions for an account based on the record of API interactions (reads on generate a restricted access policy based on the analyzed access logs, see Kurmi para 0011, 0012, 0016, 0020, 0042 and Figure 6), the set of account permissions allowing that account to access the set of resources of the computing system (reads on if the application’s access policy determines the application is authorized to perform the action on the resource then the action is allowed, see Kurmi para 0016).
SUMMARY
[0003] Described embodiments enable access privileges of system identities to be adjusted dynamically. Over privileged system identities (e.g., an identity that has access to services that it does not need access to) can lead to system breaches and/or compromise of system functions. A method of dynamically adjusting access privileges of system identities can mitigate consequences in the event of a system malfunction and/or breach. In various embodiments, access logs associated with a system are collected and analyzed to generate a restricted access policy for an over privileged system identity. An initial access policy of the system identity is replaced with the restricted access policy. A continuous monitoring and access management (CMAM) module collects access logs for a monitoring time window (e.g., a pre-defined time period such as an hour, six hours, two days, etc.), and an access denied error can be extracted from the collected access logs. The access denied error is associated with an action, a resource, and a system identity. In some embodiments, the access denied error is compared to an ignore list and/or added to the ignore list. Authorization checks are performed to determine if the system identity is authorized to perform the action associated with the access denied error. If the action is authorized, the access policy of the system identity is adjusted to allow for performance of the action. The CMAM module can subsequently identify and analyze another error in the collected access logs. If another error is not identified, access logs are collected for another monitoring time window. Access logs can be collected for a series of monitoring time windows until errors do not exist in access logs collected over a monitoring time duration (e.g., a pre-defined time period including a plurality of monitoring time windows). As such, the system identity is considered to have an appropriate level of privilege (e.g., follow the principle of least privilege) and the system may be more secure.
[0011] A system identity is an identity, such as an application, an online service, a user, and/or other resource, associated with a software system. A software system can include one or more system identities where each system identity has an access policy that dictates the system identity's access level to one or more resources. To promote greater security, access policies should follow a principle of least privilege, according to which a system identity can only access resources that are necessary for the functionality of the system identity. A system identity is often over privileged—that is, it has an access policy that allows the system identity more access than is required for its functionality—because system owners may grant more authority than a system identity requires in order to improve system experience (e.g., it may be preferred that a system identity is over privileged rather than under privileged). Over privileged system identities increase the risk of security incidents and can compromise secure information. On the other hand, underprivileged system identities can negatively affect system experience and/or productivity, leading to inefficiency. It can be difficult and time consuming to manually adjust access privileges of a system identity to an appropriate level (e.g., to follow the principle of least privilege). Creating an automated process can allow for access policies to be adjusted without requiring extensive time from a human moderator.

[0012] In accordance with various embodiments, a system includes an over privileged system identity with an initial access policy. Access logs associated with the system are analyzed to generate a restricted access policy for the system identity, as described below. The initial access policy of the system identity is replaced with the restricted access policy. A continuous monitoring and access management (CMAM) service is subsequently configured to monitor access logs associated with the system over a pre-defined time period, as described in greater detail below. Access logs are collected for a monitoring time window (MTW) and an access-denied error in the collected access logs can be identified. If an access-denied error is identified, an identity, resource, and action are extracted from the error. In some embodiments, the error is compared to an ignore list to determine whether it can be ignored. If the error is not in the ignore list, the error is analyzed to determine if the error should be included in the ignore list. If the error should be included in the ignore list, the ignore list is updated to include the error and the error is subsequently ignored.

[0016] FIG. 1 is a block diagram illustrating a system environment 100 for adjusting access policies of system identities, according to one or more embodiments. In FIG. 1, the system environment 100 includes a system 110 connected to an access facility 120 and a client device 140 over a network 130. In other embodiments, the system environment 100 for adjusting access policies of system identities contains different and/or additional elements. In addition, the functions may be distributed among the elements in a different manner than described. The system 110 includes a plurality of system identities. For ease of illustration, FIG. 1 includes three system identities 115a, 115b, 115c, but in alternative embodiments, there are greater or fewer system identities associated with the system 110. In some embodiments, the system 110 can include hundreds or thousands of system identities. The system identities 115a, 115b, and 115c may be referred to herein in the singular or plural, i.e. as identities, system identities, an identity, a system identity, etc. A system identity (e.g., 115a, 115b, 115c) is an identity associated with a software system, such as an application, an online service, a user, and/or other software solution. A system identity (e.g., 115a, 115b, 115c) has an access policy that designates the system identity's level of access to internal and/or external resources. An access policy may be implemented prior to a system identity interacting with the system 110. When a system identity attempts to perform an action on a resource, a module may check a system identity's access policy to determine if the system identity is authorized to perform the action on the resource. If the system identity's access policy includes the action, the system identity can be allowed to perform the action. If the system identity's access policy does not include the action, the action may be denied (e.g., the system identity is prevented from performing the action, an error message is returned to the system identity, etc.). In the embodiment of FIG. 1, we assume for purposes of an illustrative example that the system identities 115a, 115b, and 115c are over privileged, though in an actual implementation, system identities may be under-, over-, or correctly privileged. An over privileged system identity has an access policy that allows the system identity more privileges than are necessary for its functionality.

[0017] The client device 140 is a computing device capable of receiving user input as well as transmitting and/or receiving data via the network 130. The client device 140 can have various forms such as a computer, a personal digital assistant (PDA), a tablet device, and other suitable devices. The client device 140 can be configured to interact with and/or provide input to the access facility 120. In some embodiments, the client device 140 can determine a time period for collecting access logs (e.g., a monitoring time window, a monitoring time duration), described in greater detail below. Although only one client device 140 is shown, in practice, fewer or greater client devices 150 may be connected to the network 130 at a given time.

[0018] The access facility 120 adjusts the access policy of a system identity (e.g., 115a, 115b, 115c). The access facility 120 is configured to receive a system identity (e.g., 115a, 115b, 115c) and/or its associated access policy via the network 130. The access facility 120 includes a log analysis module 122, an access privilege module 124, a continuous monitoring and access management (CMAM) module 126, and an ignore list 128. In alternative embodiments, the access facility 120 can include greater or fewer components than described herein. The components can also be distributed in a different manner or can perform different functions than described below.


[0020] The log analysis module 122 analyzes access logs associated with the system 110. Access logs can include information related to requests made by an identity to a particular resource such as a time stamp associated with the request and the result of the request (e.g., the request was denied, the request was approved, a file was downloaded, etc.). In the embodiment of FIG. 1, an over privileged system identity (e.g., system identity 115a, system identity 115b, system identity 115c) is identified, and the log analysis module 122 analyzes access logs collected over a period of time. The period of time can be selected by the implementer, set by a client device 140 or automated by the log analysis module 122. The period of time can be any length of time (e.g., hours, days, weeks, etc.). In a typical implementation, the period of time is chosen to be long enough to collect an adequate number of access logs for sufficient analysis, as it may reduce a number of monitoring time windows, described in greater detail below in relation to FIG. 3. In other embodiments, the access logs may be retrieved from a database. The log analysis module 122 generates a restricted access policy for the over privileged system identity based on past requests made by the over privileged system identity. For example, system identity 115a has an initial access policy that grants the system identity 115a access to three resources: webpage A, webpage B, and webpage C. The access logs of a plurality of resources, including access logs of webpages A, B, and C, are collected for a period of time. The log analysis module 122 analyzes the collected access logs and determines that the system identity 115a requested access to webpage A, but did not request access to webpage B or C during the period of time. Subsequently, the log analysis module 122 generates a restricted access policy that allows the system identity 115a access to webpage A, but not webpage B or C.

[0040] A system identity with an initial access policy is received 510. A first set of access logs associated with a system are analyzed 520. The access logs can be stored in and retrieved from a database. In other embodiments, access logs associated with a system are collected for a period of time (e.g., a day, a week, a month, etc.). Based on the analysis of the first set of access logs, a restricted access policy for the system identity is generated 530. The initial access policy of the system identity is replaced 540 with the restricted access policy. Another set of access logs are collected 550 for a monitoring time window. The set of access logs are analyzed to identify 560 an access denied error. If an access denied error is identified, a validation check is performed 570 to determine whether the system identity is allowed to perform the action associated with the access denied error. An action associated with an access denied error may be compared to the initial access policy to determine if it is authorized, or the system may provide an index of authorized actions. Responsive to the error passing the validation check, the access policy of the system identity is increased 580 to include (e.g., allow for performance) of the action on the resource associated with the access denied error. After the access policy is adjusted, the set of access logs can be analyzed to identify 560 another access denied error in the monitoring time window. If there are no remaining access denied errors, another set of access logs may be collected for a subsequent monitoring time window.


    PNG
    media_image1.png
    1337
    900
    media_image1.png
    Greyscale





    PNG
    media_image2.png
    1495
    755
    media_image2.png
    Greyscale


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the account permissions based on collected historical system/API call teachings of the primary reference by incorporating the generate a restricted access policy based on the analyzed logs teachings of Kurmi to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the access policy art would have recognized that applying the known technique of reading access logs which include information related to requests made by an application to a particular resource would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Kurmi to the teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such access log into similar systems.  Further, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself. The motivation to combine applies to all claims under this heading.
Mohammed suggests 
a set of resources of a computing system (reads on particular computer resources, see Mohammed para 0001 and 0003); and the set of account permissions allowing that account to access (reads on access is provided to a particular user account only upon determining one or more conditions for the particular user account are satisfied, see Mohammed para 0003) the set of resources of the computing system (reads on particular computer resources, see Mohammed para 0001 and 0003).  

[0001] Computer resources such as individual files, registry keys, network file shares, local and on-line services, and so forth are accessed from a user account that has been used to log-in to a computer system or network. User accounts include individual accounts, such as Active Directory accounts, emails accounts and so forth. As used herein, user accounts may also include groupings of individual such as domains.
SUMMARY
[0003] Embodiments address these issues and others by allowing one or more conditions to be specified for a particular user account and a particular computer resource so that those conditions can be checked before permitting the user account to have access to the resource. For example, an administrator may be provided a user interface upon which to select conditions for a given computer resource and user account. When a user account attempts to access the computer resource for which the one or more conditions have been specified, the one or more conditions are found and implemented by a computer system. Access is provided to the user only upon the computer system determining that the one or more conditions are satisfied. Thus, access to computer resources may be controlled without requiring an administrator to keep track of whether a particular user account should have access and to manually set a permission for a given resource as access granted or access denied.
[0015] The example of FIG. 1 also shows a computer resource 122 to be accessed. The computer resource 122 may be of various types. The computer resource may be a single file, a registry key of registry 116, a network file share, a local or on-line service, and the like. In the example shown, the resource is a file named FILE1.PRODUCTXEXTENSION, where this file is one file of an application referred to as Product X.
[0016] In some embodiments, the computer system 100 acts as a host system where client systems access the computer resources being controlled by the host system, such as the network file share and/or the on-line services such as Internet services. In the example shown, the computer system 130 is a client system where the user of the computer system 130 wishes to access a computer resource under the control of host system 100. Furthermore, a client computer 130 may be used by an administrator to configure the conditional permissions for the resources of the host system 100. The computer system 130 of this example includes similar components to those of computer system 100, such as a processor 132, memory 134, data bus 136, display 138, input device 140, mass storage 142, operating system 144, and network interface 146.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the resource teachings of the primary references by incorporating the resource teachings of Mohammed to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, one of ordinary skill in the resource art would have recognized that applying the known technique of specifying specific conditions for particular user accounts to access particular computer resources (see Mohammed para 0001 and 0003) would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Mohammed to the teachings of the prior art of record would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such user account to computer resource mappings into similar systems.  Further, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself. The motivation to combine applies to all claims under this heading.

Per claim 16, the prior art of record further suggests wherein the at least one processor is to: map a particular API interaction (reads on mapping a specific instance of an application to access internal and/or external resources via an API, see MT_CN109543411A para 0008, 0018 – 0020 and 0041, and Mohammed para 0001 and 0003, and Kurmi para 0011, 0012, 0016, 0019 – 0020 and 0040) in the record of API interactions  (reads on based on the collected historical system call information of the application program, see MT_CN109543411A para 0011 and 0031, Kumar para 0020 and Kurmi para 0020) to a particular resource of the set of resources of the computing system (reads on particular internal and/or external resources accessed by the application, see Mohammed para 0001 and 0003 and see Kurmi para 0011 and 0016 and Kumar para 0019); and add at least one permission to the set of account permissions that enables the account to access (reads on dynamically adjusting access privileges to an account for accessing particular resources, see Kurmi para 0003 and Mohammed para 0001 and 0003) the particular resource (reads on particular computer resources, see Mohammed para 0001 and 0003 and Kumar para 0008 and 0019).  
Per claim 17, the prior art of record further suggests wherein: the memory is further to store a mapping between portions of an API (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of mapping access to one or more resources to one or more application programming interface providers, see Kumar para 0008) and resources of the computing system (reads on particular computer resources, see Mohammed para 0001 and 0003 and Kumar para 0008 and 0019); and the mapping is used by the at least one processor to map the particular API interaction to the particular resource  (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of mapping access to one or more resources to one or more application programming interface providers, see Kumar para 0008).  
Per claim 18, the prior art of record further suggests wherein: the record of API interactions comprises a time period for the particular API interaction (reads on collecting a set of access logs for a monitoring time window, see Kurmi Figure 5 block 550 and para 0003, 0012, 0017, 0020); the particular resource enables access to a data set on the computing system (reads on particular computer resources, see Mohammed para 0001 and 0003 and Kumar para 0008 and 0019); and the at least one account permission limits the account's access to portions of the data set (reads on access is provided to a particular user account only upon determining one or more conditions for the particular user account are satisfied, see Mohammed para 0003 and Kumar para 0008) that correspond to the time period (reads on the permissions are determined based on the monitored time period, see Kurmi Figure 5 block 550 and para 0003, 0012, 0017, 0020).  
Per claim 19, the prior art of record further suggests, wherein the at least one processor is to: map a group of API interactions (reads on mapping a specific instance of an application to access internal and/or external resources via an API, see MT_CN109543411A para 0008, 0018 – 0020 and 0041, and Mohammed para 0001 and 0003, and Kurmi para 0011, 0012, 0016, 0019 – 0020 and 0040) in the record of API interactions  (reads on based on the collected historical system call information of the application program, see MT_CN109543411A para 0011 and 0031 and Kurmi para 0020) to a workflow of the computing system (reads on the exemplary action on a resource that requires a level of access to proceed, see Kurmi para 0016); and add at least one permission to the set of account permissions that enables the account to perform the workflow (reads on dynamically adjusting access privileges to an account for accessing particular resources, see Kurmi para 0003 and Mohammed para 0001 and 0003) the particular resource (reads on particular computer resources, see Mohammed para 0001 and 0003).  
Per claim 20, the prior art of record further suggests wherein: the memory is further to store a mapping between portions of an API (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of mapping access to one or more resources to one or more application programming interface providers, see Kumar para 0008) and workflows of the computing system (reads on actions to access particular computer resources, see Kurmi para 0016); and the mapping is used by the at least one processor to map the group of API interactions (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of mapping access to one or more resources to one or more application programming interface providers, see Kumar para 0008) to the workflow  (reads on actions to access particular computer resources, see Kurmi para 0016).  
Per claim 21, the prior art of record further suggests wherein the set of account permissions allows the account to access (reads on dynamically adjusting access privileges to an account for accessing particular resources, see Kurmi para 0003 and Mohammed para 0001, 0003 and 0015)   a software instance (reads on a specific instance of the application, see Kumar para 0041) on the computing system (reads on internal and/or external resources accessed by the application, see Kurmi para 0011 and 0016) that is associated with the software application (reads on the application program, see Kumar para 0031 and see Kurmi para 0011 and 0016).  
Per claim 22, the prior art of record further suggests wherein the at least one processor is further to determine that a relationship exists between the software instance and the account before the set of account permissions is generated (reads on determine the account has permission to access the computer resource before generating an access policy allowing the access, see Kurmi para 0003 and 0016).  
Per claim 23, the prior art of record further suggests wherein: the set of resources is specific to (reads on internal and/or external resources accessed by the application, see Kurmi para 0011 and 0016) the software instance (reads on an application, see Kurmi para 0011 and 0016 and see Kumar para 0041); and the set of account permissions is limited to (reads on generate a restricted access policy based on the analyzed access/API logs, see Kurmi para 0011, 0012, 0016, 0020, 0042 and Figure 6) the software instance (reads on if the application’s access policy determines the application is authorized to perform the action on the resource then the action is allowed, see Kurmi para 0016 and see Kumar para 0041).  
Per claim 24, the prior art of record further suggests wherein the record of API interactions is based on API calls received by (reads on based on the collected historical system call information of the application program, see MT_CN109543411A para 0011 and 0031 and Kurmi para 0020) the computing system (see Kurmi Figure 1) from an external device executing (reads on components of the system can be distributed, see Kurmi para 0018) the software application (reads on an application, see Kurmi para 0011 and 0016).
Claim 25 the non-transitory computer readable medium (see MT_CN109543411A para 0156) is analyzed with respect to claim 15.
Claim 1 is analyzed with respect to claim 15. 
Claim 2 is analyzed with respect to claim 16. 
Claim 3 is analyzed with respect to claim 17. 
Claim 4 is analyzed with respect to claim 18. 
Claim 5 is analyzed with respect to claim 19. 
Claim 6 is analyzed with respect to claim 20. 
Per claim 7, the prior art of record further suggests wherein the set of account permissions restricts the account's access to other resources of the computing system that do not correspond to the record of API interactions (reads on the account’s permissions are dynamically adjusted based on the collected historical system call information, see MT_CN109543411A para 0011 and 0031 and Kurmi para 0003 and 0020).  
Per claim 8, the prior art of record further suggests wherein the set of resources includes data that is accessible via API calls in the record of API interactions (reads on the computer resource may be of various types, see Mohammed para 0001, 0003 and 0015).  
Per claim 9, the prior art of record further suggests wherein the account allows a user to access the computing system (reads on the user account is used to log-in to a computer system, see Mohammed para 0001).
Claim 10 is analyzed with respect to claim 21. 
Claim 11 is analyzed with respect to claim 22. 
Claim 12 is analyzed with respect to claim 23. 
Claim 13 is analyzed with respect to claim 24. 
Per claim 14, the prior art of record further suggests obtaining a record of API permissions for (reads on based on the collected historical system call information of the application program, see MT_CN109543411A para 0011 and 0031 and Kurmi para 0020) the software application (reads on an application, see Kurmi para 0011 and 0016), wherein generating the set of account permissions for the account is further based on the record of API permissions (reads on generate a restricted access policy based on the analyzed historical system call information of the application program, see MT_CN109543411A para 0011 and 0031 and Kurmi para 0011, 0012, 0016, 0020, 0042 and Figure 6).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).




/BRIAN F SHAW/Primary Examiner, Art Unit 2496