DETAILED ACTION
This communication is in response to applicant's amendments filed 11/18/2025. Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
This communication is in response to applicant’s amendments filed on 11/18/2025. Claims 1-20 are pending. Applicant's arguments filed on 11/18/2025 have been fully considered and are moot in view of the following new ground of rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims (1-9), (10-17), and (18-20) are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being unpatentable over Cosgrove (US 20220360594 A1) in view of Ma (US 20190332502 A1).
Regarding Claim 1, Cosgrove teaches:
A method ([0005] “In the method, determining the remediation action may be based on...”)
Performing a data migration operation, the method comprising: identifying data to be migrated from a source device to a target device ([0046] “… behavioral protection can identify malicious code at the gateway or on the file servers and delete the code before it can reach endpoint computers and the like.” [0079] “In embodiments, the endpoint computer security facility 152 may provide enterprise facility 102 computing resources with threat protection against physical proximity threats 110, for instance, through scanning the device prior to allowing data transfers … through establishing a safe zone within the enterprise facility 102 computing resource to transfer data into for evaluation, and the like.”),
wherein the source device and the target device are endpoints; scanning, using a data migration agent, the target device to determine a target device risk level associated with the target device ([0104] “The endpoint 402 may be any of the endpoints described herein, or any other device or network asset that might join or participate in the enterprise 410 or otherwise operate on an enterprise network.”, [0064] “The detection techniques facility 130 may include monitoring the enterprise facility 102 network or endpoint devices… Detection techniques, such as scanning a computer's stored files, may provide the capability of checking files for stored threats, either in the active or passive state.” [0351] “in response to the indication of tampering identifying the source of tampering as an endpoint, remedial action may include evaluating a compromise status of the endpoint for potential unresolved compromise. Other remedial actions may include: running a malware scan on the endpoint…adjusting a security risk status of the endpoint;”, [0271] “Each time a new object is loaded into memory in the user space 1704, the endpoint defense driver 1750 can intercept that action and check the source or target object against items in the process cache 1752, protection cache 1754, and/or file cache 1756.”);
determining a low risk level, a medium risk level, or a high risk level associated with each portion of the data, wherein the medium risk level is higher than the low risk level and the high risk level is higher than the medium risk level ([0073] “… network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data. For instance, an internal enterprise facility 102 network may have a high level of trust … An example of a low level of trust is the Internet 154, because the source of data may be unknown. A zone with an intermediate trust level, situated between the Internet 154 and a trusted internal network, may be referred to as a “perimeter network.”);
migrating the data associated with the low risk level ([0058] “… security management facility 122 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the enterprise facility 102 rules and policies.” [0073] “…network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data. For instance, an internal enterprise facility 102 network may have a high level of trust, because the source of all data has been sourced from within the enterprise facility 102.”);
And the medium risk level from the source device to the target device ([0044] teaches “In embodiments, scanning the client facility may include scanning some or all of the files stored to the client facility on a periodic basis, scanning an application when the application is executed, scanning files as the files are transmitted to or from the client facility, or the like” and [0073] teaches “… network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data.” One of ordinary art would appreciate that Cosgrove’s configuration enabling the invention to permit, deny, or proxy (migrate) data through a computer network based on different levels of trust (risk levels) predicts migrating the data associated with the medium risk level from the source device to the target device since medium risk level is equivalent to one of a plurality of levels of trust.)
while continuing to migrate the data associated with the low risk level to the target device after stopping migration of the data associated with the medium risk level ([0058] “… security management facility 122 may be used to scan an outgoing file and verify that the outgoing file is permitted to be transmitted per the enterprise facility 102 rules and policies.” [0073] “…network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data. For instance, an internal enterprise facility 102 network may have a high level of trust, because the source of all data has been sourced from within the enterprise facility 102.” [0239] “The network device may also or instead communicate with other network devices or resources to coordinate management of network traffic flows… The network device may also or instead provide notifications to a threat management facility, an endpoint security agent, or a malware remediation system or the like to take appropriate action. The network device may also or instead initiate procedures such as quarantining, endpoint isolation or termination, sandboxing, and so forth, or may instruct other network devices or resources to do any of the foregoing.”, as the transmitting of data is a continued process, which includes different levels of trust in source of data, therefore, the permitting of data with corresponding trust level (i.e. low risk level) after stopping of data with lower trust level (i.e. medium or high risk level) is implied).
while migrating the data associated with the medium risk level to the target device ([0044] teaches “In embodiments, scanning the client facility may include scanning some or all of the files stored to the client facility on a periodic basis, scanning an application when the application is executed, scanning files as the files are transmitted to or from the client facility, or the like” and [0073] teaches “… network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data.” One of ordinary art would appreciate that Cosgrove’s configuration enabling the invention to permit, deny, or proxy (migrate) data through a computer network based on different levels of trust (risk levels) predicts migrating the data associated with the medium risk level to the target device since medium risk level is equivalent to one of a plurality of levels of trust.), making a determination that a threat is present on the target device, wherein the threat is based on additional operations on the target device being indicative of suspicious activity ([0044] “The security management facility 122 may have the ability to scan the client facility files for malicious code, remove or quarantine certain applications and files, prevent certain actions, perform remedial actions and perform other security measures.” [0165] “In general, the threat monitor 720 provides monitoring of a security state and an exposure state of the endpoint. The security state may, for example, be ‘compromised’, ‘secure’, or some other state or combination of states. This may be based on detections of known malware, suspicious activity, policy violations and so forth.” One of ordinary skill in the art would appreciate that detecting “suspicious activity, policy violations and so forth.” in order to monitor and set a security state teaches making a determination that a threat is present on the target device, wherein the threat is based on additional operations on the target device being indicative of suspicious activity);
Sending a notification comprising a detail of the threat to a user in response to making the determination; and stopping, based on the determination, migration of the data associated with the medium risk level to the target device ([0239] “The network device may also or instead communicate with other network devices or resources to coordinate management of network traffic flows. For example, the network device may provide suitable notifications to an administrator, and may proactively suggest possible actions associated with a network traffic flow. The network device may also or instead provide notifications to a threat management facility, an endpoint security agent, or a malware remediation system or the like to take appropriate action. The network device may also or instead initiate procedures such as quarantining, endpoint isolation or termination, sandboxing, and so forth, or may instruct other network devices or resources to do any of the foregoing.” Since Cosgrove teaches both sending a notification comprising a detail of the threat to a user in response to making the determination and “device may also or instead initiate procedures such as quarantining, endpoint isolation or termination, sandboxing, and so forth, or may instruct other network devices or resources to do any of the foregoing.” one of ordinary skill in the art would appreciate that Cosgrove teaches “Sending a notification comprising a detail of the threat to a user in response to making the determination; and stopping, based on the determination, migration of the data associated with the medium risk level to the target device”).
Further regarding claim 1, Cosgrove teaches the limitations previously demonstrated. Cosgrove does not appear to teach, but in a related art Ma (US 20190332502 A1) teaches:
scheduling, based on the target device risk level, migration of the data associated with the high risk level after completing migration of the data associated with the low risk level and the medium risk level ([0045] “the control module 350 may determine the risk level of each of the stripes 330-4 and 330-5 is below the second threshold. At this point, the control module 350 may schedule a data recovery operation to the stripe on the basis of the determined risk level.”);
Since Cosgrove and Ma are from the same field of endeavor as both are directed to rule-based data transmission and storage, which is within the same field of endeavor as the claimed invention, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify and combine the teachings of Cosgrove by incorporating the teachings of Ma into Cosgrove. The motivation to combine is to improve rule-based access and security management (Cosgrove [AB]; Ma [AB]).
Regarding Claim 2, Cosgrove-Ma teaches:
Rolling back, based on the determination, the data migrated associated with the medium risk level from the source device to the target device during the data migration operation (Cosgrove [0008] “In embodiments, the remediation action to mitigate the at least one threat may include restoring the tamper-protected computing resource to an untampered condition.”, [0073] “A zone with an intermediate trust level, situated between the Internet 154 and a trusted internal network, may be referred to as a “perimeter network.” Since firewall facilities 138 represent boundaries between threat levels, the endpoint computer security facility 152 associated with the firewall facility 138 may provide resources that may control the flow of threats at this enterprise facility 102 network entry point.”).
Regarding Claim 3, Cosgrove-Ma teaches:
Receiving a second notification from the user that the threat has been addressed (Cosgrove [0180] “The process may also or instead be adapted to be responsive to detecting suspicious activity at a network device ... A network device receiving labeled network traffic from an endpoint may then take additional measures, such … inspecting the content of the network traffic, verifying the reputation of the destination(s) of the network traffic, verifying the endpoint(s) generating the network traffic, determining whether there is other network traffic from other devices on the network directed to the destination, notifying an administrator, and so forth.” One of ordinary skill in the art would appreciate that verifying network traffic details of suspicious activity (addressing threats) and notifying an administrator teaches a notification that a threat has been addressed.); migrating, based on the second notification([0036] References to items in the singular should be understood to include items in the plural, and vice versa, unless explicitly stated otherwise or clear from the context.), the data associated with the medium risk level to the target device ([0349] “Likewise, a process that is indicated as a source of the tampering may be added to a list of processes that are suspect of being compromised. Processes on this list may require added security steps (e.g., multi-factor authentication) to access system resources and the like.” One of ordinary skill in the art would appreciate that within the context of Cosgrove’s disclosure, providing access to resources based on the response of a multi-factor authentication notification teaches migrating, based on the second notification, the data associated with the medium risk level to the target device);
Migrating, based on the second notification, the data associated with the high risk level to the target device (Cosgrove [0073] “network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data.”, [0349] “Likewise, a process that is indicated as a source of the tampering may be added to a list of processes that are suspect of being compromised. Processes on this list may require added security steps (e.g., multi-factor authentication) to access system resources and the like.” One of ordinary skill in the art would appreciate that within the context of Cosgrove’s disclosure, providing access to members of a suspect list resources based on the response of a multi-factor authentication notification teaches migrating, based on the second notification, the data associated with the high risk level to the target device. Further, it is appreciated that Cosgrove teaches proxying (migrating) and controlling data based on a range of levels of trust (risk level) that would include a low level of trust (high risk level).).
Regarding Claim 4, Cosgrove-Ma teaches:
Adjusting a security setting of the data before migrating the data from the source device to the target device (Cosgrove [0350] “This global reputation could be used in a remediation that extends beyond the affected endpoint of the attempted tampering. For example, this information may be used to identify potential malicious activity on other endpoints based on the unique identifier, or this may be used to adjust thresholds locally or globally for the file/process to increase detection sensitivity and response speed. In one aspect, the unique identifier may be used to block any action by the process unless/until further analysis determines that the process is not malicious.”).
Regarding Claim 5, Cosgrove-Ma teaches:
Wherein the determination is based on determining that an attempt was made to adjust the security setting while the data is being migrated (Cosgrove [0004] “The steps may also include instrumenting an endpoint of an enterprise network to detect an attempted modification to one of the tamper-protected computing objects by reference to an entry in the cache corresponding to the one of the tamper protected computing objects.”, [0056] “As threats are identified and characterized, the threat management facility 100 may create definition updates that may be used to allow the threat management facility 100 to detect and remediate … configuration and policy changes, and the like.” [0107] “The object 418 may also or instead include a computing component upon which an action is taken, e.g., a system setting (e.g., a registry key or the like), a data file, a URL, or the like.” One of ordinary skill in the art would appreciate that detecting a modification of a tamper protected policy or system setting predicts determining that an attempt was made to adjust a security setting.).
Regarding Claim 6, Cosgrove-Ma teaches:
Wherein the determination is based at least in part on a policy (Cosgrove [0056] “As threats are identified and characterized, the threat management facility 100 may create definition updates that may be used to allow the threat management facility 100 to detect and remediate the latest malicious software, unwanted applications, configuration and policy changes, and the like.”).
Regarding Claim 7, Cosgrove-Ma teaches:
Wherein the determination is based on a number of user authentications made on the target device while the data is being migrated exceeding a threshold value (Cosgrove [0059] “In addition, the manager of the enterprise facility 102 may want to restrict user access based on certain criteria, such as the user's location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like.” One of ordinary skill in the art would appreciate that the number of user authentications is inherent within a user’s history that includes methods of authentication. Given that Cosgrove’s system provides for both multi-factor authentication and reauthentication, a count for authentications is inherent. Further, [0351] teaches “Other remedial actions may include: … reducing a threshold for taking a threat management action in response to a detection of potentially malicious activity...requiring re-authentication of each process executing on the endpoint;” in which an authentication could be interpreted as a threat management action and the “re-authentication” demonstrates at least a quantification concept of authentication since a re-authentication can only exist in the case of at least one preceding authentication. Further, [0221] teaches “It will also be appreciated that any combination of the foregoing techniques may be used to manage network traffic as contemplated herein... This may also or instead include the use of thresholds for quantitative metrics, as well as multi-factor scoring of different criteria or characteristics of network traffic…” to demonstrate using a threshold of authentications to manage network traffic.).
Regarding Claim 8, Cosgrove-Ma teaches:
Wherein the determination is made using a learning model (Cosgrove [0039] “The threat management facility 100 may be multi-dimensional in that it may be designed to protect corporate assets from a variety of threats and it may be adapted to learn about threats in one dimension (e.g., worm detection) and apply the knowledge in another dimension (e.g., spam detection).”, [0262] “A variety of techniques may be used by the file protection system 1730. In one aspect, this may include a scanner for local file reputation based on, e.g., local signature or hash caches, file metadata, file header information, and so forth. This may also or instead include a machine learning antivirus system using a model trained to identify malicious components within executables and other files.”).
Regarding Claim 9, Cosgrove-Ma teaches:
Providing, to the learning model, the detail; and updating the learning model based at least in part on the detail (Cosgrove [0262] This may also or instead include a machine learning antivirus system using a model trained to identify malicious components within executables and other files. The file protection system 1730 may also or instead include a global reputation service that obtains information from files and accesses a remote resource such as the reputation service 1732 to determine a corresponding reputation. A variety of other protection systems may also or instead be employed. For example, the file protection system 1730 may include a data collector that gathers streams of event data, which may be communicated to a remote service periodically or in response to a malware detection or other indication of compromise for the endpoint.).
Regarding Claim 10, the claim recites similar limitation as corresponding claim 1 and is rejected for similar reasons as claim 1 using similar rationale. Cosgrove-Ma also teaches:
A non-transitory computer readable medium comprising computer readable program code (Cosgrove [0004] “In one aspect, a computer program product of computer executable code that may be embodied in a non-transitory computer-readable medium may cause one or more computing devices to perform a set of steps for detecting and remediating attempts at tampering in context of a threat management environment for an enterprise network.”).
Pausing initiating migration of the data associated with the high risk level to the target device (Cosgrove [0072] “The personal firewall may permit or deny communications based on a security policy ... Personal firewalls may be able to control network traffic by providing prompts each time a connection is attempted and adapting security policy accordingly. Personal firewalls may also provide some level of intrusion detection, which may allow the software to terminate or block connectivity where it suspects an intrusion is being attempted. Other features that may be provided by a personal firewall may include alerts about outgoing connection attempts, control of program access to networks… monitoring and regulation of incoming and outgoing network traffic, prevention of unwanted network traffic from installed applications … and the like.”).
Regarding Claim 11, the claim recites similar limitation as corresponding claim 3 and is rejected for similar reasons as claim 3 using similar rationale.
Regarding Claim 12, the claim recites similar limitation as corresponding claim 4 and is rejected for similar reasons as claim 4 using similar rationale.
Regarding Claim 13, the claim recites similar limitation as corresponding claim 5 and is rejected for similar reasons as claim 5 using similar rationale.
Regarding Claim 14, the claim recites similar limitation as corresponding claim 6 and is rejected for similar reasons as claim 6 using similar rationale.
Regarding Claim 15, the claim recites similar limitation as corresponding claim 7 and is rejected for similar reasons as claim 7 using similar rationale.
Regarding Claim 16, the claim recites similar limitation as corresponding claim 8 and is rejected for similar reasons as claim 8 using similar rationale.
Regarding Claim 17, the claim recites similar limitation as corresponding claim 9 and is rejected for similar reasons as claim 9 using similar rationale.
Regarding Claim 18, the claim recites similar limitation as corresponding claims 1 & 10 and is rejected for similar reasons as claims 1 & 10 using similar rationale. Cosgrove-Ma also teaches:
While migrating the data associated with the low risk level to the target device, making a determination that a threat is present on the target device (Cosgrove [0044] teaches “In embodiments, scanning the client facility may include scanning some or all of the files stored to the client facility on a periodic basis, scanning an application when the application is executed, scanning files as the files are transmitted to or from the client facility, or the like” and [0073] teaches “… network firewall facility 138, which may be a hardware or software device that may be configured to permit, deny, or proxy data through a computer network that has different levels of trust in its source of data.” One of ordinary art would appreciate that Cosgrove’s configuration enabling the invention to permit, deny, or proxy (migrate) data through a computer network based on different levels of trust (risk levels) predicts migrating the data associated with the low risk level to the target device since low risk level is equivalent to one of a plurality of levels of trust)
Pausing initiating migration of the data associated with the high risk level to the target device (Cosgrove [0072] “The personal firewall may permit or deny communications based on a security policy ... Personal firewalls may be able to control network traffic by providing prompts each time a connection is attempted and adapting security policy accordingly. Personal firewalls may also provide some level of intrusion detection, which may allow the software to terminate or block connectivity where it suspects an intrusion is being attempted. Other features that may be provided by a personal firewall may include alerts about outgoing connection attempts, control of program access to networks… monitoring and regulation of incoming and outgoing network traffic, prevention of unwanted network traffic from installed applications … and the like.”)
Receiving a second notification from the user that the threat has been addressed (Cosgrove [0180] “The process may also or instead be adapted to be responsive to detecting suspicious activity at a network device ... A network device receiving labeled network traffic from an endpoint may then take additional measures, such … inspecting the content of the network traffic, verifying the reputation of the destination(s) of the network traffic, verifying the endpoint(s) generating the network traffic, determining whether there is other network traffic from other devices on the network directed to the destination, notifying an administrator, and so forth.” One of ordinary skill in the art would appreciate that verifying network traffic details of suspicious activity (addressing threats) and notifying an administrator teaches a notification that a threat has been addressed.); migrating, based on the second notification([0036] References to items in the singular should be understood to include items in the plural, and vice versa, unless explicitly stated otherwise or clear from the context.), the data associated with the high risk level to the target device ([0349] “Likewise, a process that is indicated as a source of the tampering may be added to a list of processes that are suspect of being compromised. Processes on this list may require added security steps (e.g., multi-factor authentication) to access system resources and the like.” One of ordinary skill in the art would appreciate that within the context of Cosgrove’s disclosure, providing members of a suspected compromised list access to resources based on the response of a multi-factor authentication notification teaches migrating, based on the second notification, the data associated with the high risk level to the target device);
Regarding Claim 19, the claim recites similar limitation as corresponding claims 6 & 7 and is rejected for similar reasons as claims 6 & 7 using similar rationale.
Regarding Claim 20, the claim recites similar limitation as corresponding claims 8 & 9 and is rejected for similar reasons as claims 8 & 9 using similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kamryn Gillespie whose telephone number is 703-756-5498. The examiner can normally be reached on Monday through Thursday from 9am to 6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.J.G./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408