Prosecution Insights
Last updated: May 29, 2026
Application No. 18/357,227

Sensitive Data Identification In Real-Time for Data Streaming

Non-Final OA §103 §112
Filed: Jul 24, 2023
Priority: Apr 23, 2020 (continuation of 11/757,837)
Examiner: OLAEGBE, MUDASIRU K
Art Unit: 2495
Tech Center: 2400 (Computer Networks)
Assignee: International Business Machines Corporation
OA Round: 4 (Non-Final)
Grant Probability: 74% (Favorable)
OA Rounds: 4-5
Est. Remaining: 3m
With Interview: 91%

Examiner Intelligence

Grants 74% (above average)
Career Allowance Rate: 74% (60 granted / 81 resolved), +16.1% vs TC avg
Interview Lift: +17.0% (resolved cases with interview)
Typical timeline: 3y 1m avg prosecution, 19 currently pending
Career history: 111 total applications across all art units

Statute-Specific Performance

§101: 1.4% (-38.6% vs TC avg)
§103: 93.2% (+53.2% vs TC avg)
§102: 3.4% (-36.6% vs TC avg)
§112: 1.0% (-39.0% vs TC avg)
Based on career data from 81 resolved cases

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in response to the amendments filed on 04/03/2025. Claims 1-20 are currently pending in the application.

Response to Arguments

Applicant's arguments filed on 04/03/2025 have been fully considered but they are not persuasive.

Applicant alleges that the office action cited VIJAYVARGIYA as disclosing instant or rapid screening test in the 103 rejections of claim 13 with the citation of paragraph 100 of VIJAYVARGIYA. This seems like a mischaracterization of the office action. The office action in the last rejections of claim 13 cited Lakahani et al. (US 20160381049) as teaching the limitation of the screening test is an instant or rapid security analysis in paragraphs 17-18 where data packet is parsed to generate metadata by a sensor that provides a “high-speed packet analysis” without interrupting day-to-day network service.

Applicant's argument that forwarding or dropping of packet after header analysis is not determining the security status is not correct because packets are dropped/prevented from getting to the intended destination if they have security status of being malicious/risky and are forwarded to the intended destination if they have security status of being benign/safe. Packets are forwarded or dropped based on determination of the security status of the packets. This is in consonance with applicant’s disclosure in paragraphs 69 and 85 wherein packets are dropped or forwarded based on their security status.

Applicant’s arguments regarding instant/rapid test on a portion of data packet selected based on the analysis of the header was not claimed previously and will be addressed in the rejections made below.
It is also noteworthy that any reference that discloses screening/scanning of data packet also teaches instant or rapid security analysis of data packet based on applicant disclosure in paragraph 70 wherein rapid or instant security analysis is referred to as screening test on data packet.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA.
A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-2, 4, 6-8, 11-15, and 18-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11757837. Although the claims at issue are not identical, they are not patentably distinct from each other because most of the limitations of claims 1-2, 4, 6-8, 11-15, and 18-19 of the present application are conspicuously found in the limitation of claims 1, 2, 4-6, 8-12, 14, and 18, respectively of Patent No. 11757837.

Claim 1: PAT No.
11757837 Present Application Claim 1 Claim 1 A method for classifying data in real-time, the method comprising: capturing a plurality of data packets flowing between a data source machine and a data client; searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein the metadata includes at least one of machine information, network information, user information, and client information; if the search of the header indicates that the at least one data packet should be further analyzed, searching raw data of a payload of the at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field; if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. 
A method for classifying data in real-time, the method comprising: capturing a plurality of data packets flowing between a data source machine and a data client; searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein searching comprises screening test and decrypting the plurality of data packets based on applying a plurality of header security rules to determine a security status to the data packet; wherein the screening test is an instant or rapid security analysis performed on a portion of the at least one data packet selected based on the analysis of the header; and if the search of the header indicates that the data packet should be further analyzed, searching raw data of a payload of the data packet for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field. The table above shows the difference between claim 1 of the present application and claim 1 of Pat. No. 11757837. “Wherein searching comprises screening test and decrypting the plurality of data packets based on applying a plurality of header security rules to determine a security status to the data packet” as recited in the amended claim 1 of the present application is equivalent to searching raw data of a payload of the at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information as recited in claim 1 of Pat. No. 11757837. Applicant referred to instant/rapid security analysis as screening test on the data packet in paragraph 70 of the specification. One of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in claim 1 of the present application to combine the art of VIJAYVARGIYA (US. 
20200344210) which discloses the newly added limitation in claim 1 of the present application with the teaching of Pat. No. 11757837 in claim 1 to arrive at the claim 1 of the present claimed invention and be motivated in doing so in order to filter network traffic flowing into and out of virtual machines (VMs) running on the host system using the security policies- VIJAYVARGIYA ¶0002 in parts. The further limitations in claims 14 and 18 of the present application are the same as what’s further recited in claims 11 and 18 respectively of Patent No. 11757837 Claim 12: PAT No. 11757837 claim 9 Present Application claim 12 The method of claim 1, comprising: issuing a security alert if tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet and the offline comprehensive security analysis finds security issues. The method of claim 2, comprising: issuing a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues. The table above shows the difference between claim 12 of the present application and claim 9 of Pat. No. 11757837. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to remove the bolded portion of claim 9 in the patent No. 11757837 in order to arrive at claim 12 of the present claimed invention and be motivated in doing so in order to achieve the desired goal and optimize the system resources. Claim 2: Pat. No. 
11757837 claim 1 Present Application claim 2 A method for classifying data in real-time, the method comprising: capturing a plurality of data packets flowing between a data source machine and a data client; searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein the metadata includes at least one of machine information, network information, user information, and client information; if the search of the header indicates that the at least one data packet should be further analyzed, searching raw data of a payload of the at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field; if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. 
The method of claim 1, wherein if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; and if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. The table above shows the difference between limitation of claim 2 of the present application and claim 1 of Pat. No. 11757837. All the limitations of claim 2 of the present application are conspicuously found in claim 1 of Pat. No. 11757837. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to remove the bolded portion of claim 1 in the patent No. 11757837 in order to arrive at claim 2 of the present claimed invention and be motivated in doing so in order to achieve the desired goal and optimize the system resources. Claim 4: Pat. No. 
11757837 claim 2 Present Application claim 4 The method of claim 1, wherein if tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet during the searching of the raw data of the payload the method further comprises: permanently blocking the data packet from flowing between the data source machine and the data client or discarding the data packet, if the offline comprehensive security analysis finds security issues; and allowing the data packet to flow between the data source machine and the data client if the offline comprehensive security analysis finds no security issues. The method of claim 1, comprising, if tokens associated with sensitive information are found in the data packet: continuing to prevent the data packet from flowing between the data source machine and the data client if the comprehensive security analysis finds security issues; and allowing the data packet to flow between the data source machine and the data client if the comprehensive security analysis finds no security issues. The table above shows the difference between the limitation of claim 4 of the present application and claim 2 of Pat. No. 11757837. All the limitations of claim 4 of the present application are conspicuously found in claim 2 of Pat. No. 11757837. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to remove the bolded portion of claim 2 in the patent No. 11757837 in order to arrive at claim 4 of the present claimed invention and be motivated in doing so in order to achieve the desired goal and conserve the system resources. Claim 6: Pat. No. 11757837 claim 14 Present Application claim 6 The system of claim 12, wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client. 
The method of claim 1, wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client. The table above shows the difference between claim 6 of the present application and claim 14 of Pat. No. 11757837. All the limitations of claim 6 of the present application are conspicuously found in claim 14 of Pat. No. 11757837 except that one is a method claim and the other is a system claim. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to substitute the system claim of claim 14 in the patent No. 11757837 with a method claim in claim 6 of the present application with the rationale of simple substitution of one known element for another to obtain predictable results Claim 14: Pat. No. 11757837 claim 12 Present Application claim 14 A system for classifying data in real-time, the system comprising: a memory; and a processor configured to: capture a plurality of data packets flowing between a data source machine and a data client; search a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein the metadata includes at least one of machine information, network information, user information, and client information; if the search of the header indicates that the at least one data packet should be further analyzed, search raw data of a payload of the at least one of the data packets for tokens associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field; if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allow the data packet 
to flow between the data source machine and the data client and send a copy of the data packet to an offline comprehensive security analysis; if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: perform a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, prevent the data packet from flowing between the data source machine and the data client and send the data packet or a copy of the data packet, along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. A system for classifying data in real-time, the system comprising: a memory; and a processor configured to perform a method, the method comprising: capturing a plurality of data packets flowing between a data source machine and a data client; searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein searching comprises decrypting the plurality of data packets based on applying at least one header security rule to determine a security status to the data packet; and if the search of the header indicates that the at least one data packet should be further analyzed, searching raw data of a payload of the at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field. The table above shows the difference between claim 14 of the present application and claim 12 of Pat. No. 11757837. 
However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in claim 14 of the present application to combine the art of VIJAYVARGIYA (US. 20200344210) which discloses the newly added limitation in claim 14 of the present application with the teaching of Pat. No. 11757837 in claim 12 to arrive at the claim 14 of the present claimed invention and be motivated in doing so in order to filter network traffic flowing into and out of virtual machines (VMs) running on the host system using the security policies- VIJAYVARGIYA ¶0002 in parts. Claim 15: Pat. No. 11757837 claim 11 Present Application claim 15 A system for classifying data in real-time, the system comprising: a memory; and a processor configured to: capture a plurality of data packets flowing between a data source machine and a data client; search a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein the metadata includes at least one of machine information, network information, user information, and client information; if the search of the header indicates that the at least one data packet should be further analyzed, search raw data of a payload of the at least one of the data packets for tokens associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field; if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allow the data packet to flow between the data source machine and the data client and send a copy of the data packet to an offline comprehensive security analysis; if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with 
sensitive information are found in the data packet: perform a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, prevent the data packet from flowing between the data source machine and the data client and send the data packet or a copy of the data packet, along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis The system of claim 14, wherein if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; and if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. The table above shows the difference between claim 15 of the present application and claim 11 of Pat. No. 11757837. All the limitations of claim 15 of the present application are conspicuously found in claim 11 of Pat. No. 11757837. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to remove the bolded portion of claim 11 in the patent No. 
11757837 in order to arrive at claim 15 of the present claimed invention and be motivated in doing so in order to achieve the desired goal and conserve the system resources. Claim 19: Pat. No. 11757837 claim 18 Present Application claim 19 A computer program product for classifying data in real-time, the computer program product comprising: one or more non-transitory computer readable storage media having computer-readable program instructions stored on the one or more computer readable storage media, said program instructions executes a computer-implemented method comprising: capturing a plurality of data packets flowing between a data source machine and a data client; searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed, wherein the metadata includes at least one of machine information, network information, user information, and client information; if the search of the header indicates that the at least one data packet should be further analyzed, searching raw data of a payload of at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field; if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; [[and]] if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload 
in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet, along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. The computer program product of claim 18, wherein if during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client and sending a copy of the data packet to an offline comprehensive security analysis; and if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel in parallel for identified terms; and if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client and sending the data packet or a copy of the data packet, along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis. The table above shows the difference between the limitation of claim 19 of the present application and that of claim 18 of Pat. No. 11757837. All the limitations of claim 15 of the present application are conspicuously found in claim 18 of Pat. No. 11757837. However, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant claimed invention in the present application to remove the bolded portion of claim 18 in the patent No. 
11757837 in order to arrive at claim 19 of the present claimed invention and be motivated in doing so in order to achieve the desired goal and conserve the system resources.

The further limitations recited in Claims 6-8, 11, and 13 are substantially the same as that of claims 4-6, 8, and 10 of prior U.S. Patent No. 11757837. This is nonstatutory double patenting.

Claim 6: Pat. No. 11757837 claim 4 | Present Application claim 6

The method of claim 1, wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client.

The method of claim 1, wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client.

Claim 7: Pat. No. 11757837 claim 5 | Present Application claim 7

The method of claim 1, wherein capturing and searching are performed by a software agent that is installed on the data source machine.

The method of claim 1, wherein capturing and searching are performed by a software agent that is installed on the data source machine.

Claim 8: Pat. No. 11757837 claim 6 | Present Application claim 8

The method of claim 5, wherein performing the offline comprehensive security analysis is performed by a dedicated security server, and wherein the data packet is sent to the dedicated security server for performing the offline comprehensive security analysis.

The method of claim 2, wherein performing a comprehensive security analysis is performed by a dedicated security server, and wherein the data packet is sent to the dedicated security server for performing the comprehensive security analysis.

Claim 11: Pat. No. 11757837 claim 8 | Present Application claim 11

The method of claim 1, wherein the offline comprehensive security analysis comprises: parsing the data packet; mapping metadata to data; building hierarchy of the data; and processing policy rules.
The method of claim 2, wherein the comprehensive security analysis comprises: parsing the data packet; mapping metadata to data; building hierarchy of the data; and processing policy rules.

Claim 13: Pat. No. 11757837 claim 10 | Present Application claim 13

The method of claim 1, comprising: after capturing, decrypting the plurality of data packets to obtain a header of each packet; analyzing the headers to determine security status of packets associated with the headers; and selecting the at least one data packet based on the security status.

The method of claim 1, comprising: after capturing, decrypting the plurality of data packets to obtain a header of each packet; wherein the metadata comprises at least one of machine information, network information, user information, and client information; analyzing the headers to determine the security status of packets associated with the headers; and selecting the at least one data packet based on the security status.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Specifically in view of: Claims 1-3, 12, and 14-20 that recite “if”. This clause is interpreted as “in the event that (a particular situation)”.
See definitions from Oxford Languages. The Examiner notes that intended use clauses, such as “in case of” and “if”, may render parts of the claims optional or indefinite (see MPEP 2111.04). Notably, limitations recited after the intended use clause will be considered optional to the functionality of the claimed system. Replacements for intended use clauses include “when” (replacing “in case of”) which concretely define the functionality of the claimed system or method. Applicant may also make an admission on record that the intended use clauses do not render any of the functional language optional to the claimed invention.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement.
The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claims 1, 14, and 18 recite decrypting the plurality of data packets based on applying a plurality of header security rules to determine a security status of the data packet in one of the limitations. There is no support for such claim in the disclosure as originally filed. Paragraphs 16, 69, and 85 of the specification disclose decryption of the data packets to obtain the header of the packets before analysis of the headers. See paragraph 69 for example (“…agent 322 may decrypt captured data packets 350 to obtain a header of each data packet 350. Agent 322 may analyze the headers to determine security status of data packet 350 associated with the headers…”). The decryption of data packet disclosed in paragraph 69 is not based on application of header security rules. The header security rules are applied to determine the security status of the data packet such as whether to allow or block the data packet. See paragraph 69 in parts (“…Agent 322 may apply header security rules on the header data to obtain a security status of data packet 350. Agent 322 may determine based on the security status whether data packet 350 associated with the header should be blocked, should be allowed to flow without further analysis or whether further security analysis is required…”).

Other claims not specifically addressed are rejected due to dependency on one of claims 1, 14, or 18. However, for the purpose of the prosecution of the application, the claims will be addressed as written.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-7, 9, 13-14, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over US. PGPub. No. 20190268379 to NARAYANASWAMY et al. (hereinafter NARAYANASWAMY) in view of US. PGPub. No. 20200344210 to VIJAYVARGIYA et al. (hereinafter VIJAYVARGIYA) and further in view of PGPub. No. 20080262991 to Kapoor et al. (hereinafter Kapoor).

Regarding claims 1, 14, and 18, NARAYANASWAMY discloses a method for classifying data in real-time, the method comprising (¶0068, “Cloud-based content sensitivity scanner 165 can perform the sensitivity classification in real-time when the documents are intercepted by the inspection service 155, while in transit to or from the cloud-based services 128A-Z.”): capturing a plurality of data packets flowing between a data source machine and a data client (¶0096, FIG.
1, “…Sensitivity lists 144A-Z are maintained at the endpoints 102A-Z and made available to the endpoint traffic monitor 142A-Z to monitor network traffic directed to and from these sensitive cloud-based services.”, wherein traffic between cloud-based services and endpoints is being monitored), (¶0051, “…The technology disclosed detects a user's visit to the sensitive cloud-based service by analyzing the application layer traffic using deep application programming interface inspection (DAPII), and further detects that the document was saved to the endpoint as result of the visit by monitoring the endpoint's file system.”); searching a header of at least one of the data packets for metadata to determine whether the data packet should be allowed or should be further analyzed (¶0082, “The local anchor pattern scanner 112A is a minimalist DLP engine that acts a pre-filter for determining whether a document needs to be further inspected by the cloud-based content sensitivity scanner 165…”), (¶0100, “…in the case of a secure tunneling agent, network packets destined to IP addresses that match the DNS resolution of a URL in the sensitivity list 144A are identified. 
Thus, if “subdomain.domain.tld” and “www.domain.tld” share the same network address, both will be deemed sensitive even if the sensitivity list 144A identifies one and not the other”, wherein the header of the packet includes the destination IP address), (¶0088, “…Periodic updates of sensitivity metadata 406 from the cloud-based metadata data store 145 to the local metadata store 134A, 134Z ensure that the endpoint policy enforcer 132A, 132Z that needs sensitivity information on a document can look up the file in the local metadata store 134A, 134Z, based on the document checksum, and receive the associated metadata without redoing DLP sensitivity classification for the document...”); and if the search of the header indicates that the at least one data packet should be further analyzed (¶0082, “…If the document scores positive on the anchor pattern check, it is sent to the cloud-based content sensitivity scanner 165 for deep inspection. The local metadata store 134A and the cloud-based metadata store 145 are updated with the results of the deep inspection.”), searching raw data of a payload of the at least one of the data packets for tokens, values, expressions, words or phrases associated with sensitive information streaming in or out of a database in real-time without parsing the data packets or knowing which values in the payload fit into each field (¶0087, “…Deep inspection produces a sensitivity classification by subjecting the document to content analysis techniques like language-aware data identifier inspection, document fingerprinting, file type detection, keyword search, pattern matching, proximity search, regular expression lookup, exact data matching, metadata extraction, and language-agnostic double-byte character inspection.”), (¶0095, “…The technology disclosed adds another level of computational efficiency to endpoint DLP by generating sensitivity metadata
without the need to perform any content-based analysis either at the endpoint or on the server-side.”, wherein without the need to perform any content-based analysis either at the endpoint or on the server-side is interpreted as without parsing the data packet).

However, NARAYANASWAMY does not explicitly disclose the limitation of: wherein searching comprises decrypting the plurality of data packets based on applying a plurality of header security rules to determine a security status of the data packet;

VIJAYVARGIYA discloses searching comprises decrypting the plurality of data packets based on applying a plurality of header security rules to determine a security status of the data packet (¶0014, “… in the case where security policies 108 include IP-based policies, at the time a new connection is established between a VM 116 and a remote machine, policy enforcer 110 will typically receive one or more security policies from policy manager 104 pertaining to the IP addresses of these machines. Policy enforcer 110 will then apply these policies to the network packets flowing between the machines and take an appropriate action on each packet (e.g., allow or drop it)”, wherein allowing or dropping the packet is determining the security status of the packet as disclosed by applicant in ¶0069, and ¶0085 of the specification), (¶0015-¶0016, “…, policy enforcer 110 must decrypt each encrypted packet to determine its packet header information (e.g., source IP address, destination IP address, etc.) and apply security policies 108. Once the appropriate policies are applied, the packet is either dropped or the encrypted version is forwarded onward to its intended destination.
…”, wherein dropping or forwarding the packet based on security rules is interpreted as determining the security status of the packet based on security rules);

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY to include decryption of data packets based on security rules as disclosed by VIJAYVARGIYA and be motivated in doing so in order to filter network traffic flowing into and out of virtual machines (VMs) running on the host system using the security policies-VIJAYVARGIYA ¶0002 in parts.

However, the combination of NARAYANASWAMY and VIJAYVARGIYA does not explicitly disclose the limitation of wherein searching comprises screening test and wherein the screening test is an instant or rapid security analysis performed on a portion of the at least one data packet selected based on the analysis of the header;

Kapoor discloses the limitation (¶0424-¶0425, Fig. 22, “…A packet parser 2206 may divide the input ("traffic in 2204"; which, in embodiments, may be "the packets 402") into "chunks" from which the system may extract respective feature vectors. A typical "chunk" may be an Internet Protocol ("IP") datagram or other link- or other-level protocol data unit. As FIG. 22 suggests, packet parser 2206 may divide those "chunks" into header and payload portions, from which header analyzer 2208 and content analyzer 2210 may extract the features in different ways, as outlined in the following description… Header analyzer 2208 may extract features that may include, without limitation, the various fields within the IP header and/or with an encapsulated transport-layer header. In addition, header analyzer 2208 may also derive other features from statistics taken over multiple "chunks"…”), (¶0023, “… network security policies may be enforced by inspecting a packet and, as necessary, responding to a result of the packet inspection.
The packet inspection may be directed at a header of the packet and/or a payload of the packet. Such packet inspection may be performed at any and all layers of a network communication protocol stack (such as and without limitation the Internet Protocol stack). Inspecting the payload of the packet may be referred to as "deep packet inspection" or "payload inspection." In any case, any and all packet inspection may be directed at the inspection of data that encompasses a packet or flow of packets…”, wherein either the header or the payload is a portion of a data packet), (¶0081, “…In these methods and systems, processing may include inspecting one or more of data packet headers, data packet payloads, network layer packets, application layer packets, and transport layer packets.”), (¶0461, “the content search logic 312 of the flow processing facility 102 may be used to inspect the payload of a network layer packet to detect strings that may match a form of invalid application layer packet header. A network layer packet with such a violation may be acted upon by the UTM application to prevent the packet from reaching the network, and any and all connection or data flow 444 associated with the packet may be terminated or dropped.”, Applicant in paragraph 70 of the specification as originally filed referred to instant or rapid security analysis as screen test on the data packet).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY and VIJAYVARGIYA to include inspection of portion of data packet to detect abnormality as disclosed by Kapoor and be motivated in doing so in order to conserve network resources that would have been used to inspect the entire packet.

Regarding claims 4 and 17, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1.
NARAYANASWAMY further discloses comprising, if tokens associated with sensitive information are found in the data packet: continuing to prevent the data packet from flowing between the data source machine and the data client if the comprehensive security analysis finds security issues (¶0089, “…If the document is determined to be potentially sensitive, the local anchor pattern scanner 112A, 112Z sends the file in question to the cloud-based content sensitivity scanner 165 for classification. The copy action will be blocked until the sensitivity metadata is returned from the scanner 165 and the endpoint policy enforcer 132A, 132Z deems the copy action to be allowed for the file being scrutinized”); and allowing the data packet to flow between the data source machine and the data client if the comprehensive security analysis finds no security issues (¶0087, “…Endpoint policy enforcer 132A, 132Z allows fulfillment of the data egress request when it determines that the retrieved sensitivity metadata identifies the document as non-sensitive.”).

Regarding claim 5, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1.
NARAYANASWAMY further discloses wherein the data source machine is selected from the list consisting of: a database server, a file server, a proxy and a database server, a combination of a proxy and a file server, a combination of a network gate and a database server, and a combination of a network gate and a file server (¶0039, “… In both the use of network mounted file servers and cloud storage services, users either mount the network file servers on the endpoint or use a sync application to access the cloud-stored documents…”).

Regarding claim 6, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1. NARAYANASWAMY further discloses wherein the data packet is one of: a query sent from the data client to the data source machine (¶0089, “FIG. 5 shows a third exfiltration control example 500 for enforcing data loss prevention policies at an endpoint in the environment 100—for a scenario in which a user makes a data regress request 502 at the endpoint and no sensitivity metadata is available for the document locally 515 or in the cloud 526”), and a response sent from the data source machine to the data client (¶0087, “In response to receiving the data egress request 332 for a document, endpoint policy enforcer 132A, 132Z determines sensitivity of the document by retrieving the sensitivity metadata for the document from the cloud-based metadata store 145, and endpoint policy enforcer 132A, 132Z enforces a data loss prevention policy at the endpoint based on the retrieved sensitivity metadata and without performing a sensitivity scan of the document at the endpoint. Endpoint policy enforcer 132A, 132Z enforces DLP policy for data egress requests 362. Some implementations include blocking a request if it is determined that the retrieved sensitivity metadata identifies the document as sensitive.
Other implementations include additional response security actions including but not limited to quarantine, encryption, justification, and coaching...”), (¶0087, “Upon determining that the document is sensitive, the sf-EDLP enforces one or more security policies (or DLP policies) at the endpoint to prevent exfiltration of the document. This can include executing security actions like blocking the data egress request, seeking user justification, encrypting the document, quarantining the document, or coaching the user on the security policies.”).

Regarding claim 7, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1. NARAYANASWAMY further discloses wherein capturing and searching are performed by a software agent that is installed on the data source machine (¶0041, “… An endpoint DLP solution is installed on the endpoints as an active agent that performs constant validation as data is accessed by applications…”), (¶0073, “… Configuration service 175 can deploy the endpoint security module as an agent, downloadable via e-mail or silently installed using mass deployment tools like CONFIGMGR™, ALTRIS™, and JAMF™.”).

Regarding claim 9, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1. Kapoor further discloses (¶0195, “Embodiments of the content search logic 312 may encompass hardware-based regular expression logic while performing a search for position dependent substrings. To this end, a regular expression may first be partitioned into a set of position dependent substrings. A pattern tree may then be constructed which represents and enacts the search for substrings. When a substring is found, the relative positions of the substrings may be examined and, depending upon the result of the examination, a positive or negative match may be effectively determined.
The logic may include the capability of detecting character classes (such as /[abc]/) and wildcards (such as * and .) which may be included in the regular expression…”), (¶0180, “The content search logic 312 may include an implementation of the Aho-Corasick algorithm, an optimization or modification thereof, or any other algorithm or heuristic for performing pattern matching, such as and without limitation regular expression matching, on a data flow. The content search logic 312 may locate all instances of strings in the data flow that match strings in a dictionary…”); (¶0536, “… The management server 228 may provide network security related metrics gathered from one or more flow processing facilities 102 to the NEMS for further analysis or presentation to a network administrator. In an example and without limitation, a roll-out campaign for content inspection may be proceeding with two flow processing facilities 102 operating in parallel on the same network traffic wherein one flow processing facility 102 is not inspecting content and the other is inspecting content…”).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY, VIJAYVARGIYA, and Kapoor to include performing a wildcard search, a dictionary search, and a regular expression search on the input data as disclosed by Kapoor and be motivated in doing so in order to construct a pattern tree which represents and enacts the search for substrings-Kapoor ¶0195.

Regarding claim 13, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1.
NARAYANASWAMY further discloses comprising: wherein the metadata comprises at least one of machine information, network information, user information, and client information (¶0069, “Some examples of the sensitivity metadata generated by the inspection service 155 and the cloud-based content sensitivity scanner 165 are unique document identifier, document integrity checksum such as MD5, document fingerprint such as Rabin fingerprint, document true file type such as portable document format (PDF), name of the cloud-based service on which a document is stored, sensitivity (or non-sensitivity) of the document, type of sensitivity such as PCI, PII, and ePHI, name and sensitivity (or non-sensitivity) of the source from which the document originated (e.g., a source cloud-based service, a source website, a source server, a source database, a source partition, a source user, a source user group, a source folder, a source device…”), (¶0016, “Enterprise organizations have a business need to store sensitive data, such as financial or patient information, intellectual property (IP) and other information, depending on the business and industry. For example, personally identifiable information (PII) refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, and biometric records,…”); after capturing, analyzing the headers to determine the security status of packets associated with the headers (¶0100, “… in the case of a secure tunneling agent, network packets destined to IP addresses that match the DNS resolution of a URL in the sensitivity list 144A are identified. 
Thus, if “subdomain.domain.tld” and “www.domain.tld” share the same network address, both will be deemed sensitive even if the sensitivity list 144A identifies one and not the other.”, wherein the headers include the IP addresses); and selecting the at least one data packet based on the security status (¶0100, “if a document is determined to be potentially sensitive based on the anchor pattern scan, the local anchor pattern scanner 112A, 112Z preliminarily classifies the document as sensitive, and the endpoint policy enforcer 132A, 132Z invokes the cloud-based content sensitivity scanner 165 for confirmatory classification 568 (sensitive or non-sensitive)”).

VIJAYVARGIYA further discloses decrypting the plurality of data packets to obtain a header of each packet (¶0016, “…, policy enforcer 110 must decrypt each encrypted packet to determine its packet header information (e.g., source IP address, destination IP address, etc.) and apply security policies 108…”); analyzing the headers to determine the security status of packets associated with the headers (¶0016, “…Once the appropriate policies are applied, the packet is either dropped or the encrypted version is forwarded onward to its intended destination.”, wherein forwarding or dropping the packet after header after applying the security policies to the header is determining the security status of the packet, this is in consonant with applicant’s disclosure in ¶0069);

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY to include decryption of data packets to obtain the header of each packet as disclosed by VIJAYVARGIYA and be motivated in doing so in order to forward the packet to its intended destination- VIJAYVARGIYA ¶0016 in parts, thus preventing corporate/personal confidential documents and/or sensitive information being accidentally sent to an unauthorized receiver.
Claims 2, 8, 10-12, 15, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over USPGPub. No. 20190268379 to NARAYANASWAMY et al. (hereinafter NARAYANASWAMY) in view of US. PGPub. No. 20200344210 to VIJAYVARGIYA et al. (hereinafter VIJAYVARGIYA) and further in view of PGPub. No. 20080262991 to Kapoor et al. (hereinafter Kapoor) and further in view of USPGPub. No. 20190095808 to Chattopadhyay et al. (hereinafter Chattopadhyay).

Regarding claims 2, 15, and 19, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1. NARAYANASWAMY further discloses wherein if, during the searching of the raw data of the payload, the tokens, values, expressions, words or phrases associated with sensitive information are not found in the payload of a data packet: allowing the data packet to flow between the data source machine and the data client (¶0087, “…Endpoint policy enforcer 132A, 132Z allows fulfillment of the data egress request when it determines that the retrieved sensitivity metadata identifies the document as non-sensitive.”) and if, during the searching of the raw data of the payload, tokens, values, expressions, words or phrases associated with sensitive information are found in the data packet: if identified terms are detected, preventing the data packet from flowing between the data source machine and the data client (¶0087, “…Endpoint policy enforcer 132A, 132Z enforces DLP policy for data egress requests 362. Some implementations include blocking a request if it is determined that the retrieved sensitivity metadata identifies the document as sensitive. Other implementations include additional response security actions including but not limited to quarantine, encryption, justification, and coaching…”).
Kapoor further discloses: performing a wildcard search, a dictionary search, and a regular expression search of the payload in parallel for identified terms (¶0195, “Embodiments of the content search logic 312 may encompass hardware-based regular expression logic while performing a search for position dependent substrings. To this end, a regular expression may first be partitioned into a set of position dependent substrings. A pattern tree may then be constructed which represents and enacts the search for substrings. When a substring is found, the relative positions of the substrings may be examined and, depending upon the result of the examination, a positive or negative match may be effectively determined. The logic may include the capability of detecting character classes (such as /[abc]/) and wildcards (such as * and .) which may be included in the regular expression…”), (¶0180, “The content search logic 312 may include an implementation of the Aho-Corasick algorithm, an optimization or modification thereof, or any other algorithm or heuristic for performing pattern matching, such as and without limitation regular expression matching, on a data flow. The content search logic 312 may locate all instances of strings in the data flow that match strings in a dictionary…”); (¶0536, “… The management server 228 may provide network security related metrics gathered from one or more flow processing facilities 102 to the NEMS for further analysis or presentation to a network administrator.
In an example and without limitation, a roll-out campaign for content inspection may be proceeding with two flow processing facilities 102 operating in parallel on the same network traffic wherein one flow processing facility 102 is not inspecting content and the other is inspecting content…”).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY, VIJAYVARGIYA, and Kapoor to include performing a wildcard search, a dictionary search, and a regular expression search on the input data as disclosed by Kapoor and be motivated in doing so in order to construct a pattern tree which represents and enacts the search for substrings-Kapoor ¶0195.

However, the combination of NARAYANASWAMY, VIJAYVARGIYA, and Kapoor does not explicitly disclose the following limitations: sending a copy of the data packet to an offline comprehensive security analysis if sensitive information are not found in the packet; and sending the data packet or a copy of the data packet along with results from the searching of the raw data of the payload, to the offline comprehensive security analysis if sensitive information are found in the packet.

Chattopadhyay discloses sending the packet for an offline security analysis regardless of whether sensitive information is found or not in the data packet (¶0016, “Condition monitoring and alert generation based on a predetermined threshold, computed based on an offline analysis of healthy and faulty data, is a method used for anomaly or fault detection…”, wherein healthy data is understood to be data without sensitive information and faulty data is the data associated with sensitive information which are both analyzed offline to detect anomaly).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY, VIJAYVARGIYA and Kapoor to include offline analysis of data packets regardless of whether or not the data is associated with sensitive information as disclosed by Chattopadhyay and be motivated in doing so in order to dynamically adjust analytics thresholds (Chattopadhyay ¶0001) where initial or early data values are not properly analyzed using a preselected or set threshold value-Chattopadhyay ¶0016.

Regarding claim 8, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor and further in view of Chattopadhyay discloses the method of claim 2. Kapoor further discloses wherein performing a comprehensive security analysis is performed by a dedicated security server, and wherein the data packet is sent to the dedicated security server for performing the comprehensive security analysis (¶0536, “… The management server 228 may provide network security related metrics gathered from one or more flow processing facilities 102 to the NEMS for further analysis or presentation to a network administrator.
In an example and without limitation, a roll-out campaign for content inspection may be proceeding with two flow processing facilities 102 operating in parallel on the same network traffic wherein one flow processing facility 102 is not inspecting content and the other is inspecting content…”, wherein the Network Management System (NMS) is interpreted as a dedicated server).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of NARAYANASWAMY, VIJAYVARGIYA, Kapoor, and Chattopadhyay to include the concept of further comprehensive analysis of data packets using a dedicated server as disclosed by Kapoor and be motivated in doing so in order to improve on the accuracy of data classification and reduce network latency.

Regarding claim 10, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor and further in view of Chattopadhyay discloses the method of claim 2. NARAYANASWAMY further discloses comprising: updating the tokens associated with sensitive information based on results of the comprehensive security analysis (¶0049, “...If the document scores positive on the anchor pattern check, it is sent to the content sensitivity scanner for deep inspection. The local metadata store and the cloud-based metadata store are updated with the results of the deep inspection.”).

Regarding claim 11, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor and further in view of Chattopadhyay discloses the method of claim 2.
NARAYANASWAMY further discloses wherein the comprehensive security analysis comprises:

parsing the data packet (¶0100, “… Endpoint traffic monitor 142A parses the URL 618 to determine whether it belongs to one of the cloud-based services identified as sensitive in the sensitivity list 144A.”);

mapping metadata to data (¶0079, “In response to receiving data egress requests, the endpoint policy enforcer 132A retrieves the sensitivity metadata and enforces a data loss prevention policy at the endpoint, based on the retrieved sensitivity metadata and without performing content sensitivity scan of the document at the endpoint”);

building hierarchy of the data (¶0100, “…Further, as part of its operating system (OS), endpoint 102A has a file system driver that interprets a structure of the file system and presents a logical hierarchical view to applications that make the data egress requests.”); and

processing policy rules (¶0079, “… Common rules enforced by endpoint policy enforcer 132A include a rule that once a file has been deemed sensitive, it will remain sensitive for the life of the document”).

Regarding claim 12, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor and further in view of Chattopadhyay discloses the method of claim 2. NARAYANASWAMY further discloses comprising: issuing a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues (¶0073, “…Event service 185 receives and records any security events generated by the endpoint policy enforcers 132A-Z, for logging and machine learning-type analysis. Examples of security events include notifications and audit trails of security actions taken as part of DLP policy enforcement at the endpoints 102A-Z.”, wherein notifications is interpreted as alerts), (¶0076, “… It then notifies an endpoint policy enforcer 132A of the data egress requests, which in turn subjects them to policy enforcement.
The endpoint policy enforcer 132A includes one or more security policies (or DLP policies) that specify what security actions to take when a data egress request involves exfiltration of sensitive data.”).

Claims 3, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over USPGPub. No. 20190268379 to NARAYANASWAMY et al. (hereinafter NARAYANASWAMY) in view of US. PGPub. No. 20200344210 to VIJAYVARGIYA et al. (hereinafter VIJAYVARGIYA) and further in view of PGPub. No. 20080262991 to Kapoor et al. (hereinafter Kapoor) and further in view of USPGPub. No. 20100125900 to Dennerline et al. (hereinafter Dennerline).

Regarding claims 3, 16, and 20, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor discloses the method of claim 1. NARAYANASWAMY further discloses wherein if tokens associated with sensitive information are not found in a data packet:

allowing the data packet to flow between the data source machine and the data client (¶0087, “…Endpoint policy enforcer 132A, 132Z allows fulfillment of the data egress request when it determines that the retrieved sensitivity metadata identifies the document as non-sensitive.”); and

if tokens associated with sensitive information are found in the data packet: preventing the data packet from flowing between the data source machine and the data client (¶0087, “…Some implementations include blocking a request if it is determined that the retrieved sensitivity metadata identifies the document as sensitive. Other implementations include additional response security actions including but not limited to quarantine, encryption, justification, and coaching.”); and

sending the data packet to a comprehensive security analysis (¶0082, “…If the document scores positive on the anchor pattern check, it is sent to the cloud-based content sensitivity scanner 165 for deep inspection.
The local metadata store 134A and the cloud-based metadata store 145 are updated with the results of the deep inspection.”, wherein deep packet inspection is interpreted as comprehensive security analysis).

However, NARAYANASWAMY in view of VIJAYVARGIYA and further in view of Kapoor does not explicitly disclose sending the data packet to a comprehensive security analysis when tokens are not associated with sensitive information.

Dennerline discloses sending the data packet to a comprehensive security analysis when tokens are not associated with sensitive information (¶0072, “…If the packet is not fast forwarded, it is released for backend processing that performs the deep inspections (which is typically Layer 5 and above).”).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant's claimed invention to modify the method of NARAYANASWAMY, VIJAYVARGIYA, and Kapoor to include sending the data packet to a comprehensive security analysis when the packet is not associated with sensitive information (does not pose a significant threat) as disclosed by Dennerline and be motivated in doing so in order to prevent data from exceeding the maximum allowed delay time in the queue (Dennerline ¶0072, in parts).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.
In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUDASIRU K OLAEGBE/
Examiner, Art Unit 2495

/MAUNG T LWIN/
Primary Examiner, Art Unit 2495

Prosecution Timeline

Jan 03, 2025
Non-Final Rejection mailed — §103, §112
Mar 26, 2025
Applicant Interview (Telephonic)
Apr 01, 2025
Examiner Interview Summary
Apr 03, 2025
Response Filed
Jul 21, 2025
Final Rejection mailed — §103, §112
Sep 24, 2025
Applicant Interview (Telephonic)
Sep 24, 2025
Examiner Interview Summary
Oct 01, 2025
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12621320
SYSTEMS, METHODS, AND APPARATUSES FOR DETERMINING RESOURCE MISAPPROPRIATION BASED ON DISTRIBUTION FREQUENCY IN AN ELECTRONIC NETWORK
3y 5m to grant Granted May 05, 2026
Patent 12574406
SYSTEM AND METHOD FOR DATA FILTERING IN MACHINE LEARNING MODEL TO DETECT IMPERSONATION ATTACKS
5y 3m to grant Granted Mar 10, 2026
Patent 12489623
SYSTEMS AND COMPUTER-IMPLEMENTED METHODS FOR GENERATING PSEUDO RANDOM NUMBERS
3y 4m to grant Granted Dec 02, 2025
Patent 12481764
FIRMWARE COMPONENT IDENTIFICATION AND VULNERABILITY ASSESSMENT
4y 10m to grant Granted Nov 25, 2025
Patent 12483516
TRANSPORT AND CRYPTOGRAPHY OFFLOAD TO A NETWORK INTERFACE DEVICE
3y 11m to grant Granted Nov 25, 2025

Prosecution Projections

4-5
Expected OA Rounds
74%
Grant Probability
91%
With Interview (+17.0%)
3y 1m (~3m remaining)
Median Time to Grant
High
PTA Risk
Based on 81 resolved cases by this examiner. Grant probability derived from career allowance rate.
