DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. Claims 1 – 21 are currently pending in this application.
Claims 1, 4, 8, and 15 are amended as filed on 02/24/2026.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 4-9, 11-16, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Koshti et al. (Pre-Grant Publication No. US 2021/0150024 A1), hereinafter Koshti, in view of Raghavan et al. (Pre-Grant Publication No. US 2023/0195755 A1), hereinafter Raghavan, and in further view of Dala et al. (Pre-Grant Publication No. US 2013/0024382 A1), hereinafter Dala.
2. With respect to claims 1, 8, and 15, Koshti taught a computer-implemented method for identifying a risk level of data in a response to a query made to a database (0028), the method comprising: receiving, by a computing device, the query (0028); receiving, by the computing device, a framework including data categorization rules for the data (0028, where the characteristics are categorizations under broadest reasonable interpretation); parsing the query to determine queried tables of data elements in the database (0028); jointly classifying a union of data elements in the queried tables to produce classifications for the union of data elements (0034, the union of users A and B with respect to user C); determining a risk level R(Q) for each of the queried tables by comparing the classification for data elements in each table to the classifications in the union of data elements (0034, where the data is stored in tables in accordance with 0008); and presenting a risk level alert for the query when the risk level R(Q) of any of the queried tables is above a predetermined risk level (0032, the alert. See also, the preventing the access of 0034).
However, Koshti did not explicitly state classifying the data elements in the queried tables based on the data categorization rules in the framework to produce classification labelings for the data elements in each of the queried tables; and that the classifications were classification labels. On the other hand, Raghavan did teach classifying the data elements in the queried tables based on the data categorization rules in the framework to produce classification labelings for the data elements in each of the queried tables (0027); and that the classifications were classification labels (0027, the enrichment labels). Both of the systems of Koshti and Raghavan are directed towards securing data access and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Koshti to utilize producing classification labels for sensitive data, as taught by Raghavan, in order to provide more complete data security.
However, Koshti did not explicitly state determining a risk level for each of the queried tables by comparing the classification labelings for the data elements in each of the queried tables. On the other hand, Dala did teach determining a risk level for each of the queried tables by comparing the classification labelings for the data elements in each of the queried tables (0297). Both of the systems of Koshti and Dala are directed towards securing data access and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Koshti to utilize determining risk for each queried item, as taught by Dala, in order to provide a more accurate/detailed risk analysis.
3. As for claims 2, 9, and 16, they are rejected on the same basis as claims 1, 8, and 15 (respectively). In addition, Koshti taught preventing generation of the response to the query when the risk level R(Q) of any of the queried tables is above the predetermined risk level (0034, preventing the internal breach).
4. As for claims 4, 11, and 18, they are rejected on the same basis as claims 1, 8, and 15 (respectively). In addition, Koshti taught wherein presenting the risk level for the query comprises presenting the risk level alert when the differential risk level ΔR(Q) is above a predetermined differential risk level (0032).
5. As for claims 5, 12, and 19, they are rejected on the same basis as claims 1, 8, and 15 (respectively). In addition, Raghavan taught wherein the risk level R(Q) comprises a sensitivity level of exposure of data in the data elements (0027).
6. As for claims 6, 13, and 20, they are rejected on the same basis as claims 1, 8, and 15 (respectively). In addition, Raghavan taught determining a sensitivity level for each of the data elements needed to respond to the query based on the data categorization rules (0027).
7. As for claims 7, 14, and 21, they are rejected on the same basis as claims 1, 8, and 15 (respectively). In addition, Koshti taught wherein the risk level alert is configured to be produced in a message format (0032).
Claim(s) 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Koshti, in view of Raghavan, in view of Dala, and in further view of Besanson et al. (Pre-Grant Publication No. US 2021/0165913 A1), hereinafter Besanson.
8. As for claims 3, 10, and 17, they are rejected on the same basis as claims 1, 8, and 15 (respectively). However, Koshti did not explicitly state generating a differential risk level ΔR(Q) = R(Q) − Max(R(T_1), R(T_2), ..., R(T_n)), where R(T_n) is a risk level for an n-th queried table. On the other hand, Besanson did teach generating a differential risk level ΔR(Q) = R(Q) − Max(R(T_1), R(T_2), ..., R(T_n)), where R(T_n) is a risk level for an n-th queried table (0066 & 0069). Both of the systems of Koshti and Besanson are directed towards risk management and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Koshti to utilize differential risk management, as taught by Besanson, as doing so provided a more accurate risk assessment that was likely already performed by Koshti (albeit not explicitly stated).
Response to Arguments
Applicant’s arguments with respect to the claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOSEPH L GREENE/Primary Examiner, Art Unit 2443