DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the communication: response to the original application filed on 03/28/2024.
Claims 1-20 are currently pending in this application.
The IDSs filed on 05/01/2024 and 05/23/2024 have been accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 13-19 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
Claim elements “a detection module configured to detect,” “a surveillance module configured to detect,” “remediation module configured to perform,” “event storage module configured to store,” “matching module configured to match,” and “a remediation-determination module configured to select” are limitations that invoke 35 U.S.C. 112(f). However, the written description fails to clearly link or associate the disclosed structure, material, or acts to the claimed function such that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112 (f); or
(b) Amend the written description of the specification such that it clearly links or associates the corresponding structure, material, or acts to the claimed function without introducing any new matter (35 U.S.C. 132(a)); or
(c) State on the record where the corresponding structure, material, or acts are set forth in the written description of the specification and linked or associated to the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 6, 7, 10, 11, 13-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kaidi US Patent Application Publication 2021/0126926 (Kaidi), in view of Avrahami et al. US Patent Application Publication 2019/0068620 (Avrahami).
As per claim 1, Kaidi teaches a method for providing data governance policy feedback to a user, the method comprising: detecting sensitive data within data assets accessible by an endpoint device (paragraphs 13, 14, and throughout with scanning for sensitive data being accessed by the user; see also paragraph 18 with detecting sensitive information); detecting, by a sensor, a potentially noncompliant action involving the sensitive data performed by the user at the endpoint device (paragraphs 14-16 with monitoring the user and checking activities; see also paragraph 18; see also paragraph 21 with a triggering event); matching the potentially noncompliant action against a condition defined by a rule from a set of rules implementing the data governance policy (paragraphs 21, 27, 31 and throughout with checking data loss prevention rules); and applying at least one remediation action from a set of remediation actions defined by the rule, the at least one remediation action comprising a workflow-disruptive action (paragraphs 28, 39, 40 and throughout with corrective actions based on rules; corrective actions may include terminating connections, invalidating sensitive information, etc.).
Kaidi does not explicitly teach storing information relating to the potentially noncompliant action, the user, and the rule. However, storing information relating to the leak of sensitive information would have been obvious. For example, see Avrahami (paragraph 39 and throughout, such as with storing a history of data leakage information).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Kaidi with Avrahami. One of ordinary skill in the art would have been motivated to perform such an addition to reduce sensitive data leakage (paragraph 16 of Avrahami).
As per claim 2, the Kaidi combination teaches quantifying a noncompliance level of the potentially noncompliant action, wherein the noncompliance level is quantified based on at least one of: a predefined importance level of the rule; a frequency with which the rule is triggered or broken by the user; a quantity of sensitive data involved in the potentially noncompliant action; a type of sensitive data involved in the potentially noncompliant action; a combination of types of sensitive data; and a metric based on at least a behavior of the user and a behavior of a set of peers of the user, wherein the at least one remediation action from the set of remediation actions defined by the rule is selected based at least in part on the noncompliance level (Kaidi paragraph 40 with severity/importance score; Kaidi paragraph 39 wherein corrective actions depend on the nature or extent of sensitive data leaked or the severity).
As per claim 3, it would have been obvious over the Kaidi combination wherein detecting the sensitive data comprises identifying a portion of text within the data asset matching a predefined pattern, the method further comprising counting a number of matches of the matched pattern within a scope of the data assets to obtain a quantity of the sensitive data detected, wherein: the condition defined by the rule is based at least in part on the quantity of the sensitive data detected; the noncompliance level is quantified based at least in part on the quantity of the sensitive data detected; and/or the at least one remediation action from the set of remediation actions defined by the rule is selected based at least in part on the quantity of the sensitive data leaked (obvious to one of ordinary skill in the art over Kaidi; Kaidi teaches in paragraph 40 a severity score that may be based on the amount of sensitive data exposed; this requires a count; the amount contributes to a severity score which determines what corrective actions are to be taken; see also paragraph 28).
As per claim 4, it would have been obvious over the Kaidi combination further comprising assigning a class to the sensitive data, wherein the type of the sensitive data corresponds to the class of the sensitive data, and wherein: the condition defined by the rule is based at least in part on the class of the sensitive data; the noncompliance level is quantified based at least in part on the class of the sensitive data; and/or the at least one remediation action from the set of remediation actions defined by the rule is selected based at least in part on the class of the sensitive data (paragraph 39 with the remediation action selected based at least in part on the class of sensitive data).
As per claim 6, it would have been obvious over the Kaidi combination wherein the disruptiveness level of the remediation action increases as the noncompliance level increases (paragraph 39 with actions based on the nature/extent of sensitive data; for example, with an authentication credential leak, actions require rotation of credentials; with leaks of information regarding a database, an administrator is notified).
As per claim 7, the Kaidi combination teaches wherein applying the remediation action occurs in real-time with detecting the potentially noncompliant action (paragraph 24 with a scan of the resource performed at the time the user device accesses the resource; paragraph 26 wherein a subsequent scan occurs within seconds or less, or is performed based on an action).
As per claim 10, the Kaidi combination teaches wherein the potentially noncompliant action comprises at least one of: copying a sensitive file to a local storage; copying the sensitive file to a removable storage; retaining the sensitive file on the local storage longer than a first configurable duration; copying the sensitive data to a clipboard; sending the sensitive data via an internal communication channel; sending the sensitive data via an external communication channel; causing the sensitive data to be displayed longer than a second configurable duration; and causing a quantity of the sensitive data above a configurable quantity threshold to be displayed over a duration shorter than a third configurable duration (Kaidi paragraph 42 with sending information via an external communication channel).
As per claim 11, the Kaidi combination teaches wherein the remediation action comprises at least one of: causing information about the potentially noncompliant action to be stored; sending a report to an analyst; sending a report to a manager of the user; invoking a first API to cause a dialog box to appear on a display of the endpoint device to alert the user; invoking a second API to cause an instant message to be sent to the user; invoking a third API to cause an email to be sent to the user; encrypting a file containing the sensitive data; moving the file to a storage local to or distant from the endpoint device, and inaccessible to the user; quarantining the file; deleting the file; and locking the endpoint device (Kaidi paragraph 28 with sending a report to the user).
As per claim 13, Kaidi teaches a system for providing data governance policy feedback to a user, the system comprising: a customer environment comprising: at least one endpoint device, a plurality of data assets accessible via the at least one endpoint device, and at least one sensor configured to monitor usage of the plurality of data assets by the at least one endpoint device (paragraphs 13, 14, and throughout with scanning for sensitive data being accessed by the user; see also paragraph 18 with detecting sensitive information; see also Figure 1), the sensor comprising: a detection module configured to detect sensitive data from data assets accessible via the at least one endpoint device; a surveillance module configured to detect a potentially noncompliant action performed by the user on a particular device from the at least one endpoint device; and at least one remediation module configured to perform at least one remediation action in response to a potentially noncompliant action being detected by the surveillance module (paragraphs 14-16 with monitoring the user and checking activities; see also paragraph 18; see also paragraph 21 with a triggering event; paragraphs 21, 27, 31 and throughout with checking data loss prevention rules; paragraphs 28, 39, 40 and throughout with corrective actions based on rules; corrective actions may include terminating connections, invalidating sensitive information, etc.); and a service provider environment in communication with the at least one sensor to receive information relating to the potentially noncompliant action and to send the at least one remediation action to be performed, the service provider environment comprising: a memory comprising a set of rules implementing the data governance policy, wherein each rule defines at least a condition and a set of remediation actions, a matching module configured to match the information against the condition of each rule from the set of rules, and a remediation determination module configured to select the at least one remediation action from the set of remediation actions of the matched rule (paragraph 21 with a triggering event; paragraphs 21, 27, 31 and throughout with checking data loss prevention rules; paragraphs 28, 39, 40 and throughout with corrective actions based on rules; corrective actions may include terminating connections, invalidating sensitive information, etc.).
Kaidi does not explicitly teach an event storage module configured to store the information in a database. However, storing information relating to the leak of sensitive information would have been obvious. For example, see Avrahami (paragraph 39 and throughout, such as with storing a history of data leakage information).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Kaidi with Avrahami. One of ordinary skill in the art would have been motivated to perform such an addition to reduce sensitive data leakage (paragraph 16 of Avrahami).
Claim 14 is rejected using the same basis of arguments used to reject claim 2 above.
Claim 15 is rejected using the same basis of arguments used to reject claim 3 above.
Claim 16 is rejected using the same basis of arguments used to reject claim 4 above.
Claim 18 is rejected using the same basis of arguments used to reject claim 10 above.
Claim 19 is rejected using the same basis of arguments used to reject claim 11 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 1 above.
Claim(s) 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over the Kaidi combination as applied above, and further in view of Hensley et al. US Patent No. 11,671,513 (Hensley).
As per claim 5, the Kaidi combination teaches wherein a remediation action is defined based on the severity (paragraph 40), but does not explicitly teach measuring an age corresponding to at least one of a time elapsed since the sensitive data was first detected and a time elapsed since the data asset was created, wherein: the condition defined by the rule is based at least in part on the age; the noncompliance level is quantified based at least in part on the age; and/or the at least one remediation action from the set of remediation actions defined by the rule is selected based at least in part on the age. However, measuring an age or time elapsed based on potential noncompliance and utilizing such numbers would have been obvious. For example, see Hensley (col. 8 lines 25-68 with alerts and an exposure clock, with the exposure clock adjusting the risk score; see also claim 5).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Kaidi combination with Hensley. One of ordinary skill in the art would have been motivated to perform such an addition to increase security by prioritizing issues that need to be addressed (Hensley col. 1 lines 50-62).
Claim 17 is rejected using the same basis of arguments used to reject claim 5 above.
Claim(s) 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over the Kaidi combination as applied above, and further in view of Datsenko et al. US Patent Application Publication 2012/0311696 (Datsenko).
As per claim 8, the Kaidi combination does not explicitly teach wherein applying the remediation action comprises soliciting the user via the endpoint device to provide an input to justify the potentially noncompliant action. However, soliciting a user for a justification for a potentially noncompliant action is well known in the art. For example, see Datsenko (abstract, paragraphs 10, 11, and throughout with the user providing a justification for a potentially non-compliant action).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Kaidi combination with Datsenko. One of ordinary skill in the art would have been motivated to perform such an addition to provide flexibility by providing exceptions (paragraphs 2-3 of Datsenko).
As per claim 9, it would have been obvious over the Kaidi combination to analyze the input to determine whether the potentially noncompliant action is compliant or noncompliant; and, in response to the potentially noncompliant action being determined to be compliant, to stop and/or revert the at least one remediation action (Datsenko paragraphs 39-43 and throughout).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over the Kaidi combination as applied above, and further in view of Chatterjee et al. US Patent Application Publication 2021/0097020 (Chatterjee).
As per claim 12, the Kaidi combination does not explicitly teach wherein applying the at least one remediation action comprises at least: moving a file containing the sensitive data to a new data asset, wherein the user has no file-system permissions over the new data asset; and creating an information file, wherein the pathname of the information file is the pathname of the file containing the sensitive data before moving. However, this would have been obvious. Kaidi already teaches initiating the removal of the leaked sensitive data and also terminating the connection between the user device and the server (paragraph 28), which would effectively move the sensitive data and also prevent the user from accessing the information, as the user has no permissions. However, for a further showing of the obviousness of migrating a file and generating an information file, see Chatterjee (abstract, paragraph 20, and throughout with migrating a file and generating a parquet file). Further, it would have been obvious to one of ordinary skill in the art wherein the pathname of the information file is the pathname of the file containing the sensitive data before moving (obvious and merely a design choice to select pathnames). Chatterjee further teaches adjusting the permissions of different users in different environments (paragraphs 13, 21 and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Kaidi combination with Chatterjee. One of ordinary skill in the art would have been motivated to perform such an addition to inhibit the leakage of sensitive data (Chatterjee paragraph 13).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571) 272-6431. The examiner can normally be reached on Monday-Friday 8:30-5:00 PST (Pacific).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/JASON K GEE/Primary Examiner, Art Unit 2495