SYSTEM AND METHOD FOR MONITORING AND MITIGATING DARK WEB DATA BREACHES

DETAILED ACTION Notice of Pre-AIA or AIA Status 1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment 2. The Amendment filed February 02, 2026 has been entered. Claims 1-10 have been amended. Claims 1-10 were presented for examination. Applicant’s amendments to claims 1-10 and drawings (Figs 1 and 3) have overcome the claim and drawing objections previously set forth in the Non-Final Office Action mailed October 01, 2025. The objections of claim 1-10 and drawings have been withdrawn. Response to Arguments 3. Applicant’s amendments to claim 7 have overcome the U.S.C. § 112(b) or U.S.C. § 112 (pre-AIA ), Second Paragraph rejection of claim 8 previously set forth in the Office Action mailed October 01, 2025. The rejection of claim 8 under U.S.C. § 112(b) has been withdrawn. 4. Applicant's arguments filed on February 02, 2026 have been fully considered, but they are not persuasive. 5. With respect to claim 1, applicant stated that Borzycki (US 2015/0089497A1) does not disclose generating the isolated environment by creating or using a virtual non-transitory computer-readable medium as a distinct entity. Examiner’s Response: The examiner disagrees. Borzycki provisions a temporary virtual machine in a disposable, isolated environment to open downloaded files (see paras. 12 and 107). As indicated in para. 126, Borzycki’s VM is a cross-device sandbox. A sandbox exemplifies an isolated environment generated by way of a virtual way of a virtual non-transitory computer-readable medium. 7. Applicant stated that Borzycki does not describe detecting a data breach, based on which a first mitigation signal is generated and destruction of the environment in Borzycki occurs unconditionally after use, not in response to any breach detection signal. Examiner’s Response: The examiner disagrees. As indicated in para. 127, before destroying the disposable environment, Borzycki compares the resulting image of the isolated environment with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behavior, allowing the system to detect a data breach. The findings may suggests that the malware modifies system registry file, manipulates critical system files, and embeds monitoring code onto the device. Such actions represent unauthorized access and modification, which are critical stages in the data breach lifecycle. A result indicating malicious behavior initiates a breach response that includes destroying the isolated environment. An output indicating malicious behavior corresponds to the first mitigation signal. Consequently, the destruction of the isolated environment is directly tied to the identification of malicious behavior, forming part of an automated breach response. 8. Applicant stated that Borzycki never generates a second mitigation signal, never distinguishes if the data is breached or not based on which mitigation signals are generated, and never discloses deleting a virtual non-transitory computer-readable medium. Examiner’s Response: The examiner disagrees. As indicated in para. 125-128, before destroying the disposable environment, Borzycki compares the resulting image of the isolated environment with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behavior. An innocuous result signifies no data breach. A result indicating innocuous behaviors also initiates a response that includes destroying the isolated environment. An output indicating innocuous behaviors corresponds to the second mitigation signal. Consequently, the destruction of the isolated environment is also directly tied to the identification of innocuous behavior. Additionally, when the connection between the user device and the temporary virtual machine is terminated, the virtual machine and the disposable environment are both destroyed. Accordingly, Borzycki teaches the claim-required mitigation logic involving (i) breach detection, (ii) generation of two different mitigation signals i.e. the first and the second mitigation signal, and (iii) if breach is detected, the first or second mitigation signals are generated so that deletion actions applied to the isolated environment. 9. Applicant stated that Borzycki et al. (US 2015/0089497 A1) does not describe downloading the files by way of file links. Examiner’s Response: While Borzycki does not describe downloading files by way of file links, Burns discloses downloading the files by way of file links. Burns discloses a threat analysis platform that analyzes a file in an isolated environment to determine a likelihood that the file contains malware. As indicated in paras. 23 and 54, the platform downloads a file from a provided URL, and also downloads a pdf from a website. Such actions exemplify a host device downloading a file by way of a file link. 10. Applicant stated that Borzycki performs no compression and encryption of the virtual non-transitory computer-readable medium based on any mitigation signal. Examiner’s Response: While Borzycki does not compress and encrypt the virtual non-transitory computer-readable medium based on a first mitigation signal, Fitzgerald (US 2014/0380412 A1) discloses compressing and encrypting a VM (see para.0239). Given that Borzycki deletes the isolated environment based on a data breach mitigation signal, combining Borzycki and Fitzgerald would teach compressing and encrypting the virtual non-transitory computer-readable medium based on the first mitigation signal. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki and Burns to include Fitzgerald’s teaching of compressing and encryption a virtual non-transitory computer-readable medium. Doing so would “provide effective VM control and management”(Fitzgerald, para. 0033) and “allows for eradication before the toxic payload actually has any opportunity to execute” (Fitzgerald, para. 0032). 11. Applicant stated that Fitzgerald (US 2014/0380412 A1) fails to teach the claimed requirement that the virtual non-transitory computer readable medium is compressed and encrypted and the isolated environment is deleted specifically based on a first mitigation signal generated upon detection of a data breach. Examiner’s Response: Applicant’s arguments have been considered but are not persuasive. Applicant is redirected to the examiner’s responses to arguments with respect to claim 1 (item #10), above. Accordingly, the combination of Borzycki, Burn and Fitzgerald teaches the features of amended claim 1. 12. Applicant stated that Burns (US 2024/0330454 A1) does not teach when a data breach associated with the one or more files is detected, the processing circuitry generates a first mitigation signal which specifically triggers two mandatory mitigation actions: (i) compressing and encrypting the virtual non-transitory computer-readable medium, and (ii) deleting the generated isolated environment. Examiner’s Response: Applicant’s arguments have been considered but are not persuasive. Applicant is redirected to the examiner’s responses to arguments with respect to claim 1 listed above. While Burns does not teach the aforementioned limitations, Burns does teach detecting a data breach associated with a malware-infected file and generating a mitigation signal. As indicated in para. 49, Burns identifies executable code in a file, runs the code in an isolated environment, and analyzes the executed code to identify malicious behaviors such as malware that exfiltrates data from an infected host. Data exfiltration is considered a data breach. Additionally, Burns logs code behavior, displays it in an interface, and feeds detection results to downstream threat analysis platform components (see para. 53). 13. Applicant stated that none of Shay (US2007/0300290 A1), Richards et al. (US 2020/0226291 A1), Nayshut (US 2014/0281486 A1) and Uchronski et al. (US 9,792, 131 B1) teaches the limitations of amended claim 1. Examiner’s Response: These references are used in combination with Borzycki, Burn and Fitzgerald for the 35 U.S.C. 103 rejections of dependent claims 2-6 set forth in the Non-Final Office Action mailed October 01, 2025 . Applicant’s arguments, with respect to the aforementioned references have been considered but are not persuasive. Applicant is redirected to the examiner’s responses to arguments with respect to claim 1, above. 14. Applicant’s arguments, with respect to dependent claims 2-6, independent claim 7 and its dependent claims 8-10 have been considered but are not persuasive. Applicant is redirected to the examiner’s responses to arguments with respect to claim 1, above. Claim Rejections - 35 USC § 103 15. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 16. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 17. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. 18. Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki et al. (US 2015/0089497 A1), hereafter Borzycki, in view of Burns et al. (US 2024/0330454 A1), hereafter Burns, and further in view of Fitzgerald et al. (US 2014/0380412 A1), hereafter Fitzgerald. Noted that indicates what the cited art does not teach. Regarding claim 1, Borzycki teaches a system comprising: a client device; a host device that is coupled to the client device, the host device comprising processing circuitry, the processing circuitry is configured to: {Borzycki [Para. 0012, Fig. 7] “A system comprising a network interface, computer processor, and a tangible computer memory storing computer-executable instructions that, when executed by the computer processor, cause the system to perform one or more of the following:… instruct, by an orchestration service module, the provisioning of a temporary virtual machine in a disposable environment to open the downloaded unverified content, …connect the temporary virtual machine in the disposable environment through a network interface using at least a remote presentation protocol to a client agent in the user device;”} download one or more files by way of one or more file links; generate an isolated environment by way of a virtual non-transitory computer-readable medium such that the one or more files are received and processed in the isolated environment; {Borzycki [Para. 126] “Aspects of the aforementioned system may be referenced as a cross-device sandbox.” [Para. 12] “receive a request to open unverified content; cause the unverified content to be downloaded to the computer memory; instruct, by an orchestration service module, the provisioning of a temporary virtual machine in a disposable environment to open the downloaded unverified content, wherein the disposable environment is physically separate from an application resolver residing on a user device; …connect the temporary virtual machine in the disposable environment through a network interface using at least a remote presentation protocol to a client agent in the user device; open the downloaded unverified content in the temporary virtual machine in the disposable environment; send an output resulting from opening of the downloaded unverified content at the temporary virtual machine in the disposable environment to the user device;”} Also see para. 66, 107, 119, 121 and 124. Borzycki provisions a temporary virtual machine in a disposable, isolated environment to open downloaded files. Borzycki’s VM is a cross-device sandbox. A sandbox exemplifies an isolated environment generated by way of a virtual way of a virtual non-transitory computer-readable medium. and generate: a first mitigation signal when a data breach associated with the one or more files is detected, wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted; {Borzycki [Para. 0127] “In some embodiments, before destroying the disposable environment, the resulting image of the disposable environment may be compared to the original image of the disposable environment when it was first instantiated. The orchestration service 718 may request the controller interface 732 to capture the resulting image and run a comparison against the original image stored, for example, at the hypervisor 302. The output of the comparison may find that the potential malware in the PDF content was innocuous. Alternatively, the comparison may find that the malware in the PDF content was malicious and caused to modify system registry files, manipulate critical system files, embed monitoring code onto the device, and/or other nefarious acts. Information about the malware may be collected, organized, and transmitted to, for example, a database (e.g., third-party database) of known malware.” [Para. 11] “Infect, by the malicious code opened by the temporary virtual machine, the separate, disposable environment; and after the terminating the connection with the temporary virtual machine, destroy, by the virtualization server, the separate disposable environment comprising the temporary virtual machine.”} Also see para. 10. Before destroying the disposable environment, Borzycki compares the resulting image with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behavior, allowing the system to detect a data breach. The findings may suggests that the malware modifies system registry file, manipulates critical system files, and embeds monitoring code onto the device. Such actions represent unauthorized access and modification, which are critical stages in the data breach lifecycle. A result indicating malicious behavior initiates a breach response that includes destroying the isolated environment. An output indicating malicious behavior corresponds to the first mitigation signal. Consequently, the destruction of the isolated environment is directly tied to the identification of malicious behavior, forming part of an automated breach response. and a second mitigation signal when a data breach associated with the one or more files is not detected, wherein based on the second mitigation signal (i) the generated isolated environment is deleted and (ii) the virtual non-transitory computer-readable medium is deleted. {Borzycki [Para. 0127] “Before destroying the disposable environment, the resulting image of the disposable environment may be compared to the original image of the disposable environment when it was first instantiated. The output of the comparison may find that the potential malware in the PDF content was innocuous.” [Para. 0128] “In some examples the subject file to be opened at the user's mobile device 740 might not contain malware. In some examples in the aforementioned scenario, the use of a disposable environment may be seamlessly integrated with the opening of the content file such that once the content file is determined to be benign, the opening of the content file may be transferred from the disposable environment to the user device 740.” [Para. 0125] “The orchestration service 718 may be notified that the remote presentation protocol session has ended and cause it to orchestrate destruction of the disposable environment. In addition, the controller interface 732 may be immediately instructed to destroy the temporary virtual machine 332A. The hypervisor 302 may then immediately destroy the disposable environment instantiated for the temporary virtual machine 332A. ”} Before destroying the disposable environment, Borzycki compares the resulting image with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behaviors. An innocuous result signifies no data breach. A result indicating innocuous behaviors also initiates a response that includes destroying the isolated environment. An output indicating innocuous behaviors corresponds to the second mitigation signal. Consequently, the destruction of the isolated environment is also directly tied to the identification of innocuous behavior. Additionally, when the connection between the user device and the temporary virtual machine is terminated, the virtual machine and the disposable environment are both destroyed. However, Borzycki does not explicitly teach download one or more files by way of one or more file links; generate: a first mitigation signal when a data breach associated with the one or more files is detected, wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted. However, Burns teaches download one or more files by way of one or more file links; {Burns [Para. 0023] “The threat analysis platform 100 automatically identifies objects to investigate, including objects derived from an initial object provided for analysis (e.g., a file downloaded from a provided URL, where the file might contain additional URLs linking to more files, and so on), automates a collection of investigative actions depending on a type of the objects,… [Para. 0054] “FIG. 6 illustrates an example user interface displaying results information generated by the threat analysis platform responsive to the analysis of a provided file. In this example, a portable document format (PDF) file was provided for analysis by the threat analysis platform 100. The PDF file, for example, might have been included as an attachment in an email or downloaded from a website.”} Burns discloses a threat analysis platform that executes a file in an isolated container to determine a likelihood that the file contains malware (see para. 49 and 51). The threat analysis platform may download a file from a provided URL or download a pdf from a website. Both exemplifies a host device downloading a file by way of a file link. Burns is analogous art because each of Borzycki and Burns pertains to analyzing a file in a sandbox to determine if it contains malware. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki to include Burns’ teaching of downloading files by way of file links. Doing so would enable security teams “to investigate security threats more efficiently and accurately, thereby improving the security and operation of users' IT environments” (Burns, para. 0020). However, Burns also does not teach wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and (ii) the generated isolated environment is deleted. However, Fitzgerald teaches wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted. {Fitzgerald [Para. 0239] “The security process 507 is programmed or otherwise configured to compress and/or encrypt the VMs prior to storing them in the VM repository 511, if so desired. In one particular embodiment, the security process 507 implements VM compression using the GZIP compression, and VM encryption using AES128 encryption.”} Fitzgerald teaches compressing and encrypting a VM. Noted that Borzycki deletes the isolated environment based on a data breach mitigation signal, combining Borzycki and Fitzgerald would teach compressing and encrypting the virtual non-transitory computer-readable medium based on the first mitigation signal. Fitzgerald is analogous art because each of Borzycki, Burns and Fitzgerald pertains to executing a VM. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki and Burns to include Fitzgerald’s teaching of compressing and encrypting a virtual non-transitory computer-readable medium. One could use the combination to implement features of claim 1. Doing so would “provide effective VM control and management”(Fitzgerald, para.33) and “allows for eradication before the toxic payload actually has any opportunity to execute” (Fitzgerald, para. 32). 19. Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki, Burns and Fitzgerald as applied to claim 1 above, and further in view of Shay et al. (US 2007/0300290 A1), hereafter Shay. Regarding claim 2, Borzycki, Burns and Fitzgerald teach the elements of claim 1 as outlined above. However, Borzycki, Burns and Fitzgerald do not teach the limitations of claim 2. However, Shay teaches wherein the processing circuitry is configured to enable a handshake between the client device and the host device, wherein to perform the handshake, the processing circuitry is configured to (i) receive one or more handshake signals from the client device and (ii) acknowledge the one or more handshake signals. {Shay [Para. 0034, Fig. 1, &2] “The TCP connection protocol is a three-way handshake between the source node 110 and the destination node 160. As seen in both columns, the source node 110 first sends a TCP SYN 210 packet to the destination node 160 when attempting to establish a connection. If the destination node 160 is ready and able to accept the connection, it returns a TCP SYN-ACK 230 packet back to the source node 110 after receiving the TCP SYN 110 packet as shown in the left-hand column (without reset). Upon receiving a TCP SYN-ACK 230 packet, the source node 110 sends a TCP ACK 240 to the destination node 160 to confirm receipt. At this point, the connection is fully established.”} Shay is analogous art because each of Borzycki, Burns, Fitzgerald and Shay pertains to facilitating electronic communications over computer networks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Shay’s teaching of the limitations of claim 2, listed above. Doing so would improve efficiency and established secure communications (see Shay, para. 0036). 20. Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki, Burns and Fitzgerald as applied to claim 1 above, and further in view of Richards et al. (US 2020/0226291 A1), hereafter Richards. Regarding claim 3, Borzycki, Burns and Fitzgerald teach the elements of claim 1 as outlined above. However, Borzycki, Burns and Fitzgerald do not teach the limitations of claim 3. However, Richards teaches wherein the client device is configured to implement a bot that is configured to crawl one or more dark web channels to scrape information associated with one or more online forums, one or more marketplaces, stolen and/or breached data available on the dark web links. {Richards [Para. 0022] “To detect theft of personal data, a system may scrape information from the Internet. For example, a crawler may index the surface web, and a scraper may then obtain data based on the index.” [Para. 0052] “Method 400 may, be executed by central server 107 of FIG. 1 or any other appropriate hardware and/or software.” [Para. 0053] “At step 401, the server may crawl and/or scrape data from the Internet. For example, the server may employ one or more known crawling and/or scraping techniques, as described above, to scrape data from surface web sources and/or from deep web sources.” [Para. 0034] “Deep web sources may also comprise dark web sources. For example, one or more dark web sources may comprise content accessible via friend-to-friend networks or peer-to-peer networks, websites accessible on networks like Tor, Freenet, or I2P.”} A crawler is a bot and could be implemented by any appropriate hardware and/software, which includes a client device. Richards is analogous art because each of Borzycki, Burns, Fitzgerald and Richards pertains to implementing cybersecurity tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Richards’ teaching of implementing a bot that is configured to crawl one or more dark web channels to scrape information. Doing so “may allow for more secure detection of data theft” (Richards, para. 6). 21. Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki, Burns and Fitzgerald as applied to claim 1 above, and further in view of Nayshtut et al. (US 2014/0281486 A1), hereafter Nayshtut. Regarding claim 4, Borzycki, Burns and Fitzgerald teach the elements of claim 1 as outlined above. However, Borzycki, Burns and Fitzgerald do not teach the limitation of claim 4. However, Nayshtut teaches wherein prior to the transmission of the one or more files to the virtual non-transitory computer-readable medium, the processing circuitry is configured to (i) break each file of the one or more files into a plurality of chunks, (ii) encrypt each chunk of the plurality of chunks by way of an asymmetric encryption technique to generate a plurality of encrypted chunks, and (iii) transfer each encrypted chunk of the plurality of encrypted chunks to the virtual non-transitory computer-readable medium one by one. {Nayshtut [Para. 0032] “Computing device 102 may break the file into fixed-length blocks in which the block length/size is established by the content data server 106.” [Para. 0033] “In block 306, the computing device 102 generates a file encryption key 212 and encrypts each of the blocks using the file encryption key 212 of the computing device 102 selected for use with the file. The computing device 102 generates a file encryption key 212 (and decryption key in the case of asymmetric cryptography) “on the fly" to encrypt each file block. Computing device 102 generates a list of blocks belonging to the fragmented file in block 306. The list of blocks includes information indicating which blocks are associated with the fragmented file and the order in which the blocks should be combined (i.e., put back together) once decrypted.” [Para. 0034] “In block 314, the computing device 102 transmits the encrypted blocks, the keyed hash of each block, and the member identification of the computing device 102 to the content data server 106.”} Computing device 102 breaks a file into multiple blocks, and encrypts each block using an asymmetric encryption technique to generate encrypted blocks. Subsequently, it transfers each encrypted block to a content server. Nayshtut is analogous art because each of Borzycki, Burns, Fitzgerald and Nayshtut pertains to facilitating electronic communications over computer networks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Nayshtut’s teaching of the limitations of claim 4, listed above. Doing so “establishes a trust relationship between community members and permits de-duplicating content with the community with minimal risk of unauthorized or undesirable data exposure” (Nayshtut, para. 0025). 22. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki, Burns and Fitzgerald as applied to claim 1 above, and further in view of Nayshtut et al. (US 2014/0281486 A1), hereafter Nayshtut, and further in view of Richards et al. (US 2020/0226291 A1), hereafter Richards. Regarding claim 5, Borzycki, Burns and Fitzgerald teaches the elements of claim 1 as outlined above. The combination of Borzycki and Burns further teaches wherein, to detect the data breach, the processing circuitry is configured to (i) implement a file processing engine by way of the virtual non-transitory computer-readable medium within the generated isolated environment, (ii) receive, by way of the file processing engine, the encrypted chunks, (ii) decrypt and assemble, by way of the file processing engine, the decrypted chunks into a file, and (iii) process, by way of the file processing engine, the file using file decompression and iterative keyword matching functions. {Burns [Para. 0049] “The file analysis engines 500 can emulate extracted macros or other code in an isolated environment, such as a container or VM, to observe its behavior and analyze its functionality, thereby allowing the file analysis engines 500 to identify malicious or suspicious behavior in the macro code or other encoded instructions, such as the use of known malware or the ability to exfiltrate data from an infected host system. For example, the file analysis engine 500 can launch an isolated computing environment using resources provided by the provider network 102, and execute or emulate execution of at least a portion of the macro code or encoded instructions to identify artifacts generated by the executed code.” [Para. 0021] “The computing-related resources provided by a cloud provider network 102 can include compute resources (e.g., virtual machines (VMs), containers, etc.), storage resources.” [Para. 0046] “FIG. 5 is a diagram illustrating additional details of file analysis engines 500 used by the threat analysis platform to analyze documents and other types of files 502 for security-related threats. The analysis of documents and files, e.g., text-based files, images, compressed files, etc.”} Also see para. 0047, 0051 and 0052. File analysis engine 500 launches an isolated computing environment using a VM, and executes a file to detect malware that exfiltrates data from an infected host system. Data exfiltration incidents constitute a data breach. In addition, the file analysis engine 500 also processes compressed file, which includes decompressing the file. Burns is analogous art because each of Borzycki, Burns and Fitzgerald pertains to pertains to executing a VM. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki and Fitzgerald to include Burns’ teaching of the limitation of claim 5, listed above. Doing so would enable security teams “to investigate security threats more efficiently and accurately” (Burns, para. 0020). However, the combination of Borzycki, Burns and Fitzgerald do not teach (ii) receive, by way of the file processing engine (208), the encrypted chunks, (ii) decrypt and assemble, by way of the file processing engine (208), the decrypted chunks into a file, and (iii) process, by way of the file processing engine (208), the file using file decompression and iterative keyword matching functions. However, Nayshtut teaches (ii) receive, by way of the file processing engine, the encrypted chunks, (ii) decrypt and assemble, by way of the file processing engine, the decrypted chunks into a file, and (iii) process, by way of the file processing engine, the file using file decompression and iterative keyword matching functions.{Nayshtut [Para. 0037] “If the computing device 102 has requested the data blocks associated with the desired file, in block 410, the computing device 102 receives the corresponding encrypted blocks, keyed hashes, and member IDs from the content data server 106. In block 412, the computing device 102 requests the file decryption key 212 associated with each encrypted block from the key server 108.” [Para. 0039] “In block 418, the computing device 102 decrypts each encrypted block using the corresponding file decryption key 212 received from the key server 108. [Para. 0040] “In block 422, the computing device 102 combines the decrypted blocks to obtain the reconstructed and desired file.” [Para. 0027] “The file management module 202 performs file deconstruction, reconstruction, compression, decompression, and other file management functions.”} Computing device 102 receives encrypted blocks, decrypts the encrypted blocks, and combines the decrypted block into a file. Nayshtut is analogous art because each of Borzycki, Burns, Fitzgerald and Nayshtut pertains to facilitating electronic communications over computer networks. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Nayshtut’s teaching of the limitations of claim 5 identified above. Doing so “establishes a trust relationship between community members and permits de-duplicating content with the community with minimal risk of unauthorized or undesirable data exposure” (Nayshtut, para. 0025). However, Nayshtut also does not teach (iii) process, by way of the file processing engine (208), the file using file decompression and iterative keyword matching functions. However, Richards teaches (iii) process, by way of the file processing engine, the file using file decompression and iterative keyword matching functions. {Richards [Para. 0059] “At step 501, the server may receive and/or retrieve scraped data.” [Para. 0060] “The scraped data may be indexed by pattern.” [Para. 0062] “At step 503, the server may receive at least one search term.” [Para. 0063] “The server may also generate a plurality of variations of the at least one search term using one or more fuzzy algorithms.” [Para. 0065] “At step 505, the server may determine one or more patterns corresponding to the at least one search term. The server may determine that the at least one search represents a credit card number, social security number, mailing address, name, or the like based on pattern recognition.” [Para. 0066] “At step 507, the server may search the scraped data indexed by pattern for the at least one search term. In embodiments where a plurality of variations have been generated, the server may also compare each of the variations with the scraped data.” [Para. 0068] “In some embodiments, when a match is detected, each match may be flagged and stored.” [0069] “Method 500 may further include generating a report indicating that the matched data may represent a theft of personal data.”} Richards performs keyword matching to detect data breach. Richards is analogous art because each of Borzycki, Burns, Fitzgerald, Nayshtut and Richards pertains to implementing defensive tool to enhance information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns, Fitzgerald and Nayshtut to include Richards’ teaching of implementing iterative keyword matching functions. Doing so “may allow for more secure detection of data theft” (Richards, para. 0006). 23. Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Borzycki, Burns and Fitzgerald as applied to claim 1 above, and further in view of Uchronski et al. (US 9,792,131 B1), hereafter Uchronski. Regarding claim 6, Borzycki, Burns and Fitzgerald teaches the elements of claim 1 as outlined above. Borzycki further teaches wherein, to generate the isolated environment, the processing circuitry is configured to create the virtual non-transitory computer-readable medium having a size that is 4 times a size of the one or more files. {Borzycki [Para. 0119] “The controller interface may send a request from the virtualization server to the hypervisor 302 to cause provisioning of a temporary virtual machine using a known stored image. (See step 808). The hypervisor 302 may load a virtual machine image to create the temporary virtual machine 332. The image may include the necessary components (e.g., software applications, drivers, etc.) to handle opening the appropriate file type (e.g., PDF files) in a disposable environment. In any case, the hypervisor 302 may select an appropriately provisioned virtual machine 332A and assign it to the user device 740 corresponding to the received request. The hypervisor 302 may select the appropriate virtual machine 332 by identifying any requirements (e.g., requirement to open a particular file type, requirement to play audio/video content, or others) associated with the received request and assigning the user's device 740 a virtual machine 332A that meets those requirements.”} As disclosed in Borzycki, a hypervisor 302 creates a VM and selects the appropriate VM for handling a received request based on the requirements associated with the received request. However, the combination of Borzycki, Burns and Fitzgerald do not teach wherein, to generate the isolated environment, the processing circuitry (120) is configured to create the virtual non-transitory computer-readable medium having a size that is 4 times a size of the one or more files. However, Uchronski teaches wherein, to generate the isolated environment, the processing circuitry is configured to create the virtual non-transitory computer-readable medium having a size that is 4 times a size of the one or more files. {Uchronski [Col. 16 line 10-32 ] “Every virtual machine created in client 220 is instantiated using a template selected from one or more templates 238 stored in VM0 230. Each of one or more templates 238 may be used to instantiate or create a virtual machine with different characteristics or operational parameters. The characteristics or operational parameters described by a template may be configured, tailored, or suited for a particular context or type of processing activity. For example, each template may specify what type of code is to be run within a virtual machine created using the template, a size of the virtual machine created using the template, firewall settings for the virtual machine created using the template.”} Uchronski teaches creating a VM using a template, and the template specifies the size of the VM created using the template. Uchronski is analogous art because each of Borzycki, Burns, Fitzgerald and Uchronski pertains to provisioning and managing VMs. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Uchronski’s teaching of creating a virtual non-transitory computer-readable medium. One could use the combination to implement features of claim 6. Doing so would “prevent any malicious code from effecting any lasting change to a computer system” (Uchronski, col. 7 line 55-61). 24. Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Borzycki et al. (US 2015/0089497 A1), hereafter Borzycki, in view of Burns et al. (US 2024/0330454 A1), hereafter Burns, and further in view of Fitzgerald et al. (US 2014/0380412 A1), hereafter Fitzgerald, and further in view of Richards et al. (US 20200226291 A1), hereafter Richards. Noted that indicates what the cited art does not teach. Regarding claim 7, Borzycki teaches downloading, by way of processing circuitry of a host device coupled to a client device, one or more files by way of one or more file links; generating, by way of the processing circuitry, an isolated environment by way of a virtual non-transitory computer-readable medium such that the one or more files are processed in the virtual non-transitory computer-readable medium; {Borzycki [Para. 0012, Fig. 7] “A system comprising…computer processor,…cause the system to perform…: receive a request to open unverified content; cause the unverified content to be downloaded to the computer memory; instruct, by an orchestration service module, the provisioning of a temporary virtual machine in a disposable environment to open the downloaded unverified content, wherein the disposable environment is physically separate from an application resolver residing on a user device;… connect the temporary virtual machine in the disposable environment through a network interface using at least a remote presentation protocol to a client agent in the user device; open the downloaded unverified content in the temporary virtual machine in the disposable environment;”} Also see para. 66, 107, 119, 121 and 124. Borzycki provisions a temporary virtual machine in a disposable, isolated environment to open downloaded files. Borzycki’s VM is a cross-device sandbox. A sandbox exemplifies an isolated environment generated by way of a virtual way of a virtual non-transitory computer-readable medium. generating, by way of the processing circuitry: a first mitigation signal when a data breach is detected, wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted; {Borzycki [Para. 0127] “In some embodiments, before destroying the disposable environment, the resulting image of the disposable environment may be compared to the original image of the disposable environment when it was first instantiated. The orchestration service 718 may request the controller interface 732 to capture the resulting image and run a comparison against the original image stored, for example, at the hypervisor 302. The output of the comparison may find that the potential malware in the PDF content was innocuous. Alternatively, the comparison may find that the malware in the PDF content was malicious and caused to modify system registry files, manipulate critical system files, embed monitoring code onto the device, and/or other nefarious acts. Information about the malware may be collected, organized, and transmitted to, for example, a database (e.g., third-party database) of known malware.” [Para. 11] “Infect, by the malicious code opened by the temporary virtual machine, the separate, disposable environment; and after the terminating the connection with the temporary virtual machine, destroy, by the virtualization server, the separate disposable environment comprising the temporary virtual machine.”} Also see para. 10. Before destroying the disposable environment, Borzycki compares the resulting image with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behavior, allowing the system to detect a data breach. The findings may suggests that the malware modifies system registry file, manipulates critical system files, and embeds monitoring code onto the device. Such actions represent unauthorized access and modification, which are critical stages in the data breach lifecycle. A result indicating malicious behavior initiates a breach response that includes destroying the isolated environment. An output indicating malicious behavior corresponds to the first mitigation signal. Consequently, the destruction of the isolated environment is directly tied to the identification of malicious behavior, forming part of an automated breach response. and a second mitigation signal when a data breach is not detected, wherein based on the second mitigation signal (i) the generated isolated environment is deleted and (ii) the virtual non-transitory computer-readable medium is deleted. {Borzycki [Para. 0127] “Before destroying the disposable environment, the resulting image of the disposable environment may be compared to the original image of the disposable environment when it was first instantiated. The output of the comparison may find that the potential malware in the PDF content was innocuous.” [Para. 0128] “Although the preceding example assumes a scenario where the subject file contains malicious content, in some examples the subject file to be opened at the user's mobile device 740 might not contain malware. In some examples in the aforementioned scenario, the use of a disposable environment may be seamlessly integrated with the opening of the content file such that once the content file is determined to be benign, the opening of the content file may be transferred from the disposable environment to the user device 740.” [Para. 0125] “The orchestration service 718 may be notified that the remote presentation protocol session has ended and cause it to orchestrate destruction of the disposable environment. In addition, the controller interface 732 may be immediately instructed to destroy the temporary virtual machine 332A. The hypervisor 302 may then immediately destroy the disposable environment instantiated for the temporary virtual machine 332A.”} Before destroying the disposable environment, Borzycki compares the resulting image with the original instantiation image and outputs the findings. This comparison determines whether potential malware exhibits innocuous or malicious behavior. An innocuous result signifies no data breach. A result indicating innocuous behaviors also initiates a response that includes destroying the isolated environment. An output indicating innocuous behaviors corresponds to the second mitigation signal. Consequently, the destruction of the isolated environment is also directly tied to the identification of innocuous behavior. Additionally, when the connection between the user device and the temporary virtual machine is terminated, the virtual machine and the disposable environment are both destroyed. However, Borzycki does not explicitly teach a method for monitoring dark web, analyzing one or more files downloaded from the dark web, and mitigating one or more data breaches caused by the downloaded one or more files, wherein the method comprising: downloading, by way of processing circuitry of a host device coupled to a client device, one or more files by way of one or more file links; generating, by way of the processing circuitry (120), a first mitigation signal when a data breach is detected, wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted; However, Richards teaches a method for monitoring dark web, {Richards [Para. 0053] “At step 401, the server may crawl and/or scrape data from the Internet. The server may employ one or more known crawling and/or scraping techniques, to scrape data from surface web sources and/or from deep web sources. [Para. 0034] “Deep web sources may also comprise dark web sources.”} Also see para. 0037. analyzing one or more files downloaded from the dark web, {Richards [Para. 0007] “Receiving from a user, an electronic communication containing a first search term; extracting via pattern recognition, one or more patterns corresponding with the first search term; comparing the one or more patterns with a subset of data scraped from the Internet, the subset of data scraped from the Internet being indexed by pattern for the first search term; flagging one or more matches of the one or more patterns with the subset of data based on the comparison;”} and mitigating one or more data breaches caused by the downloaded one or more files, wherein the method comprising: {Richards [Para. 0007] “Transmitting information associated with the one or more matches in a report indicating a possible theft of personal data. The computer-implemented method further comprises instructions for causing a takedown service to be initiated in response to the one or matches in the report.”} Richards is analogous art because each of Borzycki and Richards pertains to implementing security tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki to include Richards’ teaching of the limitations of claim 7, listed above. Doing so “may allow for more secure detection of data theft” (Richards, para. 0006). However, Richards also does not teach downloading, by way of processing circuitry of a host device coupled to client device, one or more files by way of one or more file links; generating, by way of the processing circuitry (120), a first mitigation signal when a data breach is detected, wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted. However, Burns teach downloading, by way of processing circuitry of a host device coupled to a client device, one or more files by way of one or more file links; {Burns [Para. 0023] “The threat analysis platform 100 automatically identifies objects to investigate, including objects derived from an initial object provided for analysis (e.g., a file downloaded from a provided URL, where the file might contain additional URLs linking to more files, and so on), automates a collection of investigative actions depending on a type of the objects,… [Para. 0054] “FIG. 6 illustrates an example user interface displaying results information generated by the threat analysis platform responsive to the analysis of a provided file. In this example, a portable document format (PDF) file was provided for analysis by the threat analysis platform 100. The PDF file, for example, might have been included as an attachment in an email or downloaded from a website.”} Also see para. 21 and 24. Burns discloses a threat analysis platform that executes a file in an isolated container to determine a likelihood that the file contains malware (see para. 49 and 51). The threat analysis platform may download a file from a provided URL or download a pdf from a website. Both exemplifies a host device downloading a file by way of a file link. Burns is analogous art because each of Borzycki, Richards, and Burns pertains to analyzing a file to detect security threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki and Richards to include Burns’ teaching of downloading files by way of file links. Doing so would enable security teams “to investigate security threats more efficiently and accurately, thereby improving the security and operation of users' IT environments” (Burns, para. 0020). However, Burns also does not teach wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted (ii) the generated isolated environment is deleted. However, Fitzgerald teaches wherein based on the first mitigation signal (i) the virtual non-transitory computer-readable medium is compressed and encrypted and (ii) the generated isolated environment is deleted. {Fitzgerald [Para. 0239] “The security process 507 is programmed or otherwise configured to compress and/or encrypt the VMs prior to storing them in the VM repository 511, if so desired. The security process 507 implements VM compression using the GZIP compression, and VM encryption using AES128 encryption.”} Fitzgerald teaches compressing and encrypting a VM. Noted that Borzycki discloses deleting the isolated environment based on a first mitigation signal indicating detection of a data breach associated with a file, combining Borzycki and Fitzgerald would teach compressing and encrypting the virtual non-transitory computer-readable medium based on the first mitigation signal. Fitzgerald is analogous art because each of Borzycki, Richards, Burns and Fitzgerald pertains to pertains to implementing security tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Richards and Burns to include Fitzgerald’s teaching of compressing and encrypting a virtual non-transitory computer-readable medium. One could use the combination to implement features of claim 7. Doing so would “provide effective VM control and management”(Fitzgerald, para. 0033) and “allows for eradication before the toxic payload actually has any opportunity to execute” (Fitzgerald, para. 0032). Claim 8: Regarding claim 8, Borzycki, Richards, Burns and Fitzgerald teach the elements of claim 7 as outlined above. However, Borzycki, Burns and Fitzgerald do not teach the limitations of claim 8. However, Richards teaches wherein prior to the download of the one or more files, the method comprising crawling, by way of a bot running on the client device, one or more dark web channels to scrape information associated with one or more online forums, one or more marketplaces, stolen and/or breached data available on the dark web links. {Richards [Para. 0022] “A crawler may index the surface web, and a scraper may then obtain data based on the index.” [Para. 0052] “Method 400 may, be executed by central server 107 of FIG. 1 or any other appropriate hardware and/or software.” [Para. 0053] “At step 401, the server may crawl and/or scrape data from the Internet. The server may employ one or more known crawling and/or scraping techniques, to scrape data from surface web sources and/or from deep web sources.” [Para. 0034] “Deep web sources may also comprise dark web sources.”} A crawler is a bot and may be implemented by any appropriate hardware and/software, which includes a client device. Richards is analogous art because each of Borzycki, Burns, Fitzgerald and Richards pertains to implementing security tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Richards’ teaching of implementing a bot that crawls one or more dark web channels to scrape information. Doing so “may allow for more secure detection of data theft” (Richards, para. 6). 24. Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Borzycki,, Richards, Burns and Fitzgerald as applied to claim 7 above, and further in view of Nayshtut et al. (US 2014/0281486 A1), hereafter Nayshtut. Regarding claim 9, Borzycki, Richards, Burns and Fitzgerald teach the elements of claim 7 as outlined above. However, Borzycki, Burns and Fitzgerald do not teach the limitations of claim 9. However, Nayshtut teaches wherein prior to the transmission of the one or more files to the virtual non-transitory computer-readable medium, the method comprising (1) breaking, by way of the processing circuitry, each file of the one or more files into a plurality of chunks, (ii) encrypting, by way of the processing circuitry, each chunk of the plurality of chunks by way of an asymmetric encryption technique to generate a plurality of encrypted chunks, and (iii) transmitting, by way of the processing circuitry, each encrypted chunk of the plurality of encrypted chunks to the virtual non-transitory computer-readable medium one by one. {Nayshtut [Para. 0032] “Computing device 102 may break the file into fixed-length blocks in which the block length/size is established by the content data server 106.” [Para. 0033] “In block 306, the computing device 102 generates a file encryption key 212 and encrypts each of the blocks using the file encryption key 212 of the computing device 102 selected for use with the file. The computing device 102 generates a file encryption key 212 (and decryption key in the case of asymmetric cryptography) "on the fly" to encrypt to encrypt each file block. The computing device 102 generates a list of blocks belonging to the fragmented file in block 306. The list of blocks includes information indicating which blocks are associated with the fragmented file and the order in which the blocks should be combined (i.e., put back together) once decrypted.” [Para. 0034] “In block 314, the computing device 102 transmits the encrypted blocks, the keyed hash of each block, and the member identification of the computing device 102 to the content data server 106.”} Computing device 102 breaks a file into multiple blocks, encrypts each block using asymmetric encryption to generate encrypted blocks, and transmits each encrypted block to a content server. Nayshtut is analogous art because each of Borzycki, Richards, Burns, Fitzgerald and Nayshtut pertains to implementing defensive tool to enhance information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Richards, Burns and Fitzgerald to include Nayshtut’s teaching of the limitations of claim 9, listed above. Doing so “establishes a trust relationship between community members and permits de-duplicating content with the community with minimal risk of unauthorized or undesirable data exposure” (Nayshtut, para. 0025). Claim 10: Regarding claim 10, Borzycki, Richards, Burns and Fitzgerald teaches the elements of claim 7 as outlined above. The combination of Borzycki and Burns teaches wherein, for detecting the data breach, the method comprising (i) implementing, by way of the processing circuitry, a file processing engine by way of the virtual non-transitory computer-readable medium within the generated isolated environment, (ii) receiving, by way of the file processing engine, the encrypted chunks, (ii) decrypting and assembling, by way of the file processing engine, the decrypted chunks into a file, and (iii) processing, by way of the file processing engine, the file using file decompression and iterative keyword matching functions. {Burns [Para. 0049] “The file analysis engines 500 can emulate extracted macros or other code in an isolated environment, such as a container or VM, to observe its behavior and analyze its functionality, thereby allowing the file analysis engines 500 to identify malicious or suspicious behavior in the macro code or other encoded instructions, such as the use of known malware or the ability to exfiltrate data from an infected host system. For example, the file analysis engine 500 can launch an isolated computing environment using resources provided by the provider network 102, and execute or emulate execution of at least a portion of the macro code or encoded instructions to identify artifacts generated by the executed code.” [Para. 0021] “The computing-related resources provided by a cloud provider network 102 can include compute resources (e.g., virtual machines (VMs), containers, etc.), storage resources, and the like.” [Para. 0046] “FIG. 5 is a diagram illustrating additional details of file analysis engines 500 used by the threat analysis platform to analyze documents and other types of files 502 for security-related threats. The analysis of documents and files, e.g., text-based files, images, compressed files, etc.”} Also see para. 0047, 0051 and 0052. As disclosed in Burns, the file analysis engine 500 launches an isolated computing environment using a VM, and executes a file in the isolated environment to detect malware that exfiltrates data from an infected host system. Data exfiltration incidents constitute a data breach. In addition, the file analysis engine 500 also processes compressed file, which includes decompressing the file. Burns is analogous art because each of Borzycki, Burns, Fitzgerald and Richards pertains to implementing security tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Richards and Fitzgerald to include Burns’ teaching of the limitation of claim 10 identified above. Doing so would enable security teams “to investigate security threats more efficiently and accurately” (Burns, para. 0020). However, the combination of Borzycki, Burns and Fitzgerald does not teach (ii) receiving, by way of the file processing engine (208), the encrypted chunks, (ii) decrypting and assembling, by way of the file processing engine (208), the decrypted chunks into a file, and (iii) processing, by way of the file processing engine (208), the file using file decompression and iterative keyword matching functions. However, Richards teaches (iii) processing, by way of the file processing engine (208), the file using file decompression and iterative keyword matching functions. {Richards [Para. 0059] “At step 501, the server may receive and/or retrieve scraped data.” [Para. 0060] “The scraped data may be indexed by pattern.” [Para. 0062] “At step 503, the server may receive at least one search term.” [Para. 0063] “The server may also generate a plurality of variations of the at least one search term using one or more fuzzy algorithms.” [Para. 0065] “At step 505, the server may determine one or more patterns corresponding to the at least one search term.” [Para. 0066] “At step 507, the server may search the scraped data indexed by pattern for the at least one search term. In embodiments where a plurality of variations have been generated, the server may also compare each of the variations with the scraped data.” [Para. 0068] “When a match is detected, each match may be flagged and stored.” [0069] “Method 500 may further include generating a report indicating that the matched data may represent a theft of personal data.”} Richards performs keyword matching to detect data breach. Richards is analogous art because each of Borzycki, Burns, Fitzgerald and Richards pertains to implementing security tools to detect and prevent cyber threats. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Burns and Fitzgerald to include Richards’ teaching of implementing iterative keyword matching functions. Doing so “may allow for more secure detection of data theft” (Richards, para. 0006). However, Richard also does not teach (ii) receiving, by way of the file processing engine (208), the encrypted chunks, (ii) decrypting and assembling, by way of the file processing engine (208), the decrypted chunks into a file and iterative keyword matching functions. However, Nayshtut teaches (ii) receiving, by way of the file processing engine, the encrypted chunks, (ii) decrypting and assembling, by way of the file processing engine, the decrypted chunks into a file, and (iii) processing, by way of the file processing engine, the file using file decompression and iterative keyword matching functions. {Nayshtut [Para. 0037] “If the computing device 102 has requested the data blocks associated with the desired file, in block 410, the computing device 102 receives the corresponding encrypted blocks, keyed hashes, and member IDs from the content data server 106.” [Para. 0039] “In block 418, the computing device 102 decrypts each encrypted block using the corresponding file decryption key 212 received from the key server 108.” [Para. 0040] “In block 422, the computing device 102 combines the decrypted blocks to obtain the reconstructed and desired file.” [para. 0027] “The file management module 202 performs file deconstruction, reconstruction, compression, decompression, and other file management functions.”} Computing device 102 receives encrypted blocks, decrypts the encrypted blocks, and combines the decrypted blocks into a file. Nayshtut is analogous art because each of Borzycki, Richards, Burns, Fitzgerald and Nayshtut pertains to implementing defensive tool to enhance information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Borzycki, Richards, Burns and Fitzgerald to include Nayshtut’s teaching of the limitations of claim 10 identified above. Doing so “establishes a trust relationship between community members and permits de-duplicating content with the community with minimal risk of unauthorized or undesirable data exposure” (Nayshtut, para. 0025). Conclusion 25. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Walsh (US 2011/0296487 A1) discloses a sandbox tool that could cooperate with components of a secure operating system to create an isolated execution environment for accessing content without exposing other processes and resources of the computing system to the untrusted content. 26. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 27. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BIN QING ZHENG whose telephone number is (703)756-1535. The examiner can normally be reached on M-F 9:30 am -5:30 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J. Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BIN QING ZHENG/ Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499