Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-2, 4-5, 8-11 and 16 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Amiga (US 2022/0360607)
As per claim 1, Amiga discloses a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for securing sensitive data during web sessions, the operations comprising: initiating, by a browser component executing on an endpoint device, a browser session associated with a user; ([0049]; In another example, policy engine 102 censors specific content on a retrieved webpage, such as by applying a predefined regular expression to the Document Object Model (DOM) of the webpage to find Personally Identifiable Information (PII) which policy engine 102 then hides or masks. In another example, policy engine 102 reports specific events to an analytical database or a Security Operations Center (SOC), such as when a user performs a “share document” action in Google™ Docs™, and may do so even if Google™ Docs™ doesn't provide an application programming interface (API) for the action where web browser 100 is configured to monitor use of any user interface share functionality)
monitoring, by the browser component, browser session data associated with the browser session, the browser session data being derived from one or more actions taken by the user; detecting at least one sensitive data element within the browser session data; determining whether the at least one sensitive data element triggers a control action; and based on a determination that the at least one sensitive data element triggers the control action, causing the control action to be performed. ([0079] Policies may be defined and applied to protect sensitive data, such as may be triggered by detecting attempts to submit data to websites via HTML forms, upon detecting attempts to copy, cut, paste, save, or print data, upon detecting specific webpage elements, or upon accessing specific websites. Sensitive data may be identified using a predefined list of data types and formats, such as credit card number formats or Social Security Number formats, or by using predefined regular expressions. Identified sensitive data may then be protected in accordance with conventional techniques, such as by masking, redacting, or hiding the sensitive data. The protection of sensitive data may be performed by the web browser, a web browser extension or RPA module, or on a remote computer.)
As per claim 2, Amiga discloses the non-transitory computer readable medium of claim 1, wherein monitoring the browser session data includes intercepting an API call during the browser session. ([0049]; In one example, policy engine 102 disables a specific browser application programming interface (API), such as to defend the API against a known exploit, when web browser 100 accesses websites that have a reputation score below a predefined minimum score, where such reputation scores may be determined in accordance with conventional techniques.)
As per claim 4, Amiga discloses the non-transitory computer readable medium of claim 1, wherein monitoring the browser session data includes identifying a Data Object Model associated with a web application accessed by the user during the browser session. ([0049]; In another example, policy engine 102 censors specific content on a retrieved webpage, such as by applying a predefined regular expression to the Document Object Model (DOM) of the webpage to find Personally Identifiable Information (PII) which policy engine 102 then hides or masks. )
As per claim 5, Amiga discloses the non-transitory computer readable medium of claim 4, wherein detecting the at least one sensitive data element includes analyzing the Data Object Model. ([0049]; In another example, policy engine 102 censors specific content on a retrieved webpage, such as by applying a predefined regular expression to the Document Object Model (DOM) of the webpage to find Personally Identifiable Information (PII) which policy engine 102 then hides or masks.)
As per claim 8, Amiga discloses the non-transitory computer readable medium of claim 1, wherein monitoring the browser session data includes scanning at least one file uploaded or downloaded during the browser session. ([0059]; In FIG. 3J a screen 316 is shown for defining a file download protection profile indicating policy enforcement actions to be performed when a file download is performed in which multiple types of antimalware scans are to be performed on the downloaded file.)
As per claim 9, Amiga discloses the non-transitory computer readable medium of claim 1, wherein detecting the at least one sensitive data element includes comparing a format of the at least one sensitive data element to a predefined format associated with sensitive data. ([0079]; Sensitive data may be identified using a predefined list of data types and formats, such as credit card number formats or Social Security Number formats, or by using predefined regular expressions. Identified sensitive data may then be protected in accordance with conventional techniques, such as by masking, redacting, or hiding the sensitive data. The protection of sensitive data may be performed by the web browser, a web browser extension or RPA module, or on a remote computer.)
As per claim 10, Amiga discloses the non-transitory computer readable medium of claim 1, wherein detecting the at least one sensitive data element includes determining whether the at least one sensitive data element triggers at least one predefined rule. ([0082]; FIG. 4A shows a code snippet illustrating a policy matching operation with rules, matchers, and built in cache, where the code accepts a policy object and a browser context object that provides current browser context information.)
As per claim 11, Amiga discloses the non-transitory computer readable medium of claim 10, wherein the user is associated with an organization and wherein the at least one predefined rule is specific to the organization. ([0087] If the website is not a business-related website, where such information is provided by a third-party website category provider or in a pre-defined list of all of the websites and applications that are used by an organization that provides policies that are to be enforced by web browser 600)
As per claim 16, please see the discussion under claim 1 as similar logic applies.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Amiga et al. – hereinafter Amiga (US 20220360607) in view of Inoue (US 2024/0176567)
As per claim 6, Amiga discloses the non-transitory computer readable medium of claim 1. Amiga fails to disclose wherein the browser session data includes at least one image and wherein monitoring the browser session data includes scanning the at least one image.
Inoue discloses wherein the browser session data includes at least one image and wherein monitoring the browser session data includes scanning the at least one image. ([0002]; At this time, in the case that the scanned image is obtained by scanning a document containing personal information or confidential information, such as a personal identification document, an application document, a contract document, a design drawing, or the like, masking (so-called redacting) may be performed in which a part of the scanned image (for example, confidential matters within the scanned image) is painted black to make it invisible.)
It would have been obvious before the earliest effective filing date so that the browser session data includes scanning one image for sensitive information. This would have been advantageous to secure the personal information from unauthorized persons.
As per claim 7, Amiga / Inoue disclose the non-transitory computer readable medium of claim 6. Inoue discloses wherein detecting the at least one sensitive data element includes comparing the at least one image to at least one reference image. ([0002]; At this time, in the case that the scanned image is obtained by scanning a document containing personal information or confidential information, such as a personal identification document, an application document, a contract document, a design drawing, or the like, masking (so-called redacting) may be performed in which a part of the scanned image (for example, confidential matters within the scanned image) is painted black to make it invisible.)
Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Amiga et al. – hereinafter Amiga (US 2022/0360607) in view of Smaagard et al. – hereinafter Smaagard (US 11,924,379)
As per claim 12, Amiga discloses the non-transitory computer readable medium of claim 1. Amiga fails to disclose wherein detecting the at least one sensitive data element includes inputting at least a portion of the browser session data into a machine learning model.
Smaggard discloses wherein detecting the at least one sensitive data element includes inputting at least a portion of the browser session data into a machine learning model. (Col 7 line 66-Col 8 line 26; To fine-tune a compliance model the general large language model may receive training data derived from one or more relevant phrase lists specifically generated for the industry and/or enterprise. For example, one compliance model could be generated for the banking industry to recognize common compliance related contextual triggers for multiple topics like loans, interest rates, credit cards, etc. Another compliance model could be developed for a hospital to recognize multiple common compliance related contextual triggers for topics like privacy related personal information, hospital bills, diagnosis and test result notifications, etc)
It would have been obvious before the earliest effective filing date for the teachings of Amiga to be modified so that the sensitive data elements is input into the machine learning model. This would have been advantageous to better secure and protect the customer’s information.
As per claim 13, Amiga / Smaagard disclose the non-transitory computer readable medium of claim 12. Smaagard discloses wherein the machine learning model includes a large language model. (Col 7 line 66-Col 8 line 26; To fine-tune a compliance model the general large language model may receive training data derived from one or more relevant phrase lists specifically generated for the industry and/or enterprise. For example, one compliance model could be generated for the banking industry to recognize common compliance related contextual triggers for multiple topics like loans, interest rates, credit cards, etc. Another compliance model could be developed for a hospital to recognize multiple common compliance related contextual triggers for topics like privacy related personal information, hospital bills, diagnosis and test result notifications, etc)
Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Amiga et al. – hereinafter Amiga (US 2022/0360607) in view of Smaagard et al. – hereinafter Smaagard (US 11,924,379) / Colon et al. – hereinafter Colon (US 12,411,945)
As per claim 14, Amiga / Smaagard disclose the non-transitory computer readable medium of claim 13. The combined teachings of Amiga / Smaagard fail to disclose wherein the large language model is implemented by the browser component.
Colon discloses wherein the large language model is implemented by the browser component. (Col 10 line 64-Col 11 line 3; ) At block 404, an LLM may be trained using the set of training data. For example, the LLM may be trained to receive one or more messages from a customer service agent and output one or more messages that may be associated with malicious behavior, which may be sent to the customer service agent. Training may include supervised learning, fine-tuning, or any other form of configuration a model.; Col 15 lines 15-26; User computers 62 may also be utilized to configure aspects of the computing resources provided by data center 65. In this regard, data center 65 might provide a gateway or web interface through which aspects of its operation may be configured through the use of a web browser application program executing on user computer 62.)
It would have been obvious before the earliest effective filing date of the invention for the teachings of Amiga / Smaagard to be modified so that the large language model is implemented by the browser component. This would have been beneficial because it detects malicious behaviors.
As per claim 15, Amiga / Smaagard disclose the non-transitory computer readable medium of claim 14. Colon discloses wherein the large language model is implemented by a resource external to the browser component and wherein detecting the at least one sensitive data element further includes providing the at least a portion of the browser session data to the resource external to the browser component. (Col 11 lines 4-9; At block 406, the LLM may generate one or more messages associated with malicious behavior. The message may be sent by the training bot of the server to the customer service agent (e.g., at computing device 206) and may appear to the customer service agent as being sent from a purported user.)
Claims 3, 17-19 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Amiga (US 2022/0360607) in view of Hickman et al. – hereinafter Hickman (US 2013/0167192)
As per claim 3, Amiga discloses the non-transitory computer readable medium of claim 1. Amiga fails to disclose wherein the at least one sensitive data element is encrypted.
Hickman discloses wherein the at least one sensitive data element is encrypted. ([0029] The system and method may also include ability to mask (i.e., encrypt) parts of unstructured (i.e., free form) data. Data encryption tools generally encrypt the entire unstructured data. The methods and systems defined herein can selectively encrypting data within unstructured (i.e., free form) text. The selective and granular application of the encryption logic is enabled by the systems and methods described herein.)
It would have been obvious before the earliest effective filing date of the invention for the teachings of Amiga to be modified so that the sensitive data is encrypted. This would have secured the data the user’s data from unauthorized people.
As per claim 17, Amiga discloses the computer-implemented method of claim 16.
Amiga fails to disclose wherein the method further comprises recording the browser session data and making the browser session data available for review during a review session.
Hickman discloses wherein the method further comprises recording the browser session data and making the browser session data available for review during a review session. ([0017]; In step 120, a sensitive data handling approach is selected. In step 130, the data is reviewed for sensitive data that is to be masked and, in step 140, the data is reviewed for sensitive data that is to be removed. In step 150, data is verified for compliance with applied sensitive data policies. In step 160, the processed data is output and can be used, for example, for training data.)
It would have been obvious before the earliest effective filing date for the teachings of Amiga to be modified so that the browser session data is reviewed as taught by Hickman. This would have been advantageous to remove sensitive data from
unstructured text.
As per claim 18, Amiga / Hickman disclose the computer-implemented method of claim 17. Hickman discloses wherein the control action includes masking the at least one sensitive data element during the review session. ([0017]; In step 120, a sensitive data handling approach is selected. In step 130, the data is reviewed for sensitive data that is to be masked and, in step 140, the data is reviewed for sensitive data that is to be removed. In step 150, data is verified for compliance with applied sensitive data policies. In step 160, the processed data is output and can be used, for example, for training data.)
As per claim 19, Amiga/ Hickman disclose the computer-implemented method of claim 17. Hickman discloses wherein the control action includes replacing the at least one sensitive data element with a placeholder data element ([0017]; In step 120, a sensitive data handling approach is selected. In step 130, the data is reviewed for sensitive data that is to be masked and, in step 140, the data is reviewed for sensitive data that is to be removed. In step 150, data is verified for compliance with applied sensitive data policies. In step 160, the processed data is output and can be used, for example, for training data.)
As per claim 21, Amiga discloses the computer-implemented method of claim 16. Hickman discloses wherein the control action includes preventing a capturing of the at least one sensitive data element. ([0003]; The policy enforcement action may be to remove sensitive data in generating the response to the request and/or to mask sensitive data in generating a response to the request. An initial response to the request is generated by retrieving unstructured data from the unstructured data repository. )
As per claim 22, Amiga discloses the computer-implemented method of claim 16. Hickman discloses wherein the control action includes preventing a dissemination of information associated with the at least one sensitive data element. ([0021]; Further, in this example, for the content in which the transaction type is a case inquiry, the policy enforcement action is to remove PHI attributes. Referring back to engine 310, structured data elements 420 (e.g., attributes and values), which are identified to be protected/considered sensitive 420, is retrieved from repository 350. In this example, the structured data elements that are identified as being sensitive are the member ID, the name, and the date of birth. Engine 310 uses the structured data elements 420 to recognize and identify the data elements that are to be protected in the raw data 400 (i.e., in this example, the member ID, the member name, and his date of birth) and applies the rule accordingly. Engine 310 renders outputs 440 of the desensitized, unstructured data 340. )
Claims 20 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Amiga (US 2022/0360607) in view of Lockhart, III et al. – hereinafter Lockhart, III (US 2023/0385451)
As per claim 20, Amiga discloses the computer-implemented method of claim 17. Amiga fails to disclose wherein the review session is performed using an additional browser component executing on an additional endpoint device.
Lockhart, III discloses wherein the review session is performed using an additional browser component executing on an additional endpoint device. ([0011]; The system may then process the extracted links to extract and process the data to determine whether the data includes PII data. The scraped data may be provided to an Artificial Intelligence (AI) engine for processing against particular rules to verify PII data or may be elevated to an administrator for review. Confirmed PII data may be treated like compromised PII data, and may be disassociated before being added to a database of compromised PII data.)
It would have been obvious before the earliest effective filing date for the teachings of Amiga to be modified so that an administrator with a browser reviews the sensitive data. This would have been beneficial to determine potentially compromised personally identifiable information on the Internet. (Lockhart, III; [0002])
As per claim 23, Amiga disclose the computer-implemented method of claim 16. Lockhart, III discloses wherein the control action includes generating at least one of a report or an alert indicative of the at least one sensitive data element. ( [0104]; Further, the exposed companies 204, 206, and 208 may search their respective exposed PII data 214, 216, and 218 and may report the results to the compromised PII exchange system 102, which may aggregate the results together with the results from the risk assessment module 126 and which may report the response (without PII data) to the requesting computing device 606. [0146]; Further, an operator or administrator could be alerted to review any identified URL data to confirm that it is valid.)
Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Amiga (US 2022/0360607) in view of Joshi (US 2022/0 222089)
As per claim 24, Amiga discloses The computer-implemented method of claim 16. Amiga fails to disclose wherein the control action includes altering at least one browser setting relative to at least one sensitive data element.
Joshi discloses wherein the control action includes altering at least one browser setting relative to at least one sensitive data element. ([0028]; An extension can read sensitive user inputs and data, such as username, password, social security number, bank account number, credit card details, and other personally identifiable information (PII). It can also alter browser settings, add user interface items, or even replace website content. Even when a user is browsing in “incognito” or “private” mode, data exfiltration can still occur from extensions. )
It would have been obvious before the earliest effective filing date of the invention for the teachings of Amiga to be modified so that the control action includes monitoring settings of a browser in response to detection of sensitive data. This would have yielded predictable results of protecting the user from malicious websites and prevent the secure information from being compromised.
Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Amiga (US 2022/0360607) in view of Checkik et al. – hereinafter Checkik (US 2023/0231878)
As per claim 25, Amiga discloses the computer-implemented method of claim 16. Amiga fails to disclose wherein the control action includes terminating the browser session. Checkik discloses wherein the control action includes terminating the browser session. ([0119]; The Report and Leave 362 button may enable the user to report Page 340 as being a phishing page, such as to relevant authorities, and to leave Page 340, while Continue 364 may enable to user to continue to browse Page 340. In some exemplary embodiments, the agent may present a protective measure to prevent the user from falling victim to a phishing attack. In some exemplary embodiments, the agent may perform one or more responsive action, instead of or in addition to presenting Alert 360. For example, the agent may block interactions with the page, terminate the browser session, or the like.)
It would have been obvious before the earliest effective filing date for the teachings of Amiga to be modified so that the browser session is terminated upon security or phishing issues with the data. This would have advantageous to protect the user’s data from unauthorized access.
Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Amiga (US 2022/0360607) / Checkik (US 2023/0231878) further in view of Dror et al. – hereinafter Dror (US 2023/0185866)
As per claim 26, Amiga / Checkik disclose the computer-implemented method of claim 25. The combined teachings of Amiga / Checkik fail to disclose wherein terminating the browser session includes removing data associated with the user.
Dror discloses wherein terminating the browser session includes removing data associated with the user. ([0001] Web browsers that store sensitive data, such as cookies, typically allow users to either manually delete such data or configure the web browsers to delete all such data, such as when terminating execution of the web browser.)
It would have been obvious before the earliest effective filing date of the invention for the combined teachings of Amiga / Checkik to be modified so that the data associated with the user is deleted upon termination of the browser. This would have protected the user’s data from malicious actors. (Dror, [0001])
Conclusion
Any inquiry concerning this communication or earlier communications from theexaminer should be directed to Chirag R Patel whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, theexaminer's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceedingis assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status informationfor published applications may be obtained from either Private PAIR or PublicPAIR. Status information for unpublished applications is available throughPrivate PAIR only. For more information about the PAIR system, seehttp://pairdirect.uspto.gov. Should you have questions on access to the PrivatePAIR system, contact the Electronic Business Center (EBC) at 866-217-9197(toll free).
/Chirag R Patel/
Primary Examiner, Art Unit 2454