Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is in response to the original filing of 03/06/2025. Claims 1-20 are pending and have been considered below.
Priority
Acknowledgment is made of no claims of foreign priority.
Drawings
The drawings filed on 03/06/2025 are accepted.
Specification
The specification filed on 03/06/2025 is accepted.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claims recite the limitations of ” receiving a filesystem access ‘, “determining whether the filesystem access pertains to file creation”, “determining whether the file is user data” and “creating the file in encrypted form or unencrypted form based on that determination” . The steps are no more than an abstract idea ”if new file is user file data, encrypt it; otherwise do not”. The concept of classifying information and storing it in segregated area according to its classification is a fundamental, long standing data management practice that can be performed mentally or by a human administrator following a policy. The act of classifying data objects according to a predefined policy and selectively securing them is a classic abstract organized method. This judicial exception is not integrated into a practical application because the recited hardware elements ”” “processor”, “ persistent storage”, “memory”, are generic computing and storage components that merely provide a conventional environment for executing the abstract idea, The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because generic hardware are recited at a high level of generality and represent standard computing components.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 10-13 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pham U.S. 6,678,828 B1 in view of Black U.S. 2014/0258720 A1.
Claim 1, 10: Pham teaches a method performed by a network device for operating in a user data encryption (UDE) mode (Pham teaches method performed by “secure network file access appliance” that operate in network in fracture to provide selective policies based encryption of filesystem data. receives inbound network file data packets from client computer systems directed to network storage resources, which serve as the persistent storage accessible through the appliance. See col.2, ll. 50-67(teaches the appliance as” as a managed portal between client computer systems and network storage for the coordinated control over authentication, access, encryption and compression of data transferred to network connected data storage.” See col.3, ll.10-35, the data appliance is a network device operating in a mode defined by its policy configuration, which dictates what data is encrypted.), the method comprising:
processor (Fig.2, items 54);
a persistent storage(Fig.1, item 16); and a memory having stored thereon program code for operating in a user data encryption (UDE) mode(Fig.2, items 54, col.2, ll. 50-67) wherein upon being executed the program code causes the processor to
receiving a filesystem access directed to a persistent storage of the network device (Pham teaches at col.13, ll.62 to col. 14, ll. 7, that the appliance receives inbound network file data packets from client computer systems directed to network storage resources, which serve as the persistent storage accessible through the appliance see col.6, ll. 15-40 (teaches how the appliances intercepts all filesystem all file system access traffic passing between clients 22, 24 and network storage resource 16 through network interface 190, 192). The appliance is positioned in the network infrastructure to intercept all file-system-level see abstract, col.2, ll.60 to col.3, ll.10, ” The secure network file access appliance is provided in the network infrastructure between the client computer system and network data store to apply qualifying access policies and selectively pass through to file system requests”);
determining whether the filesystem access pertains to creation of a filesystem object on the persistent storage (Pham teaches at col.8, ll. 25-50, col.15, ll.15-65, that the appliance examines control information in each inbound packet, including the request type, to determine the operation requested. Pham teaches at col.21, ll.55 to col.22, ll.20, how policy parser 180 processes control information 114, 122 from each packet to identify the nature of the request. Specifically, the appliance determine s whether the file a packet involved creation of a new file as it applies specific policies for file creation: “ the target location of the file to be created is utilized to determine whether encryption and compression are to be applied and the applicable key and algorithms for implementation” file creation processing a “new file management header” is constructed “for new file, confirming that the appliance explicitly distinguishes file-creation events from other filesystem operations);
in response to determining that the filesystem access pertains to creation of a filesystem object, determining whether the filesystem object is user data (Pham teaches upon identifying a file creation operation, the policy parser 180 evaluates the file against the policies data store 182 to determine whether encryption should be applied to the file being created. See col.9, ll.40-65 (teaches policy parser 180 consulting the policy data store 182 to determine applicable encryption key and algorithm for the file); Col.11, ll.5-35 further teaches ”a default encryption key to be used, particularly for file creation”. The policy sets define which files and directory identifying by path specification, file type, and file extension are subject to encryption versus passthrough unchanged, constituting a determination of whether the object is the type of data that should be encrypted (user data) versus not (unqualified data));
in response to determining that the filesystem object is user data, creating the filesystem object in encrypted form in an encrypted area of the persistent storage(Pham teaches files qualifying as subject to encryption under the applicable policy sets are encrypted by appliance and written to network storage in encrypted form. See col. 10, ll. 30-55 (teaches how payload data of qualifying packet processed into logical blocks and encrypted using the applicable key and algorithm, then transmitted to storage resource 16.) The encrypted file are stored in network storage as conventional data files on network, which constitutes the “encrypted area” of the persistent storage. See col.7, ll.50-65, col.11, ll.60 to col.12, ll.35, (teaches encrypted files stored as conventional data files on network storage, viewable as encrypted data by the storage system).The policy sets for the virtual mount points may be configured to encrypt files written to archival network storages:” the policy set for the virtual mount point /dev/td_d preferably provides for the encryption and compression of previously unencrypted files upon writing to the archival network storage resources 158 ); and
in response to determining that the filesystem object is not user data, creating the filesystem object in unencrypted form in an unencrypted area of the persistent storage (Pham teaches at col. 11, ll.55-65, col.15, ll.15-56, that packets do not qualify under any applicable encryption policy set are passed through to storage in unencrypted form” The packet payload data 116 of unqualified network file data packets are processed 194 unchanged into network data packets and provided to the network interface 192 for transmission to the network storage resources 16.” These unencrypted files are written to the storage unchanged, constituting storage in an “unencrypted area” of the persistent storage. Virtual mount points may also be configured wit policies that provide access without encryption” read write access of the network storage resources 156 by the client 154 …. May be broadly supported through the virtual mount point /dev/hd_c” without applying encryption. See col.12, ll.1-8)).
Pham teaches that the predetermined list (policy data store 182) is defined primary by virtual mount point mapping and path extension specifications rather than explicitly by an enumerated list of OS/boot data filesystem objects, however Black in the same field of endeavor teaches
(teaches at ¶[0010] utilizes metadata of the files associated with the software application to determine the files to be encrypted and decrypted and to monitor various properties of the files including the sizes of the unencrypted files for accurate reporting of information about the files. ¶[0019]- ¶[0024] teaches “ wherein the metadata includes information on which of the file(s) are to be encrypted/decrypted or to be left alone (unencrypted)”.(teaches metadata based system for identifying files to encrypt and files to leave unencrypted, including application source code distinguished from OS- level libraries).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Pham with the additional features of Black in order to support encryption and decryption of files including data and source code associated with a software application running in a virtual environment on a per-file basis outside of a kernel of an operating system, as suggested by Black abstract.
Claim 19: Pham teaches a method performed by a network device, the method comprising:
receiving a filesystem access directed to a persistent storage of the network device (Pham teaches at col.13, ll.62 to col. 14, ll. 7, that the appliance receives inbound network file data packets from client computer systems directed to network storage resources, which serve as the persistent storage accessible through the appliance see col.6, ll. 15-40 (teaches how the appliances intercepts all filesystem all file system access traffic passing between clients 22, 24 and network storage resource 16 through network interface 190, 192). The appliance is positioned in the network infrastructure to intercept all file-system-level see abstract, col.2, ll.60 to col.3, ll.10, ” The secure network file access appliance is provided in the network infrastructure between the client computer system and network data store to apply qualifying access policies and selectively pass through to file system requests”));
determining that the filesystem access pertains to creation of user data on the persistent storage (Pham teaches upon identifying a file creation operation, the policy parser 180 evaluates the file against the policies data store 182 to determine whether encryption should be applied to the file being created. See col.9, ll.40-65 (teaches policy parser 180 consulting the policy data store 182 to determine applicable encryption key and algorithm for the file); Col.11, ll.5-35 further teaches ”a default encryption key to be used, particularly for file creation”. The policy sets define which files and directory identifying by path specification, file type, and file extension are subject to encryption versus passthrough unchanged, constituting a determination of whether the object is the type of data that should be encrypted (user data) versus not (unqualified data)); and
in response to the determining, creating the user data in encrypted form in an encrypted area of the persistent storage(Pham teaches files qualifying as subject to encryption under the applicable policy sets are encrypted by appliance and written to network storage in encrypted form. See col. 10, ll. 30-55 (teaches how payload data of qualifying packet processed into logical blocks and encrypted using the applicable key and algorithm, then transmitted to storage resource 16.) The encrypted file are stored in network storage as conventional data files on network, which constitutes the “encrypted area” of the persistent storage. See col.7, ll.50-65, col.11, ll.60 to col.12, ll.35, (teaches encrypted files stored as conventional data files on network storage, viewable as encrypted data by the storage system).The policy sets for the virtual mount points may be configured to encrypt files written to archival network storages:” the policy set for the virtual mount point /dev/td_d preferably provides for the encryption and compression of previously unencrypted files upon writing to the archival network storage resources 158 ).
Pham teaches that the predetermined list (policy data store 182) is defined primary by virtual mount point mapping and path extension specifications rather than explicitly by an enumerated list of OS/boot data filesystem objects, however Black in the same field of endeavor teaches
(teaches at ¶[0010] utilizes metadata of the files associated with the software application to determine the files to be encrypted and decrypted and to monitor various properties of the files including the sizes of the unencrypted files for accurate reporting of information about the files. ¶[0019]- ¶[0024] teaches “ wherein the metadata includes information on which of the file(s) are to be encrypted/decrypted or to be left alone (unencrypted)”.(teaches metadata based system for identifying files to encrypt and files to leave unencrypted, including application source code distinguished from OS- level libraries).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Pham with the additional features of Black in order to support encryption and decryption of files including data and source code associated with a software application running in a virtual environment on a per-file basis outside of a kernel of an operating system, as suggested by Black abstract.
Claims 2, 11, 20: the combination teaches
wherein the filesystem access originated from a user of the network device and wherein the creating of the filesystem object in encrypted form is transparent to the user (Pham teaches at col.3, ll. 45-60 that encryption is transparent to users and storages system. ”that the authorization, access and security services performed by the secure network file access appliance are performed at wire-speed, enabling the full function of the secure network file access appliance to be transparent to the normal operation of both client systems and network storage systems”. Pham further teaches “Data files, as encrypted by the secure network file access appliance, are presented as conventional data files to the network storage system”. The user initiates filesystem accesses through their client system, and encryption occurs transparently in the appliance without the user’s awareness or involvement.”).
Claims 3, 12: the combination teaches
wherein determining whether the filesystem object is user data comprises: checking whether the filesystem object is included in a predefined list (Pham teaches at col. 10, ll.1-35, policy sets stored in policies data store 182 that function as a predefined list of criteria for determining which files are subject to encryption. Black ¶[0019]-¶[0024], the metadata ….. include numerous attributes ….. wherein such attributes can be……an encryption key index or other key selector, flags to specify encryption method (or even the "no encryption" method, meaning that the file has been explicitly left unencrypted on the physical storage device 116), or other notes such as licensing information of the files”) .
The same motivation to modify Pham in view of Black applied to claims 1, 10 above applies here.
Claims 4, 13: the combination teaches
wherein the predefined list comprises filesystem objects representative of operating system (OS) and boot data used by the network device, and wherein the filesystem object is determined to be user data if the filesystem object is not present in the predefined list (Pham teaches at col.9, ll. 50-68, col. 10, ll.1-35, policy sets stored in policies data store 182 defines the set of virtual mount points, path specification and files type subject to selective access and encryption. Pham further teaches at col.14, ll. 50 to col.15, ll.15, ” Policy data is administratively established to define the set of virtual mount points and the mapping of virtual mount points to real mount points.” Black teaches distinguishing application and OS-level file system objects (kernel libraries, OS component) from user-level data files for purposes of the encryption decision. See ¶[0027] “ where the file is encrypted and/or decrypted transparently on a per-file basis based on metadata of the file without changing any of the application, kernel and/or the libraries of the operating system, or any proprietary component of the operating system based on metadata of the file.”).
The same motivation to modify Pham in view of Black applied to claims 1, 10 above applies here.
Claims 5-9 and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Pham U.S. 206,678,828 B1 in view of Black U.S. 2014/0258720 A1 in further view of French et al U.S. 7,877,602 B2.
Claims 5, 14: the combination teaches (Pham teaching of virtual point mount points and policy based routing approximates the file ”the filesystem orchestration layer” limitations, but fails to teach an independent mounted orchestration layer operating in distinct “passthrough mode’ while a separate merger layer provides a unified merged view of encrypted and unencrypted areas).
The combination fails to teach, however French et al in the same field of endeavor teaches
a filesystem orchestration layer that is mounted to a storage mount point associated with the persistent storage (French et al teaches mounting a cryptographic filesystem layer above the local network file system, wherein the cryptographic layer operate at a local mount point level See claim 1 &2, col.9, ll.52-65, ” the cryptographic file system layered above a network file system in the client queries the network file system for various attributes of the file system (step 604) ”) .
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Pham with the additional features of French et al in order to provide a mechanism for enabling efficient encryption and integrity validation of network files, as suggested by French et al abstract.
Claims 6, 15: the combination teaches in response to determining that the filesystem access does not pertain to creation of a filesystem object:
passing, by the filesystem orchestration layer, the filesystem access to a filesystem merger layer for handling, the filesystem merger layer being configured to provide a merged view of the encrypted area and the unencrypted area (French et al teaches the cryptographic filesystem layer passes non-qualifying filesystem accessing through the lower filesystem while maintaining access to both encrypted files and unencrypted files from an unified interface see col.7, ll.25-68, col.8, ll. 35-40).
The same motivation to modify Pham in view of French et al applied to claims 5, 14 above applies here.
Claims 7, 16: the combination teaches
wherein when the UDE mode is disabled, the filesystem orchestration layer transitions to operating in a passthrough mode that comprises passing all received filesystem accesses through to a partition mount point associated with the unencrypted area (French et al teaches the stacked layer can operate in a mode where it passes all operations through unchanged (passthrough) by virtue of the encryption being selectively applied only to qualifying files see abstract (teaching omitting encryption where cryptographic attributes indicated files are already encrypted(a form of conditional passthrough). The concept of unmounting the orchestrator layer and binding directly to the unencrypted partition. see col.9, ll.60, col.10, ll. 40).
The same motivation to modify Pham in view of French et al applied to claims 5, 14 above applies here.
Claims 8, 17: the combination teaches
wherein when the UDE mode is disabled, the filesystem orchestration layer is unmounted from the storage mount point and the storage mount point is bound to a partition mount point associated with the unencrypted area (Pham teaches the appliance manages the binding of virtual mount points and can be configured to remap virtual mount points to point directly to the unencrypted real mount point see col.9, ll.30-65. When no encryption policy is associated with virtual mount point , that mount point effectively binds directly to the unencrypted storage partition, corresponding to the above limitations see col.12, ll.10-35).
Claims 9, 18:the combination teaches
wherein when the UDE mode is enabled, the filesystem orchestration layer moves all filesystem objects considered to be user data from the unencrypted area to the encrypted area (Pham teaches at col.12, ll.30-50, col.9, ll.50-65,“ The policy set for the virtual mount point /dev/td_d preferably provides for the encryption and compression of previously unencrypted files upon writing to the archival network storage resources 158 )”.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Miller U.S. 8,538,020 B1 teaches Hybrid Client-server Cryptography For Network Applications.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Friday, June 19, 2026
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436