DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Luna et al (US20130205366A1). Systems and methods of dynamic categorization of applications for network use and access in a mobile network.
Zimmermann et al (US20180027006). System and method for securing enterprise computing environment. The methods and systems described herein address the needs of enterprises to have visibility as to the IT resources being used by their users, including shadow IT.
Status of Claims
The amendment filed 1/7/2021 has been entered. Claims 1-2, 4, 6-8, 10, 12-14, 16 and 18 are currently amended claims. Claims 3, 9 and 15 have been cancelled. Claims 21-23 are newly added claims. Claims 1-2, 4-8, 10-14, 16-23 are pending in the application. 
Examiner notes: Claims 22-23 are newly added claims, although the claims are shown as “Currently Amended” as submitted by applicant.
The objection of claims 1, 4, 6-7, 10, 12-14, 16 and 18 due to informalities has been withdrawn in light of applicant’s amendment to the claims. 
The rejection of claims 4, 10 and 16 under 35 USC 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
The Applicant's arguments filed on 1/7/2021 with respect to Claims 1-20 have been fully considered. 
Applicant’s argument, see pg. 8-9 of the Remarks filed 1/7/2021, regarding independent claims 1, 7 and 13, as well as all other dependent claims, rejected under 35 USC 103, has been fully considered. Examiner acknowledges applicant has amended independent claim 1 (similarly claims 7 and 13) with underlined amended limitations reciting “wherein the interactions between the user and the cloud service are monitored via a shadow information technology discovery system, the shadow information technology discovery system performing a shadow information technology discovery operation, the shadow information technology discovery operation detecting shadow information technology activity, the shadow information technology activity comprising a cyber behavior associated with accessing the cloud service, the cyber behavior comprising submission of a Hypertext Transfer Protocol (HTTP) request for a particular cloud server, the cyber behavior being enriched by associating contextual information to the HTTP request”. Applicant argued:
“Specifically, the examiner cites to a portion of Rotem which generally discloses shadow IT discovery and specifically discloses monitoring enterprise messaging system for the presence of messages relating to cloud services (see e.g., Rotem, Paragraph [0032]). However, nowhere within Rotem is there any disclosure or suggestion of a shadow information technology discover system which monitors interactions between a user and a cloud service, much less the shadow information technology discovery system performing a shadow information technology discovery operation, the shadow information technology discovery operation detecting shadow information technology 

Examiner asserts applicant’s argument is not fully persuasive. First, Rotem teaches a shadow IT discovery system for monitoring an enterprise messaging service that provides communication between users and cloud services (i.e. the interactions between the user and the cloud service are monitored via a shadow information technology discovery system), discovering a message relating to a specific cloud service, a message analyzer analyzing the message discovered by the message monitor (i.e. the shadow information technology discovery system performing a shadow information technology discovery operation), and one or more enterprise users who use the specific cloud service (i.e. the shadow information technology discovery operation detecting shadow information technology activity), and monitoring employees accessing cloud-based services (i.e. the shadow information technology discovery operation detecting shadow information technology activity, the shadow information technology activity comprising a cyber behavior associated with accessing the cloud service).
Second, examiner agrees with applicant that the references of record do not specifically teach the amended limitations reciting “the cyber behavior comprising submission of a Hypertext Transfer Protocol (HTTP) request for a particular cloud server, the cyber behavior being enriched by associating contextual information to the HTTP request”. However, upon further search the examiner found prior art Backholm that appears to teach the above features. Therefore applicant’s argument is moot in view of the new ground of rejection presented below.
the independent claims that they depend upon are not patentable.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 1-2, 4, 7-8, 10, 13-14, 16, 19, 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Roskind et al (US9465668B1, hereinafter, "Roskind"), in view of Barton et al (US20140109174A1, hereinafter, “Barton”), further in view of Rotem et al (US20170134506A1, hereinafter, “Rotem”) and Backholm et al (US20190174319A1, hereinafter, “Backholm”).
Regarding claim 1, Roskind teaches:
A computer-implementable method for performing a shadow information technology discover operation, comprising:
		monitoring interactions initiated via [a protected] endpoint, [the protected] endpoint comprising an endpoint device [and an endpoint agent] (Roskind, Col. 6 lines 35-38, user detection module 302 can monitor communications (i.e. interactions) from client device 104 (i.e. endpoint device) to a cloud-based service application for which an address has been configured in network gateway 110), [the protected endpoint providing a policy-based approach to network security, the policy-based approach to network security requiring the endpoint device to comply with a particular criteria when accessing network resources]; (see Barton below teaching the limitation(s) in bracket for protected endpoint, endpoint agent and policy-based approach to network security)
determining when the interactions comprise a cloud services request, the cloud services request comprising a request by a user to access a cloud service (Roskind, [Abstract] detecting an access by a user through the network device to a cloud-based service; determining a cloud-based identity of the user based upon the received access information. Col. 15 lines 3-5, FIG. 7 illustrates a flowchart of a method 700 (steps 702-708) of determining an authenticated cloud-based identity for a user in accordance with an implementation);
monitoring interactions between the user and the cloud service when a request to access the cloud service is detected (Roskind, Col. 6 lines 35-45, user detection module 302 can monitor communications from client device 104 to a cloud-based service application for which an address has been configured in network gateway 110… According to an implementation, the monitoring may be based upon detecting HTTP protocol messages to the uniform resource locators (URLs) of the servers providing the respective cloud-based service applications);
While Roskind does not explicitly teach the protected endpoint and endpoint agent, as well as determining non-authorized use of service and managing risk, in the same field of endeavor Barton teaches:
		a protected endpoint, the protected endpoint comprising an endpoint device and an endpoint agent (Barton, See Fig. 6, and [0084] an enrolled mobile device 602 with a client agent 604, which interacts with gateway server 606 (which includes access gateway and application controller functionality) to access various enterprise resources 608. Fig. 6 further shows the client agent software interacts with Gateway server for logon, policies certificates and keys, all related in security protection),
		the protected endpoint providing a policy-based approach to network security, the policy-based approach to network security requiring the endpoint device to comply with a particular criteria when accessing network resources (Barton, [0134] At step 909, the mobile device may analyze the policy information (i.e. policy-based) for compliance (i.e. comply) with any condition or rule related to the application accessing the enterprise resource (i.e. particular criteria). For example, the current policy information may be checked to determine if network access should be permitted. And [0135] If policy information dictates no network access, then the mobile device may fail to connect to the enterprise. If the network access policy permits network usage but does not permit VPN access, then network service calls are routed directly to the mobile device platform network services though the local network);
determining whether the interactions between the user and the cloud service represent a non-authorized use of the cloud service (Barton, [0080] Threat detection services 564 may include intrusion detection services, unauthorized access attempt detection services, and the like. Unauthorized access attempt detection services may include unauthorized attempts to access devices, applications, data, and the like);
		managing risk associated with non-authorized use of the cloud service (Barton, [0151] Furthermore, such information may be created, accessed, modified and/or stored (i.e. managing) by the access gateway based on one or more risk determinations). 
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Barton in the cloud-based network device configuration and control system of Roskind by using client agent software to interact with gateway server in accessing various enterprise resources and detecting unauthorized access attempt to cloud-based computerized resource through per-application policy-controlled VPN. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine the non-authorized attempt 
While the combination of Roskind-Barton does not explicitly teach a shadow information technology discovery system, in the same field of endeavor Rotem teaches:
and wherein the interactions between the user and the cloud service are monitored via a shadow information technology discovery system (Rotem, [Abstract] A system for shadow IT discovery, including a message monitor monitoring an enterprise messaging service that provides communication (i.e. interactions) between users belonging to the enterprise and cloud services), the shadow information technology discovery system performing a shadow information technology discovery operation (Rotem, [Abstract] discovering a message relating to a specific cloud service, a message analyzer analyzing the message discovered by the message monitor), the shadow information technology discovery operation detecting shadow information technology activity (Rotem, [Abstract] one or more enterprise users who use the specific cloud service), the shadow information technology activity comprising a cyber behavior associated with accessing the cloud service (Rotem, [0022] Employees 1, 2 and 5 are working within the organization or within virtual private networks of the organization, and their data traffic is indeed monitored by network traffic inspector 110.  Employees 3 and 4, however, are accessing cloud-based services…), [the cyber behavior comprising submission of a Hypertext Transfer Protocol (HTTP) request for a particular cloud server, the cyber behavior being enriched by associating contextual information to the HTTP request] (See Backholm below for limitation(s) in bracket).

While the combination of Roskind-Barton-Rotem does not explicitly teach the following limitation(s), in the same field of endeavor Backholm teaches:
the cyber behavior comprising submission of a Hypertext Transfer Protocol (HTTP) request for a particular cloud server, the cyber behavior being enriched by associating contextual information to the HTTP request (Backholm, [Abstract] Systems and methods for detecting and identifying malware/potentially harmful applications based on behavior characteristics of a mobile application. And [0104] The host server 100 can use, for example, contextual information obtained for client devices 150, networks 106/108, applications … to detect and/or prevent malware in the system (i.e. enriched by associating contextual information) or any of the client devices 150 (e.g., to satisfy application or any other request including HTTP request)).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Backholm in the cloud-based network device configuration and control system of Roskind-Barton-Rotem by 

As per claim 7, Roskind-Barton-Rotem-Backholm combination discloses:
A system comprising: a processor (Roskind, Fig. 2 Processor 202); a data bus coupled to the processor (Roskind, Fig. 2 interconnect infrastructure 212); and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor (Roskind, Col. 9 lines 51-55, a computer program product may have logic including the computer program logic of the modules recorded on a computer readable medium) and configured for: performing method steps substantially similar to those of method claim 1, and is therefore rejected for the same reasons set forth in the rejection of claim 1 above.

As per claim 13, Roskind-Barton-Rotem-Backholm combination discloses:
A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions (Roskind, Col. 9 lines 51-55, a computer program product may have logic including the computer program logic of the modules recorded on a computer readable medium) configured for: performing method steps 

Regarding claim 2, similarly claim 8, claim 14, the combination of Roskind-Barton-Rotem-Backholm further teaches: The method of claim 1, the system of claim 7, the non-transitory computer-readable storage medium of claim 13, wherein: the managing risk comprises elevating a risk level associated with the user when the interactions between the user and the cloud service represent the non-authorized use of the cloud service (Barton, [0151] Furthermore, such information may be created, accessed, modified and/or stored by the access gateway based on one or more risk determinations… if the risk score is above the threshold, the access gateway may require a more secure authentication process before allowing access to a resource or allowing creation of an application-specific VPN tunnel).
		
Regarding claim 4, similarly claim 10, claim 16, the combination of Roskind-Barton-Rotem-Backholm further teaches: The method of claim 1, the system of claim 7, the non-transitory computer-readable storage medium of claim 13, wherein: the monitoring interactions between the user and the cloud service includes review of web proxy traffic logs (Roskind, Refer to Fig. 6, and Col. 14 lines 40-43, The additional configurations may be with respect to network interfaces, traffic and/or access logging functions, or any other configurable function performed by the network gateway).

Regarding claim 19, the combination of Roskind-Barton-Rotem-Backholm further teaches: The non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are deployable to a client system from a server system at a remote location (Roskind, Col. 10 lines 18-20, the network connectivity may be restricted to access only remote network locations that are listed in a configured list stored in network gateway 110. Also see Fig. 1 where cloud based service application, identity provider etc. are remote through remote network 118).

		Regarding claim 21, similarly claim 22, claim 23, the combination of Roskind-Barton-Rotem-Backholm further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the contextual information comprises at least one of log-in information, authentication information, role information, access rights information, cloud service interaction information, date, time and frequency information and location information (Backholm, [0130] The context API 206 may be a plug-in to the operating system 204 or a particular client/application on the device 250.  The context API 206 can detect signals indicative of user or device activity, for example, sensing motion, gesture, device location, changes in device location,…).  

Claims 5, 11, 17 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Roskind-Barton-Rotem-Backholm as applied above to claims 1, 7, 13 respectively, further in view of McCreary et al (US20180165463A1, hereinafter, “McCreary”).
Regarding claim 5, similarly claim 11, claim 17, the combination of Roskind-Barton-Rotem-Backholm teaches: The method of claim 1, the system of claim 7, the non-transitory computer-readable storage medium of claim 13, 
While Roskind-Barton-Rotem-Backholm does not explicitly teach enforcing a policy for a restricted cloud service, in the same field of endeavor McCreary teaches:
further comprising: determining whether the cloud service corresponds to a restricted cloud service, the determining comprising comparing the cloud service to a list of restricted cloud services; and, when the cloud service corresponds to the restricted cloud service then a security policy corresponding to the restricted cloud service is enforced (McCreary, [0009] … provide a resource evaluation system for processing restricted content (i.e. restricted cloud service). The resources evaluation system … configured by code implemented thereto receive at least request containing at least one content access link from a sender device, extract the at least one content access link from the request, access a database including a list of restricted access link entries, compare the extracted content access link to the list of the database, remove the content access link (i.e. enforced) if the extracted content is matched to an entry in the database, and provide a notification that access has been restricted to the content access link. Also see Fig. 1 for cloud based system).
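Taken together, the limitations mapped above (claims 1, 2, 4, 5 and 21) describe one pipeline: review web proxy traffic logs, detect HTTP requests to a particular cloud server, enrich each request with contextual information (role, location, time, frequency, access rights), decide whether the use is non-authorized, elevate the user's risk level, and enforce a security policy when the service appears on a restricted list. The following is an added illustration of that pipeline written for this page; it is not code from the application, the examiner, or any cited reference, and the log format, host catalogue, user directory and restricted list are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed web proxy log lines (claim 4: review of web proxy traffic logs).
# Assumed format: "<ISO time> <client_ip> <user> <method> <url> <status>"
PROXY_LOG = """\
2021-01-07T09:15:02 10.0.0.21 alice GET https://storage.example-cloud.test/bucket/report.xlsx 200
2021-01-07T09:16:40 10.0.0.22 bob POST https://sync.filedrop.test/api/upload 201
2021-01-07T09:17:05 10.0.0.21 alice GET https://intranet.corp.test/home 200
2021-01-07T11:30:11 10.0.0.23 carol GET https://sync.filedrop.test/api/list 200
2021-01-07T11:31:00 10.0.0.23 carol GET https://sync.filedrop.test/api/list 200
"""

# Constructed catalogue mapping cloud server hosts to a cloud service name
# (claim 1: HTTP request for a particular cloud server -> cloud services request).
CLOUD_SERVICES = {
    "storage.example-cloud.test": "ExampleCloud Storage",
    "sync.filedrop.test": "FileDrop Sync",
}

# Constructed list of restricted cloud services and the policy to enforce (claim 5).
RESTRICTED_SERVICES = {"FileDrop Sync": "block"}

# Constructed directory supplying contextual information (claim 21):
# role, location and the cloud services each user is permitted to use.
USER_DIRECTORY = {
    "alice": {"role": "analyst", "location": "HQ", "cloud_rights": {"ExampleCloud Storage"}},
    "bob": {"role": "contractor", "location": "remote", "cloud_rights": set()},
    "carol": {"role": "engineer", "location": "HQ", "cloud_rights": set()},
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class CloudEvent:
    """One HTTP request to a cloud server, enriched with context."""
    time: datetime
    user: str
    client_ip: str
    method: str
    host: str
    service: str
    context: Dict[str, object] = field(default_factory=dict)
    authorized: bool = True
    action: str = "allow"


def discover(log_text: str) -> List[CloudEvent]:
    """Shadow IT discovery operation over proxy log text (constructed format)."""
    events: List[CloudEvent] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, ip, user, method, url, status = m.groups()
        host = urlsplit(url).hostname or ""
        service = CLOUD_SERVICES.get(host)
        if service is None:
            continue  # not a request to a catalogued cloud server
        profile = USER_DIRECTORY.get(user, {"role": "unknown", "location": "unknown", "cloud_rights": set()})
        ev = CloudEvent(datetime.fromisoformat(ts), user, ip, method, host, service)
        # Enrich the HTTP request with contextual information.
        ev.context = {
            "role": profile["role"],
            "location": profile["location"],
            "hour": ev.time.hour,
            "status": int(status),
        }
        # Non-authorized use: the user holds no access right for this service.
        ev.authorized = service in profile["cloud_rights"]
        # Restricted-list comparison and policy enforcement.
        ev.action = RESTRICTED_SERVICES.get(service, "allow")
        events.append(ev)
    # Frequency context needs the whole log, so it is filled in a second pass.
    counts = Counter((e.user, e.service) for e in events)
    for e in events:
        e.context["frequency"] = counts[(e.user, e.service)]
    return events


def risk_levels(events: List[CloudEvent]) -> Dict[str, int]:
    """Elevate a per-user risk level once per non-authorized interaction (claim 2)."""
    risk: Dict[str, int] = {}
    for e in events:
        risk.setdefault(e.user, 0)
        if not e.authorized:
            risk[e.user] += 1
    return risk


if __name__ == "__main__":
    found = discover(PROXY_LOG)
    for e in found:
        print(f"{e.time.isoformat()} {e.user:6} {e.service:22} authorized={e.authorized} action={e.action} ctx={e.context}")
    print("risk levels:", risk_levels(found))
```

The intranet request is dropped because its host is not in the cloud server catalogue, so it is never a "cloud services request"; the remaining events carry the enrichment, the authorization decision and the enforcement action the claims describe, and the per-user risk count rises only for non-authorized interactions.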
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of McCreary in the cloud-based network device configuration and control system of Roskind-Barton-Rotem-Backholm by extracting the content access link from a message and comparing the access link to a list of restricted access link entries. This would have been obvious because the person having .

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Roskind-Barton-Rotem-Backholm as applied above to claim 13, further in view of De Armas et al (US20130340029A1, hereinafter, “De Armas”).
Regarding claim 20, the combination of Roskind-Barton-Rotem-Backholm teaches: The non-transitory, computer-readable storage medium of claim 13, 
While Roskind-Barton-Rotem-Backholm does not explicitly teach the following limitation, in the same field of endeavor De Armas teaches:
wherein: the computer executable instructions are provided by a service provider to the user on an on-demand basis (De Armas, [0020] Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources. And [0022] On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service's provider).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of De Armas in the cloud-based network device configuration and control system of Roskind-Barton-Rotem-Backholm by enforcing policy regarding consumer access to the cloud service on an on-demand basis. This would have been obvious because the person having ordinary skill in the art would .

Claims 6, 12, 18 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Roskind-Barton-Rotem-Backholm as applied above to claims 1, 7, 13 respectively, further in view of Kellerman et al (US20130091214A1, hereinafter, “Kellerman”).
Regarding claim 6, similarly claim 12, claim 18, the combination of Roskind-Barton-Rotem-Backholm teaches: The method of claim 1, the system of claim 7, the non-transitory computer-readable storage medium of claim 13, 
While Roskind-Barton-Rotem-Backholm does not explicitly teach restricting the cloud service upon non-authorized use, in a similar field of endeavor Kellerman teaches:
wherein: the managing risk associated with the non-authorized use of the cloud service includes restricting use of the cloud service (Kellerman, [0048] To facilitate secure transmission of protected content within and between the different SNETs and SNET groups to which a single device or service belongs, a device can store different keys for each of SNET group and SNET in separate, restricted portions of memory. In addition, content offered by a service or stored on a member or docked device can be maintained in restricted device memory, content storage devices, or the like which can help to limit unauthorized access to individual content instances based on rules, preferences, and security requirements).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kellerman in the cloud-based network device configuration and control system of Roskind-Barton-Rotem-.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436