DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the amendment filed on 7/22/2020.  The Applicant has amended claims 1-2, 4, 7-8, 10, 13-14, and 16.  Claims 1-20 have been examined.  This office action is Non-Final.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/22/2020 has been entered.
 






Response to Amendment

Applicant's arguments filed 7/22/2020 have been fully considered but they are not persuasive. 
On page 8 of the Applicant’s remarks the Applicant states that the prior art of “Kaufmann does not disclose the plurality of entity specific policies”.    
(A).  The Examiner disagrees with the Applicant.  Kaufmann discloses an organization specific policy, such as how the organization handles files, which is a specific organization policy, and the entities are groups of users and/or departments in an organization; thus the departments in an organization or a group of users have entity specific policies (Kaufmann: para. 0013-0014, 0083, entities (i.e. departments)).
On pages 8-9 of the Applicant’s remarks the Applicant states that, “the prior art of Hutson and Kaufmann alone or in combination do not disclose or suggest each of the plurality of entity specific security policies corresponding to a respective entity, each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor”.
(B). Applicant’s arguments, see Remarks, filed 7/22/2020, with respect to the rejection(s) of claims under Hutson and Kaufmann have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Kshirsagar et al (2013/0055367).
On page 9 of the Applicant’s arguments, the Applicant addresses the prior art of Boss.  The Applicant’s arguments are moot in regard to the prior art of Boss, because new art has been applied in view of Gibson et al (8,776,168).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  
The claims recite limitations of monitoring user interactions and converting user interactions.  These limitations, as drafted, are a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting “a processor”, “data bus”, and “non-transitory computer-readable storage medium”, nothing in the claim elements precludes the step from practically being performed in the mind. For example, but for the “processor, data bus, and non-transitory computer-readable medium”, the claim encompasses a user simply monitoring information, and converting information in his/her mind. The mere nominal recitation of a generic processor, data bus, and non-transitory computer-readable storage medium does not take the claim limitation out of the mental processes grouping. Thus, the claim recites a mental process.

The claims recite monitoring information, and using the information to apply a policy. The applying step is merely data gathering, which is a form of insignificant extra-solution activity. Each of the additional limitations is no more than mere instructions to apply the exception using generic computer components. The additional elements in the claims amount to no more than mere instructions to apply the exception using generic computer components. The Applicant’s specification does not provide any indication that the processor, data bus, and non-transitory computer readable medium are anything other than generic, off-the-shelf computer components, and the Symantec, TLI, and OIP Techs court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection of information over a network is a well-understood, routine, and conventional function when it is claimed in a merely generic manner. Accordingly, the gathering step is well-understood, routine, conventional activity that is supported under Berkheimer.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5-7, 11-12, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0168453) in view of Kaufmann et al. (2009/0300712), and further in view of Kshirsagar et al (2013/0055367).

As per claim 1, Hutson discloses a computer-implementable method for enforcing security policies, comprising: 
monitoring electronically-observable user interactions of an entity (Hutson: para. 0014, 0018, monitoring improper behavior (i.e. user interactions) on a network (i.e. electronically-observable) of an entity (i.e. user); monitoring communications include email, instant messages, web postings, file transfers, and voice over Internet (i.e. electronically observable user interactions)), the electronically-observable user interactions comprising corresponding user behavior of the entity (Hutson: para. 0015-0016, 0027, electronically-observable user interactions (i.e. social security numbers within email communications));
converting the electronically-observable user interactions into electronic information representing the user behavior (Hutson: para. 0016-0017, converting the electronically-observable user interactions (i.e. improper behavior) into electronic information representing the user behavior (i.e. electronic information/incident notification includes a copy of the electronic communication));
applying an organization specific security policy based upon the electronic information representing the user behavior (Hutson: para. 0015-0018, applying the organization specific security policy (i.e. looks for a condition where nine numbers are found within eleven contiguous spaces) based on electronic information representing the user behavior).

Kaufmann discloses the organization specific security policy comprising an automatically generated organization specific rule (Kaufmann: para. 0011, 0013-0014, business rule (i.e. organization specific rule)), the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity (Kaufmann: para. 0013-0014, 0083, the Examiner asserts that policies are for a group of users, such as a department in an organization; the Examiner asserts that the department or group of users are the entities, and Kaufmann discloses that more than one policy can be defined for the entity, which the Examiner asserts are the entity specific security policies).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity, of Kaufmann with Hutson, as both are analogous in the art of enforcing security policies; the motivation is that a dynamic policy is more flexible and can allow one to apply policies at run-time (Kaufmann: para. 0009, 0078).


Kshirsagar discloses each respective entity having a corresponding user profile (Kshirsagar: para. 0018, each respective entity (i.e. user) having a corresponding data structure called a profile (i.e. user profile)), each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor (Kshirsagar: para. 0018-0023, the profile includes a collection of information that describes the identity of the entity, the profile includes the factors, user behavior factor stored in the profile, usage patterns (i.e. user profile attribute), user mindset factor (i.e. user preferences), the Examiner asserts that the user mindset preference is that the user is able to determine the preferences).
It would have been obvious to one of ordinary skill at the time of the effective filing date of the claimed invention to include each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, of Kshirsagar with Hutson and Kaufmann, as all are analogous in the art of observing events on a network; the motivation is that the factors are used to identify information of a user, thus this is a security measure that can be used to identify patterns in the information to look for security attacks or threat monitoring (Kshirsagar: para. 0025).

As per claim 5, Hutson, Kaufmann, and Kshirsagar disclose the method of claim 1.
Hutson further discloses detecting occurrence of an event (Hutson: para. 0018, detecting occurrence of an event (i.e. incident)); associating the event with an entity (Hutson: para. 0015-0016, associating the event (i.e. incident) with an entity (i.e. user and/or organization)); and applying the organization specific security policy to the entity based upon the event (Hutson: para. 0015-0018, applying the organization specific security policy (i.e. looks for a condition where nine numbers are found within eleven contiguous spaces) to the entity (i.e. user and/or organization) based upon the event).

As per claim 6, Hutson, Kaufmann, and Kshirsagar disclose the method of claim 1.
Hutson discloses associating the organization specific security policy with the particular entity; and applying the organization security policy to the entity (Hutson: para. 0015-0018, applying the organization specific security policy (i.e. looks for a condition where nine numbers are found within eleven contiguous spaces) with a particular entity (i.e. user); and applying the organization security policy to the user).
Hutson does not explicitly disclose the automatically generated rule comprises a rule associated with an event, the rule associated with the event comprising an indication of whether to allow a particular entity to perform the event.
Kaufmann discloses the automatically generated rule comprises a rule associated with an event (Kaufmann: para. 0086, business rule), the rule associated with the event comprising an indication of whether to allow a particular entity to perform the event (Kaufmann: para. 0097, allowing a user (i.e. user) to perform the event (i.e. open the file)).
(Kaufmann: para. 0009).

As per claim 7, Hutson discloses a system comprising:
a processor (Hutson: para. 0006); 
a data bus coupled to the processor (Hutson: para. 0006, data bus is disclosed because Hutson discloses a computer); and 
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for (Hutson: para. 0019-0020): 
monitoring electronically-observable user interactions of an entity (Hutson: para. 0014, 0018, monitoring improper behavior (i.e. user interactions) on a network (i.e. electronically-observable) of an entity (i.e. user); monitoring communications include email, instant messages, web postings, file transfers, and voice over Internet (i.e. electronically observable user interactions)), the electronically-observable user interactions comprising corresponding user (Hutson: para. 0015-0016, 0027, electronically-observable user interactions (i.e. social security numbers within email communications));
converting the electronically-observable user interactions into electronic information representing the user behavior (Hutson: para. 0016-0017, converting the electronically-observable user interactions (i.e. incidents) into electronic information representing the user behavior (i.e. electronic information/incident notification includes a copy of the electronic communication)), and
applying an organization specific security policy based upon the electronic information representing the user behavior (Hutson: para. 0015-0018, applying the organization specific security policy (i.e. looks for a condition where nine numbers are found within eleven contiguous spaces) based on electronic information representing the user behavior).
Hutson does not explicitly disclose the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity. 
Kaufmann discloses the organization specific security policy comprising an automatically generated organization specific rule (Kaufmann: para. 0011, 0013-0014, business rule (i.e. organization specific rule)), the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity (Kaufmann: para. 0013-0014, 0083, the Examiner asserts that policies are for a group of users, such as a department in an organization; the Examiner asserts that the department or group of users are the entities, and Kaufmann discloses that more than one policy can be defined for the entity, which the Examiner asserts are the entity specific security policies).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the organization specific security policy comprising an automatically generated organization specific rule, the organization specific security policy comprising an aggregation of a plurality of entity specific security policies, each of the plurality of entity specific security policies corresponding to a respective entity, of Kaufmann with Hutson, as both are analogous in the art of enforcing security policies; the motivation is that a dynamic policy is more flexible and can allow one to apply policies at run-time (Kaufmann: para. 0009, 0078).
Hutson and Kaufmann do not explicitly disclose each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor.
Kshirsagar discloses each respective entity having a corresponding user profile (Kshirsagar: para. 0018, each respective entity (i.e. user) having a corresponding data structure called a profile (i.e. user profile)), each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor (Kshirsagar: para. 0018-0023, the profile includes a collection of information that describes the identity of the entity, the profile includes the factors, user behavior factor stored in the profile, usage patterns (i.e. user profile attribute), user mindset factor (i.e. user preferences), the Examiner asserts that the user mindset preference is that the user is able to determine the preferences).
It would have been obvious to one of ordinary skill at the time of the effective filing date of the claimed invention to include each respective entity having a corresponding user profile, each corresponding user profile comprising a collection of information that uniquely describes an identity of the respective entity, the collection of information comprising a user profile attribute, a user behavior factor and a user mindset factor, of Kshirsagar with Hutson and Kaufmann, as all are analogous in the art of observing events on a network; the motivation is that the factors are used to identify information of a user, thus this is a security measure that can be used to identify patterns in the information to look for security attacks or threat monitoring (Kshirsagar: para. 0025).

As per claims 11 and 17, rejected under similar scope as claim 5.
As per claims 12 and 18, rejected under similar scope as claim 6.

Claims 2, 8, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0168453) in view of Kaufmann et al. (2009/0300712), and in view of Kshirsagar et al (2013/0055367), and further in view of Mehrabanzad et al (2016/0330746).
As per claim 2, Hutson, Kaufmann, and Kshirsagar disclose the method of claim 1.
Hutson does not explicitly disclose evolving a security policy according to the electronically observable user interactions associated with the event.
(Kaufmann: para. 0059, 0079, evolving security policy (i.e. dynamic policy) according to the electronically observable user interactions (i.e. user actions/activities associated with the file)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include evolving a security policy according to the electronically observable user interactions associated with the event of Kaufmann with Hutson, as both are analogous in the art of enforcing security policies; the motivation is that a policy that can evolve is dynamic, and is more flexible and can allow one to apply policies at run-time (Kaufmann: para. 0009, 0078).
Hutson, Kaufmann, and Kshirsagar do not explicitly disclose evolving the organization specific security policy comprising revising rules associated with the organization specific security policy according to enactment of a user behavior corresponding to an event.
Mehrabanzad discloses evolving the organization specific security policy comprising revising rules associated with the organization specific security policy according to enactment of a user behavior corresponding to an event (Mehrabanzad: para. 0048-0049, organization specific security policy (i.e. user permitted to access a particular access point, and the user’s permitted QoS level), revising rules (i.e. alter rules) associated with the organization specific security policy according to enactment of user behavior corresponding to an event (i.e. the corporate executive may require a higher QoS level; however, if the executive stops coming into the office and/or is no longer determined to be an executive, the rules can be revised based on the user behavior corresponding to the event)).
(Mehrabanzad: para. 0049).

As per claims 8 and 14, rejected under similar scope as claim 2.

Claims 3, 9, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0168453) in view of Kaufmann et al (2009/0300712), in view of Kshirsagar et al (2013/0055367) and further in view of Lang (2019/0014153).
As per claim 3, Hutson, Kaufmann, and Kshirsagar disclose the method of claim 1.
Hutson, Kaufmann, and Kshirsagar do not explicitly disclose each of the plurality of entity-specific security policies comprise an automatically generated entity-specific rule.
Lang discloses each of the plurality of entity specific security policies comprise an automatically generated entity-specific rule (Lang: para. 0065-0066, entity (i.e. IT system) specific security policies receive a plurality of policy inputs, and automatically generate a machine-enforceable rule).
(Lang: para. 0005).  

As per claims 9 and 15, rejected under similar scope as claim 3.


Claims 4, 10, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0168453) in view of Kaufmann et al (2009/0300712), in view of Kshirsagar et al (2013/0055367) and further in view of Gibson et al (8,776,168).

As per claim 4, Hutson, Kaufmann, and Kshirsagar disclose the method of claim 1.
Hutson further discloses the organization specific security policy comprises a risk-adaptive security policy (Hutson: See Fig. 2, para. 0016, 0025, 0027, the organization specific security policy, which looks at social security numbers within email, comprises a risk adaptive security policy (i.e. how many social security numbers within email communications)).
Hutson, Kaufmann, and Kshirsagar do not explicitly disclose a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user
Gibson discloses a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor (Gibson: col. 4, lines 26-51, col. 7, lines 25-34, col. 9, lines 10-24, Gibson discloses only one needs to be disclosed, which Gibson discloses user behavior factor, the security policy is revised to remediate risk associated with a user behavior).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a security policy implemented to be revised to adaptively remediate risk associated with a user behavior, the user behavior being represented via a plurality of risk-adaptive behavior factors, the plurality of risk-adaptive behavior factors comprising at least one user behavior factor and a user mindset factor, of Gibson with Hutson-Kaufmann-Kshirsagar, as all are analogous in the art of security policies; the motivation is that revising a security policy based on risk is an efficient security measure that allows system administrators to take preventive measures that limit the harm caused by users/groups (Gibson: col. 4, lines 47-51).

As per claims 10 and 16, rejected under similar scope as claim 4.


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0198453) in view of Kaufmann et al. (2009/0300712), and in view of Kshirsagar et al (2013/0055367) and further in view of Williams et al (2012/0079107).

As per claim 19, Hutson, Kaufmann, and Kshirsagar disclose the non-transitory, computer-readable storage medium of claim 13.
Hutson, Kaufmann, and Kshirsagar do not explicitly disclose wherein the computer executable instructions are deployable to a client system from a server system at a remote location.
Williams discloses the computer executable instructions are deployable to a client system from a server system at a remote location (Williams: para. 0074, 0094, compliance server instructions to be deployable on a client system).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the computer executable instructions are deployable to a client system from a server system at a remote location of Williams with Hutson-Kaufmann-Kshirsagar, as all are analogous in the art of security policy; the motivation is that policy may be tested by the policy deployment for effectiveness and impact on the network prior to deployment of the policy (Williams: para. 0094).



Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hutson et al (2008/0198453) in view of Kaufmann et al. (2009/0300712) in view of Kshirsagar et al (2013/0055367) and further in view of Dwyier (2016/0277360).
As per claim 20, Hutson, Kaufmann, and Kshirsagar disclose the non-transitory, computer-readable storage medium of claim 13.
Hutson, Kaufmann, and Kshirsagar do not explicitly disclose wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
Dwyier discloses the computer executable instructions are provided by a service provider to a user on an on-demand basis (Dwyier: para. 0013, 0053, on demand basis (i.e. real-time)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the computer executable instructions are provided by a service provider to a user on an on-demand basis of Dwyier with Hutson-Kaufmann-Kshirsagar, as all are analogous in the art of security policies; the motivation is that this is an efficient method that protects sensitive data in real-time by programming data protection policies (Dwyier: para. 0005).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


2/18/2021
/J.E.J/Examiner, Art Unit 2439
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439