Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communications received on 12/2/2020. Claims 1-6, 9-14 and 20-21 are pending. Claims 7, 8 and 19 are cancelled; claims 15-18 were withdrawn previously.

Response to Arguments
Applicant’s amendments and arguments received on 12/2/2020 are respectfully considered and are addressed as follows: 
Regarding the prior art rejection, the amendments to the claims changed the scope of the claims, and the claims are being rejected under a new ground of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.




Claims 1-6, 9-10, 13-14 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over US 20170126724 to Zhong et al., hereinafter Zhong, in view of US 20180248902 to Danila et al., hereinafter Danila.
Regarding claim 1, Zhong discloses:
A computer-implemented method for identifying a data breach, the method comprising:
monitoring movement of data over a computer network relative to at least one of a user, a device, or a software application ([0087]: monitor access request or analysis-target data from network, the request directed to a web server from the client (Fig. 1, [0070]), the analysis-target data is a file [0103]);
wherein the user directly or indirectly manipulates the data, the device is operable to manipulate the data, and the software application handles sending or receiving the data relative to a computing device (Fig. 7 shows the analysis-target data is a file obtained by a browser using http; the client device (Fig. 1, [0070]) requesting the analysis-target data is a computing device and is inherently usable by a user device to manipulate the data; the browser (software application) sends/receives the data);
comparing the monitored movement of the data to a baseline movement of the data relative to at least one of the user, the device, or the software application;
detecting an anomalous movement of the data that differs from an expected movement of the data as indicated based on the baseline movement ([0087][0102], Fig. 3, element 53: calculate degree of similarity between the analysis-target data's parameters and the profile (baseline) class sequence, determine whether the access is faulty).
Zhong does not explicitly teach monitoring ..., comparing ..., identifying ... in real-time or near real-time, and does not explicitly teach identifying an ongoing data breach based on a relationship among the data and the user, the device, and the software application.
In an analogous art, Danila discloses detecting in real-time or near real-time a breach ([0041], [0240]) using a machine learning method ([0235]). Data regarding user interactions with network is collected (metadata), the interaction data including user, action performed, application involved, device involved ([0010]); the metadata along with contextual data ([0229]) are saved in a graph database ([0149]). The collected data is saved in a log file, normalized and compared to previous normalized files to detect normal or malicious behavior ([0190][0191][0240]). Danila discloses monitoring movement of data over a computer network relative to at least one of a user, a device, or a software application ([0010]); wherein the user directly or indirectly manipulates the data, the device is operable to manipulate the data, and the software application handles sending or receiving the data relative to a computing device ([0230]: download document using browser (software application), saving a document, sending an email with document attached ...); identifying an ongoing data breach based on a relationship among the data and the user, the device, and the software application ([0260]: graph-based detection using relationship between objects/user/events including user roles, device or object (data) usage, application permission).
It would have been obvious to a skilled artisan before the invention was filed to monitor and detect a data breach in real-time or near real-time and to identify an ongoing data breach based on a relationship among the data and the user, the device, and the software application as taught by Danila because it would allow 1) detecting an attack while it is occurring and efficiently applying 

Regarding claim 2, Zhong in view of Danila discloses the method of claim 1, wherein monitoring the movement of data over a computer network comprises: obtaining an indication of a path taken by the data over the computer network such that the comparison is between the path taken by the data and a baseline path of the data over the computer network (Zhong, Fig. 4, 102, 103: generate profile or baseline by extracting parameters converted into class sequences, including data from http request (path) (Fig. 5), and comparing the class sequences with class sequences of the current request (test data) ([0102], Fig. 6)).
Regarding claim 3, Zhong in view of Danila discloses the method of claim 2, wherein the path is between a first plurality of computing devices coupled to one or more computer networks, and the baseline path is between a second plurality of computing devices different from the first plurality of computing devices (Zhong Fig. 7: the baseline uses learning data including path or http data, different from the http data in the data used to compare with the baseline). 
Regarding claim 4, Zhong in view of Danila discloses the method of claim 2, wherein the path is within the computer network, and the baseline path includes a cloud resource external to the computer network (Danila: [0058] extract metadata from stream from a file server, where the server is a cloud server [0167], extracted parameters including URI [0216]; it would have been obvious to a skilled artisan to have 
Regarding claim 5, Zhong in view of Danila discloses the method of claim 1, wherein monitoring the movement of data over a computer network comprises: ascertaining a characteristic of the data at a point in time such that the comparison is between the characteristic of the data at the point in time and a baseline characteristic of the data at the point in time (Zhong Fig. 7: compare the path between the baseline and the current data, the path corresponding to the location of the data to access; Danila [0053]: real-time analysis of malicious data).
Regarding claim 6, Zhong in view of Danila discloses the method of claim 5, wherein the characteristic is a location of the data on the computer network (Zhong Fig. 7: compare the path between the baseline and the current data, the path corresponding to the location of the data to access).
Regarding claim 9, Zhong in view of Danila discloses the method of claim 1, wherein identifying the ongoing data breach comprises: identifying a relationship between the data and each of the user, the device, or the software application (Danila [0197][0229]: relationship between user, device, location, parameters of events; see claim 1 for motivation to combine).
Regarding claim 10, Zhong in view of Danila discloses the method of claim 1, wherein identifying the ongoing data breach comprises: identifying a relationship between the data and a physical location of the ongoing data breach (Danila [0197][0245]: relationship between user, device, location, parameters of events, [0260] non-typical location login to perform tasks or storing data in a cloud storage; see claim 1 for motivation to combine).
Regarding claim 13, Zhong in view of Danila discloses the method of claim 1, wherein the data breach is sensitive, protected, or confidential data that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so (Danila [0259]: acquire copies of confidential document).
Regarding claim 14, Zhong in view of Danila discloses the method of claim 1, wherein comparing the monitored movement of the data to the baseline movement of the data is relative to each of the user, the device, or the software application (Zhong [0087]: monitor request to access data from client device using a browser (application) see http request in Fig. 7).
Regarding claim 21, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1.
Regarding claim 20, Zhong in view of Danila discloses the computer system of claim 21, wherein the expected behavior is described in a profile of a user, device, software application, or data (Zhong [0087]: compare with profile obtained from learning data).

Claims 11-12 are rejected under 35 USC 103 as being unpatentable over Zhong and Danila, in view of US 20200273040 to Novick et al., hereinafter Novick.

Regarding claim 11, Zhong in view of Gil discloses the method of claim 1, wherein the data is sensitive data (Danila [0259]: sensitive data normally accessed by a manager). The combination Zhong-Danila does not explicitly specify sensitive data 
Regarding claim 12, Zhong in view of Danila and Novick discloses the method of claim 11, wherein the sensitive data comprises at least one of: personal health information; personally identifiable information (Danila [0257]: unauthorized use of a user’s credentials); payment card industry data; confidential information (Danila [0259]); design document; trade secret; source code; or customer-defined information.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Gabaev 20180278647 discloses an attack detection model that includes a mapping of an attack type, data source (file name, file extension, port ...) and detects the occurrence of an event and its departure from the model.
Zafer et al 20170302505 discloses the identification of a network incident using machine learning model with information on users, application, protocol, device, and their learned relationships.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Catherine Thiaw/
Primary Examiner, Art Unit 2493
2/24/2021