DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/02/2020 has been entered.
3.	Claims 1-21 are pending. 


Response to Arguments and Amendments
4.	Applicant’s arguments, see pages 3-4 of the remarks, filed 09/24/2020, with respect to the rejection(s) of claim(s) 1-21 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Mustafa Gurel (US 20110213971).

Claim Rejections - 35 USC § 103
5.	Claims 1-9, 11-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Mei Yan (US 8443207), in view of Mustafa Gurel (US 20110213971), hereinafter Gurel.

	Regarding claim 1:
Yan discloses identifying, by the data protection module, a plurality of protected data files in the plurality of data files stored on the at least one storage module, wherein the plurality of data files stored on the at least one storage module includes the plurality of protected data files and a plurality of unprotected data files the secure memory device protects against unauthorized access of content stored in the secure partition of the secure memory device. The secure memory device may also protect against unauthorized access of content stored in the public partition of the secure memory device if the content is protected. Content is protected in the secure memory device if the content is encrypted. Content is unprotected in the secure memory device if the content is unencrypted and is stored in a public partition (Yan, paragraph 4, [lines 1-9]). Yan shows how to identify protected data and unprotected data by identifying whether the content is encrypted or unencrypted. Encrypted content is protected data and unencrypted content is unprotected data.
	And wherein each protected data file in the plurality of protected data files is stored on the at least one storage module in an encrypted format content is protected in the secure memory device if the content is encrypted. Content is unprotected in the secure memory device if the content is unencrypted and is stored in a public partition (Yan, paragraph 4, [lines 1-9]).
Associating each of the protected data files stored on the at least one storage module with a protected file identifier; receiving, by the data protection module, a file access request from a requesting process instance operating on the computer system when a user, through an application or application launcher 105, requests access to content, the file system filter interface layer 125 determines whether the requested content is protected in the secure memory device 145 (Yan, column 6, [lines 3-6]).
And providing the requesting process instance with a level of access to the particular data file based on the determined authorization level of the requesting process instance in step 880, the permissions associated with the requested protected content are accessed by the protected content access manager 320. The protected content access manager 320 will access the permissions for the protected content. For example, a CEK for decrypting the protected content stored in the secure memory device 145 or a session key may be accessed (Yan, column 14, [lines 47-55]). However, Yan fails to disclose the requesting process instance being an execution of an application program on the computer system; wherein the file access request includes file identifying information corresponding to a particular data file in the plurality of data files, identifying, by the data protection module, the particular data file from the file identifying information; determining, by the data protection module, that the particular data file is one of the protected data files by identifying the associated protected file identifier; and determining, by the data protection module, an authorization level of the requesting process instance based on a process authorization level of a corresponding process
Gurel teaches the requesting process instance being an execution of an application program on the computer system; wherein the file access request includes file identifying information corresponding to a particular data file in the plurality of data files an application 119 sends a request to the virtual file system 121 to access a file in database 123 which is protected by a technology applied by the rights management system 107. The virtual file system 121 alerts the rights management application 125 to invoke relevant file operation bindings that link operations of the virtual file system 121 to the physical layer operations (Gurel, paragraph 31), and further such a virtual file system facilitates access control for protected files of different types (e.g., content files, executable files, etc.) using different protection methods (e.g., password, encryption, license, etc.) (Gurel, paragraph 23).
identifying, by the data protection module, the particular data file from the file identifying information; determining, by the data protection module, that the particular data file is one of the protected data files by identifying the associated protected file identifier if an application needs to access three files where the first file is password protected, the second file is encrypted using technology A, and a third file encrypted using technology B, the application typically must have access to the password and decryption keys for both technologies A and B in order to be able to gain access to the three files. This may cause considerable amount of extra processing spent on gaining access to a file before the application can actually use the content (Gurel, paragraph 26), and further in order for the authorized entity to be able to convert the encrypted data back into the original content, the entity may need a guide (a key) for applying the decryption process on the encrypted data. In one embodiment, a key database 111 contains decryption keys. The content database 113 contains the content that the users would like to download from the service provider 103 (e.g., music tracks in the above example) (Gurel, paragraph 28). Music tracks are an example of the protected file identifier in the claim.
determine the authorization level for each application 119, monitor changes in authorization level and keep an up to date list of authorizations associated with the applications 119 in the UE 101. Further, the credentials validation module 201 can communicate with the rights management system 107 to obtain decryption information (e.g., a decryption key) associated with the credentials (Gurel, paragraph 53), and further step 345, the encryption/decryption component 203 determines the authorization level associated with the requesting application 119 based on the received credentials. The authorization level may be associated with a decryption key that allows for the decryption of the file. The encryption/decryption component 203 decrypts the requested file according to the access rights associated with the requesting application per step 345 (Gurel, paragraph 54). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Yan with that of Gurel in order to protect from unauthorized use, distribution, and/or access.

Regarding claim 2:
Yan discloses wherein the configuration map defines a first group of processes from the plurality of processes having a plaintext authorization level, and a second group of processes from the plurality of processes having a cypher-text authorization level the secure memory device protects against unauthorized access of content stored in the secure partition of the secure memory device. The secure memory device may also protect against unauthorized access of content stored in the public partition of the secure memory device if the content is protected. Content is protected in the secure memory device if the content is encrypted. Content is unprotected in the secure memory device if the content is unencrypted and is stored in a public partition (Yan, paragraph 4, [lines 1-9]).


Yan and Gurel disclose the process authorization level of the corresponding process for the particular data file is determined to be a plaintext authorization level determine the authorized access level to the protected file for the requesting application 119. In another embodiment, the level of access may be determined by the credentials validation module 201 which can then transfer the determined information to the encryption/decryption component 203 (Gurel, paragraph 53).
And providing the requesting process instance with the level of access to the particular data file comprises: decrypting the particular data file to provide a decrypted data file; temporarily storing the decrypted data file in the cache of the computer system; and providing the requesting process instance with access to the decrypted data file in plaintext in step 880, the permissions associated with the requested protected content are accessed by the protected content access manager 320. The protected content access manager 320 will access the permissions for the protected content. For example, a CEK for decrypting the protected content stored in the secure memory device 145 or a session key may be accessed (Yan, column 14, [lines 47-55]). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Yan with that of Gurel in order to protect from unauthorized use, distribution, and/or access.

Regarding claim 4:
Yan and Gurel disclose the process authorization level of the corresponding process for the particular data file is determined to be a cypher-text authorization level; and providing the requesting process instance with the level of access to the particular data file comprises providing the requesting process instance with access to the particular data file in the encrypted format provide rights management operations at the file system level. More specifically, instead of including or linking to a rights management system on an application-by-application basis, the system 100 enables a client application to request access to protected content from the file system itself (Gurel, paragraph 22). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Yan with that of Gurel in order to protect from unauthorized use, distribution, and/or access.

Regarding claim 5:
Yan and Gurel disclose the process authorization level of the corresponding process for the particular data file is determined to be neither a plaintext authorization level nor a cypher-text authorization level; and providing the requesting process instance with the level of access to the particular data file comprises denying the requesting process instance access to the particular data  the authentication data base 129 may include credentials (e.g., an user identifier, a UE identifier, etc.) to Verify, via a rights management system 107, that the user, UE 101, application 119, or a combination thereof has sufficient rights to access the file. If the credentials are invalid for one or more of the requested protected files, the requesting application 119 is denied access to the files (Gurel, paragraph 46). It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Yan with that of Gurel in order to protect from unauthorized use, distribution, and/or access.

Regarding claim 6:
Yan discloses wherein, for each of at least one protected data file, associating that protected data file with the protected file identifier comprises storing that protected data file in a file location within a predefined file directory area on the at least one storage module; and the protected file identifier for that protected data file is the predefined file directory area once the content is located or filed using either the host file system 130 or secure file system 135, the content can be accessed or stored on the secure memory device 145 in the appropriate location using the device driver 140 on the host device. This is performed through the physical interface 142 that physically connects the host device 100 and the secure memory device 145. The content may be accessed or stored using a secure channel 155 or an open channel 150. The file system filter interface layer 125 determines whether the content should be transferred between the secure memory device 145 and the host device using a secure channel 155 or an open channel 150 (Yan, column 6, [lines 49-60]).

Regarding claim 7:
if the content is associated with a session key indicating that the content should be transferred using a secure channel 155, the content will be encrypted using the session key before it is transferred through the secure channel 155. Once the encrypted content is transferred, the content will be decrypted using the same session key. The content is encrypted or decrypted on the host device 100 using the file system filter crypto library 168 (Yan, column 7, [lines 1-7]).

Regarding claim 8:
Yan and Gurel disclose prior to providing the requesting process instance with the level of access, authenticating the requesting process instance by: determining an application program associated with the corresponding process; determining that the requesting process instance includes additional process instructions that do not correspond to the known application program; and modifying the determined authorization level whereby the providing the requesting process instance with the level of access to the particular data file comprises denying the requesting process instance access to the particular data file the binding process may invoke restrictions imposed on the file such as credentials required for granting access to the file to a requesting application. The rights management application 125 may communicate with the license server 115 and query updates on the license required for accessing the file. In step 305, the rights management application 125 determines the credentials received from the requesting application and the required credentials determined during the binding process. In step 307, the rights management application 125 checks whether the credentials received from the requesting application match with the determined credentials or whether the credentials are otherwise authenticated. If the credentials do not match or cannot be authenticated, meaning that the requesting application does not have access rights to the file, an error message is issued and returned to the requesting application per step 309 (Gurel, paragraph 49). It would have been obvious to someone skilled in the art before the

Regarding claim 9:
Yan and Gurel disclose determining, by the data protection module, an initial process authorization level of the corresponding process by accessing the configuration map, wherein the initial authorization level indicates that the corresponding process is to be denied access to the particular data file; displaying a denial notification through a user application installed on the computer system; receiving a modification input through the user application in response to the denial notification; and updating, by the data protection module, the configuration map based on the modification input to change the initial authorization level of the corresponding process the rights management application 125 checks whether the credentials received from the requesting application match with the determined credentials or whether the credentials are otherwise authenticated. If the credentials do not match or cannot be authenticated, meaning that the requesting application does not have access rights to the file, an error message is issued and returned to the requesting application per step 309. In this case, access to the protected file is denied. The error message may appear on a monitor or other user interface to alert the user about inadequate credentials (Gurel, paragraph 49), and further a separate component of the rights management application 125 (not shown) may determine the authorization level for each application 119, monitor changes in authorization level and keep an up to date list of authorizations associated with the applications 119 in the UE 101. Further, the credentials validation module 201 can communicate with the rights management system 107 to obtain decryption information (e.g., a decryption key) associated with the credentials.
It would have been obvious to someone skilled in the art before the effective filing date of the claimed invention to combine the teaching of Yan with that of Gurel in order to protect from unauthorized use, distribution, and/or access.




Claim 11 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 12:
Claim 12 is rejected under the same reason set forth in rejection of claim 2.

Regarding claim 13:
Claim 13 is rejected under the same reason set forth in rejection of claim 3.

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 4.

Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 5.

Regarding claim 16:
Claim 16 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 17:
Claim 17 is rejected under the same reason set forth in rejection of claim 7.

Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claim 8.

Regarding claim 19:
Claim 19 is rejected under the same reason set forth in rejection of claim 9.

	Regarding claim 21:
.


6.	Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mei Yan (US 8443207), in view of Mustafa Gurel (US 20110213971), and further in view of Richard Hayton (US 20120297189), hereinafter Hayton.

Regarding claim 10:
Yan and Gurel disclose receiving, by the data protection module, a second file access request from a second process instance operating on the computer system while the requesting process instance has the level of access to the particular data file, wherein the second file access request includes file identifying information corresponding to the particular data file; determining that the authorization level of the process corresponding to the second process instance is different from the level of access provided to the process corresponding to the requesting process instance step 345, the encryption/decryption component 203 determines the authorization level associated with the requesting application 119 based on the received credentials. The authorization level may be associated with a decryption key that allows for the decryption of the file. The encryption/decryption component 203 decrypts the requested file according to the access rights associated with the requesting application per step 345 (Gurel, paragraph 54), but fail to disclose generating a copy of the particular data file; and providing the second process instance with the second level of access to the copy of the particular data file.
However, Hayton teaches a security component may assign a location for mounting a virtual disk volume using a copy or representation of the stored encrypted file assigning the location for mounting the virtual disk volume may include running a particular process or application that acts as a network drive. In other embodiments, assigning the location for mounting the virtual disk volume may include running a process or application that provides a copy or representation on an encrypted file stored by the external storage provider to a user (Hayton, paragraph 178). It would have been obvious to someone skilled in the art before the effective 

Regarding claim 20:
Claim 20 is rejected under the same reason set forth in rejection of claim 10.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thanh Le whose telephone number is 571-272-8556.  The examiner can normally be reached on Monday-Friday 8:00 a.m. to 5 p.m. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nickerson Jeffrey L can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THANH H LE/             Examiner, Art Unit 2432                                                                                                                                                                                           
/Kevin Bechtel/             Primary Examiner, Art Unit 2491