DETAILED ACTION
This Office action is in response to the Amendment filed on 11/18/2020.
Claims 1 and 11 have been amended.
Claims 1-20 are pending in the application.
Please note that this application has been assigned to different examiner.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/18/2020.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claims 1, 10-11, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jones, III et al. (US 2017/0061345) hereinafter Jones in view of Muramatsu (US 2016/0378409) hereinafter Muramatsu and further in view of Hernacki et al. (US 9,146,953) hereinafter Hernacki.
Regarding Claims 1 and 11, Jones discloses “A computer-implementable method for mitigating security breaches associated with dissemination of protected data, comprising:” (Jones, ¶ [0006], discloses determining anomalies associated with the employee based on the employee profile and the legally Protected Information, and generating an alert relating to the anomalies. Further, Figs. 1-10, and related text. ¶ [0044], discloses the employee may intentionally or unintentionally be responsible for data breaches, which can result in the loss or copying of sensitive data held by an organization. ¶ [0049], discloses the term "anomaly" generally refers to received data or information regarding an employee that deviates from expected information regarding that employee. ¶ [0050], obtain information regarding the 
“receiving information communicated to a secured network from a source external to the secured network;” (Jones, ¶ [0049], discloses the term "anomaly" generally refers to received data or information regarding an employee that deviates from expected information regarding that employee. As such, a baseline regarding the employee's behavior is established such that the systems and methods described herein can determine whether an anomaly exists when information or data is received. ¶ [0050], obtain information regarding the employee, and generate an alert if anomalies are discovered according to embodiments shown and described herein. (¶ [0053], discloses receive electronic data from one or more sources e.g. one or more external feeds/sources. Furthermore, ¶ [0053], discloses the information are protected information such as financial, religious affiliation, etc.), 
“the secured network comprising an electronic security system that provides applications to avoid and track unauthorized access, exploitation, modification, or denial of network resources;” (Jones, ¶ [0071], discloses the server computing devices may provide a modeling application 422, a monitoring application 424, a workflow application 426, a behavior analysis application 428, a risk assessment application 430, a data services application 432, and/or a security application 434. These applications may generally allow the systems and methods described herein to monitor an employee, analyze received data, generate alerts, generate risk assessments, generate behavior models, determine legally Protected Information to 
“determining whether the received information includes protected data;” (Jones, ¶ [0053], discloses received information being Protected Information such as legal, financial, or religious affiliation of employees. ¶ [0042], discloses the information that is received from external sources includes legally Protected Information which is used in determining whether an anomaly is detected. ¶ [0112], discloses the determination generally includes processing all information received so as to classify and weight the information, and compare the processed and weighted information with information generated in the behavior model. Based on whether received information includes the legally protected information), 
“the protected data comprising data over which the secured network exercises controlled access and does not make available without the controlled access;” (Jones, ¶ [0047], discloses the legally Protected Information includes Regulated Data, which is data that is protected from public disclosure by various laws, rules, policies, and/or the like, and cannot be divulged without express authorization from the employee) and 
 “and if the received information includes protected data, determining whether the receipt of the protected data is anomalous;” (¶ [0112], discloses an 
“and if the receipt of the protected data is anomalous, performing a response to the detection.” (Jones, ¶ [0116], discloses If one or more anomalies are determined at step 1023, an alert may be generated at step 1025 and transmitted at step 1026. The alert may generally be related to the one or more anomalies that have been detected, but may not contain any references to the legally Protected Information.)
Jones does not explicitly disclose the following which would been obvious in view of Muramatsu from similar field of endeavor “identifying one or more sources of egress of the protected data from the secured network.”  (Muramatsu, ¶ [0026], discloses document containing specific keywords representing confidential/protected level of documents. ¶ [0031], discloses determining the leakage of document by checking/monitoring the keywords, further discloses if leakage of a document is found, a log image similar to the leaked document may be searched for from the log images 
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Muramatsu’s technique into Jones’s technique with motivation to provide a solution that would obviate the shortcomings of conventional countermeasure against information leakage form information systems. Refer to Muramatsu, ¶s [0006]-[0010]. 
The combination of Jones and Muramatsu does not explicitly disclose the security system that implements security policies. However, Hernacki discloses the security system that implements security policies (Hernacki discloses the policy manager is responsible for receiving parameters pertaining to policies  and creates DLP policies 210 based on these parameters… the DLP policies 210 may specify conditions for triggering a violation (col. 4, lines 39-64). Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to modify the teachings of Jones to include implementing security policies as taught by Hernacki in order to prevent data leakage (Hernacki, abstract).

Regarding Claims 10 and 20, the combination of Jones, Muramatsu, and Hernacki discloses “wherein the determination of whether the received information includes protected data comprises one or more of: comparing key phrases extracted from the received information with key phrases associated with protected data stored in the secured network; comparing a file fingerprint of the received information with one or more file fingerprints of files containing protected data stored in the secured network; comparing a digital watermark extracted from the received information with one or more digital watermarks associated with protected data stored in the secured network; and comparing an image watermark extracted from the received information with one or more image watermarks associated with protected data stored in the secured network.” (Muramatsu, ¶ [0026], discloses document containing specific keywords representing confidential/protected level of documents. ¶ [0031], discloses determining the leakage of document by checking/monitoring the keywords, further discloses if leakage of a document is found, a log image similar to the leaked document may be searched for from the log images stored in the log database 310, for example, and thereby it is possible to find information (for example, the user who has issued an instruction for processing an image corresponding to the log image, the time and date of the processing, and the like) that helps to identify the source of the leakage of the document.)

Claims 2 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Jones, Muramatsu, and Hernacki as applied to claim 1 above and further in view of Bacastow (US 2016/0080397) hereinafter Bacastow.

Regarding Claims 2 and 12, in view of claims 1 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would wherein the receipt of the protected data is determined to be anomalous under one or more conditions comprising: determining that the external source is not authorized to access the protected data; determining that the external source utilizes an unauthorized device to electronically communicate the protected data to the secured network; and/or determining that there are no identifiable sources of egress of the protected data from the secured network.” (Bacastow, ¶ [0088], Anomalies may also be sent back to Prospectus (5.9) to be included in the activity reporting. In Step 77, Trumpet (5.11) creates an alert in accordance with the configuration of the Forensic Computing Platform. In this exemplary embodiment, an alert may be generated based on an anomaly wherein one of the Plurality of Devices (5.F) is a Registered Internal Endpoint (device) that has received files from an Unauthorized Device (5.E).)
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Bacastow’s technique into Jones as modified by Muramatsu’s technique with motivation to address shortcomings in the prior art by tracking the movement of data files and data elements as they are shared and moved between authorized and unauthorized devices. Refer to Bacastow, ¶ [0004].

Claims 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Jones, Muramatsu, and Hernacki as applied to claim 1 above and further in view of Seetharaman et al. (US 2017/0237779) hereinafter Seetharaman.

Regarding Claims 3 and 13, in view of claims 1 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Seetharaman from similar field of endeavor “wherein determining whether the received information includes protected data comprises one or more of: determining whether the received protected data includes a duplicate of one or more protected files stored in the secured network; and/or determining whether the received protected data includes one or more files derived from one or more protected files stored in the secured network.”  (Seetharaman, ¶[0051] and ¶[0065], discloses CMADC module 308 determines extent of overlap between thresholds breached by adulteration parameters in duplicated communication data received from the multiple gateways having content duplication functionality. At 706, CMADC module 308 computes difference in number of packets in the duplicated communication data received from the multiple gateways having content duplication functionality. CMADC module 308 then determines extent of abnormal difference in contents of packets in the duplicated communication data received.)
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Seetharaman’s technique into Jones as modified by Muramatsu’s technique with motivation to provide a capability to detect corrupted packets in a manner that complies with legal and regulatory requirements. Refer to Seetharaman, ¶ [0004].

Claims 4-9 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Jones, Muramatsu, and Hernacki as applied to claim 1 above and further in view of Zou et al. (US 2017/03022665) hereinafter Zou.

Regarding Claims 4 and 14, in view of claims 1 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “if the receipt of the protected data is anomalous, saving session data for a session in which the protected data was received; and tagging the session data as including an anomalous receipt of the protected data to thereby facilitate identification of the external source.” (Zou, ¶ [0036], discloses detecting a breach and unusual movement of data from corporation network to external network. ¶ [0037], discloses performed analysis on a network hologram, ¶ [0039], discloses using network hologram to uncover that which user or entity has manipulated data breach or loss. Further see, ¶s [0039]-[0043], ¶s [0050]-[0053]. ¶ [0068], discloses the security system records the network session associating the identity of the user device with an identity of the software application. The association of elements contributes to the formation of a network hologram for real-time visibility and anomaly detection of data in the computer network. In some embodiments, the recording of the network session can associate an identity of the user with the identity of the user device and the identity of the software application. For example, the user may have one or more email addresses that can be associated with the network session. The recording of the network session may also associate the user device and software application with one or more other elements such as files, 
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Zou’s technique into Jones as modified by Muramatsu’s technique with motivation to provide a network tools having adequate visibility. Refer to Zou, ¶ [0005].

Regarding Claims 5 and 15, in view of claims 4 and 14, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “further comprising: if the receipt of the protected data is anomalous, searching analytics data to identify entities within the secured network that have transmitted the protected data to the external source based, at least in part, on the tagged session data.” (Zou, ¶ [0060], disclose the traffic data and metadata from the layer-3 devices 40 are collected by the "HoloFlow" agent 44. The HoloFlow agent 44 generates its own metadata. The combined metadata can then be fed to an analytics engine 46 by the HoloFlow agent 44. The analytics engine 46 can then build a network hologram to link a user with the data/file to detect network anomalies in real-time, and determine suitable remediation measures.)
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Zou’s technique into Jones as modified by Muramatsu’s technique with motivation to provide a network tools having adequate visibility. Refer to Zou, ¶ [0005].

Regarding Claims 6 and 16, in view of claims 1 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “further comprising: if the receipt of the protected data is anomalous, searching analytics data to identify entities within the secured network that have transmitted the protected data to one or more entities external to the secured network.” (Zou, ¶ [0036], discloses detecting a breach and unusual movement of data from corporation network to external network. ¶ [0037], discloses performed analysis on a network hologram, ¶ [0039], discloses using network hologram to uncover that which user or entity has manipulated data breach or loss. Further see, ¶s [0039]-[0043], ¶s [0050]-[0053]. ¶ [0068], discloses the security system records the network session associating the identity of the user device with an identity of the software application. The association of elements contributes to the formation of a network hologram for real-time visibility and anomaly detection of data in the computer network. In some embodiments, the recording of the network session can associate an identity of the user with the identity of the user device and the identity of the software application. For example, the user may have one or more email addresses that can be associated with the network session. The recording of the network session may also associate the user device and software application with one or more other elements such as files, data, additional user devices, or software applications. Hence, the associations can be used to discover or build relationships of the network hologram.)


Regarding Claims 7 and 17, in view of claims 6 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “further comprising: searching analytics data to identify entities that have accessed the protected data within the secured network when no occurrences of transmission of the protected data to one or more entities external to the secured network are identifiable.” (Zou, ¶ [0070], identify unusual behavior such as types of sensitive files being moved (e.g., financial documents moved from enterprise server). The data movement is linked with a user and devices in real-time (e.g., a CFO moving the financial documents from the enterprise server). The security system can learn patterns of how the data is normally accessed to build a profile of normal behavior. When the hacker gets control of the laptop, the pattern changes (e.g., source code is accessed from a second server). Accordingly, the disclosed technology can detect such unusual behavior indicative of a security threat.)
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Zou’s technique into Jones as modified by Muramatsu’s technique with motivation to provide a network tools having adequate visibility. Refer to Zou, ¶ [0005].

Regarding Claim 8 and 19, in view of claim 7 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “prioritizing a security breach investigation of entities that have accessed protected data within the secured network based on user behaviors of the entities.” (Zou, ¶ [0036], discloses detecting a breach and unusual movement of data from corporation network to external network. ¶ [0037], discloses performed analysis on a network hologram, ¶ [0039], discloses using network hologram to uncover that which user or entity has manipulated data breach or loss. ¶ [0048], discloses the discovery and building of relationships of elements allows for real-time identification of abnormal behavior of users and data, and enables mitigating possible security threats by automatically altering network configurations or issuing warnings to a network security operator to manually trigger remediation measures.  ¶ [0060], discloses the analytics engine 46 can then build a network hologram to link a user with the data/file to detect network anomalies in real-time, and determine suitable remediation measures. ¶ [0070], identify unusual behavior such as types of sensitive files being moved (e.g., financial documents moved from enterprise server). The data movement is linked with a user and devices in real-time (e.g., a CFO moving the financial documents from the enterprise server). The security system can learn patterns of how the data is normally accessed to build a profile of normal behavior. When the hacker gets control of the laptop, the pattern changes (e.g., source code is accessed from a second server). Accordingly, the disclosed technology can detect such unusual behavior indicative of a security threat.)


Regarding Claims 9 and 18, in view of claims 1 and 11, the combination of Jones, Muramatsu, and Hernacki does not explicitly disclose the following which would have been obvious in view of Zou from similar field of endeavor “wherein identifying one or more sources of egress of the protected data from within the secured network comprises: identifying business processes through which the protected data was manually conveyed to third parties.” (Zou, ¶ [0036], discloses detecting a breach and unusual movement of data from corporation network to external network. ¶ [0037], discloses performed analysis on a network hologram, ¶ [0039], discloses using network hologram to uncover that which user or entity has manipulated data breach or loss. ¶ [0046], discloses software application used or file move must be associated with a user device, and each device must be operated by a person (or automated by a hacker). Therefore, being able to uniquely discover and reconstruct the relationship between a user, devices, applications, and files/data is the foundation of enterprise information security. ¶ [0060], discloses the analytics engine 46 can then build a network hologram to link a user with the data/file to detect network anomalies in real-time, and determine suitable remediation measures.)
Therefore it would have been obvious to a person with ordinary skill in the art at the time the invention was effectively filed to incorporate Zou’s technique into Jones as .

Response to Arguments
Applicant's arguments filed 11/18/2020 regarding to amended limitation “suggest the secured network comprising an electronic system that implement security policies to avoid and track unauthorized access, exploitation, modification, or denial of network resources, as required by claims 1 and 11” have been fully considered have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

On page 9 of Remarks, Applicant appears to argue that Jones does not disclose suggest the protected data comprising data over which the secured network exercises controlled access and does not make available without the controlled access, as required by claims 1 and 11.
This is found unpersuasive because Jones, ¶ [0047], discloses the legally Protected Information includes Regulated Data, which is data that is protected from public disclosure by various laws, rules, policies, and/or the like, and cannot be divulged without express authorization from the employee.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (See PTO-892).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BAOTRAN N TO whose telephone number is (571)272-8156.  The examiner can normally be reached on M-F: 7-3.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOSEPH P HIRL can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


	/BAOTRAN N TO/           Primary Examiner, Art Unit 2435