Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Applicant’s election without traverse of Species I in the reply filed on 03/29/2021 is acknowledged.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 10, 21 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Pridgen (US 2020/0167498)

Regarding Claim 1,

Pridgen (US 2020/0167498) teaches a method, comprising:
monitoring communications, between a user device and a server system, in which the user device requests access to a first resource provided via the server system (Paragraph [0019] teaches monitoring communication between user and server)(Paragraph [0034] teaches user account is monitored to detect when user commits content to the version control system);
 performing an initial scan of the first resource, wherein the initial scan captures an initial version of the first resource corresponding to an establishment of a connection between the user device and the server system (Paragraph [0034] teaches scheduling an initial scan); 
performing, by a computer system, data loss prevention operations that include: 
in response to detecting a triggering event associated with the communications between the user device and the server system, performing a subsequent scan that captures a subsequent version of the first resource (Paragraph [0035] and Figure 3, 330, teaches determining if any changes to content were made); 
and based on the initial and subsequent scans, determining whether any of a set of data loss prevention rules were violated; and in response to one or more of the set of data loss prevention rules being violated, initiating one or more corrective actions (Paragraph [0036], Figure 3, 360, teaches based on the scan, determining whether sensitive information has been leaked and then initiating remediation).

Regarding Claim 10, 21

Claims 10, 21 are similar in scope to Claim 1 and is rejected for a similar rationale.

Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-9, 13-15, 22-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pridgen (US 2020/0167498) in view of Gula (US 2013/0227714)

Regarding Claim 2,

Pridgen teaches the method of claim 1, but does not explicitly teach wherein the determining whether any of the set of data loss prevention rules were violated includes: performing a hash function on a portion of the initial version of the first resource to generate a first hash value; performing the hash function on a portion of the subsequent version of the first resource to generate a second hash value; and comparing the first and second hash values to determine whether the first resource was modified with content added by a user of the user device during the connection between the user device and the server system.

Gula (US 2013/0227714) teaches performing a hash function on a portion of the initial version of the first resource to generate a first hash value (Paragraph [0021] teaches performing a hash on the baseline system); performing the hash function on a portion of the subsequent version of the first resource to generate a second hash value (Paragraph [0021] teaches performing hash on the reference system); and comparing the first and second hash values to determine whether the first resource was modified with content added by a user of the user device during the connection between the user device and the server system (Paragraph [0021] teaches tracking changes from the baseline to the reference).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Pridgen with the hash function of Gula
The motivation is to track data leakage (Paragraph [0021] of Gula)

Regarding Claim 3,

Pridgen and Gula teaches the method of claim 2. Pridgen teaches wherein the determining whether any of the set of data loss prevention rules were violated further includes: in response to detecting that the first resource was modified during the connection, parsing the subsequent version of the first resource to determine whether the subsequent version includes any data from a particular set of sensitive data (Fig 3, 350, 360 and supporting text teaches search for potentially sensitive information, is sensitive information present).

Regarding Claim 4,

Pridgen and Gula teaches the method of claim 3. Pridgen teaches wherein the particular set of sensitive data is selected based on an identity of the user of the user device (Fig. 3, 310 and associated text, teaches selecting user account to monitor).

Regarding Claim 5,

Pridgen and Gula teaches the method of claim 3. Pridgen teaches wherein the particular set of sensitive data is selected based on the first resource (Fig. 3, 320, teaches wherein sensitive data is selected based on activity on the version control system)

Regarding Claim 6,

Pridgen and Gula teaches the method of claim 3. Pridgen teaches wherein the detecting the triggering event includes: comparing the first resource to a set of restricted resources (Paragraph [0009] teaches version control system may be GitHub or Bitbucket)

Regarding Claim 7,

Pridgen and Gula teaches the method of claim 1. Pridgen teaches wherein detecting the triggering event includes: determining that the user device has attempted to upload content belonging to a specified restricted category of content (Paragraph [0022] teaches determining user device has attempted to upload content that was emailed).

Regarding Claim 8,

Pridgen and Gula teaches the method of claim 1. Pridgen teaches wherein the performing the initial scan further includes: parsing at least a portion of the first resource to determine whether the first resource includes any data from a particular set of sensitive data (Paragraph [0023] scan for sensitive information)
While Pridgen teaches scanning periodically (Paragraph [0032]) Pridgen does not explicitly teach scanning upon the establishment of the connection.
The Examiner takes Official Notice scanning upon establishment of a connection is well known
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to substitute scanning periodically with scanning on connection and the results would be predictable (i.e. timing of scans would be upon connection)

Regarding Claim 9,

Pridgen and Gula teaches the method of claim 1. Pridgen teaches wherein the data loss prevention operations further includes: during the connection, monitoring one or more of the communications sent between the user device and the server system for any data from a particular set of sensitive data (Paragraph [0023])

Regarding Claim 13-15,

Claims 13-15 is similar in scope to Claims 2-3, 8 and is rejected for a similar rationale.

Regarding Claim 22-24,

Claims 22-24 are similar in scope to Claims 2-3, 6 and is rejected for a similar rationale.


Claims 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pridgen (US 2020/0167498) 

Regarding Claim 11,

Pridgen teaches the non-transitory, computer-readable medium of claim 10, wherein the data loss prevention operations further include: scanning a domain associated with the first resource to determine whether the domain includes any data from a particular set of sensitive data (Paragraph [0027] teaches scanning a domain associated with a version control server for sensitive information)
Pridgen does not explicitly teach scanning a subdomain
The Examiner takes Official Notice subdomains are well known
It would have been obvious to one of ordinary skill in the art to modify Pridgen from scanning a domain associated a first resource with scanning a subdomain associated with a first resource and the results would be predictable 


Claims 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pridgen (US 2020/0167498) in view of Roundy (US 2015/0261940)

Regarding Claim 12,

Pridgen teaches the non-transitory, computer-readable medium of claim 10, but does not explicitly teach wherein the operations further comprise: generating a severity score based on the one or more data loss prevention rules that were violated; and selecting the one or more corrective actions to initiate based on the severity score.
Roundy (US 2015/0261940) teaches generating a severity score based on the one or more data loss prevention rules that were violated; and selecting the one or more corrective actions to initiate based on the severity score (Paragraph [0059] teaches security actions based on the degree of leakage threat) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Pridgen with severity score of Roundy
The motivation is to prevent attacks on leaked information (Paragraph [0060] of Roundy)

Claims 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pridgen and Gula in view of Janssen (US 2016/0127417)


Regarding Claim 16,

Pridgen and Gula teaches the non-transitory, computer-readable medium of claim 15, but does not explicitly teach wherein the particular set of sensitive data is selected based on a role of a user of the user device.
Janssen (US 2016/0127417) teaches wherein the particular set of sensitive data is selected based on a role of a user of the user device (Paragraph [0025] teaches sensitive data is based on role)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Pridgen and Gula with the role based system of Janssen
The motivation is to allow a data loss protection system to take into account user’s roles and responsibilities (Paragraph [0004] of Janssen


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462.  The examiner can normally be reached on M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HARRIS C WANG/Primary Examiner, Art Unit 2439