Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a Final Office action in response to communications received January 29, 2021.  Claims 1, 9, 17, and 24 have been amended.  Claims 31-33 have been added.  Therefore, claims 1-33 are pending and addressed below. 


Allowable Subject Matter
Claims 31 and 33 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-30 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Reid et al. (US 2015/0074409 A1, publish date 03/12/2015) in view of Liang (US2015/0106342 A2, publish date 04/16/2015).

Claims 1, 17, 24:
With respect to claims 1, 17, 24, Reid et al. discloses A computer-implemented method comprising/A non-transitory computer-readable storage medium including instructions (comparing Activity Logs, Figure 5) comprising:
a memory storing a discrepancy detection application; and a processor that is coupled to the memory, wherein, when executed by the processor, the discrepancy detection application (Figure 5) configures the processor to perform the steps of:
accessing, via a data intake and query system, a request log (The activity logs as illustrated in FIG. 5 contain transactional information to monitor access to patient's file, 0190) (An Activity Log UHE API 111, an Activity Log File Broker 264 and an Activity Log Cloud Lockbox 216 capture information representative of writing and reading of UHE files as well as information representative of changes to access by different members, 0231) (Activity Log data may be obtained from one or more of a variety of sources: when the UHE API 261 that is integrated with HCP #1 EHR 110 sends a file write or read request to the API Engine 260 in the Key Master 112, 0232),
wherein the request log includes a first plurality of activities initiated by a first client associated with one or more authorization keys; 
accessing, via the data intake and query system, a provider log (The activity logs as illustrated in FIG. 5 contain transactional information to monitor access to patient's file, 0190) (An Activity Log UHE API 111, an Activity Log File Broker 264 and an Activity Log Cloud Lockbox 216 capture information representative of writing and reading of UHE files as well as information representative of changes to access by different members, 0231) (Activity Log data may be obtained from one or more of a variety of sources: when the UHE API 261 that is integrated with HCP #1 EHR 110 sends a file write or read request to the API Engine 260 in the Key Master 112, 0232), wherein the provider log includes a second plurality of activities performed by a cloud provider (This medical home HCP #1 EHR 110 using UHE API 261 and Key Master 112 generates a unique pair of encryption keys using a public-private key combination for the patient.  The public key is shared with the HCP #1 EHR 110 but the private key is retained only in the Key Manager and File Broker 262 component of the Key Master 112.  This activity is depicted by reference numeral 2, 0158)(The activity logs provide an essential cross check of file access for security purposes and also provide a rich source of information to inform the patient regarding access to and sharing of the EHR files, private key, etc, 0190);
comparing a first set of activities in the first plurality of activities with a second set of activities in the second plurality of activities; determining that one or more unauthorized activities have occurred (comparing Activity Logs, Activity Logs Compare module 280 at the HIE Registry 120 provides a method for detecting and halting unauthorized access to files, 0230-0231) (Periodically, the HIE Registry 120 will analyze activity logs, using Activity Log Compare module 280, to detect anomalies that could indicate unauthorized access to Encrypted EHR Files 210 stored at the Cloud Lockbox 130, 0235); 
performing a first action to address the one or more unauthorized activities (if such an anomaly is detected, then the HIE Registry 120 may alter the Permissions Directory 212 of the Cloud Lockbox 130 in order to halt file retrieval from the suspect Key Master 112, denial of file retrieval, notify responsible members, a notification may include an email message, a text message, a telephone call, a pager alert, 0235).

Reid et al. does not disclose comparing a first set of activities that occur within a first time period with a second set of activities that also occur within the first time period, wherein the first set of activities are initiated by the first client in association with the one or more authorization keys, wherein the second set of activities are performed by the cloud provider in response to receiving one or more requests associated with the one or more authorization keys, and wherein the second set of activities performed by the cloud provider are attributed to the first client;
determining, based on comparing the first set of activities with the second set of activities, that a subset of the second plurality of activities is performed in response to one or more activities initiated by a second client that is different than the first client; 
determining that one or more unauthorized activities have occurred based on determining that the subset of the second plurality of activities is performed in response to the one or more activities as claimed.

However, Liang teaches at each data center, a cluster log module 116A, 116B, … 116N maintains a log of each key that a user accesses in the data center cluster, whether through a read request or write request, Log entries can include a timestamp of the user request, the key, the requested operation (0030, Figure 1), comparing a first set of activities that occur within a first time period with a second set of activities that also occur within the first time period, wherein the first set of activities are initiated by the first (process 300 for identifying key candidates with inconsistent cache values, also referred to herein as inconsistent keys, a log entry in the global log is selected and read, 0036) (log entries having a timestamp within ten minutes prior to the timestamp of the first selected operation chosen at block 302 are evaluated, 0037) (the predetermined log search duration can be selected to be five minutes.  Then, log entries having a timestamp within five minutes after the timestamp of the first selected operation chosen at block 410 are evaluated, 0044), wherein the second set of activities are performed by the cloud provider in response to receiving one or more requests associated with the one or more authorization keys, and wherein the second set of activities performed by the cloud provider are attributed to the first client (As long as the key is accessed by a user, the history of the activity relating to the key should be logged and analyzed.  Once the entire history relating to a key is recorded, it can be analyzed to determine if there is an inconsistency, and which data center the inconsistency originated from, 0029) (maintains a log of each key that a user accesses in the data center cluster… Log entries can include a timestamp of the user request, the key, the requested operation, the hash value of the key using a predetermined hash function, and the data center that the request was received at, 0030) (the global log is a chronological history of every key acted upon by a user throughout every data center in the system, 0031);
determining, based on comparing the first set of activities with the second set of activities, that a subset of the second plurality of activities is performed in response to one or more activities initiated by a second client that is different than the first client; 
determining that one or more unauthorized activities have occurred based on determining that the subset of the second plurality of activities is performed in response to the one or more activities (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Liang in Reid et al. for comparing a first set of activities that occur within a first time period with a second set of activities that also occur within the first time period, wherein the first set of activities are initiated by the first client in association with the one or more authorization keys, wherein the second set of activities are performed by the cloud provider in response to receiving one or more requests associated with the one or more authorization keys, and wherein the second set of activities performed by the cloud provider are attributed to the first client; determining, based on comparing the first set of activities with the second set of activities, that a subset of the second plurality of activities is performed in response to one or more activities initiated by a second client that is different than the first client;  determining that one or more unauthorized activities have occurred based on determining that the subset of the second plurality of activities is performed in response to the one or more activities as claimed to enhance the system of Reid et al. by identifying candidate inconsistent keys and therefore maximizing the protection of data/keys. (see Liang 0014)

Claims 2, 18, 25:
With respect to claims 2, 18, 25, the combination of Reid et al. and Liang discloses the limitations of claims 1, 17, and 24, as addressed. 

Reid et al. discloses wherein determining that the one or more unauthorized activities have occurred comprises comparing a first number of activities included in the first plurality of activities to a second number of activities included in the second plurality of activities (Activity Logs Compare module 280 at the HIE Registry 120 provides a method for detecting and halting unauthorized access to files, 0231) (Periodically, the HIE Registry 120 will analyze activity logs, using Activity Log Compare module 280, to detect anomalies that could indicate unauthorized access to Encrypted EHR Files 210 stored at the Cloud Lockbox 130, 0235).

Liang teaches wherein determining that the one or more unauthorized activities have occurred comprises comparing a first number of activities included in the first plurality of activities to a second number of activities included in the second plurality of activities (process 300 for identifying key candidates with inconsistent cache values, also referred to herein as inconsistent keys, a log entry in the global log is selected and read, 0036) (log entries having a timestamp within ten minutes prior to the timestamp of the first selected operation chosen at block 302 are evaluated, 0037) (the predetermined log search duration can be selected to be five minutes.  Then, log entries having a timestamp within five minutes after the timestamp of the first selected operation chosen at block 410 are evaluated, 0044).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claims 1, 17, and 24. 

Claim 3:
With respect to claim 3, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.

Liang teaches wherein determining that the one or more unauthorized activities have occurred comprises: identifying activities included in the first plurality of activities that occurred within a predetermined time window to generate a first plurality of current activities; identifying activities included in the second plurality of activities that occurred within the predetermined time window to generate a second plurality of current activities; and determining that a first number of current activities included in the first plurality of current activities is less than a second number of current activities included in the second plurality of current activities (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claims 4, 19, 26:
With respect to claims 4, 19, 26, the combination of Reid et al. and Liang discloses the limitations of claims 1, 17, and 24, as addressed.

Reid et al. discloses wherein determining that the one or more unauthorized activities have occurred comprises determining that at least one activity included in the second plurality of activities does not correspond to any activity included in the first plurality of activities (Activity Logs Compare module 280 at the HIE Registry 120 provides a method for detecting and halting unauthorized access to files, 0231) (Periodically, the HIE Registry 120 will analyze activity logs, using Activity Log Compare module 280, to detect anomalies that could indicate unauthorized access to Encrypted EHR Files 210 stored at the Cloud Lockbox 130, 0235).

Liang teaches wherein determining that the one or more unauthorized activities have occurred comprises determining that at least one activity included in the second plurality of activities does not correspond to any activity included in the first plurality of activities (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claims 1, 17, and 24. 

Claim 5:
With respect to claim 5, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.

Reid et al. discloses wherein determining that the one or more unauthorized activities have occurred comprises: determining that at least one activity included in the second plurality of activities does not correspond to any activity included in the first plurality of activities (Activity Logs Compare module 280 at the HIE Registry 120 provides a method for detecting and halting unauthorized access to files, 0231) (Periodically, the HIE Registry 120 will analyze activity logs, using Activity Log Compare module 280, to detect anomalies that could indicate unauthorized access to Encrypted EHR Files 210 stored at the Cloud Lockbox 130, 0235).

Liang teaches wherein determining that the one or more unauthorized activities have occurred comprises: determining that at least one activity included in the second plurality of activities does not correspond to any activity included in the first plurality of activities (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5) and 
determining that a first activity included in the at least one activity is not associated with one or more false positive characteristics (a real time comparison of actual cache values stored in the data centers is performed on the verified candidate keys to eliminate a false positive candidate inconsistent key, 0014) (to minimize likelihood that false positive inconsistent keys are identified, 0035) (false positives, 0049, 0053).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claims 6, 10:
With respect to claims 6, 10, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.

Reid et al. discloses further comprising generating the request log based on a first request log that specifies activities requested by a first compute resource and associated with a first authorization key included in the one or more authorization keys and a second request log that specifies activities requested by a second compute resource and associated with a second authorization key included in the one or more authorization keys (This medical home HCP #1 EHR 110 using UHE API 261 and Key Master 112 generates a unique pair of encryption keys using a public-private key combination for the patient.  The public key is shared with the HCP #1 EHR 110 but the private key is retained only in the Key Manager and File Broker 262 component of the Key Master 112.  This activity is depicted by reference numeral 2, 0158)(The activity logs provide an essential cross check of file access for security purposes and also provide a rich source of information to inform the patient regarding access to and sharing of the EHR files, private key, etc, 0190).

Liang teaches request log (Log entries can include a timestamp of the user request, the key, the requested operation, 0030).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claims 7, 20, 27:
With respect to claims 7, 20, 27, the combination of Reid et al. and Liang discloses the limitations of claims 1, 17, and 24, as addressed.

Reid et al. discloses further comprising generating the request log based on a first request log that specifies activities requested by a first compute resource and associated with a first authorization key included in the one or more authorization keys and a second request log that specifies activities requested by a second compute resource and associated with a second authorization key included in the one or more authorization keys  (This medical home HCP #1 EHR 110 using UHE API 261 and Key Master 112 generates a unique pair of encryption keys using a public-private key combination for the patient.  The public key is shared with the HCP #1 EHR 110 but the private key is retained only in the Key Manager and File Broker 262 component of the Key Master 112.  This activity is depicted by reference numeral 2, 0158)(The activity logs provide an essential cross check of file access for security purposes and also provide a rich source of information to inform the patient regarding access to and sharing of the EHR files, private key, etc, 0190), wherein the first compute resource is included in an on-premises deployment associated with the first client, and the second compute resource is included in a cloud deployment associated with the first client (Figure 5).

Liang teaches request log (Log entries can include a timestamp of the user request, the key, the requested operation, 0030).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claims 1, 17, and 24. 

Claim 8:
With respect to claim 8, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.
Reid et al. discloses further comprising, prior to comparing the request log to the provider log, receiving a first request log that specifies activities requested by a first compute resource and associated with a first authorization key included in the one or more authorization keys from either a firewall application or a data intake and query system application, and generating the request log based on the first request log (application programming interfaces, API, Figure 5).

Liang teaches request log (Log entries can include a timestamp of the user request, the key, the requested operation, 0030).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 




Claim 9:
With respect to claim 9, Reid et al. discloses further comprising generating the request log based on data received from a cloud provider infrastructure (cloud lockbox, Figure 5).

Claims 11, 21, 28:
With respect to claims 11, 21, 28, Reid et al. discloses further comprising, prior to comparing the request log to the provider log:
transmitting a request to a cloud provider infrastructure to provide an audit log of activities associated with the one or more authorization keys that the cloud provider infrastructure performed (an audit log of access gives the patient complete visibility regarding who has accessed what and when, 0130); and
generating the provider log based on the audit log received from the cloud provider infrastructure (An Activity Log UHE API 111, an Activity Log File Broker 264 and an 
Activity Log Cloud Lockbox 216 capture information representative of writing and reading of UHE files as well as information representative of changes to access by different members, 0231).

Claim 12:
With respect to claim 12, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.

Liang teaches wherein comparing the request log to the provider log comprises: normalizing the first plurality of activities and the second plurality of activities to generate, respectively, a first plurality of normalized activities and a second plurality of normalized activities; and performing one or more comparison operations between the first plurality of normalized activities and the second plurality of normalized activities (process 300 for identifying key candidates with inconsistent cache values, also referred to herein as inconsistent keys, a log entry in the global log is selected and read, 0036) (log entries having a timestamp within ten minutes prior to the timestamp of the first selected operation chosen at block 302 are evaluated, 0037) (the predetermined log search duration can be selected to be five minutes.  Then, log entries having a timestamp within five minutes after the timestamp of the first selected operation chosen at block 410 are evaluated, 0044) (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claim 13:
With respect to claim 13, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed. 

Liang teaches determining that a first time associated with a first activity included in the first plurality of activities is within a predetermined tolerance of a second time associated with a second activity included in the second plurality of activities;
associating both the first activity and the second activity with one of the first time, the second time, or a third time to generate, respectively, a first plurality of normalized activities and a second plurality of normalized activities (process 300 for identifying key candidates with inconsistent cache values, also referred to herein as inconsistent keys, a log entry in the global log is selected and read, 0036) (log entries having a timestamp within ten minutes prior to the timestamp of the first selected operation chosen at block 302 are evaluated, 0037) (the predetermined log search duration can be selected to be five minutes.  Then, log entries having a timestamp within five minutes after the timestamp of the first selected operation chosen at block 410 are evaluated, 0044); and 
performing one or more comparison operations between the first plurality of normalized activities and the second plurality of normalized activities (If the log entry matches the key being evaluated (block 315--Yes), then at decision block 325, the system determines if the operation in the log entry is a write operation that modified the value of the key, Only if the operation is a read operation, does the system compare the hash value for the log entry to a prior known hash value because the value of the key is not expected to change for a read operation 0039) (If the hash value is different than the last accessed hash value for the key (block 330--No), at block 335 the key is identified as a candidate for having inconsistent cache values, 0041) (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claims 14, 22, 29:
With respect to claims 14, 22, 29, the combination of Reid et al. and Liang discloses the limitations of claims 1, 17, and 24, as addressed.

Reid et al. discloses wherein performing the first action comprises generating an alert indicating that the one or more unauthorized activities have occurred, and transmitting the alert to at least one of the first client and the cloud provider (if such an anomaly is detected, then the HIE Registry 120 may alter the Permissions Directory 212 of the Cloud Lockbox 130 in order to halt file retrieval from the suspect Key Master 112, denial of file retrieval, notify responsible members, a notification may include an email message, a text message, a telephone call, a pager alert, 0235).

Liang teaches wherein performing the first action comprises generating an alert indicating that the one or more unauthorized activities have occurred (the system sends a request to each of the data center clusters for the hash value stored in the cache for a specific candidate key identified by phase 1 and phase 2.  The query is a real time query, the system compares the received hash values for the key to determine whether the cluster values are all consistent, If the hash values are inconsistent among the received hash values (block 520--No), at block 525, the system sends an alert, 0050-0052, Figure 5).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claims 1, 17, and 24. 

Claim 15:
With respect to claim 15, the combination of Reid et al. and Liang discloses the limitations of claim 1, as addressed.

Reid et al. discloses wherein both the request log and the provider log are associated with the data intake and query system, and performing the first action comprises generating an event associated with the data intake and query system application, wherein the event is associated with a specific point in time and includes a portion of data that is generated by one or more components in an information technology environment (the time-to-live feature limits the period of time that HCP #2 is authorized to retain the Patient's 116 files, 0171).

Liang teaches wherein the event is associated with a specific point in time and includes a portion of data that is generated by one or more components in an information technology environment (log entries having a timestamp within ten minutes prior to the timestamp of the first selected operation chosen at block 302 are evaluated, 0037) (the predetermined log search duration can be selected to be five minutes.  Then, log entries having a timestamp within five minutes after the timestamp of the first selected operation chosen at block 410 are evaluated, 0044).

Reid et al. and Liang are analogous art because they are from the same field of endeavor of computing environments.  

The motivation for combining Reid et al. and Liang is recited in claim 1. 

Claims 16, 23, 30:
With respect to claims 16, 23, 30, Reid et al. discloses wherein performing the first action comprises at least one of disabling one or more of the one or more authorization keys, deactivating a user account associated with the one or more unauthorized activities, causing a firewall application or a virtual private network server to perform one or more blocking operations, and installing a software application on a device that is associated with the one or more unauthorized activities (if such an anomaly is detected, then the HIE Registry 120 may alter the Permissions Directory 212 of the Cloud Lockbox 130 in order to halt file retrieval from the suspect Key Master 112, denial of file retrieval, notify responsible members , a notification may include an email message, a text message, a telephone call, a pager alert, 0235).




Claim 32:
With respect to claim 32, Reid et al. discloses wherein comparing the request log to the provider log comprises:
identifying a subset of the first plurality of activities and a subset of the second plurality of activities as superfluous; and collapsing the subset of the first plurality of activities or the subset of the second plurality of activities into a single event (the UHE approach can eliminate duplication of records within a single HCP as well as the duplication of records received from other health care providers, 0121).


Response to Remarks/Arguments
Applicant's arguments filed on January 29, 2021 have been fully considered but they are not persuasive.  In the remarks, Applicant argues that: 

Claims 1, 17, and 24:
(1) Liang merely discloses techniques for detecting cache inconsistencies by logging each key that a user accesses in a data center cluster, and executing a cache inconsistency detection algorithm that compares hash values for a log entry to a prior known hash value if the operation in the log entry is a read operation. However, Liang does not teach or suggest comparing activities initiated by a user with activities performed by a data center provider, let alone detecting cache inconsistencies by comparing log entries associated with a user accessing a data center cluster using candidate keys with log entries associated with a data center provider performing activities in response to the user’s requests associated with the candidate keys, wherein the log entries associated with the data center provider’s activities are attributed to the user, as required by the amended claim language.

In response to remark/arguments (1), Examiner respectfully disagrees.  Liang teaches “As long as the key is accessed by a user, the history of the activity relating to the key should be logged and analyzed.  Once the entire history relating to a key is recorded, it can be analyzed to determine if there is an inconsistency, and which data center the inconsistency originated from” (0029), “maintains a log of each key that a user accesses in the data center cluster… Log entries can include a timestamp of the user request, the key, the requested operation, the hash value of the key using a predetermined hash function, and the data center that the request was received at” (0030), “the global log is a chronological history of every key acted upon by a user throughout every data center in the system” (0031).  Examiner holds that Liang teaches comparing activities initiated by a user with activities performed by a data center provider, detecting cache inconsistencies by comparing log entries associated with a user accessing a data center cluster using candidate keys with log entries associated with a data center provider performing activities in response to the user’s requests associated with the candidate keys, wherein the log entries associated with the data center provider’s activities are attributed to the user, as required by the amended claim language.  Therefore examiner holds that the combination of Reid et al. and Liang discloses the limitation.  


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433