Notice of Pre-AIA or AIA Status
The present application, filed on or after December 16, 2016, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/21/2021 has been entered.
Claims 1-9 and 11-22 are pending and are being considered.
Claims 1, 4-5, 11, 14 and 18-21 have been amended.
Response to 103
	Applicant's arguments filed on 01/15/2021 have been fully considered and are not persuasive. In response to applicant's argument on page 10 of the remarks that the references fail to teach the limitation “determining that a portion of the data object includes sensitive data based at least in part on a flag indicating a location of the sensitive data within the communication, information defining the flag included in configuration information associated with the backend service endpoint, the configuration information further comprising information separate from the data object and indicative of operations for securing the sensitive data, formatting the data object for transmission to the backend service endpoint to enable processing of the data object by the backend service endpoint within the communication”: the examiner acknowledges applicant's point of view but respectfully disagrees, because the above bolded portion of the limitation is taught by Margolin, which on para [0027 and 0034] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any key-based encryption algorithm (i.e. securing the sensitive information by encrypting it using a key based on an encryption algorithm).

The rest of applicant's arguments are moot in view of the new grounds of rejection; the arguments do not apply to the art currently being used.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/21/2020 and 02/01/2021 was filed after the mailing date of the application 15382571 on 12/16/2016.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-6, 8-9 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin (US 20140373165) in view of Singh et al (hereinafter Singh) (US 20070094394).
Regarding claim 1, Margolin teaches a computer-implemented method (Margolin on [abstract] teaches a method performed at computer system) comprising:
 establishing a cryptographically protected communications session with a client (Margolin on [0085-0086, 0089, and 0092] teaches a secure communication protocol (e.g. SSL TLS) between source and destination. See also Fig 2 block 102, 106, 114-1 and associated text on [0036] teaches private network communication between client device and server);
obtaining, within a computing environment [[isolated from other processes of an operating system]] and from the client over the cryptographically protected communications session, a data object in a communication to be directed to a backend service endpoint (Margolin on [0083, 0090 and 0103-0104] teaches receiving a first data transmission from first client device sent to the destination system (e.g. server system) through privacy proxy system (i.e. protected communication));
determining that a portion of the data object includes sensitive data [[based at least in part on a flag indicating a location of the sensitive data within the communication information defining the flag included in configuration information associated with the backend service endpoint,]] (Margolin on [0023-0025 and 0038] teaches document 111 one or more portion that includes sensitive data and marking the sensitive portion of the document);
 the configuration information further comprising information separate from the data object and indicative of operations for securing the sensitive data (Margolin on [0027 and 0034] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any suitable key-based encryption algorithm (i.e. securing the sensitive information by encrypting it using key based on encryption algorithm));
and cryptographic material corresponding to the backend service endpoint (Margolin on [0077, 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material));
encrypting, using the cryptographic material associated with the backend service endpoint, the portion of the data object to result in an encrypted portion (Margolin on [0077, 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material));
(Margolin Fig 9 block 902 and associated text on [0108-0109] teaches a document with encrypted portion and unencrypted remainder portion (i.e. updated document). See Fig 6 block 604-B and text on [0105-0106] teaches replacing the marked portion of the document with replacement element. The replacement may be alternative text (e.g., a message informing the user that the content in the marked portions is private), obscured text (the text in the marked portions blacked out or obscured by a mosaic effect, to resemble redacted text), a blank area);
 generating a request to the backend service endpoint including the modified data object, the request including information indicating that the sensitive data has been protected  (Margolin on [0077] teaches generating a request to the privacy proxy system. Also teaches the document includes encrypted marked portion (i.e. modified). See on [0112] teaches partially encrypted data is still protected. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party);
and transmitting the request to the backend service endpoint (Margolin on [0033 and 0044] teaches transmitting the request to the server system 114. See also on [0077-0079 and 0100] teaches a user at a client device 102 may make a request for the document 600, and in response the document 600 is sent by the server system 114 to the privacy proxy system 106).
	Although Margolin teaches marking the portion of data stream containing sensitive data, but fails to explicitly teach determining that a portion of the data object includes sensitive data based at least in part on a flag indicating a location of the sensitive data within the communication information defining the flag included in configuration information associated with the backend service endpoint, formatting the data object for transmission to the backend service endpoint to enable processing of the 
a computing environment isolated from other processes of an operating system (Singh Fig 2 and text on [0029-0032] teaches each application 204 can operate in conjunction with device operating system 202, can be part of device operating system 202, or can operate independently in effect as its own operating system (i.e. independent kernel level process). Host device 200 can also include a sensitive data agent 208);
determining that a portion of the data object includes sensitive data based at least in part on a flag indicating a location of the sensitive data within the communication information defining the flag included in configuration information associated with the backend service endpoint (Singh Fig 2 and text on [0029-0032] teaches sensitive data agent 208 can further detect sensitive data packetization, create sensitive data flags, and insert sensitive data flags into packets that carry all or a portion of identified sensitive data, tag files that contain sensitive data, and create and distribute policy and rules to control sensitive data transmission. Flags contained within flag type database 212 can be inserted into packets carrying sensitive data to other devices within the network to allow for the detection of the presence of sensitive data within the packet (i.e. interpreted in view of para [0046 and 0063] of spec). See also on [0039] teaches presence of flags in the data stream is indication of sensitive data in a packet. See also Fig 6-8 discloses flags indicating sensitive data in a packet. See on [0073] teaches inserting a flag in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to the means for detecting the packetization of the identified sensitive data);
formatting the data object for transmission to the backend service endpoint to enable processing of the data object by the backend service endpoint within the communication (Singh on [0067-0069] options field 902 of TCP Frame 900 may be used as a location for placement of sensitive data flags. For the case of a TCP-options field being used to carry sensitive data flags, there are two options for the format of that option field. The first could be a single octet (8 bits) of option kind, and a second could be an octet of option kind followed by an octet of option length and then the actual option data octets (i.e. formatting data object)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Singh into the teaching of Margolin by having a flag locating sensitive data in an information stream. One would be motivated to do so in order to identify and protect sensitive data in information based on a flag associated with the sensitive data (Singh on [0009-001]).

Regarding claim 2, the combination of Margolin and Singh teaches all the limitations of claim 1 above, Margolin further teaches wherein the computer-implemented method further comprises: receiving a second data object over the cryptographically protected communications session (Margolin on [0086 and 0089] teaches a second data transmission to a destination; the second data transmission includes a second document, with encryption applied to secure the second data transmission in accordance with a secure communication protocol, such as SSL or TLS);
and transmitting a second request to the backend service endpoint including the second data object (Margolin on [0086 and 0089] teaches a second data transmission to a destination; the second data transmission includes a second document, with encryption applied to secure the second data transmission in accordance with a secure communication protocol, such as SSL or TLS).
determining the second data object does not include sensitive data (Margolin on [0086] teaches the second data transmission includes the unencrypted unmarked remainder of the first document. The unmarked remainder is not encrypted beyond any encryption applied to the second data transmission as a whole).
Regarding claim 4, the combination of Margolin and Singh teaches all the limitations of claim 1 above, Margolin further teaches wherein the (Margolin on [0083, 0090 and 0103-0104] teaches receiving a first data transmission from first client device sent to the destination system (e.g. server system) through privacy proxy system (i.e. protected communication));
and wherein the cryptographic material further comprises a public key associated with the backend service endpoint (Margolin on [0077, 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm).
Regarding claim 5 Margolin teaches a system (Margolin on [0005] teaches a method performed at computer system) comprising:
 at least one computing device implementing one or more services (Margolin on [0030] teaches a computer or device to process, receive and send document (i.e. one or more services ));
wherein the one or more services: receive, over a cryptographically protected communications session, a set of data objects directed towards an endpoint (Margolin Fig 1 block 106, 102 and associated text on [0333-0034] teaches privacy proxy system receives data transmission which is then sent to client device (i.e. endpoint). Also teaches data transmission is sent using secure socket layer SSL or TLS);
determine, [[within an environment isolated from other processes of an operating system by a kernel level process,]] that a subset of data objects of the set of data objects includes sensitive data [[based at least in part on a set of flags indicating a location of the sensitive data within the set of data, the kernel level process including access to configuration information provided separately from the set of data objects]] (Margolin on [0023-0025 and 0038] teaches document 111 one or more portion that includes sensitive data and marking the sensitive portion of the document);
wherein the configuration information further comprises information that at least indicates operations for securing the sensitive data and enables obfuscation of the subset of data objects based at least in (Margolin on [0027 and 0034] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any suitable key-based encryption algorithm (i.e. securing the sensitive information by encrypting it using key based on encryption algorithm));
[[indicates formatting of the subset of data objects for transmission to the endpoint]] and enables obfuscation of the subset of data objects based at least in part on a cryptographic key associated with the endpoint (Margolin on [0005-0007, 0027, 0077 and 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material). See on [0034] teaches the privacy proxy system 106 decrypts the encrypted marked portions of encrypted document);
obfuscate the subset of data objects using the cryptographic key to generate a set of obfuscated data objects that can be de-obfuscated by a backend service associated with the endpoint (Margolin on [0005-0007, 0027, 0077 and 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material). See on [0034] teaches the privacy proxy system 106 decrypts the encrypted marked portions of encrypted document);
modify the set of data objects to include the set of obfuscated data objects thereby generating a modified set of data objects based at least in part on replacing the portion of the data object with the encrypted portion (Margolin Fig 9 block 902 and associated text on [0108-0109] teaches a document with encrypted portion and unencrypted remainder portion (i.e. updated document). See Fig 6 block 604-B and text on [0105-0106] teaches replacing the marked portion of the document with replacement element. The replacement may be alternative text (e.g., a message informing the user that the content in the marked portions is private), obscured text (the text in the marked portions blacked out or obscured by a mosaic effect, to resemble redacted text), a blank area);
(Margolin on [0033 and 0044] teaches transmitting the request to the server system 114. See also on [0077-0079 and 0100] teaches a user at a client device 102 may make a request for the document 600, and in response the document 600 is sent by the server system 114 to the privacy proxy system 106).
	Although Margolin teaches marking the sensitive portion of document to indicate sensitive data in the data stream, Margolin fails to explicitly teach determine, within an environment isolated from other processes of an operating system by a kernel level process, that a subset of data objects of the set of data objects includes sensitive data based at least in part on a set of flags indicating a location of the sensitive data within the set of data, the kernel level process including access to configuration information provided separately from the set of data objects, wherein the configuration information further comprises information that at least: enables detection of sensitive data by at least including information to detect a flag of the set of flags, and indicates formatting of the subset of data objects for transmission to the endpoint. However, Singh from analogous art teaches
 determine, within an environment isolated from other processes of an operating system by a kernel level process, that a subset of data objects of the set of data objects includes sensitive data based at least in part on a set of flags indicating a location of the sensitive data within the set of data, the kernel level process including access to configuration information provided separately from the set of data objects (Singh Fig 2 and text on [0029-0032] teaches each application 204 can operate in conjunction with device operating system 202, can be part of device operating system 202, or can operate independently in effect as its own operating system (i.e. independent kernel level process). Host device 200 can also include a sensitive data agent 208, which can operate in conjunction with device operating system 202 and/or application 204, can be part of device operating system 202 and/or application 204, or can operate independently. Sensitive data agent 208 can further detect sensitive data packetization, create sensitive data flags, and insert sensitive data flags into packets that carry all or a portion of identified sensitive data, tag files that contain sensitive data, and create and distribute policy and rules to control sensitive data transmission. Flags contained within flag type database 212 can be inserted into packets carrying sensitive data to other devices within the network to allow for the detection of the presence of sensitive data within the packet. See also on [0039] teaches presence of flags in the data stream is indication of sensitive data in a packet. See also Fig 6-8 discloses flags indicating sensitive data in a packet. See on [0073] teaches inserting a flag in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to the means for detecting the packetization of the identified sensitive data);
wherein the configuration information further comprises information that at least: enables detection of sensitive data by at least including information to detect a flag of the set of flags (Singh on [0032] teaches flags contained within flag type database 212 can be inserted into packets carrying sensitive data to other devices within the network to allow for the detection of the presence of sensitive data within the packet);
indicates formatting of the subset of data objects for transmission to the endpoint (Singh on [0067-0069] the options field 902 of TCP Frame 900 may be used as a location for placement of sensitive data flags. For the case of a TCP-options field being used to carry sensitive data flags, there are two options for the format of that option field. The first could be a single octet (8 bits) of option kind, and a second could be an octet of option kind followed by an octet of option length and then the actual option data octets).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Singh into the teaching of Margolin by having a flag locating sensitive data in an information stream. One would be motivated to do so in order to identify and protect sensitive data in information based on a flag associated with the sensitive data (Singh on [0009-001]).
Regarding claim 6, the combination of Margolin and Singh teaches all the limitations of claim 5 above, Margolin further teaches wherein generating the set of obfuscated data objects further comprises encrypting the subset of data objects with the cryptographic key according to a symmetric encryption algorithm (Margolin on [0027] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any suitable key-based encryption algorithm).
Regarding claim 8 the combination of Margolin and Singh teaches all the limitations of claim 5 above, Margolin further teaches wherein the endpoint is accessible to customers via a publicly addressable communications network (Margolin Fig 2 block 204 and associated text on [0031, 0033, 0036-0039] teaches the client system and the proxy system are connected by one or more communication network (e.g. VPN LAN)).
Regarding claim 9 the combination of Margolin and Singh teaches all the limitations of claim 5 above, Margolin further teaches wherein the configuration information further defines, for a set of endpoints of which the endpoint is a member: an encryption algorithm used to encrypt sensitive data the encryption algorithm satisfying a security policy associated with the sensitive data, and set of encryption keys of which cryptographic key is member (Margolin on [0027 0084 and 0113] teaches encrypting the marked portion (i.e. sensitive data) with key based encryption algorithm. Also teaches one or more encryption keys may be used for encryption. Also on [0023 and 0042-0044] teaches the privacy proxy system 106 decrypts the partially encrypted document 113 in accordance with the requesting user's rights level. See on [0110] teaches the privacy proxy system 106 may add metadata indicating the version of the key used to encrypt the document. As another example, the privacy proxy system 106 may add additional rights metadata (e.g., corporate-wide special rights policies) to the document).
Regarding claim 11, the combination of Margolin and Singh teaches all the limitations of claim 5 above, Singh further teaches wherein the configuration information indicates a type of data that is sensitive data (Singh on [0039] teaches presence of flags in the data stream is indication of sensitive data in a packet. See also Fig 6-8 discloses flags indicating sensitive data in a packet. See on [0073] teaches inserting a flag in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to the means for detecting the packetization of the identified sensitive data);
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Singh into the teaching of Margolin by having a flag locating sensitive data in an information stream. One would be motivated to do so in order to identify and protect sensitive data in information based on a flag associated with the sensitive data (Singh on [0009-001]).

Regarding claim 12 the combination of Margolin and Singh teaches all the limitations of claim 5 above, Margolin further teaches wherein generating the set of obfuscated data objects further comprises encrypting the subset of data objects using public key associated with endpoint and obtained from the configuration information (Margolin on [0027 and 0034] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any suitable key-based encryption algorithm (i.e. securing the sensitive information by encrypting it using key based on encryption algorithm));
Regarding claim 13 the combination of Margolin and Singh teaches all the limitations of claim 5 above, Margolin further teaches wherein the cryptographic key being designated by the backend service (Margolin on [0039] teaches The privacy proxy system 106 includes the encryption/decryption key(s) 108 and a document encryption/decryption module or application 206. The encryption/decryption module 206 uses the key(s) 108 to encrypt or decrypt marked portions in documents).

Claims 3 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin (US 20140373165) in view of Singh et al (hereinafter Singh) (US 20070094394) and further in view of Golden (US 20100292556).
Regarding claim 3, the combination of Margolin and Singh teaches all the limitations of claim 1 above, the combination fails to explicitly teach wherein the computing environment further comprises a kernel module that restricts interactions between the other processes and resources of the operating system, but Golden teaches wherein the computing environment further comprises a kernel module that restricts interactions between the other processes and resources of the operating system (Golden on [0102-0103] teaches a secure environment in which a kernel is used to protect against unauthorized access to system resources).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Golden into the combined teaching of Margolin and Singh by having a kernel restricting access to other processes in a secure protected environment. One would be motivated to do so in order to facilitate control of the processes and functions and to facilitate application quality control, regulatory compliance, security and other related features (Golden on [0032]).
Regarding claim 7, the combination of Margolin and Singh teaches all the limitations of claim 5 above, the combination fails to explicitly teach wherein the cryptographically protected communications session further comprises a Hypertext Transfer Protocol Secure (HTTPS) connection. However, Golden from analogous art teaches wherein the cryptographically protected communications session further comprises a Hypertext Transfer Protocol Secure (HTTPS) connection (Golden on [0073-0075] HTTP communication session protocol).
 into the combined teaching of Margolin, and Singh by having kernel restricting access to other process in a secure protected environment. One would be motivated to do so in order to facilitate control of the processes and functions and to facilitate application quality control, regulatory compliance, security and other related features (Golden on [0032]).

Claims 14-16, 19 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin (US 20140373165) in view of Singh et al (hereinafter Singh) (US 20070094394) and further in view of Wilkinson et al (hereinafter Wilkinson) (US 20140109107).
Regarding claim 14, Margolin teaches a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system (Margolin on [0007] teaches a non-transitory computer readable storage medium stores one or more programs configured for execution by a computer) cause the computer system to at least: obtain, [[at a first process of an operating system isolated from a set of processes of the operating system unauthorized to communicate with the first process,]] a request including a set of encrypted data objects directed towards a service endpoint implemented by another computer system (Margolin Fig 1 block 102, 106, 114 and associated text on [0033] teach a request from client system 102 for the partially encrypted document which is directed towards 106 privacy proxy system);
the request received [[by a second process of the operating system authorized to communicate with the first process]] in a data stream generated by the other computer system (Margolin on [0077] teaches request is made from client device to proxy system);
decrypt the set of encrypted data objects to generate a set of data objects (Margolin on [0034] teaches the privacy proxy system 106 decrypts the encrypted marked portions of encrypted document);
(Margolin on [0027 and 0034] teaches the privacy proxy system 106 encrypts the marked portions of the document 111 using an appropriate key from one or more encryption and/or decryption keys 108 in accordance with any suitable key-based encryption algorithm (i.e. securing the sensitive information by encrypting it using key based on encryption algorithm));
 [[information indicative of the flag identifying a location within the set of data objects of data not to be exposed, information indicative of formatting data for transmission to the service endpoint]] and cryptographic material associated with the service endpoint, that one or more data objects of the set of data objects includes data not to be exposed to one or more intermediaries along one or more routes between the computer system and the service endpoint (Margolin on [0077, 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material). See on [0111] teaches determining whether a document has a marked portion and the server system avoid marked portion of the document when processing the document. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party. Also on [0087] teaches encrypted marked portion of document is not available to destination system);
encrypt the one or more data objects using the cryptographic material to generate one or more encrypted data objects (Margolin on [0005-0007, 0027, 0077 and 0084] teaches encrypting the marked portion using appropriate key based on encryption algorithm (i.e. cryptographic material). See on [0034] teaches the privacy proxy system 106 decrypts the encrypted marked portions of encrypted document); 
(Margolin Fig 9 block 902 and associated text on [0108-0109] teaches a document with encrypted portion and unencrypted remainder portion (i.e. updated document). See Fig 6 block 604-B and text on [0105-0106] teaches replacing the marked portion of the document with replacement element. The replacement may be alternative text (e.g., a message informing the user that the content in the marked portions is private), obscured text (the text in the marked portions blacked out or obscured by a mosaic effect, to resemble redacted text), a blank area. See on [0102 and 0106] teaches the application 104 may obscure or replace the marked portions on the display with one or more replacement elements or other content. The replacement element (i.e. format information) or other content is alternative text, obscured text, a graphic, or a blank area (826). The marked portions, when they are not displayed in the clear, may be replaced with one or more replacement elements, on the display, for display purposes. See on [0041] teaches the application 104 displays the unmarked portions of the partially encrypted document 113 in the clear but the encrypted marked portions are replaced with other displayed content, such as a message or symbol indicating that the marked portions of the document are encrypted);
and forward the request to the service endpoint (Margolin on [0033 and 0044] teaches transmitting the request to the server system 114. See also on [0077-0079 and 0100] teaches a user at a client device 102 may make a request for the document 600, and in response the document 600 is sent by the server system 114 to the privacy proxy system 106).
Although Margolin teaches marking the sensitive portion of document to indicate sensitive data in the data stream, but fails to explicitly teach determine, based at least in part on a flag and configuration information provided separately from the set of encrypted data objects, where the 
determine, based at least in part on a flag and configuration information provided separately from the set of encrypted data objects, where the configuration information includes [[information indicative of operations for securing data,]] information indicative of the flag identifying a location within the set of data objects of data not to be exposed, information indicative of formatting data for transmission to the service endpoint  (Singh Fig 2 and text on [0029-0032] teaches each application 204 can operate in conjunction with device operating system 202, can be part of device operating system 202, or can operate independently in effect as its own operating system (i.e. independent kernel level process). Host device 200 can also include a sensitive data agent 208, which can operate in conjunction with device operating system 202 and/or application 204, can be part of device operating system 202 and/or application 204, or can operate independently. Sensitive data agent 208 can further detect sensitive data packetization, create sensitive data flags, and insert sensitive data flags into packets that carry all or a portion of identified sensitive data, tag files that contain sensitive data, and create and distribute policy and rules to control sensitive data transmission. Flags contained within flag type database 212 can be inserted into packets carrying sensitive data to other devices within the network to allow for the detection of the presence of sensitive data within the packet. See also on [0039] teaches presence of flags in the data stream is indication of sensitive data in a packet. See also Fig 6-8 discloses flags indicating sensitive data in a packet. See on [0073] teaches inserting a flag in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to the means for detecting the packetization of the identified sensitive data. 
See on [0067-0069] The options field 902 of TCP Frame 900 may be used as a location for placement of sensitive data flags. For the case of a TCP-options field being used to carry sensitive data flags, there are two options for the format of that option field. The first could be a single octet (8 bits) of option kind, and a second could be an octet of option kind followed by an octet of option length and then the actual option data octets).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Singh into the teaching of Margolin by having a flag locating sensitive data in an information stream. One would be motivated to do so in order to identify and protect sensitive data in information based on the flag associated with the sensitive data (Singh on [0009-001]).

The combination of Margolin and Singh fails to teach obtain, at a first process of an operating system isolated from a set of processes of the operating system unauthorized to communicate with the first process, a request, the request received by a second process of the operating system authorized to communicate with the first process. However, Wilkinson, from analogous art, teaches obtain, at a first process of an operating system isolated from a set of processes of the operating system unauthorized to communicate with the first process, a request [[including a set of encrypted data objects directed towards a service endpoint implemented by another computer system]] (Wilkinson Fig 1 block 108 and text on [0015] teaches service process (i.e. first process) receives command through file system API 112-2. Service 108 can then process the commands and return any results to file system filter driver 102. See [0012-0013] teaches Application process 106 (i.e. another process of set of processes of an OS which is unauthorized to communicate with first process) may be running in an environment that restricts inter-process communication with service process 108 (i.e. first process). Application 106 runs in an environment referred to as a sandbox that includes restrictions on inter-process communication. See on [0024-0025] teaches For example, service 108 may be a Win32 service, which are services provided by the Windows 8 operating system. Service 108 may also be other services, such as applications (e.g., word processing applications). Service 108 may also be running in user mode. However, service 108 may run in an environment that has fewer restrictions than application 106. For example, service 108 may have more access to more memory or APIs than application 106).
the request received by a second process of the operating system authorized to communicate with the first process in a data stream generated by the other computer system (Wilkinson on [0012] teaches other applications, such as desktop application 114 (i.e. second process), that are running in another process (e.g., process #3) may have access to IPC API 112-1 in a less restricted environment. Because desktop application 114 has access to IPC API 112-1, desktop application 114 may communicate in an inter-process communication with process #2 (i.e. service 108 application as first process) through IPC API 112-1).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Wilkinson into the combined teaching of Margolin and Singh by receiving a request on a first process of an OS in a sandbox environment. One would be motivated to do so in order to increase efficiency and performance of the system and protect against access by other processes that are not trustworthy (Wilkinson on [0002]).

Regarding claim 15 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Margolin further teaches wherein: the request is received from a client device (Margolin on [0077] teaches a user at client device make a request for the document);
the second process comprises a Transport Layer Security terminator (Margolin on [0025, 0028, 0033, 0085] teaches data transmission 118 may be sent using the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol);
instructions further comprise instructions that (Margolin on [0085-0086, 0089, and 0092] teaches a secure communication protocol (e.g. SSL TLS) between source and destination. See also Fig 2 block 102, 106, 114-1 and associated text on [0036] teaches private network communication between client device and server).
Regarding claim 16 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Margolin further teaches wherein: the service endpoint is associated with a service of a plurality of services; and the computer system processes requests for the service (Margolin on [0025-0026] teaches document is sent to proxy system and is decrypted. Proxy system process data and transmit data to and from other system. See also on [0033] teaches processing request by client system 102).
Regarding claim 19 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Margolin further teaches wherein the executable instructions that cause the computer system to determine that the one or more data objects of the set of data objects includes data not to be exposed (Margolin on [0111] teaches determining whether a document has a marked portion and the server system avoid marked portion of the document when processing the document. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party. Also on [0087] teaches encrypted marked portion of document is not available to destination system).
further include instructions that cause the computer system to determine that the one or more data objects include address information of a user associated with the request based at least in part on information obtained from the configuration information (Fig 7-8 and text on [0066-0068 and 0078] teaches packet associated with address).

Regarding claim 21 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Margolin further teaches wherein the executable instructions that cause the computer system to determine that the one or more data objects of the set of data objects includes data not to be exposed (Margolin on [0111] teaches determining whether a document has a marked portion and the server system avoid marked portion of the document when processing the document. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party. Also on [0087] teaches encrypted marked portion of document is not available to destination system);
further include instructions that cause the computer system to determine that the one or more data objects include data not to be exposed based at least in part on one or more fields associated with the one or more data objects indicated in information obtained from the configuration information (Margolin on [0111] teaches determining whether a document has a marked portion and the server system avoid marked portion of the document when processing the document. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party. Also on [0087] teaches encrypted marked portion of document is not available to destination system).
Regarding claim 22 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Singh further teaches wherein the computer system is a network edge device (Singh on [0022-0023] teaches type of network edge devices).

Claims 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Margolin (US 20140373165) in view of Singh et al (hereinafter Singh) (US 20070094394), in view of Wilkinson et al (hereinafter Wilkinson) (US 20140109107) and further in view of Manges (US 20130091351).
Regarding claim 17 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above. Although the combination teaches HTTP request, it fails to explicitly teach wherein the request is Hypertext Transfer Protocol POST request. However, Manges, from analogous art, teaches wherein the request is Hypertext Transfer Protocol POST request (Manges on [0052] teaches HTTP post request).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Manges into the combined teaching of Margolin and Singh by having HTTP POST request. One would be motivated to do so in order to protect sensitive information over secure communication channel (Manges on [0002-0003]).
Regarding claim 18 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 17 above, Singh further teaches wherein the executable instructions further comprise instructions that cause the computer system to determine, based at least in part on one or more headers included in the request, that the request is directed towards the service endpoint  (Singh on [0047] teaches Packet analyzer 308 can interpret the incoming packet stream and parse packet headers for sensitive data flags. When a sensitive data flag is found in a packet header, enforcer entity 306 can be notified to act upon the received packet. See on [0055 and 0062] teaches the flag can be inserted into the packet frame or frame header and at block 430 any packets associated with the file can be transmitted over the network);
 and wherein the executable instructions that cause the computer system to modify the request further include instructions that, as a result of being executed by the one or more processors of the computer system, cause the computer system to modify the one or more headers based at least in part on the information indicative of formatting data for transmission to the service endpoint (Singh on [0047] teaches Packet analyzer 308 can interpret the incoming packet stream and parse packet headers for sensitive data flags. When a sensitive data flag is found in a packet header, enforcer entity 306 can be notified to act upon the received packet. See on [0055 and 0062] teaches the flag can be inserted into the packet frame or frame header and at block 430 any packets associated with the file can be transmitted over the network).

Regarding claim 20 the combination of Margolin, Singh and Wilkinson teaches all the limitations of claim 14 above, Margolin further teaches wherein the executable instructions that cause the computer system to determine that the one or more data objects of the set of data objects includes data not to be exposed (Margolin on [0111] teaches determining whether a document has a marked portion and the server system avoid marked portion of the document when processing the document. See also on [0004] teaches data file may contain private or confidential contents which may be protected from attacks on third party. Also on [0087] teaches encrypted marked portion of document is not available to destination system).
The combination fails to explicitly teach further include instructions that cause the computer system to determine that the one or more data objects include payment information, but Manges teaches further include instructions that cause the computer system to determine that the one or more data objects include payment information indicated in information obtained from configuration information (Manges on [0032, 0060, 0064, 0084] teaches A payment system (e.g., an intermediary party server) may receive encrypted credit card information from an entity, such as a credit card number and credit verification value (CVV), and verify with the credit card company that the card number's user is authorized to make a purchase from the entity. See on [0005] teaches request the sensitive information from the user, not for use by the requestor, but for processing by a third party, such as a credit card system).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Manges into the combined teaching of Margolin, Singh and Wilkinson by (Manges on [0002-0003]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Mohler et al (US 20090158441) the present invention relate to information management. More specifically, an exemplary embodiment is directed toward management of sensitive information, including deletion of sensitive information upon detection of a triggering event. Furthermore, identity theft is currently affecting about 1 in 15 people, and corporate espionage is becoming more commonly used to gain an unlawful competitive advantage.
Nagasundaram et al (US 9665722) the present invention solve these problems by anonymizing sensitive or private information in order to transform information from an identity-rich state to an identity-free state, while still maintaining the functionality of the information for management, analysis, customer service, and/or any other useful purposes. Furthermore, embodiments of the present invention allow protection from unlawful use of consumer information or other private information, provide prevention from identification of people (i.e., "anonymizes" any sensitive data such that an individual cannot be readily identified by the data), and can render data useless from a privacy and security standpoint, while still allowing efficient access and use for specific purposes.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOEEN KHAN/Examiner, Art Unit 2436

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436