DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Isenberg (US 8,015,284 B1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 41-47, 51-52, and 56-65 are rejected under 35 U.S.C. 103 as being unpatentable over Arrowood (US 8,943,594 B1) in view of Wootton (US 2012/0110174 A1) and Isenberg (US 8,015,284 B1).

Regarding claim 41, Arrowood discloses: A method comprising: 
identifying, by one or more devices, a file; 
Refer to at least FIG. 2 and Col. 4, Ll. 32-49 of Arrowood with respect to a local system and associated security system.
Refer to at least Col. 3, Ll. 4-8, Col. 5, Ll. 3-11, and Col. 7, Ll. 1-6 of Arrowood with respect to intercepting a potentially malicious file. 
generating, by the one or more devices, exfiltration information associated with the file; 
Refer to at least Col. 3, Ll. 34-39, Col. 8, Ll. 12-19, and Col. 9, Ll. 17-20 of Arrowood with respect to dummy data which is inserted as bait for the file.
determining, by the one or more devices, that the exfiltration information is not detected in outbound network traffic; and 
Refer to at least Col. 3, Ll. 39-45, Col. 7, Ll. 58-64, Col. 8, Ll. 19-28, and Col. 9, Ll. 53-58 of Arrowood with respect to monitoring network communications and the dummy data; remediation and/or continued monitoring resultant therefrom.
Refer to at least Col. 8, Ll. 40-44 of Arrowood with respect to determinations of non-detection; in this case, declaring the file as safe if no detections occur after repeated testing.
providing, by the one or more devices, the exfiltration information to an exfiltration detection device that detects data exfiltration after the data exfiltration has occurred.
Refer to at least Col. 8, Ll. 8-11 and Col. 9, Ll. 39-58 of Arrowood with respect to implementing additional monitoring modules (e.g., monitoring subsequent communications) and also with respect to repeated monitoring.
Although Arrowood discloses repeated monitoring and monitoring via additional modules, Arrowood does not specify: [determining that the exfiltration information is not detected in outbound network traffic] after the outbound network traffic is monitored for a threshold amount of time; and based on determining that the exfiltration information is not detected in the outbound network traffic after the outbound network traffic is monitored for the threshold amount of time. However, Arrowood in view of Wootton discloses: and based on determining that the exfiltration information is not detected in the outbound network traffic.
Refer to at least FIG. 12, [0170], [0037], and [0093] of Wootton with respect to a first device providing data object information to a second analysis device responsive to an inability to determine an assessment. The data object information includes network traffic information and network characterization data.
The teachings of Arrowood-Wootton in view of Isenberg further disclose: [determining that the exfiltration information is not detected in outbound network traffic] after the outbound network traffic is monitored for a threshold amount of time; after the outbound network traffic is monitored for the threshold amount of time.
Refer to at least the abstract and Col. 11, Ll. 13-50 of Isenberg with respect to monitoring security detections made over a first period of time, determining whether no detections were made, and thereafter performing a second level of analysis.
The teachings of Arrowood and Wootton each concern malware detection and remediation and network analysis, and are considered to be within the same field of endeavor and combinable as such. Further, Arrowood considers repeated monitoring and additional modules for such, as well as timeframes for monitoring.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Arrowood to further include a second analysis of data object information for at least the purpose of reducing false negatives via additional analysis. It further would have been obvious to one of ordinary skill in the art to modify the teachings to include entering the second level of analysis based on monitoring over a period of time for at least the purpose of increasing operational efficiency (i.e., reducing the number of calls to additional analysis by aggregating information over time).
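As an added illustration (not code from the application or from any of the cited references), the claim 41 sequence as mapped above, in Python: bait data encoded with a file identifier, a bounded monitoring window over captured outbound traffic, and hand-off of the bait value to a second-stage detector that can still match it after the fact. All names, the token format and the sample traffic are hypothetical and constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

Event = Tuple[float, str]  # (seconds since sandbox start, decoded outbound payload text)

@dataclass
class CanaryRecord:
    file_id: str
    token: str
    status: str = "pending"

def make_exfiltration_info(file_id: str, nonce: Optional[str] = None) -> CanaryRecord:
    """Generate bait data for a file; the file id is encoded in the token (cf. claim 44)."""
    nonce = nonce or secrets.token_hex(8)          # constructed; shaped to look like a credential
    return CanaryRecord(file_id, f"AKIA-{file_id}-{nonce}")

def monitor_outbound(rec: CanaryRecord, events: Iterable[Event], threshold_s: float) -> bool:
    """Scan captured egress for the bait token, but only within the threshold window."""
    for ts, payload in events:
        if ts > threshold_s:                        # window elapsed: stop watching
            break
        if rec.token in payload:
            rec.status = "detected"
            return True
    rec.status = "not_detected_within_threshold"
    return False

class PostHocDetector:
    """Second-stage detector: keeps tokens so a later sighting still maps back to its file."""
    def __init__(self) -> None:
        self.tokens: dict[str, str] = {}
    def register(self, rec: CanaryRecord) -> None:
        self.tokens[rec.token] = rec.file_id
    def scan(self, line: str) -> list[str]:
        return [fid for tok, fid in self.tokens.items() if tok in line]

def analyze_file(file_id: str, run_sandbox: Callable[[str], list],
                 threshold_s: float, detector: PostHocDetector) -> tuple:
    """Bait -> monitor for the threshold -> permit, handing the token to the post-hoc detector."""
    rec = make_exfiltration_info(file_id)
    if monitor_outbound(rec, run_sandbox(rec.token), threshold_s):
        return rec, "block"
    detector.register(rec)                          # detection may still happen later
    return rec, "permit"

if __name__ == "__main__":
    det = PostHocDetector()
    # constructed egress capture: the token only leaves after the 60 s window has closed
    late = lambda tok: [(1.0, "GET /update"), (90.0, f"POST /upload k={tok}")]
    rec, verdict = analyze_file("invoice.pdf", late, 60.0, det)
    print(verdict, rec.status, det.scan(f"proxy log ... k={rec.token}"))
```

The late-exfiltration case shows why the last step of claim 41 matters: the sandbox verdict is "permit", yet the proxy log scan still attributes the sighting to the file.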

Regarding claim 42, Arrowood-Wootton-Isenberg discloses: The method of claim 41, further comprising: receiving, by the one or more devices, the file after a client device requests the file and before the file is provided to the client device.
Refer to at least Col. 2, Ll. 33-36, Col. 2, Ll. 62-66, Col. 3, Ll. 4-7, and Col. 7, Ll. 1-6 of Arrowood with respect to obtaining and intercepting the file. 

Regarding claim 43, Arrowood-Wootton-Isenberg discloses: The method of claim 41, where the exfiltration information includes information that is designed to appear to be sensitive information.
Refer to at least Col. 8, Ll. 16-19 of Arrowood with respect to exemplary dummy data designed to be enticing. 

Regarding claim 44, Arrowood-Wootton-Isenberg discloses: The method of claim 41, where the exfiltration information is encoded with a file identifier that identifies the file.
Refer to at least [0039] of Wootton with respect to exemplary identifier information included with the data object information.
It would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Arrowood to further include file identifier information for at least the reasons discussed in [0041] of Wootton (i.e., improving analysis).

Regarding claim 45, Arrowood-Wootton-Isenberg discloses: The method of claim 41, further comprising: executing the file in a testing environment associated with a virtual machine of a security device of the one or more devices; and monitoring outbound network traffic that leaves one or more of the security device or the virtual machine.
Refer to at least Col. 4, Ll. 50-65 and Col. 9, Ll. 40-47 of Arrowood with respect to exemplary decoy environments, including virtual machine environments associated with the security system. 

Regarding claim 46, Arrowood-Wootton-Isenberg discloses: The method of claim 41, further comprising: performing an action to permit the file to be accessed based on determining that the exfiltration information is not detected in the outbound network traffic.
Refer to at least Col. 8, Ll. 40-44 and Col. 10, Ll. 56-65 of Arrowood with respect to aborting monitoring and marking a file as being safe for use. 

Regarding claim 47, Arrowood-Wootton-Isenberg discloses: The method of claim 41, further comprising: storing the exfiltration information, in a memory local to the one or more devices, based on determining that the exfiltration information is not detected in the outbound network traffic.
Refer to at least Col. 8, Ll. 59-64 and Col. 7, Ll. 26-33 of Arrowood with respect to whitelisting and/or adapting rules to allow known safe files. 

Regarding claim 64, it is rejected for substantially the same reasons as claims 41 and 43 above (i.e., the citations concerning dummy data).

Regarding independent claim 51, it is substantially similar to independent claim 41 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claim 52, it is substantially similar to claim 42 above, and is therefore likewise rejected.

Regarding independent claim 56, it is substantially similar to independent claim 41 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claims 57-60, they are substantially similar to claims 42-46 above, and are therefore likewise rejected.

Regarding claim 61, it is rejected for substantially the same reasons as claim 56 above (e.g., FIG. 12 of Wootton).

Regarding claim 62, it is rejected for substantially the same reasons as claims 41 and 43 above (i.e., the citations concerning dummy data).

Regarding claim 63, Arrowood-Wootton-Isenberg discloses: The non-transitory computer-readable medium of claim 56, where the one or more instructions further cause the at least one processor to: store the exfiltration information, in a memory of a device that includes the at least one processor, based on determining that the exfiltration information is not detected in the outbound network traffic.
Refer to at least [0170] of Wootton with respect to providing the data object information, which is necessarily collected and stored beforehand. 
This claim would have been obvious for substantially the same reasons as the parent claim.

Regarding claim 65, it is substantially similar to claims 61 and 63 above, and is therefore likewise rejected.

Claim 67 is rejected under 35 U.S.C. 103 as being unpatentable over Arrowood-Wootton-Isenberg as applied to claims 41-47, 51-52, and 56-65 above, and further in view of Nachenburg (US 8,181,036 B1).

Regarding claim 67, Arrowood-Wootton-Isenberg does not disclose: wherein the exfiltration information is not detected in the outbound network traffic due to the outbound network traffic or the exfiltration information, in the outbound network traffic, being encrypted. However, Arrowood-Wootton-Isenberg in view of Nachenburg discloses: wherein the exfiltration information is not detected in the outbound network traffic due to the outbound network traffic or the exfiltration information, in the outbound network traffic, being encrypted.
Refer to at least Col. 1, Ll. 20-28 of Nachenburg with respect to failure to detect encrypted exfiltration information. 
The teachings of Arrowood-Wootton-Isenberg and Nachenburg concern exfiltration detection and prevention, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Arrowood-Wootton-Isenberg to further include support for encrypted exfiltration detection in the second level of analysis for at least the purpose of increasing security by further scrutinizing malware detection (e.g., Col. 1, Ll. 34-36 of Nachenburg).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access 

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432