DETAILED ACTION


1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-25 are pending.  Claims 1, 17 and 19 are independent claims.

3.	Two IDS’es submitted on 3/10/2020 have been considered.

Claim Objections
4.	Claims 9-11, 13, 14 and 25 are objected to as being dependent upon a rejected base claim, but would be allowable over prior art if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Double Patenting
5.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

6.	Claims 1-25 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 10,628,600. Although the claims at issue are not identical, they are not patentably distinct from each other.

Claim Rejections - 35 USC § 102
7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


8.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

9.	Claims 1-8, 12 and 15-24 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hahn (US PG Pub. 2010/0058291).
	As regarding claim 1, Hahn discloses A computer-implemented method for automatically generating audit logs, the computer-implemented method comprising: 
	identifying, by a computer, audit log statement insertion points in components of an application based on a static code analysis identifying start and end operations on sensitive data in the components of the application [FIGS. 5A & 5B, para. 7, 48, 82, and 84-88; identifying the appropriate location in the source code to collect and store compliance information, such as sensitive data PII, in a log]; 
instrumenting, by the computer, the application with audit log statements at the audit log statement insertion points in the components of the application [para. 48, 82, and 84-88; inserting audit record generation code into the application source code to collect compliance information at the identified locations]; and 
generating, by the computer, audit logs of monitored sensitive data activity events in the application using the audit log statements at the audit log statement insertion points in the components of the application [para. 22 and 48; collecting and storing compliance information in a log using the inserted audit record generation code].  

As regarding claim 2, Hahn further discloses The computer-implemented method of claim 1 further comprising: performing, by the computer, a dynamic code analysis on the application to ensure that none of the sensitive data flows into the audit logs [para. 51 and 78; compliance information data may not be logged based on the compliance policies || FIG. 4 and para. 81-83; the user may prevent executing the code that collects sensitive data PII for audit selecting button 464 of the user interface 460].  

As regarding claim 3, Hahn further discloses The computer-implemented method of claim 2 further comprising: analyzing, by the computer, the audit logs for compliance with audit requirements [para. 20 and 80; analyzing the collected audits/log information to demonstrate compliance requirements].  

As regarding claim 4, Hahn further discloses The computer-implemented method of claim 3 further comprising: performing, by the computer, an action step regarding non-compliance of the audit logs with the audit requirements [para. 21-22; automatically generating audit event logging code to collect sufficient audits/log information].  


As regarding claim 5, Hahn further discloses The computer-implemented method of claim 1 further comprising: receiving, by the computer, the application with labeled sensitive data and ingestion points within the application [para. 46 and 79; recompiling the application including the inserted audit record generation code before executing the application], wherein the application performs a regulated service via a network [para. 33-35; applications performing services, regulated by auditors and regulatory bodies [para. 48], via a network in commercial, governmental, and educational systems].

As regarding claim 6, Hahn further discloses The computer-implemented method of claim 5 further comprising: identifying, by the computer, hardware components of a system hosting a regulated service [para. 46; identifying a computing device, on which the executable code generated from the source code of the application is deployed, authorized to access the sensitive data PII] and software components of the application that are authorized to access the sensitive data located at the labeled sensitive data and ingestion points within the application [para. 66; determining sensitivity level of the tagged keyword/library function].

As regarding claim 7, Hahn further discloses The computer-implemented method of claim 6 further comprising: performing, by the computer, a taint analysis on workflows tracking the sensitive data through the hardware components and the software components authorized to access the sensitive data [para. 18-20, 47-51, 64, 80 and 93; performing non-compliance analysis].  

As regarding claim 8, Hahn further discloses The computer-implemented method of claim 7 further comprising: determining, by the computer, input and output sensitive data flow points for software components of the application based on the taint analysis on the workflows tracking the sensitive data [para. 18-20, 47-51, 64, 80 and 93; determining appropriate portion of the source code to identify reasons for non-compliance].

As regarding claim 12, Hahn further discloses The computer-implemented method of claim 1 further comprising: identifying, by the computer, a trust level of each component authorized to access the sensitive data [para. 61; determining sensitivity level of the software object].  

As regarding claim 15, Hahn further discloses The computer-implemented method of claim 1 further comprising: generating, by the computer, a fifth audit log statement and a sixth audit log statement for each call that makes a call for the sensitive data within a same component [para. 48, 82, and 84-88; inserting audit record generation code into the application source code to collect compliance information at the identified locations]; and 
inserting, by the computer, the fifth audit log statement before the call for the sensitive data within the same component and inserting the sixth audit log statement after the call [para. 48, 82, and 84-88; inserting audit record generation code into the application source code to collect compliance information at the identified locations].  


As regarding claim 16, Hahn further discloses The computer-implemented method of claim 1 further comprising: 
identifying, by the computer, a software package corresponding to the application [para. 64; identifying the source code]; 
responsive to the computer determining that a set of one or more cryptographic libraries exist in the software package corresponding to the application, identifying, by the computer, cryptographic functions in the set of one or more cryptographic libraries identified in the software package that process the sensitive data [para. 58-59 and 65-66; identifying functions with “protection” label, e.g. encryption function, that process sensitive data]; 
monitoring, by the computer, sensitive data input and output events in the cryptographic functions that process the sensitive data [para. 22 and 48; collecting logged data in the identified “protection” function]; and 
generating, by the computer, audit logs for the input and output data events of the cryptographic functions that process the sensitive data [para. 22 and 48; collecting logged data in the identified “protection” function].  

As regarding claim 17, Hahn discloses A computer system for automatically generating audit logs, the computer system comprising: 
a bus system [para. 38, 43, and 96]; 
a storage device connected to the bus system, wherein the storage device stores program instructions [para. 9, 25, and 27-28]; and 
a processor connected to the bus system [para. 9, 25, and 27-28], wherein the processor executes the program instructions to: 
identify audit log statement insertion points in components of an application based on a static code analysis identifying start and end operations on sensitive data in the components of the application [FIGS. 5A & 5B, para. 7, 48, 82, and 84-88; identifying the appropriate location in the source code to collect and store compliance information, such as sensitive data PII, in a log]; 
instrument the application with audit log statements at the audit log statement insertion points in the components of the application [para. 48, 82, and 84-88; inserting audit record generation code into the application source code to collect compliance information at the identified locations]; and 
generate audit logs of monitored sensitive data activity events in the application using the audit log statements at the audit log statement insertion points in the components of the application [para. 22 and 48; collecting and storing compliance information in a log using the inserted audit record generation code].  

As regarding claim 18, Hahn further discloses The computer system of claim 17, wherein the processor further executes the program instructions to: perform a dynamic code analysis on the application to ensure that none of the sensitive data flows into the audit logs [para. 51 and 78; compliance information data may not be logged based on the compliance policies || FIG. 4 and para. 81-83; the user may prevent executing the code that collects sensitive data PII for audit selecting button 464 of the user interface 460].  

As regarding claim 19, Hahn discloses A computer program product for automatically generating audit logs, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising: 
identifying, by the computer, audit log statement insertion points in components of an application based on a static code analysis identifying start and end operations on sensitive data in the components of the application [FIGS. 5A & 5B, para. 7, 48, 82, and 84-88; identifying the appropriate location in the source code to collect and store compliance information, such as sensitive data PII, in a log]; 
instrumenting, by the computer, the application with audit log statements at the audit log statement insertion points in the components of the application [para. 48, 82, and 84-88; inserting audit record generation code into the application source code to collect compliance information at the identified locations]; and
generating, by the computer, audit logs of monitored sensitive data activity events in the application using the audit log statements at the audit log statement insertion points in the components of the application [para. 22 and 48; collecting and storing compliance information in a log using the inserted audit record generation code].

As regarding claim 20, Hahn further discloses The computer program product of claim 19 further comprising: performing, by the computer, a dynamic code analysis on the application to ensure that none of the sensitive data flows into the audit logs [para. 51 and 78; compliance information data may not be logged based on the compliance policies || FIG. 4 and para. 81-83; the user may prevent executing the code that collects sensitive data PII for audit selecting button 464 of the user interface 460].  

As regarding claim 21, Hahn further discloses The computer program product of claim 19 further comprising: receiving, by the computer, the application with labeled sensitive data and ingestion points within the application [para. 46 and 79; recompiling the application including the inserted audit record generation code before executing the application], wherein the application performs a regulated service via a network [para. 33-35; applications performing services, regulated by auditors and regulatory bodies [para. 48], via a network in commercial, governmental, and educational systems].  

As regarding claim 22, Hahn further discloses The computer program product of claim 21 further comprising: identifying, by the computer, hardware components of a system hosting a regulated service [para. 46; identifying a computing device, on which the executable code generated from the source code of the application is deployed, authorized to access the sensitive data PII] and software components of the application that are authorized to access the sensitive data located at the labeled sensitive data and ingestion points within the application [para. 66; determining sensitivity level of the tagged keyword/library function].  

As regarding claim 23, Hahn further discloses The computer program product of claim 22 further comprising: performing, by the computer, a taint analysis on workflows tracking the sensitive data through the hardware components and the software components authorized to access the sensitive data [para. 18-20, 47-51, 64, 80 and 93; performing non-compliance analysis].  

As regarding claim 24, Hahn further discloses The computer program product of claim 23 further comprising: determining, by the computer, input and output sensitive data flow points for software components of the application based on the taint analysis on the workflows tracking the sensitive data [para. 18-20, 47-51, 64, 80 and 93; determining appropriate portion of the source code to identify reasons for non-compliance].  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433