DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 3/22/2019. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/15/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Notes
Analyses under 35 U.S.C. 101, Double Patenting, and 35 U.S.C. 112 have been conducted, and no issues were found.
Non-transitory computer-readable storage medium claims 14-18 depend on dependent claim 13, while corresponding method claims 3-5, 8-9 depend on independent claim 1. Please ensure this inconsistency is intended.

Claim Objections
Claims 2 and 13 are objected to because of the following informalities: 
Claims 2 and 13 recite “wherein said determining … a risk score for the first user comprises”, wherein “a risk score” should be “the risk score”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-7, 9-14, 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20190319945 A1) in view of Stamos (US 20040221172 A1).

Regarding claim 1, Levy teaches a method comprising:
obtaining and storing, by one or more servers associated with an enterprise network, information regarding historical user behavior of a plurality of users of the enterprise network by observing file access requests initiated by the plurality of users; ([0060] The threat management facility 100 may control access to the enterprise facility 102 networks. A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration.) Here Levy discloses in ¶50 that “the threat management facility 100 may include a policy management facility 112 that manages rules or policies for the enterprise facility 102. Exemplary rules include access permissions associated with networks, applications, compute instances, users, content, data, and the like. The policy management facility 112 may use a database, a text file, other data store, or a combination to store policies.”
receiving, by the one or more servers, a file access request initiated by a first user of the plurality of users, wherein the file access request relates to a file stored within the enterprise network in encrypted form; ([0207] FIG. 17 As shown in step 1702, the method 1700 may include receiving a request for a remote resource from a compute instance in an enterprise network, such as a request for authenticated access to the remote resource. This may include any resource that might usefully be accessed by a compute instance from within the enterprise network.) Here Levy discloses in ¶78 that “privacy may be addressed in some cases by user notifications and permissions, anonymization, tokenization, and encryption.”
responsive to receipt of the file access request, determining, by the one or more servers, a risk score for the first user based on a plurality of factors, including information regarding historical user behavior, the file access request and observed data determined based on the file access request; and ([0208] As shown in step 1704, the method 1700 may include calculating risk scores, for example by calculating a first risk score for a user of the compute instance. In one aspect, the entity models described herein provide useful computer-implemented tools for measuring expected behavior and deviations therefrom, and may be usefully employed in this context to calculate risk scores for the particular entities of interest: the user of the compute instance.) Here Levy discloses in ¶ 156 “to draw policy or security history of users and file usage.”
based on the risk score, permitting or denying, by the one or more servers, access to the file. ([0210, 0211, 0217] As shown in step 1706, the method 1700 may include selecting an authentication model for access to the remote resource by the user and the device. More generally, the authentication models may provide various sets of authentication requirements using various combinations of the foregoing authentication factors or any other authentication factors, with the particular authentication factors varying based on the user and device risk scores. As shown in step 1708, the method 1700 may include authenticating the user to the remote resource according to the authentication model selected in step 1706.)

Levy teaches based on the risk score, permitting or denying, access to the file, but does not explicitly teach this is done by returning a decryption key for the file or withholding the decryption key. This aspect of the claim is identified as a difference.
However, Stamos in an analogous art explicitly teaches
based on the risk score, permitting or denying, by the one or more servers, access to the file by returning a decryption key for the file or withholding the decryption key. ([0008, 0009] Encryption techniques such as those employing a Public Key Infrastructure (PKI) enable an enterprise to provide authentication, access control and confidentiality for its applications and data. Before accessing any information, the recipient must first authenticate with the policy server. The policy server then issues copies of required keys to permit the recipient to decrypt the information.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “dynamic authentication” concept of Levy, and the “adaptive encryption” approach of Stamos. One of ordinary skill in the art would have been motivated (Stamos [0018]).

Regarding claim 2, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein said determining, by the one or more servers, a risk score for the first user comprises evaluating the file access request with reference to a model of user behavior developed by machine-learning. ([Levy 0209] while event models for a user/device combination can provide a useful measure of riskiness, other measures may also or instead be used, either alone or in combination with such techniques. For example, other risk scores based on, e.g., signatures, context, behavior, machine learning or the like may be used in addition to, or instead of the risk scores described above to dynamically control authentication requirements based on assessed risk.)

Regarding claim 3, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the information regarding historical user behavior includes for each user of the plurality of users: 
historical data regarding general file access, including one or more of a number of files accessed by the user over a predetermined period of time, types of the files accessed, and applications used by the user over the predetermined period of time; ([Levy 0111] The valuation model may, for example, estimate value based on file location, based on an access control content, based on content, or based on any other context, usage, feature or combination of the foregoing. For example, the valuation model may estimate value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, file content, and file author.)
historical data regarding observed locations of the user; and historical data regarding observed times at which the user accesses files. ([Levy 0060] A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under certain conditions, such as the user's location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like.)

Regarding claim 5, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the observed data includes a status indicative of whether the connection through which the first user initiated the file access request is trusted or untrusted. ([Levy 0060] A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under certain conditions, such as the user's location, usage history, need to know, job position, connection type, time of day, method of authentication, client-system configuration, or the like.) Here Levy depicts in [0033] that connection including “one or more gateways, bridges, wired networks, wireless networks, virtual private networks, other compute instances.” It would have been prima facie obvious to one of ordinary skill in the art to conclude that connection through wired networks is more secure/trustworthy than through wireless networks (https://aberdeencybersecurity.co.uk/wired-vs-wireless-networking); as well as to conclude that connection with virtual private networks is more secure/trustworthy than without virtual private networks (https://www.tomsguide.com/us/-vpn-for-beginners,news-17514.html). 

Regarding claim 6, Levy in view of Stamos teaches all the features with respect to claim 5, as outlined above. The combination further teaches wherein the connection is trusted when the first user is on the enterprise network or accessing the enterprise network remotely via a secure connection. ([Levy 0216] Other secondary techniques may also or instead be used to support authentication models or provide additional authentication factors. For example, a secondary authentication may be based on information such as whether a user recently logged in to the device, whether a user recently provided a token passcode, whether the device recently connected to the enterprise network, the current IP address for a device, the geolocation of a device, or whether the user/device combination recently logged in to the remote resource.) Here Levy discloses that connection is more trustworthy if user is on the enterprise network by citing “the compute instances 10-26 may be protected from threats even when a compute instance 10-26 is not connected to the enterprise facility 102 network” [0038].

Regarding claim 7, Levy in view of Stamos teaches all the features with respect to claim 5, as outlined above. The combination further teaches wherein the connection is untrusted when the first user is not on the enterprise network or accessing the enterprise network remotely via an insecure connection. ([Levy 0216] Other secondary techniques may also or instead be used to support authentication models or provide additional authentication factors. For example, a secondary authentication may be based on information such as whether a user recently logged in to the device, whether a user recently provided a token passcode, whether the device recently connected to the enterprise network, the current IP address for a device, the geolocation of a device, or whether the user/device combination recently logged in to the remote resource.) Here Levy discloses that connection is less trustworthy if user is not on the enterprise network by citing “the compute instances 10-26 may be protected from threats even when a compute instance 10-26 is not connected to the enterprise facility 102 network” [0038].

Regarding claim 9, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein said permitting or denying further comprises when the risk score is less than a first threshold, returning the decryption key and providing full access to the file. ([Levy 0213] if the risk score for the device or the user (or some combination of these) is below a threshold such that it indicates that the user and device are safe, then the authentication model may forego an additional authentication factor.)

Regarding claim 10, Levy in view of Stamos teaches all the features with respect to claim 9, as outlined above. The combination further teaches wherein said permitting or denying further comprises when the risk score is between the first threshold and a second threshold, returning the decryption key and providing limited access to the file. ([Levy 0211] The risk scores may also generally be used as an authentication factor, e.g., by using the risk score as a property of the user and requiring a minimum or maximum value, or indirectly by using the risk score as a threshold for whether to select an authentication model requiring one or more additional authentication factors. [Levy 0213] if the risk score for the device or the user (or some combination of these) is below a threshold such that it indicates that the user and device are safe, then the authentication model may use an additional authentication factor (analogous to claim limitation “less than second threshold”). If the risk score for the device or the user is above the threshold such that it indicates that the user or the device is compromised or unsafe, then the authentication model may require the additional authentication factor as a condition for access by the device to the remote resource (analogous to claim limitation “greater than first threshold”).)

Regarding claim 11, Levy in view of Stamos teaches all the features with respect to claim 10, as outlined above. The combination further teaches wherein said permitting or denying further comprises when the risk score is greater than the second threshold, withholding the decryption key. ([Levy 0213] if the risk score for the device or the user is above the threshold such that it indicates that the user or the device is compromised or unsafe, then the authentication model may withhold the additional authentication factor to prevent access by the device to the remote resource.)

Regarding claims 12-14, 16 and 18-20, the scope of the claims is similar to that of claims 1-3, 5 and 9-11, respectively. Accordingly, the claims are rejected using a similar rationale.
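
The tiered decision recited in claims 9-11 (key returned with full access below a first threshold, key returned with limited access between the two thresholds, key withheld above the second), sketched here as an added example that is not taken from the application, Levy or Stamos. The factor weights, the threshold values 30 and 70, the sample user and file, and all class and function names are assumptions made for illustration.

```python
"""Added illustration: risk-scored release of a file decryption key.
Weights, thresholds and all names are assumptions, not from any cited reference."""
import secrets
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

FIRST_THRESHOLD, SECOND_THRESHOLD = 30.0, 70.0   # assumed values

@dataclass
class UserHistory:            # historical behavior observed per user
    access_hours: list        # hours of day (0-23) of past file accesses
    locations: set            # locations previously seen for the user
    daily_file_counts: list   # files accessed per day over the look-back period

@dataclass
class AccessRequest:          # the request plus data observed from it
    user: str
    file_id: str
    hour: int
    location: str             # e.g. derived from the source IP address
    trusted_connection: bool
    files_today: int

@dataclass
class Decision:
    score: float
    mode: str                 # "full", "limited" or "deny"
    key: Optional[bytes]

def risk_score(hist: UserHistory, req: AccessRequest) -> float:
    """0 (matches history) to 100 (deviates on every factor)."""
    # Unusual hour: circular distance to the nearest hour seen before, capped at 6 h.
    gap = min(min(abs(req.hour - h), 24 - abs(req.hour - h)) for h in hist.access_hours)
    score = min(gap, 6) / 6 * 25
    score += 30 if req.location not in hist.locations else 0
    score += 20 if not req.trusted_connection else 0
    # Unusual volume: z-score of today's file count against the baseline, capped at 3.
    spread = pstdev(hist.daily_file_counts) or 1.0
    z = max(0.0, (req.files_today - mean(hist.daily_file_counts)) / spread)
    return round(score + min(z, 3) / 3 * 25, 1)

class KeyServer:
    def __init__(self, histories: dict):
        self.histories = histories
        self.file_keys = {}

    def protect(self, file_id: str) -> None:
        self.file_keys[file_id] = secrets.token_bytes(32)   # per-file key

    def handle(self, req: AccessRequest) -> Decision:
        hist = self.histories.get(req.user)
        key = self.file_keys.get(req.file_id)
        # Fail closed: no baseline or no such file means no key.
        if key is None or hist is None or not hist.access_hours or not hist.daily_file_counts:
            return Decision(100.0, "deny", None)
        score = risk_score(hist, req)
        if score < FIRST_THRESHOLD:
            return Decision(score, "full", key)
        if score <= SECOND_THRESHOLD:
            return Decision(score, "limited", key)   # client wrapper enforces the limits
        return Decision(score, "deny", None)

def demo_server() -> KeyServer:
    # Constructed sample baseline for a hypothetical user "alice".
    hist = UserHistory([9, 10, 11, 14, 16], {"US"}, [10, 12, 8, 11, 9])
    server = KeyServer({"alice": hist})
    server.protect("report.docx")
    return server

if __name__ == "__main__":
    s = demo_server()
    for r in (AccessRequest("alice", "report.docx", 10, "US", True, 9),
              AccessRequest("alice", "report.docx", 10, "US", False, 12),
              AccessRequest("alice", "report.docx", 3, "ZZ", False, 40)):
        d = s.handle(r)
        print(r.hour, r.location, d.score, d.mode, d.key is not None)
```
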

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20190319945 A1) in view of Stamos (US 20040221172 A1) and Lof (US 20140310779 A1).

Regarding claim 4, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the observed data includes a current location of the first user as determined based on a source Internet Protocol (IP) address contained in the file access request. This aspect of the claim is identified as a difference.
However, Lof in an analogous art explicitly teaches wherein the observed data includes a current location of the first user as determined based on a source Internet Protocol (IP) address contained in the file access request. ([0130] the media content provider can use geo-location techniques to determine a geographic location of the client device (e.g., the country in which the client device resides). Such techniques include using the IP address of the client device (which can be determined from an HTTP request, for example) to lookup the user's probable location in an IP address 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “dynamic authentication” concept of Levy, and the “geo-location techniques using IP address” approach of Lof. One of ordinary skill in the art would have been motivated to perform such a modification to provide efficient and secure access to content by obtaining information about the client device that is not explicitly provided or reported by the client device, but available through the communication between the client device and the content provider (Lof [0130, 0010]).

Regarding claim 15, the scope of the claim is similar to that of claim 4, respectively. Accordingly, the claim is rejected using a similar rationale.

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Levy (US 20190319945 A1) in view of Stamos (US 20040221172 A1) and Pigin (US 20050229258 A1).

Regarding claim 8, Levy in view of Stamos teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the encrypted form involves the file being encapsulated in a cryptographic wrapper. This aspect of the claim is identified as a difference.
However, Pigin in an analogous art explicitly teaches wherein the encrypted form involves the file being encapsulated in a cryptographic wrapper. ([0230] These operations manipulate cryptographic objects at the file level. File-level wrappers are based on the crypto container concept. All cryptographic objects, associated with a single original file, are encapsulated into a single file of compound structure (cryptocontainer).)
(Pigin [0001, 0004]).

Regarding claim 17, the scope of the claim is similar to that of claim 8, respectively. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20110126293 A1, "System and method for contextual and behavioral based data access control", by Berengoltz, teaches controlling access to information. An encrypted version of the information is stored. An attempt to access encrypted information may be intercepted and an access authorization rank may be computed. If computed access authorization rank is above a predefined level then a decrypted version of the information may be provided.
US 8688980 B2, "Trust verification schema based transaction authorization", by Davis, teaches determining one or more behavioral fingerprints associated with one or more network accessible users; relationally mapping the one or more behavioral fingerprints to generate a trust verification schema associated with the one or more network accessible users; and determining whether to authenticate one or more transactions via the trust verification schema.
US 20110016534 A1, "Implicit authentication", by Jakobsson, teaches method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern. The recent contextual data, which comprise a plurality of data streams, are collected from one or more user devices without prompting the user to perform an action explicitly associated with authentication. The plurality of data streams provide basis for determining the user behavior score, but a data stream alone provides insufficient basis for the determination of the user behavior score. The system also provides the user behavior score to an access controller of the controlled resource.
US 20210176264 A1, "Leveraging user-behavior analytics for improved security event classification", by Yavo, teaches improving security event classification by leveraging user-behavior analytics are provided. According to an embodiment, a UEBA-based security event classification service of a cloud-based security platform maintains information regarding historical user behavior of various users of an enterprise network. An endpoint protection platform running on an endpoint device that is part of the enterprise network performs an initial classification of the event, based on which the endpoint protection platform blocks activity by the process. The endpoint production platform requests input from the cloud-based security platform which causes the cloud-based security platform performs a reclassification of the event based on contextual information, multiple data feeds and the UEBA-based security event classification service. Based on the reclassification of the event, the cloud-based security platform 
US 20200195672 A1, "Analyzing user behavior patterns to detect compromised nodes in an enterprise network", by Mugambi, teaches analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device, identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
US 20160261606 A1, "Location-based network security", by Salvador, teaches providing a location-aware firewall and/or a network security/gateway device that can authorize and/or deny access of a secured resource to a requester/user based on one or more rules related to physical location and/or IP address tagged geo-location of the user's device.
CN 112491876 A, "Geographic position access control method and device", by Zhang, teaches acquiring an IP address of an access request; determining a geographic location of the access request based on the IP address, the geographic location including a country or province or city; comparing the geographic location to a plurality of masks in .

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/H.Y./Examiner, Art Unit 2493


/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493