DETAILED ACTION

1. 	This Office Action is in response to an application filed on Dec. 11, 2019. The original filing includes claims 1-20. Therefore, Claims 1-20 are presented for examination. Now claims 1-20 are pending.

Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Drawings
3.	The drawings filed on 12/11/2019 are accepted.

Oath/Declaration
4.	For the record, the Examiner acknowledges that the Oath/Declaration submitted on 12/11/2019 has been accepted.

Information Disclosure Statement
5.	The information disclosure statements (IDSs) submitted on 12/11/2019 and 03/15/2021 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Forms PTO-1449 are signed and attached hereto. 

Priority
6.	Applicant Claims NO priority on the instant application. 

Claim Objections
7.	Claims 2-4, 6-9, 11-12, 14-15, and 17-20 are objected to because of the following informalities: Claims 2-4 recite “a particular number”; “a particular data object” (See claim listing pages 33 and 34). The term “particular” introduces uncertainty, because what it refers to changes from one system to another. Therefore, the Examiner suggests removing the term “particular” to make the claims clear and give the reader certainty. Claims 6-9, 11-12, 14-15, and 17-20 have similar issues. Appropriate corrections are requested.

Claim Rejections - 35 USC § 101
8.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


9.	Claims 1, 4-7, 10-11, and 14 are not patent eligible because they are directed to an abstract idea.
10.	Method claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites maintaining a first database within a first security zone having a first set of security rules,

security zone; maintaining a second database within a second security zone having a second set of security rules, wherein the second set of security rules defines restrictions for storing data objects within the second security zone; performing, by a computer system within the first security zone, a first scan of the first database to determine whether a randomly selected first group of data objects stored in the first database comply with the first set of security rules; performing, by the computer system within the second security zone, a second scan of the second database to determine whether a randomly selected second group of data objects stored in the second database comply with the second set of security rules; and conveying, by the computer system, results of the first and second scans to a repository zone for review by an administrator, wherein the results are conveyed without conveying the data objects stored in the first and second databases to the repository zone, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “by the computer system” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by the computer system” language, “maintaining, performing, and conveying the results” in the context of this claim encompasses the steps from practically being performed in the mind (set some restrictions in different databases and scan databases objects if the restrictions comply with the scan database objects and report the results).
Specifically, the limitations of performing …, conveying, results of the first and second scans to a repository zone for review by an administrator, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “by the computer system,” language, “performing and conveying” in the context of this claim encompasses comparing content index of a plurality of content items maintained in a repository. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a computer system to perform the performing, conveying, and returning the results steps. The computer system in all the steps is recited at a high level of generality (i.e., as a generic computer system performing a generic computer function of scanning, evaluating information based on a determined use permissions) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computer system to perform the performing, conveying, and returning the results steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
Claims 4-7 further recite details of performing, and rules that lead to results of comparisons, which do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and do not add a significantly more limitation. These limitations merely further the abstract idea.
11.	Claims 10-11 and 14 are non-transitory, computer-readable storage medium claims that recite substantially the same limitations as claims 1 and 4-7, and the use of a non-transitory, computer-readable storage medium does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract 

Claim Rejections - 35 USC § 102
12.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

13.	Claims 16-17 and 19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” provisionally filed on Sep. 23, 2019.

Regarding claim 16, Meghji teaches:  A method, comprising:
receiving, at a repository zone of a computer system, first metadata generated from a first risk analysis performed within a first security zone, wherein the first risk analysis evaluates whether a first set of randomly selected database objects stored in the first security zone comply with a set of security rules, and wherein the first metadata is received without removing the first set of database objects from the first security zone; receiving, at the repository zone, second metadata generated from a second risk analysis performed within a second security zone, wherein the second risk analysis evaluates whether a second set of randomly selected database objects stored in the second security zone comply with a set of security rules, and wherein the second metadata is received without removing the second set of database objects from the second security zone; ((Meghji in FIG. 1 discloses Intermediate System(s) item 150 that is ; 
and based on the received first and second metadata, presenting, within the repository zone, a user interface depicting results of the first and second risk analyses (Meghji, stating at ¶ [0047] discloses a general description based on received first and second metadata (evaluating access rights) within storages of intermediate system that is depicted in FIG. 4 regarding metadata received and compared after evaluation analysis that can be presented through physical access control of item 432 to communicate with item 412 and clustered items 414, 416, 418 and 420 that the results are presented within a user interface through network interface 402 that leads to FIG. 5-FIG. 7A and FIG. 7B and related texts where FIG. 8 and FIG. 9 discloses various scenarios regarding displays and user interface).

Regarding claim 17, Meghji teaches: determining, based on the first metadata, that a particular data object in the first security zone does not comply with the set of security rules for the first security zone; and generating an alert for the particular data object (Meghji, see ¶¶ [0042, 0065, and 0217], which disclose how the access management dynamically generates access rights and sends notifications such as alerts to users for a particular data object, such as via emails, app or website, which facilitate distribution of access rights and processing of requests for such rights).

Regarding claim 19, Meghji teaches all the limitations of claim 17. Further Meghji teaches:  wherein the determining includes identifying, using the first metadata, that the particular data object is an unencrypted telephone number, and wherein the generating includes generating the alert in response to determining that the set of security rules for the first security zone requires telephone numbers to be encrypted (Meghji, see ¶ [0016], “storing, at a private database, one or more sensitive data items (e.g., member identifier, access-right holder's email address or phone number, resource identifier, access code, etc.), each sensitive data item of the one or more sensitive data items being capable of uniquely identifying an access-right holder, a resource, or an access right by itself or in combination with one or more additional data items …. In response to inputting the one or more sensitive data items into the one or more HD cryptography algorithms, deriving an anonymous address that uniquely and anonymously represents the access-right holder. The computer-implemented method also includes deriving a resource-specific private key and public key ( e.g., key pair) using the unique identifier representing the specific resource”; also see ¶¶ [0134 and 0213], and at the end see ¶ [0231], “access codes 1030a and load data 1020 may each be secure databases within a network of computing devices operated by the primary load management system. Access codes 1030a and load data 1020 may store private or sensitive information relating to access-right holders or resources, and thus, access codes 1030a and load data 1020 may not be accessible to the public”; which reads on applicant’s limitations … load data 1020 may store the unique member identifier of each access-right holder, the .

Claim Rejections - 35 USC § 103
14.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
15.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


16.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
17.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later .

18.	Claims 1 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Czarny et al. US 9,749,349 hereinafter “Czarny” Patented Aug. 29, 2017. 

Regarding claim 1, Meghji teaches:  A method, comprising:
maintaining a first database within a first security zone having a first set of security rules, wherein the first set of security rules defines restrictions for storing data objects within the first security zone; maintaining a second database within a second security zone having a second set of security rules, wherein the second set of security rules defines restrictions for storing data objects within the second security zone (Meghji in FIG. 1 discloses Intermediate System(s) item 150 that is equated to applicant’s first and second databases, see ¶ [0082], “A storage engine can manage data access and use the rowset ( e.g., to access tables and indices) to retrieve query-responsive data from one or more relational databases”, then see details of item 150 Intermediate system(s) of FIG. 1 in FIG. 3 item 330 that discloses access right through relational engine between databases items 341 and 342 along with  ¶¶ [0080- 0085], “SQL system 341 can include one or more SQL processors (e.g., included in one or more server farms, which may be geographically separated). SQL processors can be configured to query, update and otherwise use one or more relational data stores. SQL processors can be configured to execute ( and, in some instances, generate) code ( e.g., SQL code) to query a relational data store” which discloses these databases are being configured within each databases security zones that the rules are stored in database engine that includes storage engine and relational engine which can identify matching search criteria or value such as to access tables and indices to retrieve from relational databases that reads on applicant’s limitations, also see FIG. 6 and related texts for additional details);
performing, by a computer system within the first security zone, a first scan of the first database to determine whether a randomly selected first group of data objects stored in the first database comply with the first set of security rules; performing, by the computer system within the second security zone, a second scan of the second database to determine whether a randomly selected second group of data objects stored in the second database comply with the second set of security rules  (Examiner notes: Meghji in the ¶ [0003] BACKGROUND discloses scanning access code validates the access right which an ordinary skilled in the art of security can easily identify such functions like scanning databases are known in the art of security and Meghji uses scanning in order to avoid fraudulent actors and entry; Meghji in FIG. 1 discloses Intermediate System(s) item 150 that is equated to applicant’s first and second database, see ¶ [0082], “A storage engine can manage data access and use the rowset ( e.g., to access tables and), then see FIG. 14 ACL Scanner items 1460 and 1445 that ACL Scanner verifies validity by using specific public key (with set of security rules in different databases) that reads on applicant’s limitations also see ¶ [0126], “access rights for Section 1 may be provided for a first intermediate system to assign, and access rights for Section 2 may be provided to a second intermediate system to assign”); and conveying, by the computer system, results of the first and second scans to a repository zone for review by an administrator, wherein the results are conveyed without conveying the data objects stored in the first and second databases to the repository zone (Meghji in ¶ [0126] discloses conveying information of the results of resource access rights in different databases (section 1 and section 2 are provided the access right information to intermediate system to be published to individual intermediate systems to coordinate assignment) and continues in ¶ [0127] that in such instances (providing reports or information to intermediate systems) coordination engine 510 (repository zone) can respond to intermediate system send notifications to each of intermediate systems that access right are granted or unavailable without revealing the data objects (first see ¶ [0116] for data objects and then see in ¶ [0233] that discloses the data objects are being stored in secure storage database and where the pair of keys at Root-level seed passwords are being used also see 
Meghji does not explicitly disclose: the results are conveyed for review to administrator  
However Czarny teaches: the results are conveyed for review to administrator  (Czarny in col. 2 lines 20-28 discloses security vulnerability based on device scanning in order to either grant or deny access, then in col. 15 continues that the system administrator 119 receives the vulnerability report to review the report in order to determine to grant access to secure environment).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji with the teaching of Czarny because the use of Czarny’s idea (Czarny, abstract) could provide Meghji (Meghji, abstract) the ability to perform report and convey scanning results regarding security environment of a user or a device, to an administrator to review the results and determine the access rights accordingly, “the user I/O 1204 represents multiple user interface devices for multiple computer devices at multiple physical locations. The system administrator 119, for example, may use these devices to access, setup and control the computing system 1200 and, in some embodiments, to review the target device vulnerability report 117 and determine whether to grant access by the target device 103 to the secure environment 104” (Czarny, col. 15 lines 11-18). 

Regarding claim 9, the combination of Meghji and Czarny teach all the limitations of claim 1. Meghji further teaches: adding a new security rule to the first security zone without interrupting performance of a particular scan currently in progress; and in response to determining that the particular scan has completed, performing, within the first security zone, a new scan of the first database using the new security rule  (Meghji, see ¶ [0136], “the code may be generated prior to allocating access rights ( e.g., such that each of some or all allocated access rights are associated with an access-enabling code), prior to or while assigning one or more access right(s) 

Regarding claim 10, this claim defines a computer readable storage medium claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Therefore, claim 10 is rejected with the same rationale as in the rejection of claim 1. Furthermore, Meghji in para. [0017-0018] discloses computer readable storage medium where the storage medium executes instructions from a computer system.

19.	Claims 2, 4-5, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Czarny et al. US 9,749,349 hereinafter “Czarny” further in view of Cole et al. US  2004/0015728 hereinafter “Cole” Published Jan. 20, 2004.

Regarding claim 2, the combination of Meghji and Czarny teaches all the limitations of claim 1, but the combination does not explicitly disclose: wherein performing the first scan includes initiating a particular number of scanning processes in parallel, each scanning process performing a scan on a portion of the selected first group, wherein the particular number is based on an available bandwidth of the computer system
However Cole teaches: wherein performing the first scan includes initiating a particular number of scanning processes in parallel, each scanning process performing a scan on a portion of the selected first group, wherein the particular number is based on an available bandwidth of the computer system (Cole, first see ¶¶ [0045, 0141, 0142, 0147, and 0157] for parallel processing a particular number as a group (batch) and then see in ¶ [0183] that discloses scanning in batches by utilizing the available bandwidth on a network initiating scanning operations, “scanning the target computers in batches enables the system to more fully utilize the available bandwidth on a network by initiating scanning operations directed to multiple IP addresses in rapid succession”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Cole because the use of Cole’s idea (Cole, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to report and convey scanning according to available bandwidth the results regarding security environment of a user or a device, “scanning the target computers in batches enables the system to more fully utilize the available bandwidth on a network by initiating scanning operations directed to multiple IP addresses in rapid succession” (Cole, ¶ [0182]). 

Regarding claim 4, the combination of Meghji and Czarny teaches all the limitations of claim 1. Further the combination of Meghji and Czarny teaches the type of data objects, but the combination does not explicitly disclose: determining a risk analysis score for the particular data object, the risk analysis score indicating a level of compliance of storage of the particular data object with the first set of security rules
However Cole teaches: determining, by the computer system based on a type of data included in a particular data object in the first group, a risk analysis score for the particular data object, the risk analysis score indicating a level of compliance of storage of the particular data object with the first set of security rules (Cole, see ¶ [0191], “scanning process 2000 analyzes the results of the scanning operations and generates a vulnerability assessment. For example, in preferred embodiments, the scanning process 2000 generates a quantitative score of the target network vulnerability in accordance with the detailed description set forth below”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Cole because the use of Cole’s idea (Cole, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to report and convey scanning according to available bandwidth the results regarding security environment of a user or a device, “scanning the target computers in batches enables the system to more fully utilize the available bandwidth on a network by initiating scanning operations directed to multiple IP addresses in rapid succession … the scanning process 2000 generates a quantitative score of the target network vulnerability” (Cole, ¶¶ [0182 and 0191]).

Regarding claim 5, the combination of Meghji, Czarny and Cole teach all the limitations of claim 4. Further Czarny teaches: wherein the conveying includes determining, by the computer system, to convey the risk analysis score to the  repository zone in response to the risk analysis score satisfying a threshold risk value  (Czarny, see col. 5 lines 46-67 “the security vulnerability level may be provided as a score value indicating a level of vulnerability of the target device 103. For example, the security vulnerability level may be zero if no known vulnerabilities are found, a low value if only a few vulnerabilities are found, or a high value if a relatively large number of vulnerabilities are found. In some embodiments, the target device 103 may have no known security vulnerability if no vulnerabilities with a risk level over a particular risk threshold have been discovered”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji with the teaching 

Regarding claim 14, this claim defines a computer readable storage medium claim that corresponds to method claim 4 and does not define beyond limitations of claim 4. Therefore, claim 14 is rejected with the same rationale as in the rejection of claim 4. Furthermore, Meghji in para. [0017-0018] discloses computer readable storage medium where the storage medium executes instructions from a computer system.

Regarding claim 15, this claim defines a computer readable storage medium claim that corresponds to method claim 2 and does not define beyond limitations of claim 4. Therefore, claim 15 is rejected with the same rationale as in the rejection of claim 2. Furthermore, Meghji in para. [0017-0018] discloses computer readable storage medium where the storage medium executes instructions from a computer system.

20.	Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Czarny et al. US 9,749,349 hereinafter “Czarny” further in view of Williamson et al. US 2018/0232528 hereinafter “Williamson” Published Aug. 16, 2018.

Regarding claim 6, the combination of Meghji and Czarny teaches all the limitations of claim 1 and set of security rules and groups. Further Meghji teaches: wherein a particular security rule of the first set of security rules includes one or more criteria that are usable to match a given data object to a particular classification (Meghji, see ¶ [0153] discloses classifying for access-enabling code, “message processing can include classifying the message and routing it to the appropriate module. To illustrate, the message can be classified as a request for resource access or for an access-enabling code, an update message or an indication that a code has been redeemed or verified”), 
The combination of Meghji and Czarny does not explicitly disclose: and further comprising using, by the computer system, the one or more criteria to determine a confidence score for a particular data object in the first group, the confidence score indicating a level of confidence that the particular data object matches the particular classification
However Williamson teaches: and further comprising using, by the computer system, the one or more criteria to determine a confidence score for a particular data object in the first group, the confidence score indicating a level of confidence that the particular data object matches the particular classification (Williamson, see ¶¶ [0035- 0036], “The data classifier 108 may further determine that data is sensitive using reference table matching. The data classifier 108 may store various reference tables that include lists of potentially sensitive data, such as common names of persons, common terms in addresses … the machine learning model will be able to determine (with a confidence level) whether data is sensitive or not”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Williamson because the use of Williamson’s idea (Williamson, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to determine a confidence score that matches the classified data object with a confidence score that is a level of confidence in the group, “The data classifier 108 may match data portions in the data received from the data pre-processor 106 with the elements in the reference tables to see 

Regarding claim 7, the combination of Meghji, Czarny and Williamson teaches all the limitations of claim 6. Further Williamson teaches: wherein the particular security rule specifies a respective level of security to be enforced on a data object matched to the particular  classification, and further comprising comparing, by the computer system, the specified level of security for the particular data object to a security level of the first security zone (Williamson, see ¶¶ [0035- 0038], “The data classifier 108 may be able to detect the number and type of security feature(s) applied to the data portion. The security level may be determined to be higher based on the number of security features applied to the data portion, as well as the strength of the security feature applied to the data portion”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Williamson because the use of Williamson’s idea (Williamson, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to determine a confidence score that matches the classified data object with a confidence score that is a level of confidence in the group, “The data classifier 108 may match data portions in the data received from the data pre-processor 106 with the elements in the reference tables to see if it can find a match… able to determine (with a confidence level) whether data is sensitive or not” (Williamson, ¶¶ [0035-0036]).

Regarding claim 8, the combination of Meghji, Czarny and Williamson teaches all the limitations of claim 6. Further Meghji teaches: wherein the particular data object in the first group is encrypted (Meghji, see ¶ [0227] “the unique anonymous address representing the access-right holder and the encrypted access code data can be published to a distributed ledger that is represented across a public blockchain”), 
The combination of Meghji and Czarny does not explicitly disclose: and wherein using the one or more criteria to determine the confidence score for the particular data object includes determine the confidence score without performing a decryption operation
However, Williamson teaches: and wherein using the one or more criteria to determine the confidence score for the particular data object includes determine the confidence score without performing a decryption operation (Williamson, see ¶¶ [0035-0036], “The data classifier 108 may further determine that data is sensitive using reference table matching. The data classifier 108 may store various reference tables that include lists of potentially sensitive data, such as common names of persons, common terms in addresses … the machine learning model will be able to determine (with a confidence level) whether data is sensitive or not” and continues in ¶ [0065], that where encrypted data indicated a higher level of security and in ¶ [0067] indicates that the security level of the data is used such as logical classifier in order to determine the data portion is sensitive and have higher security level (higher confidence score without performing decryption), in addition in ¶ [0036] discloses N-gram method where the classifier uses convolutional neural network to on data known to be sensitive that reads on applicant’s limitation confidence score without performing decryption operation).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Williamson because the use of Williamson’s idea (Williamson, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to determine a confidence score that matches the classified data object with a confidence score that is a level of confidence in the group, “The data classifier 108 may match data portions in the data received from the data pre-processor 106 with the elements in the reference tables to see if it can find a match… able to determine (with a confidence level) whether data is sensitive or not” (Williamson, ¶¶ [0035-0036]).

21.	Claims 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Czarny et al. US 9,749,349 hereinafter “Czarny” further in view of Wei et al. US 10,715,542 hereinafter “Wei” Filed Jun. 30, 2016.

Regarding claim 11, the combination of Meghji and Czarny teaches all the limitations of claim 10 and set of security rules and results of the risk analysis. 
The combination of Meghji and Czarny does not explicitly disclose: a confidence score indicating a probability that a corresponding data object is a particular type of data object; and a risk score indicating an associated level of risk that the corresponding data object is vulnerable to misuse
However Wei teaches: a confidence score indicating a probability that a corresponding data object is a particular type of data object; and a risk score indicating an associated level of risk that the corresponding data object is vulnerable to misuse (Wei, first see col. 6 lines 1-67 that discloses types of objects that are vulnerable to harm (vulnerable to misuse) and probability that corresponds to data object, “malware may correspond to a type of malicious computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data … The term "malicious" may represent a probability (or level of confidence) that the object is associated with a malicious attack or known vulnerability. For instance, the probability may be based, at least in part, on (I) pattern matches; (ii) analyzed deviations in messaging practices set forth in applicable communication protocols”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Wei because the use of Wei’s idea (Wei, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to determine a confidence score that can analyze data object type with a confidence score (probability) that is a level of 

Regarding claim 12, the combination of Meghji and Czarny teaches all the limitations of claim 10 and set of security rules and results of the risk analysis. 
The combination of Meghji and Czarny does not explicitly disclose: converting the maintained data objects from a particular data format to a common data format, different from the particular data format
However, Wei teaches: converting the maintained data objects from a particular data format to a common data format, different from the particular data format (Wei, first see FIG. A and FIG. B along with col. 12 lines 20-25 and col. 14 lines 2-9, “management server 113 and converts the received application data into a format, as needed or appropriate,… As shown FIG. B, the communication interface 240 of the management server 113 receives transmissions from the analysis cloud 120, the mobile devices 130A-130C and the analysis server 114 and converts the received data into a format, as needed or appropriate, on which a determination by the classification logic 210 may be made”);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Wei because the use of Wei’s idea (Wei, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to convert the format of object data in order determine a confidence score that can analyze data object type with a confidence score (probability) that is a level of confidence, “The term "malicious" may represent a probability (or level of confidence) that the object is associated with a malicious attack or known vulnerability … analysis server 114 and converts the received data into a format” (Wei, col. 6 lines 61-63 and col. 14 lines 5-6). 

Regarding claim 13, the combination of Meghji, Czarny and Wei teaches all the limitations of claim 12 and set of security rules, results of the risk analysis and scanning set of data objects. 
Further, Wei teaches: selecting the set of data objects from the converted data objects; and … the set of the converted data objects to determine whether the converted data objects comply with the set of security rules. (Wei, first see FIG. A and FIG. B along with col. 12 lines 20-25 and col. 14 lines 2-9 and 35-38, “management server 113 and converts the received application data into a format, as needed or appropriate,… As shown FIG. B, the communication interface 240 of the management server 113 receives transmissions from the analysis cloud 120, the mobile devices 130A-130C and the analysis server 114 and converts the received data into a format, as needed or appropriate, on which a determination by the classification logic 210 may be made … any behaviors detected into categories (e.g., malware, vulnerabilities, code obfuscation, etc.), and/or describe the behaviors and/or threats posed and the threat level”);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji in view of Czarny with the teaching of Wei because the use of Wei’s idea (Wei, abstract) could provide Meghji (Meghji, abstract) in view of Czarny (Czarny, abstract) the ability to convert the format of object data in order determine a confidence score that can analyze data object type with a confidence score (probability) that is a level of confidence, “The term "malicious" may represent a probability (or level of confidence) that the object is associated with a malicious attack or known vulnerability … analysis server 114 and converts the received data into a format” (Wei, col. 6 lines 61-63 and col. 14 lines 5-6).

22.	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Czarny et al. US 9,749,349 hereinafter “Czarny” further in view of Williamson et al. US 2018/0232528 hereinafter “Williamson” Published Aug. 16, 2018.

Regarding claim 18, Meghji teaches all the limitations of claim 17 and generating alert regarding set of security rules such as access rights, but does not explicitly disclose: that the particular data object is a credit card number, and … determining that the set of security rules … restricts storage of credit card numbers
However Williamson teaches: that the particular data object is a credit card number, and … determining that the set of security rules … restricts storage of credit card numbers (Williamson, see ¶¶ [0023-0024] that discloses sensitive data that is protected may be credit card information and can be read in any format even encrypted credit card information, “sensitive data that may be protected under one or more of the above definitions include financial data of an individual ( e.g., a social security number, credit card information … The sensitive data included within the input data sources 102A-N may be of any data format. The sensitive data may be in plaintext, encrypted)” and continues in ¶ [0046] the restriction and protection of sensitive data (such as credit card information) that are in different formats in order to access data, “The data protect module 112 may apply a number or type of security features to the data portion so that the security level of that data portion reaches a desired level ( e.g., a minimum threshold required by law or some other standard). Examples of security features that may be applied are encryption (e.g., via SHA, RSA, etc.), tokenization, obfuscation, protection via different formats, access control restrictions, encryption of connections to access the data”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji with the teaching of Williamson because the use of Williamson’s idea (Williamson, abstract) could provide Meghji (Meghji, abstract) the ability to determine and identify credit card information in any format and restrict storage of such sensitive data, “The sensitive data included within the input data sources .

23.	Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Adam Meghji U.S. 2021/0119764 hereinafter “Meghji” in view of Williams et al. US 10,839,052 hereinafter “Williams” Published Aug. 24, 2017.

Regarding claim 20, Meghji teaches all the limitations of claim 17 and storing a plurality of security rules in the repository zone and set of security rules for the first and second zones in previous claims, but does not explicitly disclose: pushing a particular security rule to the first security zone to be added to the set of security rules …, wherein the pushing does not interrupt active processes …; and pushing a different security rule … to be added to the set of security rules …, wherein the pushing does not interrupt active processes 
However Williams teaches: pushing a particular security rule to the first security zone to be added to the set of security rules …, wherein the pushing does not interrupt active processes …; and pushing a different security rule … to be added to the set of security rules …, wherein the pushing does not interrupt active processes (Williams, first see col. 6 lines 60-67 that discloses adding security rules, and in col. 14 lines 34-39 discloses the rule can be pushed automatically and mitigate the attack and keep continuing on col. 15 lines 34-47 tailoring the security hardening can respond to simulated attacks during monitoring and the system can report any violation; that reads on applicant’s limitations).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Meghji with the teaching of Williams because the use of Williams’ idea (Williams, abstract) could provide Meghji (Meghji, abstract) the ability not only to add but also to push new rules at different times automatically during simulation or monitoring in order to harden the security, “a security expert can add custom sensors and/or security rules to security-hardening system 200, thus tailoring the .


Allowable Subject Matter
24.	Claim 4 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and to overcome claim objections set forth in the Office action.

Examiner note:
25.	In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution. MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.” Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R. 1.131(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.

Conclusion
26.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Leonid Rodniansky US 20150242531- discloses controlling access to a database server in a multi-tiered processing system.
Dettinger et al. US 20040068661- discloses Security rules are defined for fields and/or field values. The security rules specify one or more users to which the rules apply. A query is examined for content and a determination is made as to whether security action is required based on the content (e.g., a field and/or a value of the field) and user-specific data.
Sun et al. 2011 IEEE International Conference on Electronic & Mechanical Engineering and Information Technology, “Access Control Method Based on Multi-level Security Tag for Distributed Database System”, discloses Multi-level security system structure and defines the security tags of subjects and objects. It also presents definition rule of security tag and security tag table. Mandatory access control is achieved by modifying the user's query statement and using security tag table in distributed database system. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALIL NAGHDALI whose telephone number is (571) 272-9884. The examiner can normally be reached on M-F 8 AM-5 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE L KINCAID can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
/KHALIL NAGHDALI/Primary Examiner, Art Unit 2437