DETAILED ACTION
This communication is responsive to the application # 16/643,529 filed on February 29, 2020. Claims 1-25 are pending and are directed toward MANAGING DATA EXFILTRATION RISK.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-11 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Jou et al. (US 2015/0205954, Pub. Date: Jul. 23, 2015), hereinafter referred to as Jou.
As per claim 1, Jou teaches a computer-based method to facilitate managing data exfiltration risk in a computer network environment (High-risk activities may arise from intent to exfiltrate data in an unauthorized way. Jou, [0036]), the computer-based method comprising:
collecting computer file management information associated with each respective one of a plurality of computer files in an organization's computer network environment from a computer operating system (In accordance with another aspect of the present invention, there is provided a method for measuring risk associated with data files within a population, Jou, [0008], also For example, sensitive files may be compressed and uploaded to an external computer or server; Jou, [0035]);
collecting user activity information associated with each respective one of a plurality of user sessions by users having access to the organization's computer network environment (In various embodiments, there is a quantifiable risk element associate with the involved person or persons: certain people, when associated with an exfiltration of data, for example, may present a relatively higher risk to an organization by virtue of the knowledge they have, their position within the organization, their access to sensitive data such as intellectual property, or the like. Jou, [0047], also a user may deviate from a normal behavioural work pattern; a user may spend unusual amounts of time working with specific documents or specific applications; applications may be opened and/or closed in an unusual pattern and/or at unusual times; or an employee may unexpectedly access a number of sensitive data files outside the realm of their normal duties. Jou, [0035]) with a plurality of session monitoring agents (monitoring and observing actions and behaviours of actors such as persons and computers, analyzing the monitored data to identify potential risks, and optionally acting on the outcome of said analysis. Monitoring and observation may comprise monitoring of computer-related activities, such as computer commands entered by a person, computer scripts or routines which are automatically or manually, locally or remotely initiated on certain computing assets, and the like. Jou, [0033], see also Monitoring modules may comprise hardware components, software agents, or the like, or a combination thereof. Jou, [0081]);
correlating at least some of the collected user activity information to one or more of the computer files associated with the collected file management information (The term "risk" refers to a measurement or estimate of impact of a given variable such as an activity, a behaviour, an event such as a data leakage event, or the like. In some cases, a risk measurement may be probabilistic in nature. For example, a risk measurement associated with a behavior may be an expected value, also referred to as an expectation, taken over risk values corresponding to possible events, each risk value multiplied by a probability of the corresponding possible event occurring given the behaviour. Jou, [0018], see also The present invention provides various methods and systems related to the analysis of risks such as data leakage risks. According to some aspects of the invention, risk associated with a behavioural activity is measured as a function of certain component risk values which are computed or obtained from available data. One such risk value may represent risk ascribable to persons involved in performing the behavioural activity, such as organizational insiders or outsiders with access to sensitive data, and/or the activities of such persons. Another risk value may represent sensitivity of assets, such as digital files, comprising data associated with the risk. Jou, [0023]); and
assessing data exfiltration risk with respect to one or more of the computer files based at least in part on some of the file management information and the correlated user activity information (For example, FIG. 1 illustrates: determining 110 a risk component associated with persons involved in an activity; determining 120 a risk component associated with sensitivity of assets comprising data associated with the risk, which may for example be a data leakage risk; determining 130 a risk component associated with an endpoint which receives the assets due to the activity; determining 140 a risk component associated with a type of the activity; and measuring 150 the risk as a function of these components. For the purposes of the present invention, it will be readily appreciated that the term person in accordance to the present invention can understood to encompass any suitably entity, including but limited to people, machines or applications. Jou, [0024]).
As per claim 2, Jou teaches the computer-based method of claim 1, further comprising: presenting an alert to one or more particular system users, if the assessment reveals that the data exfiltration risk exists with respect to any one or more of the computer files (Jou, [0033]).
As per claim 3, Jou teaches the computer-based method of claim 1, further comprising: preventing a user action that would result in a data exfiltration associated with one of the computer files, if the assessment reveals that the data exfiltration risk exists with respect to that computer file. (Jou, [0033], [0066]).
As per claim 4, Jou teaches the computer-based method of claim 1, wherein the exfiltration risk is assessed without regard to content in any of the one or more computer files (determining a first risk component associated with one or more persons involved in performing the activity; Jou, Claim 1).
As per claim 5, Jou teaches the computer-based method of claim 1, further comprising: identifying which of the computer files in the organization's computer network environment should be tracked for purposes of assessing the data exfiltration risk with respect to those computer files (Jou, [0038]).
As per claim 6, Jou teaches the computer-based method of claim 5, further comprising: creating a file history chain for each respective one of the computer files identified for tracking (Jou, [0048]).
As per claim 7, Jou teaches the computer-based method of claim 6, wherein the file history chain for each respective one of the computer files identified for tracking includes the Jou, [0048]).
As per claim 8, Jou teaches the computer-based method of claim 5, wherein identifying which of the computer files should be tracked for possible data exfiltration takes into account each computer file's original storage location in the organization's computer network environment, and/or whether any suspicious actions may have been performed by a user on that computer file (Jou, [0048], [0068]).
As per claim 9, Jou teaches the computer-based method of claim 5, wherein assessing the exfiltration risk comprises: utilizing a rules engine to check whether one or more particular actions in a tracked file history chain or characteristics associated with a particular one of the computer files being tracked creates the data exfiltration risk (Jou, [0049], [0067]).
As per claim 10, Jou teaches the computer-based method of claim 1, wherein correlating at least some of the collected user activity information to one or more of the computer files associated with the collected file management information comprises: comparing time stamp information, session identifiers, user identifiers, and/or process identifiers associated with the collected computer file management information to time stamp information, session identifiers, user identifiers, and/or process identifiers associated with the collected user activity information (Jou, [0048], [0055]).
As per claim 11, Jou teaches the computer-based method of claim 1, wherein the computer file management information comprises information about one or more of the following: creating a file, opening a file, renaming a file, moving a file, copying a file, deleting a file, searching for a file, encrypting a file, putting a file into an archive, and/or modifying one or more file attributes, properties, or file permissions (Jou, [0065], [0073]). 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Jou et al. (US 2015/0205954, Pub. Date: Jul. 23, 2015), hereinafter referred to as Jou, in view of WikipediA (Login session, May 05, 2015, 2 pages), hereinafter referred to as Jou and WikipediA.
As per claim 12, Jou teaches the computer-based method of claim 1, and further teaches time-related user activity (Jou, [0033], [0035]). Jou does not provide a definition of a session; WikipediA, however, teaches wherein each respective one of the user sessions corresponds to a period of time between a particular system user logging into and subsequently logging out of the computer environment (In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. WikipediA, page 1).
Jou in view of WikipediA are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Jou in view of WikipediA. This would have been desirable because a POSITA relies on terminology as commonly used in the art.

Claims 13-22, 24 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Jou et al. (US 2015/0205954, Pub. Date: Jul. 23, 2015), hereinafter referred to as Jou, in view of Zimmermann et al. (US 2018/0027006, PCT Filed: Feb. 24, 2016), hereinafter referred to as Jou and Zimmermann.
As per claim 13, Jou teaches the computer-based method of claim 1, but does not teach a firewall. Zimmermann, however, teaches wherein the organization's computer network environment has a firewall that restricts communications between the computer network environment and other computer resources and devices outside of the computer network environment (Zimmermann, FIG. 31, [0445]).
Jou in view of Zimmermann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Jou in view of Zimmermann. This would have been desirable because, as seen in FIG. 27, an application, such as Evernote™ 2702, may be accessed by an enterprise user 2704. The user 2704 may be on an enterprise network 2706, such as behind a firewall 2708, and in some cases access may involve a proxy server 2710. The enterprise may track application access and usage events, such as file uploads and downloads, occurring on the enterprise network, and relay those events to a SIEM 2712 (Zimmermann, FIG. 27, [0421]).

As per claim 14, Jou teaches the computer-based method of claim 1, and further teaches important and unimportant files (Jou, [0033], [0035]). Jou does not teach temporary files; Zimmermann, however, teaches further comprising: filtering the computer file management information to remove out any information related to or including temporary files prior to the correlating (Zimmermann, FIG. 12, [0338]).
Jou in view of Zimmermann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Jou in view of Zimmermann. This would have been desirable because in some embodiments, parameters may be adjusted or "tuned" while the system is online, in order to improve performance over time (Jou, [0044]).

Claims 15-22, 24 and 25 have limitations similar to those treated in the above rejection of claims 1-11, 13 and 14, and are met by the references as discussed above, and are rejected for the reasons of obviousness as used above.
Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Jou et al. (US 2015/0205954, Pub. Date: Jul. 23, 2015), hereinafter referred to as Jou, in view of Zimmermann et al. (US 2018/0027006, PCT Filed: Feb. 24, 2016), in view of WikipediA (Login session, May 05, 2015, 2 pages), hereinafter referred to as Jou, Zimmermann and WikipediA.
As per claim 23, Jou in view of Zimmermann teaches the computer system of claim 15, wherein the computer file management information comprises information about one or more of the following: creating a file, opening a file, renaming a file, moving a file, copying a file, deleting a file, searching for a file, encrypting a file, putting a file into an archive, and/or modifying one or more file attributes, properties, or file permissions (Jou, [0065], [0073], Zimmermann, [0141], [0221]). Jou in view of Zimmermann does not provide a definition of a session; WikipediA, however, teaches wherein each respective one of the user sessions corresponds to a period of time between a particular system user logging into and logging out of the computer environment (In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. WikipediA, page 1).
Jou in view of Zimmermann in view of WikipediA are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Jou in view of Zimmermann in view of WikipediA. This would have been desirable because a POSITA relies on terminology as commonly used in the art.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492