DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the amendments filed on 01/26/2022.
 Claims 1-20 are currently pending in this application. Claims 1, 3-5, 8, 9, 11, 12, 15, 16, 18 and 19 have been amended.
No new IDS has been filed. 

Examiner’s Note
Applicant is suggested to include information of the figures 6A and 6B with associated text of the specification (e.g., the security analytics system environment, user authentication factors, user/user interactions, risk-adaptive behavior factors, etc.) to the claims to improve the application for providing a better condition for an allowance.

Response to Arguments
The previous objection to the drawing has been withdrawn in response to the replacement sheets of the drawing and amendment to the specification.

Regarding the 112(b) rejections, the applicant amends some claims and has, in page 8 of the remarks, argued that “… amended to address some of the issues … identifying as to ascertain the identity of something and correlating as to establish a mutual relation between … generating the security … this operation is discussed in paragraph [0116] of the application …”.
Examiner respectfully disagrees with these arguments.
As the applicant noted, the claimed identifying not only identifying the identity of the binary signature, but also identifying the common binary signature for the file format type. In other words, it is identifying to establish the mutual relationship (e.g., having a common binary signature) between the common binary signature and the file format type. Moreover, although the claims are interpreted in light of the specification, limitations for the specification are not read into the claims - see In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 
Because the applicant’s amendments do not overcome all rejections (although overcome some of them), the updated/maintained rejections are stated the 112(b) rejections section below.    

Regarding the 103 rejections, the applicant, in page 9 of the remarks, has argued that “… claim 1 recites … signing the request with a certificate that identifies the request as valid without identifying the device … however, Roth illustrates that a request from a node includes the ID of the node – fig. 7… messages sending secret shares to the nodes are published so that it is … [0053] … Roth expressly requires that the identity of the nodes be made known …”.
The applicant’s this argument is not persuasive.
It is noted that the features upon which applicants argue (e.g., teaching of Roth, such as “a request from a node includes the ID of the node, publishing messages sending secret shares to the nodes, requiring that the identity of the nodes be made known …”) are NOT prohibited/prevented by the claims. Although the claims are In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). It is clear that “a node including the node ID, publishing the messages, making known the node ID” is nothing to do/relate with the claimed limitations, “… signing the request with a certificate that identifies the request as valid without identifying the device”.

The applicant has amended the claims 1, 9 and 16 to include the limitations, “… generating a security policy via a security policy generator and deploying the security policy for use in a protected endpoint … an endpoint agent executing on an endpoint device …”, and has, in pages 8-9 of the remarks, argued that “… nowhere within Mansel and Sun, taken alone or in combination is there any disclosure or suggestion of generating a security policy …”.
Examiner respectfully disagrees with this argument.
As taught in Mansel, Mansel clear teaches the rule set engine for setting rules by adding rule, editing rule, moving rule up/down priority list or generating rule or security policy via a security policy generator or rule set engine – see fig. 23a and paras. 0165 and 0166 of Mansel. Furthermore, Mansel, in figs. 3, 8 and par. 0127, also teaches the real time monitor engine 300 of the monitored system 108 retrieving rules from the surveillance management system 102 with the rule set engine 200i and using in the monitoring system 108. Therefore, Mansel teaches the amended/argued limitations, “… generating a security policy via a security policy generator and deploying the security policy for use in a protected endpoint … an endpoint agent executing on an endpoint device …” – see the 103 rejections section below for detail.
     

The applicant’s arguments, for the claims 2-8, 10-15 and 17-20 with the 103 rejections regarding similar limitations of above responded limitations of the claim 1, 9 or 16, are not persuasive and the response for these arguments are similar with the response above.

Thus, the applicants’ arguments are not persuasive. Please see amended rejections below for the amended claims. This action is final.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.


Claims 1-20 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirements (new matter issues).

The claims 1, 9 and 16 are amended to include “… the protected endpoint comprising an endpoint agent executing on an endpoint device …”, however, these limitations were NOT described in the specification (e.g.,  fig.3 and par. 0034 of the specification describe the endpoint agent 306 being outside of the endpoint devices 
Claims 2-8, 10-15 and 17-20 depend from the claim 1, 9 or 16, and are analyzed and rejected accordingly.

21.	The claims 4, 12 and 19 are amended to include “… there are at least three files having the file format type …”, however, these limitations were NOT described in the specification such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the invention or application was filed, had possession of the claimed invention. Applicant is suggested to indicate the location of the supporting information in the specification for the amended limitations.

The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claim 1 (claims 9 and 16 include similar limitations) recites:
“… method for generating a security policy for a file format type … the plurality of files includes files having file format type … “, however, it is not clear 
“… identifying a common binary signature for the file format type … correlating the file format type with the common binary signature …”, however, it is not clear how the correlation function performs when the file format type has already correlated with the common binary signature by identifying process (note: the common binary signature is identified for the file formation type as identifying correlation between the file format type and the common binary signature);
“… generating the security policy … includes the common binary signature for the file format type …”, however, it is not clear how to define the generated policy is the security policy or whether a policy including the common binary signature is defined/generated as the security policy (e.g., omitting necessary steps/components which causes the limitations unclear);
“… deploying the security policy for use in a protected endpoint …”, however, it is not clear whether the security policy is deployed in the endpoint which has already been protected or not.
Claims 2-8, 10-15 and 17-20 depend from the claim 1, 9 or 16 and are analyzed and rejected accordingly.

Claim 2 (and the claim 10, 17) recites “… using the common binary signature … to detect occurrence of events relating to files having the file format type”, however, it is 
Claim 4 (and the claim 12, 19) recites “… there are at least three files having the file format type; and only binary signature candidates common to a majority of the plurality of files are correlated with the file format name for use as the common binary signature”, however, it is not clear (1) whether the claimed “at least three files” have any relationship with “the plurality of files”, and “the files” included before or not; (2) whether the “binary signature candidates” are the same as “the set of binary signature candidates” of the claim 3 or not; (3) how to define majority of the two plurality of files (note: one of the two files cannot define as a majority); (4) the correlating process is performed with whether the file format name (of the claim 4) or the file format type (of the claim 1).
Claim 5 recites “… only a single binary signature candidate from the set of binary signature candidate is correlated with the file format name …”, however, it is not clear how to define “the set of binary signature candidates” (e.g., the antecedent basis issue and omitting necessary steps/components which cause the limitation unclear).
 Claim 8 (and the claim 15) recites “… the security policy for the file format is deployed to a plurality of endpoint devices”, however, (1) the term, the file format, has an antecedent basis issue (e.g., not defining a file format before); (2) whether the “a plurality of endpoint devices” have any relationship with “a protected endpoint” of the claim 1 or not.

Claim Rejections - 35 USC § 103


The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mansel (US 2006/0253905 A1) in view of Sun et al. (US 8,201,244 B2).

As per claim 1, Mansel teaches a computer-implemented method for generating a security policy for a file format type [see figs. 1b, 2, 3; par. 0008, lines 1-7; par. 0014, lines 1-5 of Mansel], comprising:
receiving, at a user interface, identification of a plurality of files stored in electronic memory, wherein the plurality of files includes files having file format type [figs. 2, 3; par. 0003, lines 1-5; par. 0110, lines 1-10; par. 0111, lines 8-16 of Mansel teaches receiving, at a user interface (e.g., the user interface of the surveillance management system), identification of a plurality of files stored in electronic memory, wherein the plurality of files includes files having file format type (e.g., the file type group)];
providing a file format name, the file format name being associated with the file format type; accessing the plurality of files from the electronic memory [figs. 4c, 4d, 15a, 15d, 15h; par. 0113, lines 1-12; par. 0114, lines 1-6; par. 0137, lines 1-8; par. 0142, lines 1-5 of Mansel teaches providing a file format name (e.g., the file mask, file name or folder name), the file format name being associated with the file format type (shown in fig. 15d); accessing (to scan) the plurality of files from the electronic memory];
identifying a common signature for the file format type included in the plurality of files; correlating the file format type with the common signature [figs. 7e, 7f, 14, 15a, 15d, 15f, 15h; par. 0137, lines 1-8, 17-20; par. 0142, lines 1-5; par. 0143, lines 1-3 of Mansel teaches identifying a common signature (e.g., identifying a matching file signature) for the file format type included in the plurality of files (e.g., the scanned files); correlating the file format 
generating the security policy for the file format type using the file format name, the security policy being generated via a security policy generator, wherein the security policy includes the common signature for the file format type; and deploying the security policy for use in a protected endpoint [figs. 1b, 3, 17b, 23a, 23b; par. 0124, lines 12-15; par. 0153, lines 1-10; par. 0165, lines 1-4; par. 0166, lines 1-16; par. 0181, lines 1-11; par. 0184, lines 1-8 of Mansel teaches generating the security policy (e.g., the rules for blocking, alert processes) for the file format type using the file format name (e.g., the file name), the security policy being generated (e.g., adding rule set, editing rule set, moving rule up/down priority list, etc.) via a security policy generator (e.g., the rule set engine 200i), wherein the security policy includes the common signature for the file format type (e.g., the file name/mask is associated with file type and matching file signature); and deploying the security policy (e.g., adding/editing rule set) for use in a protected endpoint (e.g., the monitored system)];
the protected endpoint comprising an endpoint agent executing on an endpoint device, the security policy being deployed via at least one of directly from the security policy generator and a deployment system having access to a security policy datastore [figs. 1b, 2, 3, 8; par. 0111, lines 17-21, 44-48; par. 0127, lines 1-16 of Mansel teaches the protected endpoint (e.g., the monitored system 108) comprising an endpoint agent (e.g., the real time monitor engine 300) executing on an endpoint device, the security policy 

Although Mansel teaches identifying the common signature for the file type and generating the security policy including the common signature – see above rejections, however, Mansel does not explicitly disclose the common signature for the file type is a common binary signature.
However, Sun teaches a common binary signature define for a file type [col. 2, lines 13-23; col. 7, lines 39-48 of Sun teaches a common binary signature (e.g., the binary code/pattern) define for a file type (e.g., malware file)].
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mansel with the teaching of Sun to include a binary signature of a file type because it provides a part of the anti-virus program’s virus identification processes - see column 2 of Sun.

As per claim 2, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel does not teach, but Sun teaches using the common binary signature deployed in the security policy to detect occurrences of events relating to files having the file format type [col. 2, lines 13-23; col. 5, lines 3-19; col. 7, lines 39-48 of Sun teaches using the common binary signature (e.g., the binary code/pattern) deployed in the security policy (e.g., the anti-virus program policy) to detect occurrences 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mansel with the teaching of Sun to include a binary signature for a malware detection in a security policy because it provides a part of the anti-virus program’s virus identification processes - see column 2 of Sun.

As per claim 3, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein identifying the common (binary) signature comprises: scanning the plurality of files to detect (binary) content common to two or more of the plurality of files, wherein the (binary) content common to two or more of the plurality of files is added to a set of binary signature candidates for the file format name [figs. 4d, 15h; par. 0137, lines 1-20; par. 0150, lines 1-8 of Mansel teaches identifying the common (binary) signature comprises: scanning the plurality of files to detect (binary) content common (e.g., the file inspection parameter) to two or more of the plurality of files, wherein the (binary) content common to two or more of the plurality of files is added to a set of binary signature candidates (e.g., added the scan result to the log) for the file format name – see also rejections to the claim 1].

As per claim 4
Mansel further teaches wherein there are at least three files having the file format type; and only (binary) signature candidates common to a majority of the plurality of files are correlated with the file format name for use as the common (binary) signature [figs. 1b, 15h, 15i, 15j; par. 0142, lines 1-5; par. 0150, lines 1-8 of Mansel teaches there are at least three files (e.g., scanning files from at least three monitored system 108 – see fig. 1c) having the file format type; and only (binary) signature candidates (e.g., the file inspection parameter) common to a majority of the plurality of files (e.g., the files matching the scan configuration) are correlated with the file format name (e.g., the file mask/name) for use as the common (binary) signature – see also rejections to the claim 1].

As per claim 5, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein only a single (binary) signature candidate from the set of (binary) signature candidates is correlated with the file format name for use as the common (binary) signature [figs. 15h, 15i, 15j; par. 0142, lines 1-5; par. 0149, lines 1-4; par. 0150, lines 1-8 of Mansel teaches only a single (binary) signature candidate (e.g., the file inspection parameter matching the scan configuration) from the set of (binary) signature candidates is correlated with the file format name (e.g., the file mask/name) for use as the common (binary) signature – see also rejections to the claim 1].

As per claim 6, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the file format name is received at the user interface [figs. 15f; par. 0137, lines 1-8; par. 0139, lines 1-6 of Mansel teaches the file format name is received at the user interface (e.g., selecting of view matching files)].

As per claim 7, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the file format name is automatically determined based on one or more common attributes of the plurality of files, wherein the common attributes include one or more of a file extension or text identified in two or more of the plurality of files [par. 0113; par. 0137, lines 9-16; par. 0139, lines 1-6 of Mansel teaches the file format name is automatically determined based on one or more common attributes (e.g., the file attribute input used in matching with scan configuration parameters) of the plurality of files, wherein the common attributes include one or more of a file extension or text identified (e.g., a system property of the file) in two or more of the plurality of files].

As per claim 8, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the security policy for the file format is deployed to one or more endpoint devices [figs. 1b; par. 0184, lines 1-8 of Mansel teaches the security policy (e.g., the rule set) for the file format is deployed to a plurality 

Claims 9-15 are system claims that correspond to the method claims 1-4 and 6-8, and are analyzed and rejected accordingly. See par. 0109 of Mansel for the system components.
Claims 16-20 are medium claims that correspond to the method claims 1-4 and 7, and are analyzed and rejected accordingly.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MAUNG T LWIN/Primary Examiner, Art Unit 2495