DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
This Office action is in response to the RCE/amendment, arguments and remarks, filed on 10/19/2021, in which claim(s) 1-28 is/are presented for further examination.
Claim(s) 1, 9 and 17 has/have been amended.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission, filed on 10/19/2021, has been entered.

Response to Amendments
Applicant’s amendment(s) to claim(s) 1, 9 and 17 has/have been accepted.  Support was found in at least [0325]-[0328], [0360]-[0367] and [0377]-[0380] of the specification.
The examiner thanks applicant’s representative for pointing out where he believes there is support for the amendment(s).

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-28, filed on 10/19/2021, have been fully considered but they are not persuasive.

Applicant’s arguments with respect to the rejection(s) of claim(s) 1-28 under 35 U.S.C. 103, see page 10 of applicant’s remarks, filed on 10/19/2021, have been fully considered but they are not persuasive.
Applicant is merely arguing the newly added limitations in the claim that were not previously presented.  The examiner respectfully disagrees.  Please see the corresponding section of the rejection below.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim(s) 1-28 is/are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-22 of US 9,407,662 B2.  Although the claims at issue are not identical, they are not patentably distinct from each other because they contain similar subject matter.  That is, all the limitations of the instant application are contained in the ‘662 patent.
Application: 15/226,872

1.  A method comprising:

providing a plurality of rules to manage information of an information management system, wherein a first rule comprises a condition between a first entity and a second entity;

providing activity data stored in a log associated with the first entity, the second entity, and a third entity the activity data comprising:

a first activity data at a first time indicating sending of the e-mail from the first entity to the third entity; and

a second activity data at a second time indicating sending of the e-mail from the third entity to the second entity, wherein the first time and the second time are different;

inspecting at least the first rule to extract the condition between the first entity and the second entity;

analyzing the log for the first activity data and the second activity data to derive a relationship between the first entity and the second entity, wherein the relationship comprises:

a first correlation between sending of the e-mail from the first entity to the third entity as provided in the first activity data and sending of the e-mail from the third entity to the second entity as provided in the second activity data, the first correlation being based on the sending of the e-mail; and

detecting a potential satisfaction of the condition because of the first correlation in the relationship.

9.  Same as 1.

17.  Same as 1.

Patent: US 9,407,662

A method of operating an information management system comprising:

providing a plurality of rules to manage information of the information management system, wherein a first rule comprises a condition between a first entity and a second entity;

providing activity data stored in a log associated with the first entity, the second entity, and a third entity the activity data comprising:

a first activity data at a first time indicating attaching of a document to an e-mail by the first entity;

a second activity data at a second time indicating sending of the e-mail from the first entity to the third entity; and

a third activity data at a third time indicating sending of the e-mail from the third entity to the second entity, wherein the first time, the second time, and the third time are different;

inspecting at least the first rule to extract the condition between the first entity and the second entity;

analyzing the log for the first activity data, the second activity data, and the third activity data to derive a relationship between the first entity and the second entity, wherein the relationship comprises:

a first correlation between attaching of the document to the e-mail by the first entity as provided in the first activity data and sending of the e-mail from the first entity to the third entity as provided in the second activity data, the first correlation being based on the first entity; and

a second correlation between sending of the e-mail from the first entity to the third entity as provided in the second activity data and sending of the e-mail from the third entity to the second entity as provided in the third activity data, the second correlation being based on the sending of the e-mail; and

detecting a potential satisfaction of the condition because of the first correlation and the second correlation in the relationship.

14.  Same as 1.

15.  Same as 1.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim(s) 1-28 is/are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding claim(s) 1, 9 and 17, no support was found for the limitation, “changes to the policy abstraction do not require changing the first information usage rule.”  The specification 
Note: The examiner will reconsider this rejection if additional support is cited.
Claim(s) 2-8, 10-16 and 18-28 inherit(s) the deficiencies of the claim it/they depend(s) from.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim(s) 17 and 18 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim(s) 17 recite(s) the limitation "the first entity", “the second entity” and “the third entity” in lines 33-34.  There is insufficient antecedent basis for this/these limitation(s) in the claim(s).
Note: Applicant uses “user” instead of “entity” in this set of claims.  The rejection(s) can be resolved by merely amending the claim(s) to recite “user” instead of “entity”.
Claim(s) 18 inherit(s) the deficiencies of the claim it/they depend(s) from.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

Claim(s) 1-18, 21-24 and 26-28 is/are rejected under pre-AIA  35 U.S.C. 102(b) as being anticipated by Tirosh et al., US 2007/0220061 A1 (hereinafter “Tirosh”).
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1, 9 and 17
Tirosh discloses a method comprising:
providing a plurality of rules to manage information of an information management system (Tirosh, [0008], see the policy is established to control unauthorized access to the host; and Tirosh, [0009], see the system may establish a policy to control the leakage of information from the organization by insiders, for example, the policy may specify which applications are wherein a first rule comprises a condition between a first entity/user and a second entity/user (Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group, where if the users are not in the same groups they will not have access to the same files/documents/etc., which are being interpreted as the “condition between a first user and a second user”);
controlling document usage, based on first and second information usage rules of the plurality of rules (Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group), comprising:
intercepting a first e-mail being sent from the first entity/user to a third entity/user (Tirosh, [0099], see email probe intercepts received emails and attempts to send email);
evaluating the first information usage rule to determine, based on the first entity/user and the third entity/user, whether to allow sending the first e-mail (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see sensors will report external access attempts to the host as well as unusual local activity, which may be an indication that an intruder has already gained some access and is attempting to extend or use it, where the agent will apply a set of reactions such as ignore (allow the operation to proceed), Block (cause the operation to fail) or Log (allow the operation to proceed but log its details; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file wherein the first information usage rule comprises a rule condition and evaluating the rule condition comprises retrieving a policy abstraction, defined (Tirosh, [0008], see sensors will report external access attempts to the host as well as unusual local activity, which may be an indication that an intruder has already gained some access and is attempting to extend or use it, where the agent will apply a set of reactions such as ignore (allow the operation to proceed), Block (cause the operation to fail) or Log (allow the operation to proceed but log its details; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group; and Tirosh, [0119], see each element in 
the policy can be edited by a dedicated wizard user interface component, where, in an exemplary embodiment, a wizard for editing an email reaction rule is described, allowing the administrator to configure a rule by specifying the email domain, the tags associated with potential stored separately from the first information usage rule (Tirosh, Fig. 1, see rules applied between the management console and the active directory server and the logging results are stored in the logging server apart from the management console; and Tirosh, Fig. 4, see the policy storage and update is apart from the policy resolver, which is apart from the logging service) and changes to the policy abstraction do not require changing the first information usage rule (Tirosh, [0076], where the addition/subtraction of a user to an access control list does require any change to the files/information that the access control list has access to);
determining, based on evaluating the first information usage rule, to allow sending the first e-mail (Tirosh, [0091]-[0098], see the policy resolution process, where the description of an event, containing the details of an attempted transmission intercepted by the agent, is sent to the policy resolver subcomponent, which consults the current effective policy to produce the appropriate set of reactions the agent should take, where the current policy consists of a list of reaction rules, where each rule consists of a condition and a set of reactions, where the policy resolver evaluates the condition of each reaction rule with the parameters from the details of event, where if a condition evaluates to TRUE, then the set of reactions in the reaction rule is added to the set of reactions for this event);
storing in a log that the sending of the first e-mail was allowed (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see Log (allow the operation to proceed but log its details); and Tirosh, [0032], see the system also includes a Logging Server for storing the Event Descriptions generated by the Agents and a Management Console for setting the Policy and reviewing the Event Descriptions);
intercepting a second e-mail being sent from the third entity/user to the second entity/user (Tirosh, [0099], see email probe intercepts received emails and attempts to send email);
evaluating the second information usage rule to determine, based on the third entity/user and the second entity/user, whether to allow sending the second e-mail (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see sensors will report external access attempts to the host as well as unusual local activity, which may be an indication that an intruder has already gained some access and is attempting to extend or use it, where the agent will apply a set of reactions such as ignore (allow the operation to proceed), Block (cause the operation to fail) or Log (allow the operation to proceed but log its details; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group; and Tirosh, [0119], see each element in the policy can be edited by a dedicated wizard user interface component, where, in an exemplary embodiment, a wizard for editing an email reaction rule is described, allowing the administrator to configure a rule by specifying the email domain, the tags associated with potential transmission attempt and the required reaction);
determining, based on evaluating the second information usage rule, to allow sending the second e-mail (Tirosh, [0091]-[0098], see the policy resolution process, where the description of an event, containing the details of an attempted transmission intercepted by the 
storing in the log that the sending of the second e-mail was allowed (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see Log (allow the operation to proceed but log its details); and Tirosh, [0032], see the system also includes a Logging Server for storing the Event Descriptions generated by the Agents and a Management Console for setting the Policy and reviewing the Event Descriptions); and
after determining to allow sending the first e-mail and the second e-mail, determining whether an activity data correlation rule of the plurality of rules has been satisfied (Tirosh, [0091]-[0098], see the policy resolution process, where the description of an event, containing the details of an attempted transmission intercepted by the agent, is sent to the policy resolver subcomponent, which consults the current effective policy to produce the appropriate set of reactions the agent should take, where the current policy consists of a list of reaction rules, where each rule consists of a condition and a set of reactions, where the policy resolver evaluates the condition of each reaction rule with the parameters from the details of event, where if a condition evaluates to TRUE, then the set of reactions in the reaction rule is added to the set of reactions for this event; and Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the comprising:
providing activity data stored in the log associated with the first entity/user, the second entity/user and the third entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored; Tirosh, [0088], see, when an event is processed by the agent software, the policy may indicate that the event should be recorded, where, in this case, the agent software will send the event to logging server; and Tirosh, [0102], see logging (Monitor), the event description along with the reaction set is sent to the logging service module) the activity data comprising:
a first activity data at a first time indicating sending of an e-mail from the first entity/user to the third entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event 
a second activity data at a second time indicating sending of the e-mail from the third entity/user to the second entity/user, wherein the first time and the second time are different, and the activity data stored in the log comprises activity data generated based on one or more policy engines executing separately from applications used to send the e-mail from the first entity/user to the third entity/user and from the third entity/user to the second entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored; Tirosh, [0088], see, when an event is processed by the agent software, the policy may indicate that the event should be recorded, where, in this case, the agent software 
inspecting at least a first rule to extract the condition between the first entity/user and the second entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; and Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored), wherein the first rule specifies that content of the e-mail should not be transmitted to members outside of an organization (Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored and blocking the attempted operation and preventing it from completing successfully; and Tirosh, [0010], see sending a file to an external email destination);
analyzing the log for the first activity data and the second activity data to derive a relationship between the first entity/user and the second entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent wherein the relationship comprises:
a first correlation between sending of the e-mail by the first entity/user to the third entity/user as provided in the first activity data and sending of the e-mail from the third entity/user to the second entity/user as provided in the second activity data, the first correlation being based on the sending of the e-mail (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system 
that the second entity/user, without the first rule explicitly identifying the second entity/user as being outside of the organization, is a member outside of the organization (Tirosh, [0010], see sending a file to an external email destination);
detecting a potential satisfaction of the condition because of the first correlation in the relationship (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; and Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group); and
based on the detected potential satisfaction of the condition, automatically implementing a remedial action of at least one of: implementing a policy in the information management system, disallowing a user from connecting to the information management system, or restricting a user from being allowed to perform certain actions to information managed by the information management system (Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent 
Claim(s) 9 and 17 recite(s) similar limitations to claim 1 and is/are rejected under the same rationale.

With respect to claim 9, Tirosh discloses a method of operating an information management system comprising:
providing a first rule comprising a condition between a first entity/user and a second entity/user (Tirosh, [0008], see the policy is established to control unauthorized access to the host; Tirosh, [0009], see the system may establish a policy to control the leakage of information from the organization by insiders, for example, the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device; and Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group, where if the users are not in the same groups they will not have access to the same files/documents/etc., which are being interpreted as the “condition between a first user and a second user”), wherein a first rule specifies that content of the e-mail should not be transmitted to members outside of an organization, without explicitly identifying that the second entity/user is outside of the organization (Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to 
controlling document usage, based on first and second information usage rule (Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group), comprising:
after determining to allow sending the first e-mail and the second e-mail, determining whether an activity data correlation rule of the plurality of rules has been satisfied (Tirosh, [0091]-[0098], see the policy resolution process, where the description of an event, containing the details of an attempted transmission intercepted by the agent, is sent to the policy resolver subcomponent, which consults the current effective policy to produce the appropriate set of reactions the agent should take, where the current policy consists of a list of reaction rules, where each rule consists of a condition and a set of reactions, where the policy resolver evaluates the condition of each reaction rule with the parameters from the details of event, where if a condition evaluates to TRUE, then the set of reactions in the reaction rule is added to the set of reactions for this event; and Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected) comprising:
a first activity data at a first time indicating inputting of information into an e-mail by the first entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored; Tirosh, [0088], see, when an event is processed by the agent software, the policy may indicate that the event should be recorded, where, in this case, the agent software will send the event to logging server; Tirosh, [0102], see logging (Monitor), the event description along with the reaction set is sent to the logging service module; Tirosh, [0062], see, in content-tracking, monitoring deleting, reading and writing; and Tirosh, [0010], see sending a file to an external email destination);
a second activity data at a second time indicating sending of the e-mail from the first entity/user to the third entity/user (Tirosh, [0010], see sending a file to an external email destination);
a third activity data at a third time indicating sending of the e-mail from the third entity/user to the second entity/user, wherein the first time, the second time, and the third time are different (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a 
the activity data is generated at least in part from one or more policy enforcers detecting operations on the application programming level to send the e-mail from the first entity/user to the third entity/user or from the third entity/user to the second entity/user (Tirosh, [0099], see the mail probe intercepts received emails and attempts to send email, where, in this embodiment, it is implemented as a plug-in conforming to the plug-in interface of the Microsoft Outlook email program; and Tirosh, [0100], see the network probe intercepts requests to establish network connections using the TCP/IP protocol, where it is implemented in the form of a kernel mode Transport Data Interface (TDI) filter driver for the Windows NT kernel, where the HTTP probe intercepts requests in the HTTP protocol, where, in this embodiment, it is implemented in the form of a plug-in conforming to the plug-in interface of Microsoft Internet Explorer and, where the printer probe intercepts printing requests);
analyzing the first activity data, the second activity data, and the third activity data to derive a relationship between the first entity/user and the second entity/user (Tirosh, wherein the relationship comprises:
a first association between inputting of information into an e-mail by the first entity/user as provided in the first activity data and sending of the e-mail from the first entity/user to the third entity/user as provided in the second activity data, the first association being based on the first entity/user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log
a second association between sending of the e-mail from the first entity/user to the third entity/user as provided in the second activity data and sending of the e-mail from the third entity/user to the second entity/user as provided in the third activity data, the second association being based on the sending of the e-mail (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group; and Tirosh, [0010], see sending a file to an external email destination).

With respect to claim 17, Tirosh discloses a first activity, corresponding to a first log entry that the sending of the first e-mail was allowed, data at a first time indicating drafting of an e-mail by the first entity/user (Tirosh, [0007], see the agent must be able to 
a second activity data, corresponding to a second log entry that the sending of the second e-mail was allowed, at a second time indicating sending of the e-mail from the first user to the third user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored; Tirosh, [0088], see, when an event is processed by the agent software, 
a third activity data at a third time indicating sending of the e-mail from the third user to the second user, wherein the first time and the second time are different (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0070]-[0083], see tagging and content tracking, applying the security policy, reaction rules used to define the set of operations the agent should apply in case of unauthorized operations, monitoring operations and logging to the system event log and the type of metadata stored; Tirosh, [0088], see, when an event is processed by the agent software, the policy may indicate that the event should be recorded, where, in this case, the agent software will send the event to logging server; Tirosh, [0102], see logging (Monitor), the event description along with the reaction set is sent to the logging service module; and Tirosh, [0010], see sending a file to an external email destination), and
the activity data is generated from one or more policy enforcers installed as at least one of add-ins, plug-ins, scripts, macros, libraries, or extension programs on computing devices used to send the e-mail from the first entity to the third entity or from the third entity to the second entity (Tirosh, [0099], see the mail probe intercepts received emails and 
analyzing the first activity data, the second activity data, and the third activity data to derive a relationship between the first user and the second user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group), wherein the relationship comprises:
a first correlation between drafting of the e-mail by the first user as provided in the first activity data and sending of the e-mail from the first user to the third user as provided in the second activity data, the first correlation being based on the first user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group; and Tirosh, [0062], see, in content-tracking, monitoring deleting, reading and writing); and
a second correlation between sending of the e-mail from the first user to the third user as provided in the second activity data and sending of the e-mail from the third user to the second user as provided in the third activity data, the second correlation being based on the sending of the e-mail (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application 
the second entity is outside an organization of the first user and the third user (Tirosh, [0010], see sending a file to an external email destination).

Claims 2, 10 and 18
With respect to claims 2, 10 and 18, Tirosh discloses wherein the condition comprises that the first entity/user is not permitted to send an e-mail to the second entity/user (Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group).

Claims 3 and 11
With respect to claims 3 and 11, Tirosh discloses wherein the first and second activity data is received at a server from a first device of the first entity, and the second activity data is received at the server from a second device of the third entity (Tirosh, [087] and [0088], see servers).

Claims 4 and 12
With respect to claims 4 and 12, Tirosh discloses wherein the analyzing the first activity data and the second third activity data comprises matching the third entity as provided in the first activity data with the third entity as provided in the second activity data (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation; Tirosh, [0076], see allow the operation to continue but set the system Access Control List associated with the information container to allow access only to designated users or group).

Claims 5 and 13
With respect to claims 5 and 13, Tirosh discloses wherein the first entity is a first user and the second entity is a second user (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected; Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external 

Claims 6 and 14
With respect to claims 6 and 14, Tirosh discloses wherein the first entity is a first device and the second entity is a second device (Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation, where applications are run on devices).

Claims 7 and 15
With respect to claims 7 and 15, Tirosh discloses wherein the first entity is a first application program and the second entity is a second application program (Tirosh, [0009], see the policy may specify which applications are allowed to access certain files, devices or network services in order to prevent an application from reading a file and then forward a copy of it over the network or to an external device, where, again, the possible Reactions may include Ignore (allow), Block or Log the attempted operation).

Claims 8 and 16
wherein the inspecting at least the first rule to extract the condition between the first entity and second entity comprises inspecting a plurality of rules (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected).

Claim 21
With respect to claim 21, Tirosh discloses comprising determining to include the first activity data, based upon a first rule of the plurality of rules that is evaluated when the sending of the e-mail from the first entity to the third entity is made, in the log,
wherein the first rule specifies that the first activity data is to be logged (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see Log (allow the operation to proceed but log its details); and Tirosh, [0032], see the system also includes a Logging Server for storing the Event Descriptions generated by the Agents and a Management Console for setting the Policy and reviewing the Event Descriptions).

Claim 22
With respect to claim 22, Tirosh discloses wherein the first rule specifies that logging the first activity data includes an e-mail is sent and an identifier corresponding to the first user (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; 

Claim 23
With respect to claim 23, Tirosh discloses wherein the first correlation comprises identifying the third entity as an entity in common with first and second activity data and the second correlation comprises identifying an e-mail identifier for the e-mail as an e-mail in common with second and third activity data (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected).

Claim 24
With respect to claim 24, Tirosh discloses wherein the first activity data is generated at a first computing device, the second activity data is generated at a second computing device, and the first and second activity data are transmitted to a third computer to be included in the log, wherein the first, second, and third computing devices are different computing devices (Tirosh, Fig. 1).

Claim 26
With respect to claim 26, Tirosh discloses wherein the log comprises at least one activity data indicating an enforcement action to allow an operation (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see Log (allow the operation to proceed but log its details); and Tirosh, [0032], see the system also includes a Logging Server for storing the Event Descriptions generated by the Agents and a Management Console for setting the Policy and reviewing the Event Descriptions).

Claim 27
With respect to claim 27, Tirosh discloses comprising:
causing determining, based on one or more policies evaluated at the first time, that the sending of the e-mail from the first entity to the third entity is to be logged;
causing generating the first activity data to be stored in the log; and
storing the first activity data in the log (Tirosh, [0099], see email probe intercepts received emails and attempts to send email; Tirosh, [0008], see Log (allow the operation to proceed but log its details); and Tirosh, [0032], see the system also includes a Logging Server for storing the Event Descriptions generated by the Agents and a Management Console for setting the Policy and reviewing the Event Descriptions).

Claim 28
With respect to claim 28, Tirosh discloses comprising:
identifying, based on the information input into the e-mail, that the first activity data is confidential (Tirosh, [0041] and [0045], see content/information tagged as confidential; and Tirosh, [0062], see, in content-tracking, monitoring deleting, reading and writing);
searching to determine whether the information input into the e-mail is included in additional activity data stored in the log (Tirosh, [0007], see the agent must be able to correlate or aggregate multiple low-level events to a smaller number of high-level events, which may be more meaningful to the goals of the system, where the agent then applies a Policy to the Events, where a Policy is a collection of Rules, where each Rule consists of a Condition, sometimes referred to as a Template or Pattern, and a Reaction to be performed by the Agent when an Event matching the Condition is detected); and
determining that the information input into the e-mail is included in the second activity data (Tirosh, [0091]-[0098], see the policy resolution process, where the description of an event, containing the details of an attempted transmission intercepted by the agent, is sent to the policy resolver subcomponent, which consults the current effective policy to produce the appropriate set of reactions the agent should take, where the current policy consists of a list of reaction rules, where each rule consists of a condition and a set of reactions, where the policy resolver evaluates the condition of each reaction rule with the parameters from the details of event, where if a condition evaluates to TRUE, then the set of reactions in the reaction rule is added to the set of reactions for this event).

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:


Claim(s) 19, 20 and 25 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tirosh in view of Agbabian, US 7,472,422 B1 (hereinafter “Agbabian”).

Claim 19
Claim 19 incorporates all of the limitations above.
On the other hand, Agbabian discloses wherein automatically implementing the remedial action comprises transforming, based on the relationship between the first entity and the second entity, a second policy to generate a transformed second policy (Agbabian, Col. 66, lines 4-19, see time when the rule was last modified means a rule [i.e., policy] was changed [i.e., transformed]), wherein before transformation of the second policy, a first access attempt to information managed by the information management system is allowed upon evaluation of the second policy and after transformation of the second policy, a second access attempt to information managed by the information management system is denied upon evaluation of the transformed second policy (Agbabian, Col. 19, line 63-Col. 20, line 9, see granting and denying access).  It would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate Agbabian’s teachings to Tirosh’s method.  A skilled artisan would have been motivated to do so in order to have an integrated approach to network security management, see Agbabian, Col. 1, lines 26-38.  In addition, both/all of the references (Tirosh and Agbabian) disclose features that are directed to analogous art and they are directed to the same field of endeavor, such as controlling access to content.  This close relation between/among the references highly suggests an expectation of success.

Claim 20
Claim 20 incorporates all of the limitations above.
On the other hand, Agbabian discloses wherein the first activity data stored in the log is stored on a memory buffer of a first computing device, separate from a second computing device storing the activity data stored in the log (Agbabian, Col. 22, lines 16-21, see separate databases; and Agbabian, Col. 16, line 62-Col. 17, line 16, see output buffer, where separating the memory is a design choice not affecting patentability, see In re Japikse, 181 F.2d 1019, 86 USPQ 70 (CCPA 1950) (Claims to a hydraulic power press which read on the prior art except with regard to the position of the starting switch were held unpatentable because shifting the position of the starting switch would not have modified the operation of the device.)), and the first activity data is transferred from the first computing device to the second device according to at least one of a predetermined time interval or when a user logged onto the first computing device logs off the first computing device (Agbabian, Col. 16, lines 36-46, see checking the flush time after logging events).  See claim 19 for the motivation to combine.

Claim 25
Claim 25 incorporates all of the limitations above.
On the other hand, Agbabian discloses comprising:
performing a Lightweight Directory Access Protocol (LDAP) lookup to determine that the second entity is a member outside of the organization, wherein the relationship that the second entity is a member outside of the organization is based at least in part on the LDAP lookup (Agbabian, Col. 20, lines 27-43, see LDAP directory).  See claim 19 for the motivation to combine.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
– Gladstone et al. for stateful reference monitor;
– Shull et al. for enhanced fraud monitoring systems;
– Viscomi et al. for electronic data security.

Point of Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUBERT G CHEUNG whose telephone number is (571) 270-1396. The examiner can normally be reached M-R 8:00A-5:00P EST; alt. F 8:00A-4:00P EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 



Examiner: Hubert Cheung
/Hubert Cheung/ Assistant Examiner, Art Unit 2152
Date: February 25, 2022

/NEVEEN ABEL JALIL/ Supervisory Patent Examiner, Art Unit 2152