Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action
The instant application having Application No. 16/526,684 has claims 1-6, 8-13 and 15-19 pending filed on 07/30/2019; there are 3 independent claims and 14 dependent claims, all of which are ready for examination by the examiner.  The applicant cancelled the original claims 7, 14 and 20 (dated 11/26/2021) 

Response to Arguments

This Office Action is in response to applicant’s communication filed on November 26, 2021 in response to PTO Office Action dated August 26, 2021.  The Applicant’s remarks and amendments to the claims and/or specification were considered with the results that follow.

OBJECTIONS

Claim Objections
With reference to the amendments to the claims 6, 13 and 19 (dated
11/26/2021), the objection against Claims 6, 13 and 19 are withdrawn.  


Claim Rejections

Claim Rejections - 35 USC § 101

In view of the applicant’s amendment to the independent claims 1, 8 and 15 (dated 11/26/2021), the 35 U.S.C. § 101 rejection of claims 1-6, 8-13 and 15-19 are withdrawn.

Claim Rejections - 35 USC § 103

 35 USC § 103 Rejection of claims 1-6, 8-13 and 15-19


Applicant's arguments filed on 11/26/2021 with respect to the claims 1-6, 8-13 and 15-19 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-13, 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Katragadda et al (US PGPUB 20190379699) in view of Bellis et al (US PGPUB 20200401704) and in further view of Antonatos et al (US PGPUB 20180025179). 

As per claim 1:
Katragadda teaches:
“A method” (Paragraph [0007] (a method for detecting vulnerabilities))
 “by a processor, for providing intelligent data security in a computing environment, comprising” (Paragraph [0026] and Paragraph [0089] (uses self-learning intelligent systems consisting processor with the ability to detect, defend and alert threats in the computational environment)) 
“identifying one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data))
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protecting selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY discloses: predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified. 
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).
Also, Antonatos teaches:
“by applying one or more data protection policies or rules, wherein the selected data is de-identified” (Paragraph [0002] (privacy regulations, such as the EU Data Privacy Act and the US HIPAA guidelines, person-specific data have to be properly de-identified before being shared with third parties)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Katragadda, Bellis and Antonatos for “predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified” as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]) and it causes the system to automatically identify and protect privacy vulnerabilities in a plurality of data streams of data records (Antonatos, Paragraph [0007]).  
Therefore, it would have been obvious to combine Katragadda, Bellis  and Antonatos.

As per claim 2:
Katragadda, Bellis and Antonatos teach the method as specified in the parent claim 1 above. 
Bellis further teaches:
“further including ranking the one or more data vulnerabilities according to a degree of importance” (Paragraph [0045] (determining values for such a feature may involve sorting and/or ranking vulnerabilities according to one or more of the numeric features)).

As per claim 3:
Katragadda, Bellis and Antonatos teach the method as specified in the parent claim 1 above. 
Katragadda further teaches:
“further including matching the one or more data vulnerabilities with the one or more data protection policies or rules” (Paragraph [0139] (the map client engine of the external malware analysis engine are configured to detect unknown vulnerabilities using dynamic behavior analysis and the rule engine to evaluate the behavior from the new transaction and use the analysis from the map behavior file engine to validate the transaction against past behavior models so to decide whether new transaction is malware or vulnerable)).

As per claim 4:
Katragadda, Bellis and Antonatos teach the method as specified in the parent claim 1 above. 
Katragadda further teaches:
“further including defining one or more eligible data compliance formats for protecting selected data using the one or more data protection policies or rules” (Paragraph [0093] and Paragraph [0138] (payload as used generally refers to user specific data in a previously established format, the valid message payload having a header may be converted into a data file, so that the external malware analysis engine may interpret the data file)).

As per claim 5:
Katragadda, Bellis and Antonatos teach the method as specified in the parent claim 1 above.
Bellis further teaches:
“further including providing a list of the selected data having potential data vulnerabilities, wherein the list of the selected data is ranked according to a degree of importance” (Paragraph [0044] and Paragraph [0045] (prevalence feature indicates a number of references, in a particular database, to a particular vulnerability and determining values for such a feature may involve sorting and/or ranking vulnerabilities)).

As per claim 6:
Katragadda, Bellis and Antonatos teach the method as specified in the parent claim 1 above.
Katragadda further teaches:
“further including generating a set of actionable and non-actionable data protection policies using a data protection vulnerability model” (Paragraph [0127] and Paragraph [0139] (the action engine may be configured to execute the decision signal as well as to make a decision on whether to generate a plurality of alerts to the client environment and validate the transaction against past behavior models so to decide whether new transaction is malware)).

As per claim 8:
Katragadda teaches:
“A system providing intelligent data security in a computing environment, comprising” (Paragraph [0010] (a system of enforcing privacy policy regulations in a computational environment))
 “one or more computers with executable instructions that when executed cause the system to” (Paragraph [0143] (the system is configured to execute and enforce a plurality of data traceability from an integrated system across a browser, a session, a webserver, or the plurality of first databases configured with a personal identifiable information)) 
“identify one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data)) 
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protect selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY discloses: predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified. 
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).. 
Also, Antonatos teaches:
“by applying one or more data protection policies or rules, wherein the selected data is de-identified” (Paragraph [0002] (privacy regulations, such as the EU Data Privacy Act and the US HIPAA guidelines, person-specific data have to be properly de-identified before being shared with third parties)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Katragadda, Bellis and Antonatos for “predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified” as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]) and it causes the system to automatically identify and protect privacy vulnerabilities in a plurality of data streams of data records (Antonatos, Paragraph [0007]).  
Therefore, it would have been obvious to combine Katragadda, Bellis  and Antonatos.

As per claim 9, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 2 above.

As per claim 10, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 3 above.

As per claim 11, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 4 above.

As per claim 12, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 5 above.

As per claim 13, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 6 above.

As per claim 15:
Katragadda teaches:
“an executable portion that identifies one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data)) 
 “and an executable portion that protects selected data having the one or more data vulnerabilities” (Paragraph [0134] (configured to scan data so to gather information from selected data to protect and predict an attack along with vulnerabilities))
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protect selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY discloses: A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising; predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified. 
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).
Also, Antonatos teaches:
“A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising” (Paragraph [0008] (a computer program product including software instructions on a non-transitory computer-readable medium, where execution of the software instructions using a computer causes the computer to automatically identify and protect privacy vulnerabilities in a plurality))
“by applying one or more data protection policies or rules, wherein the selected data is de-identified” (Paragraph [0002] (privacy regulations, such as the EU Data Privacy Act and the US HIPAA guidelines, person-specific data have to be properly de-identified before being shared with third parties)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Katragadda, Bellis and Antonatos for “A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising; predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified” as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]) and it causes the system to automatically identify and protect privacy vulnerabilities in a plurality of data streams of data records (Antonatos, Paragraph [0007]).  
Therefore, it would have been obvious to combine Katragadda, Bellis  and Antonatos.

As per claim 16, the claim is rejected based upon the same rationale given for the parent claim 15 and the claims 2 and 3 above.

As per claim 17, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 4 above.

As per claim 18, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 5 above.

As per claim 19, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 6 above.
Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Chari et al, (US PGPUB 20170193239), Log(s) of IT events are accessed in a distributed system that includes a distributed application. The distributed system includes multiple data objects. The distributed application uses, processes, or otherwise accesses one or more of data objects. The IT events are correlated with a selected set of the data objects. Risks are estimated to the selected set of data objects based on the information technology events. Estimating risks uses at least ranks of compliance rules as these rules apply to the data objects in the system, and vulnerability scores of systems corresponding to the set of data objects and information technology events.
Wang et al, (US PGPUB 20200211120), systems and methods for monitoring insurance claims include identifying, based on predetermined monitoring frequency, insurance claims identified for vulnerability detection processing. Vulnerability detection features may be extracted from data files of the claims, which provide an indication of claim handling deficiencies that can cause claim leakage. A trained vulnerability detection data model can be used to detect claim handling vulnerabilities within the extracted vulnerability detection features where each of the vulnerabilities may include a likelihood of the vulnerability resulting in claim leakage. The vulnerability detection data model may be trained with a data set customized to a respective insurance provider for each claim.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAMAL K DEWAN whose telephone number is (571)272-2196.  The examiner can normally be reached on Mon-Fri 8:00 AM – 5:00 PM (EST).  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONY MAHMOUDI can be reached on 571-272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Kamal K Dewan/
Examiner, Art Unit 2163


/TONY MAHMOUDI/Supervisory Patent Examiner, Art Unit 2163