DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 10/01/2019.
Status of claims in the instant application:
Claims 1-20 are pending.
Priority
The instant application claims priority benefit of “62/739,832 filed on 10/01/2018”.
Information Disclosure Statement
No Information Disclosure Statement (IDS) has been filed by the Applicant. Applicant is reminded that per “MPEP § 2011: Duty of Disclosure, Candor, and Good Faith” Applicant has the responsibility to disclose information material to patentability. It’s noted that:
(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is cancelled or withdrawn from consideration, or the application becomes abandoned. §§ 1.97(b)-(d) and 1.98. However, no patent will be granted on an application in connection with which fraud on the Office was practiced or attempted or the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine:
(1) Prior art cited in search reports of a foreign patent office in a counterpart application, and
(2) The closest information over which individuals associated with the filing or prosecution of a patent application believe any pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office.
(c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section are:
(1) Each inventor named in the application;
(2) Each attorney or agent who prepares or prosecutes the application; and
(3) Every other person who is substantively involved in the preparation or prosecution of the application and who is associated with the inventor, the applicant, an assignee, or anyone to whom there is an obligation to assign the application.

(e) In any continuation-in-part application, the duty under this section includes the duty to disclose to the Office all information known to the person to be material to patentability, as defined in paragraph (b) of this section, which became available between the filing date of the prior application and the national or PCT international filing date of the continuation-in-part application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 6, 7, 8, 9, 10, 11, 12, 17 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0359272 A1 to Mizrachi et al. (hereinafter “Mizrachi”) in view of Pub. No.: US 2011/0022642 A1 to deMilo et al. (hereinafter “deMilo”).
Regarding Claim 1. Mizrachi discloses A system (Mizrachi, FIG. 1, Para [0044]: … FIG. 1 is a system diagram of an exemplary arrangement 100 for a next-generation enhanced comprehensive cybersecurity platform, according to an aspect …) comprising:
one or more processors (Mizrachi, Para [0008, 0049, 0074]: … processor 13 …);
Mizrachi, Para [0008, 0049]: … FIG. 11 is a block diagram of an exemplary network endpoint 1100, according to one aspect. A network endpoint 1100, such as (for example, including but not limited to) a mobile device or IoT sensor, may operate a NGEPP agent 108a-n to perform host-based intrusion prevention and detection by monitoring files and processes 1101a-n operating on the processor 13 or stored in the memory 11 of the endpoint device 1100 …) to:
capture, via a security client that resides on an enterprise device, datum metadata associated with a data operation initiated by the enterprise device (Mizrachi, abstract, Para [0008, 0059]: … FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. According to the aspect, in an initial step 1001 an NGEPP software agent 108a-n may collect operating system metadata (such as vendor, version, or other such details) for the operating system of the endpoint device on which it is operating. When an activity request is captured 1002 such as an attempt to open a file or perform an action, a snapshot of the request information may be sent 1003 to a UEBA server 102 along with the previously-collected OS metadata …), the data operation being associated with a data item stored within a data repository server of an enterprise network (Mizrachi, Para [0046]: … FIG. 2 is a diagram illustrating the function of a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may be used to provide an enhanced security information and event management (SIEM) solution, detecting malicious and abusive activity that might otherwise go unnoticed as well as consolidating and prioritizing security alerts from connected systems. UEBA server 102 may connect to a plurality of corporate systems 211 such as security systems (for example, firewalls, intrusion detection applications, user access logging, or other security-focused internal systems) as well as a plurality of data stores 212 such as databases, cloud-hosted repositories, or other data storage sources. UEBA server 102 may also be connected to a plurality of endpoints 201 that may each operate a NGEPP software agent (as described previously), as well as a plurality of internal applications 202 such as cloud-based, mobile, or other internal applications for users within the enterprise …);
analyze the datum metadata to determine whether the data operation is associated with a cybersecurity threat (Mizrachi, Para [0008, 0059]: … Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed, and the UEBA server 102 directs the NGEPP software agent 108a-n to handle the activity accordingly 1006 … FIG. 12 is a flow diagram of an exemplary method 1200 for threat prevention, according to one aspect. Vulnerability management is used to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Implementing effective vulnerability or patch management tools can significantly reduce potential attack surface, keeping users safe from data breaches and theft. According to the aspect, a vulnerability management method 1200 may comprise the steps of first 1201 discovering existing vulnerabilities using any of a number of cloud-based reputation services rather than a single vulnerability database, and then 1202 analyzing vulnerabilities and ranking them 1203 according to potential threat level …);
determine whether to facilitate an execution of the data operation, based at least in part on analysis of the datum metadata (Mizrachi, Para [0059]: … Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed, and the UEBA server 102 directs the NGEPP software agent 108a-n to handle the activity accordingly 1006 …); and
However, Mizrachi does not explicitly teach, but deMilo from same or similar field of endeavor teaches, “generate a response protocol for delivery to a global key server, based at least in part on determining whether to facilitate the execution of the data operation (deMilo, Para [0021-0024]; FIG. 1, 5: … In one embodiment, a user interacts with the application 122 to access a tenant application 144 hosted by the storage broker 140. The storage broker 140 may provide a software application, e.g., a combination of an application server, a web server, and a database. As shown, the storage broker 140 hosts both a file upload tenant 148 and a file download tenant 150. In this example, assume that the file upload tenant 148 allows a user to attach the file 112 to a service request submitted to a computer hardware vendor (e.g., a configuration file associated with the user's computer hardware). And assume that the file download tenant 150 allows a user of the enterprise system 160 to access the file from the cloud storage service 130 and the associated file metadata as part of processing the service request. In such a case, the user may access the file upload tenant 148 to upload the file 112 to the cloud storage service 130. Once uploaded, the cloud storage service 130 may store the file 112 on a block storage device 132 (or some other form of physical storage) … the file upload tenant 148 may be configured to generate a user interface (e.g., a web page) rendered by the application 122 on client system 102. Such an interface allows the user to specify the file metadata 114 to associate with the file 112. Further, the file upload tenant 148 may provide a network link (e.g., a URL) used to upload the file 112 to the cloud storage service 130. The particular cloud service 130 may be specified as part of the configuration of the file upload tenant 140. Alternatively, the cloud service 130 may be determined dynamically using policies 142.
For example, the file metadata 114 specified by the user may indicate a particular file type being uploaded, and the file upload tenant may select what cloud storage service 130 to send the file based on the file metadata 114. The application 122 may send the file metadata 114 to the storage broker 140, which in turn, stores the file metadata 114 in the enterprise database 180 (shown in FIG. 1 as file metadata 182) … Further, the particular policy 142 for the file upload tenant 148 may require that the file 114 be encrypted prior to being uploaded to the cloud storage service 130. Accordingly, in one embodiment, the storage broker 140 and file upload tenant 148 may be configured to communicate with the key service 170 to obtain an encryption key to supply with the user interface provided to the client application 122. The encryption key may be a symmetric key (i.e., a single key which both encrypts and decrypts the file 112) or an asymmetric key (i.e., a public key of a public/private key pair). The keys used to encrypt such files (or the private key of a key pair) may be stored in the key database 175. This approach allows each file updated to the cloud storage service 130 to be encrypted using a distinct key (or key pair), while allowing the enterprise to maintain the security of the key service 170 and key database 170 …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of deMilo into the teachings of Mizrachi, because it discloses that “each file updated to the cloud storage service 130 to be encrypted using a distinct key (or key pair), while allowing the enterprise to maintain the security of the key service 170 and key database 170 (deMilo, Para [0023])”, and that “a storage broker may provide real time service negotiation and dynamic cloud storage management for multiple tenant applications registered with the broker. A file upload tenant may be configured to generate a user interface that allows a user to specify metadata to associate with a file along with a link to a cloud storage service to which the file is uploaded. A link to the file and the metadata may be stored in an enterprise database. Thus, the user interface allows the user to transfer files to a cloud storage service suitable for the needs of a particular case, as well as allows the enterprise to receive any number of metadata attributes describing the contents of the file stored by the cloud service. That is, the tenant application may collect and store the metadata attributes (along with a reference to the file stored in the cloud) in an enterprise database, while the file itself may be transmitted to the cloud storage service directly (deMilo, Para [0048])”.
Regarding Claim 5. The combination of Mizrachi and deMilo discloses the system of claim 1. Mizrachi further discloses, “wherein the one or more modules are further executable by the one or more processors (Mizrachi, Para [0007, 0043]: … a user entity behavior analytics server comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to … Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process) to:
retrieve a set of heuristic behavior curves and a dataset of known cybersecurity threats (Mizrachi, Para [0047, 0068]: … UEBA server 102 may use information from these various connected systems and resources to rapidly detect and analyze malicious or abusive behavior, by recognizing known behavior and information patterns that may identify an activity as “safe” or “unsafe” (for example, known malicious file signatures, or known routine user behaviors). User activities may be monitored and evaluated beyond an initial login, and include user movements, access to organizational assets and the contexts within which access occurs. Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time. This tracking and organization may then be used to correlate user and other entity activities and behaviors, enabling the detection of anomalies using statistical models and machine learning … as systems age they may continue using older operating systems to maintain compatibility without risking exposure to security vulnerabilities due to lack of official support. Global threat intelligence 2004 may be utilized to establish application reputation and automatically apply security policies in real-time at any level of granularity, as well as to protect applications against known vulnerabilities and maintain granular policies over time …); and
generate, via one or more trained machine-learning algorithms, a data model to infer whether the cybersecurity threat impacts the enterprise network (Mizrachi, Para [0051-0054]: … FIG. 3 is a flow diagram of an exemplary method 300 for using a UEBA server 102 to provide enhanced SIEM, according to an aspect. In an initial step 301, a UEBA server 102 may connect to a number of systems and resources such as (for example, including but not limited to) databases, security systems, user directories, or other enterprise resources. In a next step 302, UEBA server 102 may further connect to a plurality of network endpoints such as user devices or enterprise applications. While connected to endpoints and resources, UEBA server 102 may then monitor and analyze user behavior 303 through the connections, forming peer groups 304 and correlating user activity using machine learning 305 to expose anomalies … User behavior may then be observed 502 as users interact with and move between these endpoints, allowing UEBA server 102 to use machine learning to profile user activity 503 and form a baseline of what may constitute “normal” activity for any given user or user group. Behavior may then be used to correlate and group users into peer groups 504, or logical groupings of users with similar behavior profiles (that may or may not have any real association in the physical world or in a user directory), and these peer groups may be similarly profiled and baselined 505. These behavior profiles and baselines may then be used to identify anomalous behavior 506 as it occurs, for example by using machine learning to compare behavior to statistical models based on the known baselines for the involved parties (individual users, user groups, or peer groups) …), and
wherein, to analyze the datum metadata includes correlating the datum metadata with data points of the data model (Mizrachi, Para [0047-0048]: … Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time. This tracking and organization may then be used to correlate user and other entity activities and behaviors, enabling the detection of anomalies using statistical models and machine learning …).”
Regarding Claim 6. The combination of Mizrachi and deMilo discloses the system of claim 1. Mizrachi further discloses, “wherein the one or more modules are further executable by the one or more processors (Mizrachi, Para [0007, 0043]: … a user entity behavior analytics server comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to … Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process) to:
determine whether the datum metadata includes a plurality of data operations which are functionally related to the data item, the plurality of data operations including at least an Application Programming Interface (API) call and a system call (Mizrachi, Para [0065]: … FIG. 16 is a flow diagram of an exemplary method 1600 for threat remediation, according to one aspect. During execution of an attack, malware often creates, modifies, or deletes system file or registry resources, or changes configuration settings. To handle these effects of an attack, a NGEPP agent 108a-n may first detect a change 1601, and then as part of a remediation process log the changes 1602 and send 1603 the log information to a remediation server 105 for use in analyzing the threat. When remediation instructions are received 1604, part of a remediation process then includes reversing the changes performed by the threat 1605, returning any files or resources to their original state …); and
in response to the datum metadata including the plurality of data operations which are functionally related to the data item, determine whether a consensus exists between the plurality of data operations (Mizrachi, Para [0050]: … FIG. 18 is a block diagram of a network endpoint 1100 showing a plurality of endpoint protection engines 1801a-n, according to one aspect. According to the aspect, a plurality of endpoint protection engines 1801a-n may operate on a network endpoint 1100 to provide a number of protection modes for the endpoint as well as to provide advanced functionality through interaction between individual protection engines or endpoints. For example, an applications control engine may be used to protect against zero-day malware or prevent unauthorized apps from running or performing restricted operations on an endpoint 1100, such as accessing device information to which an app shouldn't have access, while a traffic control engine may be used to protect against zero-day vulnerabilities or exploits such as those that might malicious activities on the endpoint or network such as sending malicious network packets, performing denial-of-service (DOS) attacks, or any other malicious activities. A malicious process engine may be used to provide global threat and reputation intelligence, for example through coordination with other protected network endpoints 1100 or a remote or cloud-based threat intelligence service such as one that may be provided by a UEBA server 102. A runtime behavior analytics engine may be used to protect against ransomware, for example by identifying and halting malicious processes, preventing an initial attack vector for ransomware by preventing the process from taking device functionality or information hostage for exploitation …), and
wherein to analyze the datum metadata further includes determining the consensus between the plurality of data operations (Mizrachi, Para [0066]: FIG. 17 is a flow diagram of an exemplary method 1700 for threat forensics, according to one aspect. A NGEPP agent 108a-n may be used to provide real-time forensics after an attack (whether successful or not), to provide clear and timely visibility into malicious activity that may have taken place on an endpoint. According to the aspect, when an attack occurs 1701, a NGEPP agent 108a-n may log the details of the attack 1702 such as the threat level and any changes made (as described previously, referring to FIGS. 12 and 16). This may then be compared against logs of running processes and open files 1703 to determine what changes took place and what the potential impact may be of a particular attack 1704, to form a report that may then be provided to administrators via the network or optionally via a reporting view in an administration interface 1705).”
Regarding Claim 7. The combination of Mizrachi and deMilo discloses the system of claim 1. deMilo further discloses, “wherein the data item is stored within the data repository server as an encrypted data item (deMilo, Para [0023]: Further, the particular policy 142 for the file upload tenant 148 may require that the file 114 be encrypted prior to being uploaded to the cloud storage service 130), and
wherein to generate the response protocol further includes generating computer-executable instructions that instruct the global key server to provide the enterprise device with a cryptographic key to decrypt the encrypted data item, based at least in part on a determination to facilitate the execution of the data operation (deMilo, Para [0046]: … FIG. 6 illustrates a method 600 for retrieving a file stored by a cloud service along with metadata related to the file not stored by the cloud service, according to one embodiment. As shown, the method 600 begins at step 605 where a user requests to access to both a file stored by a cloud service and metadata associated with the file. Again, returning to the example of the computer hardware vendor, support personnel may be tasked with resolving service requests submitted by customers using the file upload tenant described relative to the FIG. 1 and FIG. 5. In such a case, the support personnel may be provided with a ticket review application (e.g., the TR application 167 described relative to FIG. 1). Further, in one embodiment, the ticket review application may access a file download tenant registered with the storage broker. Alternatively, the ticket review application may retrieve a service request, file metadata, and a link to a corresponding file stored by the cloud service. In either case, at step 610, the ticket review application (or download tenant) retrieves metadata associated the requested file, including a link (e.g., a URL) used to retrieve the file from the cloud storage service. If the file has been encrypted prior to being stored with the cloud service, then at step 615, the keys needed to decrypt the file are retrieved from the key service …).”
The motivation to further combine deMilo remains the same as in claim 1.
Regarding Claim 8. The combination of Mizrachi and deMilo discloses the system of claim 1. deMilo further discloses, “wherein the data item is stored within the data repository server as an encrypted data item (deMilo, Para [0023]: Further, the particular policy 142 for the file upload tenant 148 may require that the file 114 be encrypted prior to being uploaded to the cloud storage service 130), and
wherein to generate the response protocol further includes generating computer-executable instructions that instruct the global key server to alter access privileges associated with one of the data item or enterprise device, based at least in part on a determination to withhold facilitating the execution of the data operation (deMilo, Para [0014]: … the cloud storage policy router may select a cloud storage service based on the requirements for storage submitted with a file. For example, the requirements may allow an enterprise to specify any geopolitical, business, or regulatory requirements associated with storing data files faced by a given enterprise. For instance, the United States Patriot Act has resulted in some non-US localities to pass legislation forbidding data storage within the United States. (See, e.g., British Columbia, Freedom of Information and Protection of Privacy Act "FOIPPA," Oct. 21, 2004). In such a case, the cloud storage policy router may enforce a policy that prevents data files from being stored in a particular jurisdiction. Alternatively, the cloud storage policy router may enforce a requirement that data files remain stored within a particular jurisdiction. Similarly, the policy may allow an enterprise to specify a variety of other business or regulatory processes related to where data records are stored and how they may be accessed. Examples of how files may need to be stored include encryption requirements, audit, and file storage metadata requirements, etc. Examples of regulatory requirements include HIPPA (healthcare privacy), PCI (card transaction security), Gramm-Leach-Bliley (financial consumer privacy). Examples of business processes include internal information security restrictions (e.g., a requirement to encrypt files based on a particular data classification) or data retention requirements (i.e., how long a file should be stored with the cloud storage service before being purged) …).”
The motivation to further combine deMilo remains the same as in claim 1.
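As an added illustration (not code from the application, from Mizrachi or from deMilo), the following Python sketches the pipeline the claim 1 rejection maps onto together with the two key-server outcomes cited for claims 7 and 8: a security client's snapshot of a data operation is compared against policy rules and a per-user baseline, and the decision becomes either a key-release instruction for the device or a privilege change plus an administrator message with permit/terminate options. Every field name, rule threshold and sample value below is an assumption constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DatumMetadata:
    """Snapshot a security client captures for one data operation (constructed fields)."""
    operation: str            # create / read / update / delete
    item_id: str              # data item held by the enterprise repository server
    user_id: str
    device_id: str
    geolocation: str          # country code of the device when the operation was initiated
    network_segment: str      # enterprise segment the device initiated from
    os_metadata: Dict[str, str] = field(default_factory=dict)  # e.g. vendor / version


@dataclass
class PolicyRules:
    """Hypothetical rule set the analysis server compares each snapshot against."""
    allowed_segments: Set[str]
    allowed_regions: Set[str]
    item_classification: Dict[str, str]    # item_id -> classification label
    user_clearance: Dict[str, Set[str]]    # user_id -> labels the user may touch
    baseline_ops_per_hour: Dict[str, int]  # learned "normal" rate per user
    anomaly_factor: float = 3.0            # above baseline * factor counts as anomalous


def analyze(md: DatumMetadata, rules: PolicyRules, ops_last_hour: int) -> List[str]:
    """Return the policy violations for a snapshot; an empty list means 'safe'."""
    violations: List[str] = []
    if md.network_segment not in rules.allowed_segments:
        violations.append(f"segment {md.network_segment} not permitted")
    if md.geolocation not in rules.allowed_regions:
        violations.append(f"region {md.geolocation} not permitted")
    label = rules.item_classification.get(md.item_id, "internal")
    if label not in rules.user_clearance.get(md.user_id, set()):
        violations.append(f"user {md.user_id} lacks clearance for {label} item")
    baseline = rules.baseline_ops_per_hour.get(md.user_id, 1)
    if ops_last_hour > baseline * rules.anomaly_factor:
        violations.append(f"{ops_last_hour} ops/hour exceeds baseline {baseline}")
    if md.operation == "delete" and label == "confidential":
        violations.append("delete of confidential item needs administrator review")
    return violations


def response_protocol(md: DatumMetadata, violations: List[str]) -> dict:
    """Instructions for the key server; on a block, also the administrator message."""
    if not violations:
        # Facilitate: tell the key server to hand the device a short-lived decryption key.
        return {"target": "global_key_server", "action": "release_key",
                "item_id": md.item_id, "device_id": md.device_id, "key_ttl_seconds": 300}
    # Withhold: no key, narrow privileges on the device (network/location problems)
    # or on the item (clearance/anomaly problems), and let an administrator decide.
    device_scope = any(v.startswith(("segment", "region")) for v in violations)
    return {"target": "global_key_server", "action": "alter_privileges",
            "scope": "device" if device_scope else "item",
            "item_id": md.item_id, "device_id": md.device_id, "reasons": violations,
            "admin_message": {"user_id": md.user_id, "operation": md.operation,
                              "options": ["permit_execution", "terminate_execution"]}}


def handle_data_operation(md: DatumMetadata, rules: PolicyRules, ops_last_hour: int) -> dict:
    """Full path: capture -> analyze -> decide -> response protocol."""
    return response_protocol(md, analyze(md, rules, ops_last_hour))


# Constructed sample policy and constructed snapshots.
RULES = PolicyRules(
    allowed_segments={"hq-lan", "corp-vpn"},
    allowed_regions={"US", "CA"},
    item_classification={"doc-1001": "confidential", "doc-1002": "internal"},
    user_clearance={"alice": {"internal", "confidential"}, "bob": {"internal"}},
    baseline_ops_per_hour={"alice": 10, "bob": 5},
)
SAFE_READ = DatumMetadata("read", "doc-1002", "bob", "dev-7", "US", "hq-lan",
                          {"vendor": "ExampleOS", "version": "1.0"})
OVERREACH_READ = DatumMetadata("read", "doc-1001", "bob", "dev-7", "US", "hq-lan")
OFFSITE_DELETE = DatumMetadata("delete", "doc-1001", "bob", "dev-9", "ZZ", "guest-wifi")

if __name__ == "__main__":
    print(handle_data_operation(SAFE_READ, RULES, ops_last_hour=4))
    print(handle_data_operation(OVERREACH_READ, RULES, ops_last_hour=2))
    print(handle_data_operation(OFFSITE_DELETE, RULES, ops_last_hour=40))
```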
Regarding Claim 9. The combination of Mizrachi and deMilo discloses the system of claim 1. Mizrachi further discloses, “wherein the one or more modules are further executable by the one or more processors (Mizrachi, Para [0007, 0043]: … a user entity behavior analytics server comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to … Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process) to:
generate a message for delivery to an administrator of the enterprise network, based at least in part on a determination to withhold facilitating the execution of the data operation, the message further including selectable options to permit execution of the data operation or terminate execution of the data operation (Mizrachi, Para [0057]: … An endpoint inventory 815 may be used to index the hardware and software of endpoints for easier management, and endpoint statistics 816 may show counts for recorded sessions, account logins, or other activities both per-endpoint and per-user within a particular endpoint. Integration with a lightweight directory access protocol (LDAP) system 817 may be used to integrate with an existing user directory, quickly incorporating existing user account information and organizational structure as well as authorization and authentication information from an existing LDAP setup. Out-of-policy alerts 818 may be produced when a user or endpoint violates a policy rule, such as an unauthorized configuration or activity. User behavior may be logged and used to form a baseline 819 of normal activity that may then be used to identify anomalous activity (as described previously, referring to FIGS. 3-5). A block message 820 may be used to block out a device or application when a policy is violated, preventing further unauthorized activity, or a popup message 821 may be used to display an indicator on-screen without impacting activity (for example, for lesser violations or warnings). For severe violations, an email alert 822 may be triggered and sent to an administrator to notify them of the out-of-policy violation …).”
Regarding Claim 10. The combination of Mizrachi and deMilo discloses the system of claim 1. Mizrachi further discloses, “wherein the data operation comprises a request to create, read, update or delete the data item stored within the data repository server (Mizrachi, Para [0065]: FIG. 16 is a flow diagram of an exemplary method 1600 for threat remediation, according to one aspect. During execution of an attack, malware often creates, modifies, or deletes system file or registry resources, or changes configuration settings …), and
wherein, the data item comprises a multimedia stream, control messages, signal data, a data file, a data object, or an access privilege associated with the data item or the data object (Mizrachi, Para [0054]: … FIG. 6 is a block diagram of an exemplary logical arrangement of administration functions 610 provided by a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may provide a number of administration functions 610 for security personnel to use when handling threats, including multiple administrator privilege roles 612 such as (for example) read-only administration or full administration, to enable fine-grained control over who can perform what operations. For example, a read-only administrator may be able to view threat reports and security logs, but cannot make policy or directory changes directly (which must then be performed by a full administrator), enabling a hierarchy of administration for more efficient response management. A universal threat dashboard 611 may be provided, to present a unified view for all connected components and systems and their respective alerts and status for easy viewing by personnel. Endpoint grouping and sub-grouping 613 may be used to form groups of security endpoints such as (for example, including but not limited to) enterprise applications, user devices, or internal resources such as servers or databases. This enables grouping of endpoints in a manner similar to peer grouping for users, to enhance machine learning and other operations of UEBA server 102 …)”.
Regarding Claim 11. The combination of Mizrachi and deMilo discloses the system of claim 1. Mizrachi further discloses, “wherein the datum metadata includes at least one of information describing the data operation, a user identifier associated with a user interacting with the enterprise device, a geolocation of the enterprise device at a point in time that the data operation is initiated (Mizrachi, Para [0070]: … FIG. 22 is a block diagram of an exemplary system 2200 for endpoint management, according to one aspect. According to the aspect, endpoint management may comprise a number of features, including but not limited to asset management 2201, vulnerability management 2202, organization mapping 2203, multi-tenancy 2204, and a cloud-based management platform 2205. Asset management 2201 may provide an organization with full visibility and control including, for example, individual endpoint status, application status such as applications currently running on one or more endpoints or applications that have been identified as malicious, user or location information, as well as the ability to apply policies at a granular level throughout the organization. Vulnerability management 2202 may be used to provide information about the state of an organization's security, for example by identifying and prioritizing risks across the organization to enable administrators to discover vulnerabilities without relying on performance-impacting threat scanners. Organization mapping 2203 may be used to produce graphical maps and visualizations for an organization, including infrastructure nodes, network endpoints, regions, locations, departments, or other organizational methods (for example, non-hierarchical organizational models) …), or a network segment identifier of the enterprise network from which the enterprise device initiated the data operation.”
Regarding Claim 12. Mizrachin discloses A computer-implemented method (Mizrachin, Para [0008, 0049, 0074], FIGs. 10, 18: a method for malware detection and mitigation using a next-generation enhanced comprehensive cybersecurity platform), comprising:
under control of one or more processors (Mizrachin, Para [0008, 0049, 0074]: … a method for malware detection and mitigation using a next-generation enhanced comprehensive cybersecurity platform, comprising the steps of: collecting, at a next-generation endpoint protection software agent comprising at least another processor, another memory, and another plurality of programming instructions stored in the another memory, metadata based at least in part on an operating system operating on the another processor …):
(Mizrachin, abstract, Para [0008, 0059]: … FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. According to the aspect, in an initial step 1001 an NGEPP software agent 108a-n may collect operating system metadata (such as vendor, version, or other such details) for the operating system of the endpoint device on which it is operating. When an activity request is captured 1002 such as an attempt to open a file or perform an action, a snapshot of the request information may be sent 1003 to a UEBA server 102 along with the previously-collected OS metadata …), the data operation being associated with a data item stored within a data repository server of an enterprise network (Mizrachin, Para [0046]: … FIG. 2 is a diagram illustrating the function of a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may be used to provide an enhanced security information and event management (SIEM) solution, detecting malicious and abusive activity that might otherwise go unnoticed as well as consolidating and prioritizing security alerts from connected systems. UEBA server 102 may connect to a plurality of corporate systems 211 such as security systems (for example, firewalls, intrusion detection applications, user access logging, or other security-focused internal systems) as well as a plurality of data stores 212 such as databases, cloud-hosted repositories, or other data storage sources. UEBA server 102 may also be connected to a plurality of endpoints 201 that may each operate a NGEPP software agent (as described previously), as well as a plurality of internal applications 202 such as cloud-based, mobile, or other internal applications for users within the enterprise …);
analyzing, via one or more trained machine-learning algorithms, the datum metadata relative to a dataset of known cybersecurity threats (Mizrachin, Para [0008, 0051-0054, 0059]: … Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed … FIG. 3 is a flow diagram of an exemplary method 300 for using a UEBA server 102 to provide enhanced SIEM, according to an aspect. In an initial step 301, a UEBA server 102 may connect to a number of systems and resources such as (for example, including but not limited to) databases, security systems, user directories, or other enterprise resources. In a next step 302, UEBA server 102 may further connect to a plurality of network endpoints such as user devices or enterprise applications. While connected to endpoints and resources, UEBA server 102 may then monitor and analyze user behavior 303 through the connections, forming peer groups 304 and correlating user activity using machine learning 305 to expose anomalies … These behavior profiles and baselines may then be used to identify anomalous behavior 506 as it occurs, for example by using machine learning to compare behavior to statistical models based on the known baselines for the involved parties (individual users, user groups, or peer groups) … FIG. 12 is a flow diagram of an exemplary method 1200 for threat prevention, according to one aspect. Vulnerability management is used to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Implementing effective vulnerability or patch management tools can significantly reduce potential attack surface, keeping users safe from data breaches and theft. According to the aspect, a vulnerability management method 1200 may comprise the steps of first 1201 discovering existing vulnerabilities using any of a number of cloud-based reputation services rather than a single vulnerability database, and then 1202 analyzing vulnerabilities and ranking them 1203 according to potential threat level …);
determining whether to facilitate execution of the data operation based at least in part on analysis of the datum metadata (Mizrachin, Para [0059]: … Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed, and the UEBA server 102 directs the NGEPP software agent 108a-n to handle the activity accordingly 1006 …); and
However, Mizrachin does not explicitly teach, but deMilo from same or similar field of endeavor teaches, “in response to determining that the data operation constitutes a cybersecurity threat, generating a response protocol for delivery to a global key server (deMilo, Para [0021-0024]; FIG. 1, 5: … In one embodiment, a user interacts with the application 122 to access a tenant application 144 hosted by the storage broker 140. The storage broker 140 may provide a software application, e.g., a combination of an application server, a web server, and a database. As shown, the storage broker 140 hosts both a file upload tenant 148 and a file download tenant 150. In this example, assume that the file upload tenant 148 allows a user to attach the file 112 to a service request submitted to a computer hardware vendor (e.g., a configuration file associated with the user's computer hardware). And assume that the file download tenant 150 allows a user of the enterprise system 160 to access the file from the cloud storage service 130 and the associated file metadata as part of processing the service request. In such a case, the user may access the file upload tenant 148 to upload the file 112 to the cloud storage service 130. Once uploaded, the cloud storage service 130 may store the file 112 on a block storage device 132 (or some other form of physical storage) … the file upload tenant 148 may be configured to generate a user interface (e.g., a web page) rendered by the application 122 on client system 102. Such an interface allows the user to specify the file metadata 114 to associate with the file 112. Further, the file upload tenant 148 may provide a network link (e.g., a URL) used to upload the file 112 to the cloud storage service 130. The particular cloud service 130 may be specified as part of the configuration of the file upload tenant 140. Alternatively, the cloud service 130 may be determined dynamically using policies 142. For example, the file metadata 114 specified by the user may indicate a particular file type being uploaded, and the file upload tenant may select what cloud storage service 130 to send the file based on the file metadata 114. The application 122 may send the file metadata 114 to the storage broker 140, which in turn, stores the file metadata 114 in the enterprise database 180 (shown in FIG. 1 as file metadata 182) … Further, the particular policy 142 for the file upload tenant 148 may require that the file 114 be encrypted prior to being uploaded to the cloud storage service 130. Accordingly, in one embodiment, the storage broker 140 and file upload tenant 148 may be configured to communicate with the key service 170 to obtain an encryption key to supply with the user interface provided to the client application 122. The encryption key may be a symmetric key (i.e., a single key which both encrypts and decrypts the file 112) or an asymmetric key (i.e., a public key of a public/private key pair). The keys used to encrypt such files (or the private key of a key pair) may be stored in the key database 175. This approach allows each file updated to the cloud storage service 130 to be encrypted using a distinct key (or key pair), while allowing the enterprise to maintain the security of the key service 170 and key database 170 …), the response protocol to modify an access privilege associated with the data item that restricts access of the enterprise device to the data item (deMilo, Para [0014]: … the cloud storage policy router may select a cloud storage service based on the requirements for storage submitted with a file. For example, the requirements may allow an enterprise to specify any geopolitical, business, or regulatory requirements associated with storing data files faced by a given enterprise. For instance, the United States Patriot Act has resulted in some non-US localities to pass legislation forbidding data storage within the United States. (See, e.g., British Columbia, Freedom of Information and Protection of Privacy Act "FOIPPA," Oct. 21, 2004). In such a case, the cloud storage policy router may enforce a policy that prevents data files from being stored in a particular jurisdiction. Alternatively, the cloud storage policy router may enforce a requirement that data files remain stored within a particular jurisdiction. Similarly, the policy may allow an enterprise to specify a variety of other business or regulatory processes related to where data records are stored and how they may be accessed. Examples of how files may need to be stored include encryption requirements, audit, and file storage metadata requirements, etc. Examples of regulatory requirements include HIPPA (healthcare privacy), PCI (card transaction security), Gramm-Leach-Bliley (financial consumer privacy). Examples of business processes include internal information security restrictions (e.g., a requirement to encrypt files based on a particular data classification) or data retention requirements (i.e., how long a file should be stored with the cloud storage service before being purged) …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of deMilo into the teachings of Mizrachin, because it discloses that “each file updated to the cloud storage service 130 to be encrypted using a distinct key (or key pair), while allowing the enterprise to maintain the security of the key service 170 and key database 170 (deMilo, Para [0023])”, and that “a storage broker may provide real time service negotiation and dynamic cloud storage management for multiple tenant applications registered with the broker. A file upload tenant may be configured to generate a user interface that allows a user to specify metadata to associate with a file along with a link to a cloud storage service to which the file is uploaded. A link to the file and the metadata may be stored in an enterprise database. Thus, the user interface allows the user to transfer files to a cloud storage service suitable for the needs of a particular case, as well as allows the enterprise to receive any number of metadata attributes describing the contents of the file stored by the cloud service. That is, the tenant application may collect and store the metadata attributes (along with a reference to the file stored in the cloud) in an enterprise database, while the file itself may be transmitted to the cloud storage service directly (deMilo, Para [0048])”.
Regarding Claim 17. The combination of Mizrachin-deMilo discloses the computer-implemented method of claim 12, deMilo further discloses, “wherein the response protocol is further configured to modify access privileges of the enterprise device to the enterprise network, based at least in part on the analysis of the datum metadata (deMilo, Para [0014]: … the cloud storage policy router may select a cloud storage service based on the requirements for storage submitted with a file. For example, the requirements may allow an enterprise to specify any geopolitical, business, or regulatory requirements associated with storing data files faced by a given enterprise. For instance, the United States Patriot Act has resulted in some non-US localities to pass legislation forbidding data storage within the United States. (See, e.g., British Columbia, Freedom of Information and Protection of Privacy Act "FOIPPA," Oct. 21, 2004). In such a case, the cloud storage policy router may enforce a policy that prevents data files from being stored in a particular jurisdiction. Alternatively, the cloud storage policy router may enforce a requirement that data files remain stored within a particular jurisdiction. Similarly, the policy may allow an enterprise to specify a variety of other business or regulatory processes related to where data records are stored and how they may be accessed. Examples of how files may need to be stored include encryption requirements, audit, and file storage metadata requirements, etc. Examples of regulatory requirements include HIPPA (healthcare privacy), PCI (card transaction security), Gramm-Leach-Bliley (financial consumer privacy). Examples of business processes include internal information security restrictions (e.g., a requirement to encrypt files based on a particular data classification) or data retention requirements (i.e., how long a file should be stored with the cloud storage service before being purged) …).”
The motivation to further combine deMilo remains the same as in claim 12.
Regarding Claim 18. Mizrachin discloses An enterprise device, storing computer-executable instructions that, when executed on one or more processors (Mizrachin, Para [0046, 0049-0050]; FIGs. 2, 11, 18: … FIG. 11 is a block diagram of an exemplary network endpoint 1100, according to one aspect. A network endpoint 1100, such as (for example, including but not limited to) a mobile device or IoT sensor, may operate a NGEPP agent 108a-n to perform host-based intrusion prevention and detection by monitoring files and processes 1101a-n operating on the processor 13 or stored in the memory 11 of the endpoint device 1100 … FIG. 18 is a block diagram of a network endpoint 1100 showing a plurality of endpoint protection engines 1801a-n, according to one aspect. According to the aspect, a plurality of endpoint protection engines 1801a-n may operate on a network endpoint 1100 to provide a number of protection modes for the endpoint as well as to provide advanced functionality through interaction between individual protection engines or endpoints …), cause the one or more processors to perform acts comprising:
receiving, via a user interaction, a request to initiate a data operation with a data item associated with an enterprise network (Mizrachin, abstract, Para [0046-0047]: … UEBA server 102 may connect to a plurality of corporate systems 211 such as security systems (for example, firewalls, intrusion detection applications, user access logging, or other security-focused internal systems) as well as a plurality of data stores 212 such as databases, cloud-hosted repositories, or other data storage sources. UEBA server 102 may also be connected to a plurality of endpoints 201 that may each operate a NGEPP software agent (as described previously), as well as a plurality of internal applications 202 such as cloud-based, mobile, or other internal applications for users within the enterprise. These endpoints enable monitoring of user activities as they use devices, access information and applications, and interact with and move between and within various systems and components of an enterprise infrastructure … UEBA server 102 may use information from these various connected systems and resources to rapidly detect and analyze malicious or abusive behavior, by recognizing known behavior and information patterns that may identify an activity as “safe” or “unsafe” (for example, known malicious file signatures, or known routine user behaviors). User activities may be monitored and evaluated beyond an initial login, and include user movements, access to organizational assets and the contexts within which access occurs. Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time. This tracking and organization may then be used to correlate user and other entity activities and behaviors, enabling the detection of anomalies using statistical models and machine learning …), [the data item being stored as an encrypted data item within a data repository server];
However, Mizrachin does not explicitly teach, but deMilo from same or similar field of endeavor teaches, “the data item being stored as an encrypted data item within a data repository server (deMilo, Para [0023]: Further, the particular policy 142 for the file upload tenant 148 may require that the file 114 be encrypted prior to being uploaded to the cloud storage service 130. Accordingly, in one embodiment, the storage broker 140 and file upload tenant 148 may be configured to communicate with the key service 170 to obtain an encryption key to supply with the user interface provided to the client application 122 …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of deMilo into the teachings of Mizrachin, because it discloses that “the web services interface 242 allows the client system 102 to connect to the routing device 242 and provide it the storage parameters 205 indicating preferences for storing the file 112 with a cloud storage provider 130. Further, the routing application 244 may be configured to evaluate the storage parameters 205 received from client system 102 using the provider metadata table 246. More specifically, the routing application 244 may compare the requested storage parameters 205 with the capabilities advertised by the different cloud storage providers 230, and optionally, the registered storage polices 248, to select a particular cloud storage provider 120 to store the file 112. For example, the requested storage parameters 205 may indicate a minimum guaranteed service level availability (SLA) that the selected cloud storage provider 230 should have to be selected to store the file 112. Similarly, one of the registered storage policies 248 may indicate whether the file 112 should be encrypted before being stored by the cloud storage provider 230 or indicate what locations are allowed (or prohibited) for storing a file using one of the cloud storage providers 230 (deMilo, Para [0027])”.
Mizrachin further discloses:
“intercepting, via a security client, the request to initiate the data operation prior to delivery to an operating system (Mizrachin, abstract, Para [0008, 0059]: FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. According to the aspect, in an initial step 1001 an NGEPP software agent 108a-n may collect operating system metadata (such as vendor, version, or other such details) for the operating system of the endpoint device on which it is operating. When an activity request is captured 1002 such as an attempt to open a file or perform an action …);
generating, at the security client, datum metadata associated with the request to initiate the data operation with the data item (Mizrachin, abstract, Para [0008, 0059]: FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. When an activity request is captured 1002 such as an attempt to open a file or perform an action, a snapshot of the request information may be sent 1003 to a UEBA server 102 along with the previously-collected OS metadata. Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed, and the UEBA server 102 directs the NGEPP software agent 108a-n to handle the activity accordingly 1006 …);
transmitting, the datum metadata to a DMOS analysis server, the DMOS analysis server to infer whether the data operation constitutes a cybersecurity threat to the enterprise network (Mizrachin, abstract, Para [0008, 0059]: … FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. According to the aspect, in an initial step 1001 an NGEPP software agent 108a-n may collect operating system metadata (such as vendor, version, or other such details) for the operating system of the endpoint device on which it is operating. When an activity request is captured 1002 such as an attempt to open a file or perform an action, a snapshot of the request information may be sent 1003 to a UEBA server 102 along with the previously-collected OS metadata. Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked. Only activities that fall within the acceptable policy definitions may be allowed, and the UEBA server 102 directs the NGEPP software agent 108a-n to handle the activity accordingly 1006 …); and
(Mizrachin, Para [0057]: … An endpoint inventory 815 may be used to index the hardware and software of endpoints for easier management, and endpoint statistics 816 may show counts for recorded sessions, account logins, or other activities both per-endpoint and per-user within a particular endpoint. Integration with a lightweight directory access protocol (LDAP) system 817 may be used to integrate with an existing user directory, quickly incorporating existing user account information and organizational structure as well as authorization and authentication information from an existing LDAP setup. Out-of-policy alerts 818 may be produced when a user or endpoint violates a policy rule, such as an unauthorized configuration or activity. User behavior may be logged and used to form a baseline 819 of normal activity that may then be used to identify anomalous activity (as described previously, referring to FIGS. 3-5). A block message 820 may be used to block out a device or application when a policy is violated, preventing further unauthorized activity, or a popup message 821 may be used to display an indicator on-screen without impacting activity (for example, for lesser violations or warnings). For severe violations, an email alert 822 may be triggered and sent to an administrator to notify them of the out-of-policy violation …).”
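For illustration of the activity-request handling relied upon for claims 12 and 18 above (an agent collects OS metadata, captures an activity request, sends a snapshot to the server, and the server compares it against policy rules and directs the agent to allow or block), the following is an added, executable sketch. It is not code from Mizrachin, deMilo, or the instant application. The snapshot fields, the rule format, the policy, and the sample requests are assumptions constructed for the example; in particular, the "send" step is a direct function call standing in for the agent-to-server transport.

```python
"""Allow/block decision over an activity snapshot plus OS metadata.

Added example only: not code from Mizrachin, deMilo, or the instant
application. Sketches the quoted flow: agent collects OS metadata,
captures an activity request, sends a snapshot, server compares it
against policy rules and returns a directive the agent enforces.
All field names, the rule format, the policy and the sample
snapshots are assumptions constructed for this example.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class OsMetadata:
    vendor: str
    version: str          # dotted string, e.g. "10.2" (assumed format)


@dataclass(frozen=True)
class Snapshot:
    user: str
    process: str
    action: str           # "open", "exec", ... (assumed vocabulary)
    target: str           # file path or share path
    os_meta: OsMetadata


@dataclass(frozen=True)
class Rule:
    name: str
    action: str = "*"                 # "*" matches any action
    target_glob: str = "*"            # fnmatch pattern over the target
    users: frozenset = frozenset()    # empty means any user
    os_older_than: tuple = ()         # match only if OS version < this
    verdict: str = "allow"            # "allow" or "block"


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def rule_matches(rule: Rule, snap: Snapshot) -> bool:
    """True when every populated condition of the rule holds for the snapshot."""
    if rule.action != "*" and rule.action != snap.action:
        return False
    if not fnmatch.fnmatchcase(snap.target, rule.target_glob):
        return False
    if rule.users and snap.user not in rule.users:
        return False
    if rule.os_older_than and version_tuple(snap.os_meta.version) >= rule.os_older_than:
        return False
    return True


def evaluate(snap: Snapshot, rules) -> tuple:
    """Server side: first matching rule wins; anything unmatched is blocked."""
    for rule in rules:
        if rule_matches(rule, snap):
            return rule.verdict, rule.name
    return "block", "default-deny"


def agent_collect_os_metadata() -> OsMetadata:
    # Constructed stand-in for querying the host operating system.
    return OsMetadata(vendor="ExampleOS", version="10.2")


def agent_handle(user, process, action, target, rules, os_meta=None) -> dict:
    """Agent side: build the snapshot, 'send' it (a direct call here), enforce the answer."""
    snap = Snapshot(user, process, action, target, os_meta or agent_collect_os_metadata())
    verdict, rule_name = evaluate(snap, rules)
    return {"allowed": verdict == "allow", "rule": rule_name}


# Constructed policy: blocking rules first, then allow rules, default deny.
POLICY = (
    Rule("block-exec-from-temp", action="exec", target_glob="/tmp/*", verdict="block"),
    Rule("block-share-from-unpatched-os", action="open", target_glob="//fileserver/*",
         os_older_than=(10, 2), verdict="block"),
    Rule("staff-read-documents", action="open", target_glob="/home/*/documents/*",
         users=frozenset({"alice", "bob"})),
    Rule("staff-read-shares", action="open", target_glob="//fileserver/*",
         users=frozenset({"alice", "bob"})),
)

if __name__ == "__main__":
    for args in (("alice", "word.exe", "open", "/home/alice/documents/q3.docx"),
                 ("alice", "cmd.exe", "exec", "/tmp/payload.bin"),
                 ("mallory", "word.exe", "open", "/home/mallory/documents/x.docx")):
        print(args[2], args[3], "->", agent_handle(*args, POLICY))
    print("bob on old OS ->", agent_handle("bob", "explorer.exe", "open",
          "//fileserver/finance/ledger.xlsx", POLICY, OsMetadata("ExampleOS", "9.4")))
```

The OS-version rule is the reason the quoted flow sends the collected OS metadata with every snapshot rather than only the request: the same open of a file-server share is allowed from a current host and blocked from an unpatched one, and the agent never decides on its own.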
Regarding Claim 19. The combination of Mizrachin-deMilo discloses the enterprise device of claim 18, deMilo further discloses, “further comprising:
in response to an inference that the data operation does not constitute the cybersecurity threat, receiving, from the global key server, a cryptographic key to decrypt the encrypted data item (deMilo, Para [0046]: … FIG. 6 illustrates a method 600 for retrieving a file stored by a cloud service along with metadata related to the file not stored by the cloud service, according to one embodiment. As shown, the method 600 begins at step 605 where a user requests to access to both a file stored by a cloud service and metadata associated with the file. Again, returning to the example of the computer hardware vendor, support personnel may be tasked with resolving service requests submitted by customers using the file upload tenant described relative to the FIG. 1 and FIG. 5. In such a case, the support personnel may be provided with a ticket review application (e.g., the TR application 167 described relative to FIG. 1). Further, in one embodiment, the ticket review application may access a file download tenant registered with the storage broker. Alternatively, the ticket review application may retrieve a service request, file metadata, and a link to a corresponding file stored by the cloud service. In either case, at step 610, the ticket review application (or download tenant) retrieves metadata associated the requested file, including a link (e.g., a URL) used to retrieve the file from the cloud storage service. If the file has been encrypted prior to being stored with the cloud service, then at step 615, the keys needed to decrypt the file are retrieved from the key service …).”
The motivation to further combine deMilo remains the same as in claim 18.
Regarding Claim 20. The combination of Mizrachin-deMilo discloses the enterprise device of claim 18, Mizrachin further discloses, “wherein the message further indicates that the enterprise device has been restricted to access to a segment of the enterprise network, based at least in part on the inferred cybersecurity threat (Mizrachin, Para [0045]: … Components used in a next-generation enhanced comprehensive cybersecurity platform may include, but are not limited to, one or more forensics servers 107 that may conduct remote forensic analysis of endpoints that have been or are suspected to have been attacked, one or more malware management servers 106 (that provide anti-virus services, whitelisting services, process hash databases, and the like), one or more remediation servers 105 that provide automated or semi-automated remediation actions (such as quarantine, file deletion, process stopping, and the like) in response to and remediation of hostile actions on one or more endpoint devices …).”
Claims 2, 3, 4, 13, 14, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0359272 A1 to Mizrachi et al. (hereinafter “Mizrachin”) in view of Pub. No.: US 2011/0022642 A1 to deMilo et al. (hereinafter “deMilo”), as applied to claim 1 above, and further in view of US 2011/0016534 A1 to Jakobsson et al. (hereinafter “Jakobsson”).
Regarding Claim 2. The combination of Mizrachin-deMilo discloses the system of claim 1, Mizrachin further discloses, “wherein to analyze the datum metadata further includes determining a usage [behavioral score] based at least in part on a correlation of the datum metadata relative to a set of heuristic behavior curves (Mizrachin, Para [0053]:  FIG. 5 is a flow diagram illustrating an exemplary method 500 for user behavior analytics using a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may first connect to a plurality of endpoints 501 such as user devices (for example, smartphones or personal computers), corporate devices such as servers or databases, or enterprise applications such as internal applications and user directories. User behavior may then be observed 502 as users interact with and move between these endpoints, allowing UEBA server 102 to use machine learning to profile user activity 503 and form a baseline of what may constitute “normal” activity for any given user or user group. Behavior may then be used to correlate and group users into peer groups 504, or logical groupings of users with similar behavior profiles (that may or may not have any real association in the physical world or in a user directory), and these peer groups may be similarly profiled and baselined 505. These behavior profiles and baselines may then be used to identify anomalous behavior 506 as it occurs, for example by using machine learning to compare behavior to statistical models based on the known baselines for the involved parties (individual users, user groups, or peer groups) …),” and
However, the combination of Mizrachin-deMilo does not explicitly teach, but Jakobsson from same or similar field of endeavor teaches, “wherein to determine whether to facilitate the execution of the data operation is further based at least in part on a comparison of the usage behavior score relative to a dynamic usage threshold (Jakobsson, Abstract, Para [0007, 0024, 0058]: … Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern … The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource … the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data … the user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user's historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jakobsson into the combined teachings of Mizrachin-deMilo, because it discloses that “the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication (Jakobsson, Para [0007])”.
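For illustration of the score-versus-threshold decision relied upon for claim 2 (a behavior score computed against a per-user baseline, as in the Mizrachin profiling quoted above, and compared to a threshold, as in the Jakobsson passage quoted above), the following is an added, executable sketch. It is not code from Mizrachin, Jakobsson, or the instant application. The score is a simple Gaussian-consistency score, an assumed stand-in for Jakobsson's model-derived user behavior score; Jakobsson as quoted compares against a predetermined threshold, whereas the threshold here is recomputed from the peer group's own recent scores, which is one assumed way of realising the "dynamic usage threshold" recited in the claim. The session features and all history are constructed.

```python
"""Behavior score against a per-user baseline, compared to a threshold
that moves with the peer group.

Added example only: not code from Mizrachin, Jakobsson, or the instant
application. The score is an assumed Gaussian-consistency score; the
threshold is recomputed from the peer group's recent scores (assumed
realisation of a "dynamic usage threshold"). All data are constructed.
"""
import math
import statistics

# Constructed history: per user, one tuple per session of
# (hour of day, distinct files touched, megabytes read).
HISTORY = {
    "alice": [(9, 12, 40), (10, 15, 55), (9, 11, 38), (11, 14, 50), (10, 13, 45), (9, 12, 42)],
    "bob":   [(8, 9, 20), (9, 10, 25), (8, 8, 22), (10, 11, 28), (9, 9, 24), (8, 10, 26)],
    "carol": [(13, 20, 80), (14, 22, 90), (13, 19, 75), (15, 21, 85), (14, 20, 82), (13, 22, 88)],
}
PEER_GROUP = ("alice", "bob", "carol")
STDEV_FLOOR = 1e-3   # assumed floor so a constant feature cannot divide by zero
QUANTILE = 0.10      # assumed: a new session must score at least as well as the
                     # group's lowest-decile routine session


def baseline(sessions):
    """Per-feature (mean, stdev) over one user's sessions."""
    columns = list(zip(*sessions))
    return [(statistics.mean(c), max(statistics.stdev(c), STDEV_FLOOR)) for c in columns]


def behavior_score(session, base) -> float:
    """1.0 means exactly on baseline; decays toward 0 as the session drifts away."""
    z2 = [((x - m) / s) ** 2 for x, (m, s) in zip(session, base)]
    return math.exp(-0.5 * sum(z2) / len(z2))


def dynamic_threshold(history, group, quantile=QUANTILE) -> float:
    """Score each member's past sessions against that member's own baseline and
    take the chosen quantile. Re-running this after new sessions are appended
    is what makes the threshold dynamic rather than predetermined."""
    scores = sorted(
        behavior_score(s, baseline(history[u])) for u in group for s in history[u]
    )
    return scores[int(quantile * (len(scores) - 1))]


def decide(user, session, history=HISTORY, group=PEER_GROUP) -> dict:
    """Allow the operation only if the session's score clears the current threshold."""
    score = behavior_score(session, baseline(history[user]))
    threshold = dynamic_threshold(history, group)
    return {"score": score, "threshold": threshold, "allow": score >= threshold}


if __name__ == "__main__":
    print("routine  :", decide("alice", (10, 13, 46)))
    print("anomalous:", decide("alice", (3, 300, 4000)))
    # Appending sessions moves the threshold without any operator change.
    updated = {u: list(s) for u, s in HISTORY.items()}
    updated["bob"].append((9, 10, 24))
    print("threshold before/after:", dynamic_threshold(HISTORY, PEER_GROUP),
          dynamic_threshold(updated, PEER_GROUP))
```

The distinction the claim turns on is visible in `dynamic_threshold`: nothing in it is a fixed constant chosen in advance, so the same session can be allowed one week and rejected the next as the peer group's routine tightens, which a predetermined threshold cannot do.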
Regarding Claim 3. The combination of Mizrachin-deMilo-Jakobsson discloses the system of claim 2, Mizrachin further discloses, “wherein the one or more modules are further executable by the one or more processors (Mizrachin, Para [0007, 0043]: … a user entity behavior analytics server comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to … Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process) to:
generate the set of heuristic behavior that reflect at least one of a first set of historical interactions of the enterprise device with a set of data items stored with the data repository server of the enterprise network (Mizrachin, Para [0053]: … FIG. 5 is a flow diagram illustrating an exemplary method 500 for user behavior analytics using a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may first connect to a plurality of endpoints 501 such as user devices (for example, smartphones or personal computers), corporate devices such as servers or databases, or enterprise applications such as internal applications and user directories. User behavior may then be observed 502 as users interact with and move between these endpoints, allowing UEBA server 102 to use machine learning to profile user activity 503 and form a baseline of what may constitute “normal” activity for any given user or user group. Behavior may then be used to correlate and group users into peer groups 504, or logical groupings of users with similar behavior profiles (that may or may not have any real association in the physical world or in a user directory), and these peer groups may be similarly profiled and baselined 505. These behavior profiles and baselines may then be used to identify anomalous behavior 506 as it occurs, for example by using machine learning to compare behavior to statistical models based on the known baselines for the involved parties (individual users, user groups, or peer groups) …),” or a second set of historical interactions of the set of data items with one or more enterprise devices associated with the enterprise network.
Regarding Claim 4. The combination of Mizrachin-deMilo discloses the system of claim 1, Mizrachin further discloses, “wherein to analyze the datum metadata further includes determining a security score based at least in part on a correlation of the datum metadata relative to a dataset of known cybersecurity threats (Mizrachin, Para [0047, 0059-0060]:  UEBA server 102 may use information from these various connected systems and resources to rapidly detect and analyze malicious or abusive behavior, by recognizing known behavior and information patterns that may identify an activity as “safe” or “unsafe” (for example, known malicious file signatures, or known routine user behaviors). User activities may be monitored and evaluated beyond an initial login, and include user movements, access to organizational assets and the contexts within which access occurs. Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time. This tracking and organization may then be used to correlate user and other entity activities and behaviors, enabling the detection of anomalies using statistical models and machine learning … Vulnerability management is used to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Implementing effective vulnerability or patch management tools can significantly reduce potential attack surface, keeping users safe from data breaches and theft. According to the aspect, a vulnerability management method 1200 may comprise the steps of first 1201 discovering existing vulnerabilities using any of a number of cloud-based reputation services rather than a single vulnerability database, and then 1202 analyzing vulnerabilities and ranking them 1203 according to potential threat level. 
This ranked threat list may then be used to mitigate 1204 the root cause of a vulnerability, and maintain security through ongoing testing and security monitoring 1205 …)”, and
However, the combination of Mizrachin-deMilo does not explicitly teach, but Jakobsson from same or similar field of endeavor teaches, “wherein, to determine whether to facilitate the execution of the data operation is further based at least in part on a comparison of the security score relative to a dynamic security threshold (Jakobsson, Abstract, Para [0007, 0024, 0058]: … Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern … The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. 
If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource …  the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data … the user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user's historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jakobsson into the combined teachings of Mizrachin-deMilo, because it discloses that “the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication (Jakobsson, Para [0007])”.
Regarding Claim 13. The combination of Mizrachin-deMilo discloses the computer-implemented method of claim 12, Mizrachin further discloses, “further comprising:
analyzing the datum metadata relative to a set of heuristic behavior curves to infer whether the data operation constitutes a typical interaction or an atypical interaction with the enterprise network (Mizrachin, Para [0053, 0059]:  FIG. 5 is a flow diagram illustrating an exemplary method 500 for user behavior analytics using a UEBA server 102, according to an aspect. According to the aspect, a UEBA server 102 may first connect to a plurality of endpoints 501 such as user devices (for example, smartphones or personal computers), corporate devices such as servers or databases, or enterprise applications such as internal applications and user directories. User behavior may then be observed 502 as users interact with and move between these endpoints, allowing UEBA server 102 to use machine learning to profile user activity 503 and form a baseline of what may constitute “normal” activity for any given user or user group. Behavior may then be used to correlate and group users into peer groups 504, or logical groupings of users with similar behavior profiles (that may or may not have any real association in the physical world or in a user directory), and these peer groups may be similarly profiled and baselined 505. These behavior profiles and baselines may then be used to identify anomalous behavior 506 as it occurs, for example by using machine learning to compare behavior to statistical models based on the known baselines for the involved parties (individual users, user groups, or peer groups) … FIG. 10 is a flow diagram illustrating an exemplary method 1000 for malware detection and mitigation, according to an aspect. According to the aspect, in an initial step 1001 an NGEPP software agent 108a-n may collect operating system metadata (such as vendor, version, or other such details) for the operating system of the endpoint device on which it is operating. 
When an activity request is captured 1002 such as an attempt to open a file or perform an action, a snapshot of the request information may be sent 1003 to a UEBA server 102 along with the previously-collected OS metadata. Upon receipt, the snapshot and metadata may be analyzed 1004 by UEBA server 102 and compared against policy rules 1005 to determine whether the activity is “safe” and should be allowed, or if it should be blocked…)”; and
However, the combination of Mizrachin-deMilo does not explicitly teach, but Jakobsson from same or similar field of endeavor teaches:
“determining a usage behavior score, based at least in part on a correlation of the datum metadata relative to the set of heuristic behavior curves (Jakobsson, Abstract, Para [0024-0028, 0090]: The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern. The recent contextual data, which comprise a plurality of data streams, are collected from one or more user devices without prompting the user to perform an action explicitly associated with authentication. The plurality of data streams provide basis for determining the user behavior score … the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data … the user behavior model is stored in a user model look-up table. The user model look-up table comprises historical information on whether a condition is satisfied, and information on a plurality of user events. 
Each event is associated with a probability distribution and a score distribution … the system collects historical contextual data via one or more of a survey of contextual information about the user entered by a representative of the user, an accumulation of periodically transmitted contextual data of the user from one or more mobile devices, or an inheritance of the contextual information about the user from another device associated with the user … the system derives the user behavior model from a second model of a group of users sharing similar characteristics … the recent event belongs to one of a plurality of categories. The plurality of categories comprise one or more of: (1) a very positive event; (2) a positive event; (3) a neutral event; (4) a negative event; and (5) a very negative event. The determination of increasing or decreasing the user behavior score and the amount of increment or decrement are associated with the category to which the recent event belongs … FIG. 7B shows a user model look-up table 780 used to store a user behavior model in accordance with an embodiment. Users can be characterized by their usage behavior patterns. The system models each user using a look-up table 780 that contains history strings, which are matched with the current history, and a plurality of events information. The table is indexed by the history strings. A history string contains a sequence of observed events, along with the time interval of the sequence. An event entry typically includes a probability distribution and a scoring distribution. The probability distribution corresponds to how likely the associated event is to happen as a function of time. In other words, the probability distribution corresponds to the frequencies of past observations of events. The scoring distribution, on the other hand, is associated with how many points are given to or taken from the user behavior score as a result of the event as a function of time. 
The scoring distribution depends not only on the probability distribution, but also on the significance of the event, and on whether it is regarded as positive data or negative data …), and
wherein, determining whether the data operation constitutes the cybersecurity threat to the enterprise network is further based at least in part on comparing the usage behavior score relative to a dynamic usage threshold (Jakobsson, Abstract, Para [0007, 0024, 0045, 0058]: … Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern … The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource. 
If the user behavior score is lower than the predetermined threshold, the system requires the user to be authenticated explicitly, for example, by requesting the user to provide a user credential to access the controlled resource … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource …  the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data … the user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user's historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jakobsson into the combined teachings of Mizrachin-deMilo, because it discloses that “the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication (Jakobsson, Para [0007])”.
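The Jakobsson passages quoted for claims 4, 13 and 14 describe a look-up table indexed by history strings, per-event probability and scoring distributions, five event categories, and a threshold decision between implicit and explicit authentication. The following is an added illustration of that scheme, not code from the reference or from the application under examination; every class and function name, the scoring rule, and all numeric values are assumptions of this example.

```python
"""Implicit authentication from a user behavior score (added example).

Illustrates the quoted scheme: a look-up table keyed by history strings,
each event carrying a probability distribution and a scoring distribution,
event categories from very positive to very negative, and a threshold that
decides between implicit authentication and an explicit credential prompt.
Constructed example; names, formulas and numbers are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event categories from the quoted text, mapped to an assumed signed weight.
CATEGORY_WEIGHT = {
    "very_positive": 2.0,
    "positive": 1.0,
    "neutral": 0.0,
    "negative": -1.0,
    "very_negative": -2.0,
}


@dataclass
class EventInfo:
    """Event entry: category, significance, and the observed frequency of the
    event per hour of day (its probability distribution as a function of time)."""
    category: str
    significance: float
    hour_probability: Dict[int, float]

    def score_delta(self, hour: int) -> float:
        """Scoring distribution (assumed rule): a positive event earns
        weight * significance * p(hour); a negative event costs more the less
        expected it is, weight * significance * (1 - p(hour))."""
        p = self.hour_probability.get(hour, 0.0)
        weight = CATEGORY_WEIGHT[self.category]
        if weight >= 0:
            return weight * self.significance * p
        return weight * self.significance * (1.0 - p)


@dataclass
class UserModel:
    """Look-up table keyed by history string (tuple of preceding event names);
    each entry maps the next event name to its EventInfo."""
    table: Dict[Tuple[str, ...], Dict[str, EventInfo]]
    threshold: float

    def lookup(self, history: List[str], event: str) -> Optional[EventInfo]:
        """Match the longest known suffix of the current history, falling
        back to the empty history (no context)."""
        for n in range(len(history), -1, -1):
            key = tuple(history[-n:]) if n else ()
            entry = self.table.get(key)
            if entry and event in entry:
                return entry[event]
        return None


def user_behavior_score(model: UserModel, events: List[Tuple[str, int]]) -> float:
    """Accumulate score changes over recent contextual events (name, hour).
    An event absent from the model is treated as 'negative' with significance 1
    (assumption: unseen behavior is inconsistent with past behavior)."""
    score = 0.0
    history: List[str] = []
    for name, hour in events:
        info = model.lookup(history, name) or EventInfo("negative", 1.0, {})
        score += info.score_delta(hour)
        history.append(name)
    return score


def evaluate_request(model: UserModel, events: List[Tuple[str, int]]) -> str:
    """Access-controller decision: implicit authentication above the
    threshold, otherwise the user must present an explicit credential."""
    if user_behavior_score(model, events) > model.threshold:
        return "allow"
    return "require_credentials"


def build_sample_model() -> UserModel:
    """Constructed model for one user: device unlock in the morning, VPN
    after unlock, file access after VPN; a burst of DNS requests at night is
    a very negative event. All probabilities are made-up sample values."""
    unlock = EventInfo("positive", 2.0, {7: 0.6, 8: 0.9, 9: 0.7, 22: 0.1})
    vpn = EventInfo("positive", 2.0, {8: 0.8, 9: 0.8, 2: 0.05})
    fileopen = EventInfo("very_positive", 1.5, {9: 0.9, 10: 0.8})
    dns_burst = EventInfo("very_negative", 3.0, {2: 0.01})
    table = {
        (): {"unlock": unlock, "dns_burst": dns_burst},
        ("unlock",): {"vpn": vpn},
        ("unlock", "vpn"): {"fileopen": fileopen},
    }
    return UserModel(table, threshold=4.0)


if __name__ == "__main__":
    model = build_sample_model()
    typical = [("unlock", 8), ("vpn", 9), ("fileopen", 9)]
    odd = [("unlock", 2), ("dns_burst", 2), ("vpn", 2)]
    print(user_behavior_score(model, typical), evaluate_request(model, typical))
    print(user_behavior_score(model, odd), evaluate_request(model, odd))
```

With the sample model, the morning sequence scores 6.1 and is allowed implicitly, while the night sequence scores -6.94 and falls back to an explicit credential. The suffix matching in `lookup` is what makes the table context-sensitive: the same event can carry a different entry depending on the history string that precedes it, which is the property the quoted "history strings ... matched with the current history" describes.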
Regarding Claim 14. The combination of Mizrachin-deMilo discloses the computer-implemented method of claim 12, Mizrachin further discloses, “further comprising:
determining a security score, based at least in part on analysis of the datum metadata relative to the dataset of known cybersecurity threats (Mizrachin, Para [0047, 0059-0060]:  UEBA server 102 may use information from these various connected systems and resources to rapidly detect and analyze malicious or abusive behavior, by recognizing known behavior and information patterns that may identify an activity as “safe” or “unsafe” (for example, known malicious file signatures, or known routine user behaviors). User activities may be monitored and evaluated beyond an initial login, and include user movements, access to organizational assets and the contexts within which access occurs. Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time. This tracking and organization may then be used to correlate user and other entity activities and behaviors, enabling the detection of anomalies using statistical models and machine learning … Vulnerability management is used to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Implementing effective vulnerability or patch management tools can significantly reduce potential attack surface, keeping users safe from data breaches and theft. According to the aspect, a vulnerability management method 1200 may comprise the steps of first 1201 discovering existing vulnerabilities using any of a number of cloud-based reputation services rather than a single vulnerability database, and then 1202 analyzing vulnerabilities and ranking them 1203 according to potential threat level. This ranked threat list may then be used to mitigate 1204 the root cause of a vulnerability, and maintain security through ongoing testing and security monitoring 1205 …)”; and
However, the combination of Mizrachin-deMilo does not explicitly teach, but Jakobsson from same or similar field of endeavor teaches:
“determining the data operation constitutes the cybersecurity threat based at least in part on the security score being greater than or equal to a dynamic security threshold (Jakobsson, Abstract, Para [0007, 0024, 0045, 0058]: … Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system receives a request to access the controlled resources. The system then determines a user behavior score based on a user behavior model, and recent contextual data about the user. The user behavior score facilitates identifying a level of consistency between one or more recent user events and a past user behavior pattern … The recent contextual data can be collected without prompting the user to perform an action explicitly associated with authentication. Further, the recent contextual data include multiple data streams, which provide basis for the determination of the user behavior score. However, a data stream alone provides insufficient basis for the determination of the user behavior score. Next, the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource. 
If the user behavior score is lower than the predetermined threshold, the system requires the user to be authenticated explicitly, for example, by requesting the user to provide a user credential to access the controlled resource … the system calculates a user behavior score based on a user behavior model derived from historical contextual data of the user, recent contextual data of the user collected from one or more user devices, and optionally a request to access controlled resources from the user. If the user behavior score is higher than a predetermined threshold, the system authenticates the user to access the controlled resource …  the recent contextual data of the user comprise one or more of: GPS data, accelerometer data, voice data, sensor data, application usage data, web browser data, authentication attempts, connection attempts, network traffic pattern, DNS requests, typing pattern, biometric data, social group membership information, and user demographics data … the user behavior modeler 240 creates a user behavior model 255 based on the contextual data 245 about user 160. User behavior model 255 describes a user's historical behavior patterns. User behavior model 255 can include a history string which corresponds to a sequence of observed events, a probability distribution which corresponds to the likelihood of the observed events happening as a function of time, and a score distribution which corresponds to the change in user behavior score 260 resulting from the observed events as a function of time …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jakobsson into the combined teachings of Mizrachin-deMilo, because it discloses that “the system provides the user behavior score to an access controller of the controlled resource, thereby making an authentication decision derived from the user behavior score for the user to access the controlled resource based at least on the user behavior score. In addition, the system can be used in combination with another form of authentication (Jakobsson, Para [0007])”.
Regarding Claim 15. The combination of Mizrachin-deMilo-Jakobsson discloses the computer-implemented method of claim 14, Mizrachin further discloses, “wherein the dataset of known cybersecurity threats includes a first portion and a second portion (Mizrachin, Para [0063]:  To build a threat detection database, a baseline may be built over a set timeframe, wherein files and processes are hashed (first portion) and added to a whitelist to automatically generate a whitelist for “normal operation” against which future hashes (second portion) may be checked …), and further comprising:
importing, from third-party entities that are knowledgeable in cybersecurity threat data, the first portion of the dataset of known cybersecurity threats (Mizrachin, Para [0060]: … FIG. 12 is a flow diagram of an exemplary method 1200 for threat prevention, according to one aspect. Vulnerability management is used to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Implementing effective vulnerability or patch management tools can significantly reduce potential attack surface, keeping users safe from data breaches and theft. According to the aspect, a vulnerability management method 1200 may comprise the steps of first 1201 discovering existing vulnerabilities using any of a number of cloud-based reputation services (third-party entities) rather than a single vulnerability database …); and
generating the second portion of the dataset of known cybersecurity threats based on historical interactions of cybersecurity threats within the enterprise network over a predetermined time interval (Mizrachin, Para [0051, 0046-0047, 0063]: … UEBA server 102 may also be connected to a plurality of endpoints 201 that may each operate a NGEPP software agent (as described previously), as well as a plurality of internal applications 202 such as cloud-based, mobile, or other internal applications for users within the enterprise. These endpoints enable monitoring of user activities as they use devices, access information and applications, and interact with and move between and within various systems and components of an enterprise infrastructure … UEBA server 102 may use information from these various connected systems and resources to rapidly detect and analyze malicious or abusive behavior, by recognizing known behavior and information patterns that may identify an activity as “safe” or “unsafe” (for example, known malicious file signatures, or known routine user behaviors). User activities may be monitored and evaluated beyond an initial login, and include user movements, access to organizational assets and the contexts within which access occurs. Users 220 may be grouped according to their activities into peer groups, for example using directory groupings and human resources information as a starting point and then monitoring user activity over time … To build a threat detection database, a baseline may be built over a set timeframe, wherein files and processes are hashed and added to a whitelist to automatically generate a whitelist for “normal operation” against which future hashes may be checked. 
If a new file or process is detected that is not on a local whitelist, it may be checked against a global whitelist to see if (for example) it is a legitimate process that simply did not run during the baselining process and thus was missed, or if it is indeed a malicious process. Unknown processes may generate an alert as described previously, prompting a user or administrator to manually allow, deny, or sandbox the potential threat. When sandboxed suspicious files or processes are determined to have carried an actual malicious payload, they may be added to a blacklist, enabling intelligent adaptation to new threats over time …).”
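The Mizrachin passage quoted for claim 15 describes a threat detection database built from a hash baseline: hashes observed during a set timeframe form a local whitelist, an unknown hash is checked against a global whitelist, still-unknown items raise an alert for an administrator to allow, deny or sandbox, and sandboxed items found malicious are blacklisted. The following is an added illustration of that lifecycle, not code from the reference or from the application; the class and method names, the choice of SHA-256, the global-whitelist feed and the sample byte strings are assumptions.

```python
"""Threat-detection database from a hash baseline (added example).

Constructed illustration of the quoted passage: baseline whitelist, global
whitelist fallback, alert on unknowns, blacklist after a sandbox verdict.
Names, SHA-256, and the sample contents are assumptions of this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


def content_hash(data: bytes) -> str:
    """Identify a file or process image by the SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ThreatDetectionDB:
    local_whitelist: Set[str] = field(default_factory=set)   # "normal operation" baseline
    global_whitelist: Set[str] = field(default_factory=set)  # known-good hashes from an assumed external feed
    blacklist: Set[str] = field(default_factory=set)         # confirmed malicious after sandboxing
    baselining: bool = True                                  # True during the baseline timeframe

    def observe_baseline(self, images: Iterable[bytes]) -> None:
        """During the baseline window every observed hash is whitelisted."""
        if not self.baselining:
            raise RuntimeError("baseline window has closed")
        for data in images:
            self.local_whitelist.add(content_hash(data))

    def close_baseline(self) -> None:
        self.baselining = False

    def classify(self, data: bytes) -> str:
        """Verdict for a newly detected file or process: 'block' if
        blacklisted, 'allow' if on the local or global whitelist, otherwise
        'alert' so an administrator can allow, deny or sandbox it.
        The blacklist is consulted first so that a hash later proven
        malicious is never re-admitted by a stale whitelist entry."""
        h = content_hash(data)
        if h in self.blacklist:
            return "block"
        if h in self.local_whitelist:
            return "allow"
        if h in self.global_whitelist:
            # Legitimate process that simply did not run during baselining:
            # promote it to the local whitelist so later checks stay local.
            self.local_whitelist.add(h)
            return "allow"
        return "alert"

    def record_sandbox_verdict(self, data: bytes, malicious: bool) -> None:
        """Adapt over time: a sandboxed item that carried a malicious payload
        is blacklisted (and removed from the local whitelist); a benign one
        is whitelisted so it stops generating alerts."""
        h = content_hash(data)
        if malicious:
            self.blacklist.add(h)
            self.local_whitelist.discard(h)
        else:
            self.local_whitelist.add(h)


# Constructed sample "images" standing in for file or process contents.
BASELINE_IMAGES = [b"shell-binary-v1", b"office-suite-v7", b"backup-agent-v3"]
VENDOR_UPDATER = b"vendor-updater-v2"    # globally known good, absent from baseline
UNKNOWN_DROPPER = b"unsigned-dropper-1"  # never seen anywhere


def run_demo() -> Dict[str, str]:
    """Walk the lifecycle from the passage and return each verdict."""
    db = ThreatDetectionDB(global_whitelist={content_hash(VENDOR_UPDATER)})
    db.observe_baseline(BASELINE_IMAGES)
    db.close_baseline()
    verdicts = {
        "baselined": db.classify(b"office-suite-v7"),
        "global_only": db.classify(VENDOR_UPDATER),
        "unknown_first_seen": db.classify(UNKNOWN_DROPPER),
    }
    # The administrator sandboxes the unknown; the sandbox reports a payload.
    db.record_sandbox_verdict(UNKNOWN_DROPPER, malicious=True)
    verdicts["unknown_after_sandbox"] = db.classify(UNKNOWN_DROPPER)
    promoted = content_hash(VENDOR_UPDATER) in db.local_whitelist
    verdicts["global_promoted"] = "allow" if promoted else "alert"
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Because the database keys on content hashes, any change to a legitimate file (a patch, a rebuilt binary) produces a hash that is absent from the local whitelist and, unless the global feed or an administrator verdict covers it, generates an alert; that is the expected cost of the baseline approach the passage describes, and the promotion of global-whitelist hits into the local whitelist is what keeps such alerts from recurring.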
Regarding Claim 16. The combination of Mizrachin-deMilo-Jakobsson discloses the computer-implemented method of claim 14, Mizrachin further discloses, “further comprising:
determining that the datum metadata includes a plurality of data operations which are functionally related to the data item, the plurality of data operations including at least an API call and a system call (Mizrachin, Para [0065]:  … FIG. 16 is a flow diagram of an exemplary method 1600 for threat remediation, according to one aspect. During execution of an attack, malware often creates, modifies, or deletes system file or registry resources, or changes configuration settings. To handle these effects of an attack, a NGEPP agent 108a-n may first detect a change 1601, and then as part of a remediation process log the changes 1602 and send 1603 the log information to a remediation server 105 for use in analyzing the threat. When remediation instructions are received 1604, part of a remediation process then includes reversing the changes performed by the threat 1605, returning any files or resources to their original state …); and
determining whether a consensus exists between the plurality of data operations (Mizrachin, Para [0066]: FIG. 17 is a flow diagram of an exemplary method 1700 for threat forensics, according to one aspect. A NGEPP agent 108a-n may be used to provide real-time forensics after an attack (whether successful or not), to provide clear and timely visibility into malicious activity that may have taken place on an endpoint. According to the aspect, when an attack occurs 1701, a NGEPP agent 108a-n may log the details of the attack 1702 such as the threat level and any changes made (as described previously, referring to FIGS. 12 and 16). This may then be compared against logs of running processes and open files 1703 to determine what changes took place and what the potential impact may be of a particular attack 1704, to form a report that may then be provided to administrators via the network or optionally via a reporting view in an administration interface 1705), and
wherein, analyzing the datum metadata further includes determining the consensus between the plurality of data operations (Mizrachin, Para [0066]: FIG. 17 is a flow diagram of an exemplary method 1700 for threat forensics, according to one aspect. A NGEPP agent 108a-n may be used to provide real-time forensics after an attack (whether successful or not), to provide clear and timely visibility into malicious activity that may have taken place on an endpoint. According to the aspect, when an attack occurs 1701, a NGEPP agent 108a-n may log the details of the attack 1702 such as the threat level and any changes made (as described previously, referring to FIGS. 12 and 16). This may then be compared against logs of running processes and open files 1703 to determine what changes took place and what the potential impact may be of a particular attack 1704, to form a report that may then be provided to administrators via the network or optionally via a reporting view in an administration interface 1705).”
Pertinent Prior Art: The following prior art, made of record and not relied upon, is considered pertinent to applicant's disclosure.
	PGPUB US 20090287837 A1, Felsher: Felsher discloses a data security apparatus and method for controlling access to records provided within automated electronic databases, each record having an associated set of access rules, comprising: receiving, by a security processor, a request for access to records associated with at least one of an entity, attribute, and datum from a requestor; determining a set of records associated with the requested entity, attribute, or datum, contained in the automated electronic databases; authorizing access to the records within the determined set of records based on compliance with the associated set of access rules; defining an economic compensation rule, satisfaction of which is required for qualification for access to the set of records; selectively permitting access to records in dependence on satisfaction of the compensation rule; communicating the access permissions to the host automated electronic databases; and logging the request for retrieval and a respective access of each record.

Non-Patent Literature: A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Service; Hwang et al.: Hwang discloses methodologies to store data in the cloud in encrypted form, separating the storage of data and cryptographic key, thus enhancing the data security.
Enterprises usually store data in internal storage and install firewalls to protect against intruders accessing the data. They also standardize data access procedures to prevent insiders from disclosing the information without permission. In cloud computing, the data will be stored in storage provided by service providers. Service providers must have a viable way to protect their clients’ data, especially to prevent the data from disclosure by unauthorized insiders. Storing the data in encrypted form is a common method of information privacy protection. If a cloud system is responsible for both tasks, storage and encryption/decryption of data, the system administrators may simultaneously obtain encrypted data and decryption keys. This allows them to access information without authorization and thus poses a risk to information privacy. This study proposes a business model for cloud computing based on the concept of separating the encryption and decryption service from the storage service. Furthermore, the party responsible for the data storage system must not store data in plaintext, and the party responsible for data encryption and decryption must delete all data once the encryption or decryption computation is complete. A CRM (Customer Relationship Management) service is described in this paper as an example to illustrate the proposed 
PAT US 8826013 B1, Kodukula et al.: Kodukula discloses a cloud computing environment that includes a key management server and a cloud computer system running several virtual machines. A virtual machine hosted by the cloud computer system includes an integrity check module for checking the integrity of the virtual machine and getting identity information of the virtual machine. The integrity check module sends a key request to a key management server, which provides key service to different cloud computer systems. The key management server validates the request and, if the request is valid, provides the key to the virtual machine. The key is used to unlock an encrypted file system in the virtual machine.
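As an added illustration of the key-release flow the Kodukula summary describes (constructed here; it is not code from the patent, the examiner, or the instant application), the following Python model has an integrity check module measure the virtual machine, authenticate itself to a key management server with identity information, and receive the file-system key only when the measurement matches what was enrolled. The SHA-256 measurement in place of a TPM digest, the HMAC-based identity proof, the one-time challenge, the key-check-value "unlock", the VM id "vm-001" and the component names are all assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def measure(components: dict) -> bytes:
    """Integrity measurement of a VM: a hash over its boot components in a fixed order.
    Stand-in for a vTPM PCR digest (assumption of the example)."""
    h = hashlib.sha256()
    for name in sorted(components):
        h.update(name.encode())
        h.update(components[name])
    return h.digest()


class KeyManagementServer:
    """Serves keys to many cloud systems, but only after validating each key request."""

    def __init__(self) -> None:
        self._vms: dict = {}        # vm_id -> enrolled identity secret, golden measurement, fs key
        self._nonces: set = set()   # challenges issued and not yet consumed

    def enroll(self, vm_id: str, identity_secret: bytes, golden: bytes, fs_key: bytes) -> None:
        self._vms[vm_id] = {"secret": identity_secret, "golden": golden, "fs_key": fs_key}

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def request_key(self, vm_id: str, nonce: bytes, measurement: bytes, auth: bytes) -> bytes | None:
        """Returns the file-system key when the request is valid, otherwise None."""
        rec = self._vms.get(vm_id)
        if rec is None or nonce not in self._nonces:   # unknown VM, or unknown/replayed challenge
            return None
        self._nonces.discard(nonce)                     # each challenge is good for one request
        expected = hmac.new(rec["secret"], nonce + measurement, hashlib.sha256).digest()
        if not hmac.compare_digest(auth, expected):     # identity information does not check out
            return None
        if not hmac.compare_digest(measurement, rec["golden"]):   # integrity check failed
            return None
        return rec["fs_key"]


class IntegrityCheckModule:
    """Runs inside the VM: measures it, obtains a challenge, and asks the KMS for the key."""

    def __init__(self, vm_id: str, identity_secret: bytes, components: dict) -> None:
        self.vm_id, self._secret, self.components = vm_id, identity_secret, components

    def fetch_key(self, kms: KeyManagementServer) -> bytes | None:
        nonce = kms.challenge()
        m = measure(self.components)
        auth = hmac.new(self._secret, nonce + m, hashlib.sha256).digest()
        return kms.request_key(self.vm_id, nonce, m, auth)


def unlock_filesystem(header_kcv: bytes, key: bytes | None) -> bool:
    """Encrypted file-system unlock reduced to a key check value: the header stores
    HMAC(key, 'fs-kcv') and the volume opens only if the presented key reproduces it."""
    if key is None:
        return False
    return hmac.compare_digest(header_kcv, hmac.new(key, b"fs-kcv", hashlib.sha256).digest())


def demo() -> dict:
    """Healthy, modified, impostor and replayed requests against one enrolled VM (all constructed)."""
    kms = KeyManagementServer()
    good = {"kernel": b"vmlinuz (constructed)", "initrd": b"initrd.img (constructed)"}
    secret, fs_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kms.enroll("vm-001", secret, measure(good), fs_key)
    header_kcv = hmac.new(fs_key, b"fs-kcv", hashlib.sha256).digest()

    healthy = IntegrityCheckModule("vm-001", secret, good)
    modified = IntegrityCheckModule("vm-001", secret, {**good, "initrd": b"initrd.img (modified)"})
    impostor = IntegrityCheckModule("vm-001", secrets.token_bytes(32), good)  # right id, wrong secret

    # A captured valid request presented twice: the second use of the nonce must fail.
    nonce, m = kms.challenge(), measure(good)
    auth = hmac.new(secret, nonce + m, hashlib.sha256).digest()
    first = kms.request_key("vm-001", nonce, m, auth)
    replay = kms.request_key("vm-001", nonce, m, auth)

    return {
        "healthy_unlocks": unlock_filesystem(header_kcv, healthy.fetch_key(kms)),
        "modified_denied": modified.fetch_key(kms) is None,
        "impostor_denied": impostor.fetch_key(kms) is None,
        "replay_denied": first == fs_key and replay is None,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks the KMS performs are deliberately separate: the HMAC over the challenge proves which VM is asking (the identity information), and the measurement comparison proves its state (the integrity check); a VM that passes one but not the other receives no key, and the key itself never rests in the VM's image.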
PGPUB US 20170223093 A1, Peterson et al.: Peterson discloses devices, systems, and methods for providing cloud-based coordination of customer premise service appliances. A system can include a computing device comprising a communication module, a policy module, an appliance selection module, and a coordination module. The communication module receives a document request from a first client over a network connection, establishes a session with the first client in response to the document request, and receives metadata representing collected signatures after completion of the electronic signature operation portion of the 
Embodiments of the present disclosure relate generally to securing end user data associated with use of a cloud-based service and, more particularly, but not by way of limitation, to cloud-based coordination of customer premise service appliances.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434