DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1 February 2022 has been entered.
 


Introductory Remarks
	The status of the claims based on communications filed on 1 February 2022: claims 1, 7, and 13 were amended. Claims 2-3, 8-9, and 14-15 were cancelled. No claims were withdrawn. Claims 24-26 were new. Therefore, claims 1, 4-7, 10-13, and 16-26 were pending in the application, of which claims 1, 7, and 13 are presented in independent form.

The previously raised 101 rejection of the pending claims is withdrawn in view of the Examiner’s amendments to the claims as they appear in the record below.
The previously raised 103 rejection of the pending claims is withdrawn in view of the Examiner’s amendments to the claims as they appear in the record below.




Response to Arguments
Applicant’s arguments filed 1 February 2022 with respect to the rejection of the claims under 35 U.S.C. 101 have been fully considered but are moot in view of the Examiner’s amendments.
Applicant’s arguments filed 1 February 2022 with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but are moot in view of the Examiner’s amendments.



EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
1 (see attached OA.Appendix for the email correspondence and email attachment of the proposed Examiner’s amendments).


The application has been amended as follows: 

1. (Currently Amended) A computer-implementable method for monitoring and detecting file copy activity between an information handling device  information handling device over a Media Transfer Protocol (MTP) connection, the method comprising:
	the information handling device including a protected endpoint device interacting with an endpoint agent through at least one low-level hook, wherein the endpoint agent implements a security analytics system, and wherein the security analytics system includes a file copy module, an event stream collector, an event queue analytics module, and a storage Application Program Interface (API);
	establishing a connection with the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device;
	monitoring, by the file copy module,  MTP file activities between the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device by:
registering a callback function for [[the]] each of the one or more devices attempting to connect with the protected endpoint device, wherein the callback function requires monitoring for MTP file copy activities and MTP file read activities;
	creating, by the file copy module, a common queue of events the one or more devices attempting to connect with the protected endpoint device
	gathering, by the file copy module, information  of events
	entering, by the file copy module,  related to  of file activities as an entry into the common queue of events, wherein each entry includes a file size, a time stamp, and device information comprising a device name of a device attempting to connect with the protected endpoint device; [[and]]
	detecting, by the file copy module, one or more file copy activities by comparing entries  of events to determine entry pairs having same file sizes and time stamps within a predetermined time window, wherein each determined entry pair[[s]] [[of]] comprises a file read and a file create[[d]] corresponding to a file copy activity;
	subscribing, by the endpoint agent implementing the security analytics system, to events through the at least one low-level hook;
	collecting, by the event stream collector of the security analytics system, event and related contextual information associated with one or more user behaviors;
	processing, by the event queue analytics module of the security analytics system, the event and the related contextual information to generate enriched user behavior;
	generating, by the event queue analytics module of the security analytics system, one or more analytic results by analyzing the enriched user behavior associated with the related contextual information, wherein the related contextual information may include at least one of an entity, a particular resource, or a service;
	storing, by the storage API of the security analytics system, the one or more analytic results in one or more datastores.

2. (Cancelled)

3. (Cancelled)

4. (Cancelled) 

5. (Currently Amended) The method of claim 1, wherein the common queue of events is dynamically updated with entries. 

6. (Previously Presented) The method of claim 1 further comprising providing a list of file activities based on the entry pairs determined to be file copy activities. 

7. (Currently Amended) A system comprising:
	a processor;
	a data bus coupled to the processor; and
	a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations for monitoring and detecting file copy activity between an information handling device information handling device over a Media Transfer Protocol (MTP) connection, and comprising instructions executable by the processor and configured for:
	the information handling device including a protected endpoint device interacting with an endpoint agent through at least one low-level hook, the endpoint agent implementing a security analytics system, and the security analytics system including a file copy module, an event stream collector, an event queue analytics module, and a storage Application Program Interface (API);
	establishing a connection with the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device;
	monitoring, by the file copy module, [[the]] MTP file activities between the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device by:
registering a callback function for [[the]] each of the one or more devices attempting to connect with the protected endpoint device, wherein the callback function requires monitoring for MTP file copy activities and MTP file read activities;
	creating, by the file copy module, a common queue of events  the one or more devices attempting to connect with the protected endpoint device
	gathering, by the file copy module, information of events
	entering, by the file copy module,  related to  of file activities as an entry into the common queue of events, wherein each entry includes a file size, a time stamp, and device information comprising a device name of a device attempting to connect with the protected endpoint device; [[and]]
	detecting, by the file copy module, one or more file copy activities by comparing entries  of events to determine entry pairs having same file sizes and time stamps within a predetermined time window, wherein each determined entry pair[[s]] [[of]] comprises a file read and a file create[[d]] corresponding to a file copy activity;
	subscribing, by the endpoint agent implementing the security analytics system, to events through the at least one low-level hook;
	collecting, by the event stream collector of the security analytics system, event and related contextual information associated with one or more user behaviors;
	processing, by the event queue analytics module of the security analytics system, the event and the related contextual information to generate enriched user behavior;
	generating, by the event queue analytics module of the security analytics system, one or more analytic results by analyzing the enriched user behavior associated with the related contextual information, wherein the related contextual information may include at least one of an entity, a particular resource, or a service;
	storing, by the storage API of the security analytics system, the one or more analytic results in one or more datastores.

8. (Cancelled)

9. (Cancelled)

10. (Cancelled) 

11. (Currently Amended) The system of claim 7, wherein the  of events is dynamically updated with entries. 

12. (Previously Presented) The system of claim 7 further comprising providing a list of file copy activities based on the pairs determined to be file copy activities.

13. (Currently Amended) A non-transitory, computer-readable storage medium embodying computer program code for monitoring and detecting file copy activity between an information handling device and one or more devices attempting to connect with the information handling device over a Media Transfer Protocol (MTP) connection, the computer program code comprising computer executable instructions configured for:
	the information handling device including a protected endpoint device interacting with an endpoint agent through at least one low-level hook, the endpoint agent implementing a security analytics system, and the security analytics system including a file copy module, an event stream collector, an event queue analytics module, and a storage Application Program Interface (API);
	establishing a connection with the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device;
	monitoring, by the file copy module, [[the]] MTP file activities between the protected endpoint device and the one or more devices attempting to connect with the protected endpoint device by:
registering a callback function for [[the]] each of the one or more devices attempting to connect with the protected endpoint device, wherein the callback function requires monitoring for MTP file copy activities and MTP file read activities;
	creating, by the file copy module, a common queue of events  the one or more devices attempting to connect with the protected endpoint device
	gathering, by the file copy module, information of events
	entering, by the file copy module,  related to  of file activities as an entry into the common queue of events, wherein each entry includes a file size, a time stamp, and device information comprising a device name of a device attempting to connect with the protected endpoint device; [[and]]
	detecting, by the file copy module, one or more file copy activities by comparing entries  of events to determine entry pairs having same file sizes and time stamps within a predetermined time window, wherein each determined entry pair[[s]] [[of]] comprises a file read and a file create[[d]] corresponding to a file copy activity;
	subscribing, by the endpoint agent implementing the security analytics system, to events through the at least one low-level hook;
	collecting, by the event stream collector of the security analytics system, event and related contextual information associated with one or more user behaviors;
	processing, by the event queue analytics module of the security analytics system, the event and the related contextual information to generate enriched user behavior;
	generating, by the event queue analytics module of the security analytics system, one or more analytic results by analyzing the enriched user behavior associated with the related contextual information, wherein the related contextual information may include at least one of an entity, a particular resource, or a service;
	storing, by the storage API of the security analytics system, the one or more analytic results in one or more datastores.

14. (Cancelled)

15. (Cancelled)

16. (Cancelled) 

17. (Currently Amended) The non-transitory, computer-readable storage medium of claim 13, wherein the common queue of events is dynamically updated with entries. 

18. (Previously Presented) The non-transitory, computer-readable storage medium of claim 13, further comprising providing a list of file copy activities based on the pairs determined to be file copy activities.

19. (Previously Presented) The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are deployable to a client system from a server system at a remote location. 

20. (Previously Presented) The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis. 

21. (Cancelled) 

22. (Cancelled) 

23. (Cancelled) 

24. (Cancelled) 

25. (Cancelled) 

26. (Cancelled) 
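
The pairing step recited in the detecting limitation of claims 1, 7, and 13, sketched as an added example; it is not part of the Office action or of the applicant's implementation. The `op` field, the 2-second window, and the sample queue are assumptions constructed for illustration; the claims only require that each entry carry a file size, a time stamp, and a device name.

```python
from collections import namedtuple

# One entry in the common queue of events. The claims require size, time stamp
# and device name; "op" (read/create) is an assumed field for this sketch.
Entry = namedtuple("Entry", "ts op size device")

def detect_copies(queue, window=2.0):
    """Return (read, create) pairs with equal file size whose time stamps
    differ by at most `window` seconds. Each entry is paired at most once."""
    entries = sorted(queue, key=lambda e: e.ts)
    used, pairs = set(), []
    for i, a in enumerate(entries):
        if i in used:
            continue
        for j in range(i + 1, len(entries)):
            b = entries[j]
            if b.ts - a.ts > window:
                break                      # sorted by time: nothing later can match
            if j in used or b.size != a.size:
                continue
            if {a.op, b.op} != {"read", "create"}:
                continue                   # two reads or two creates are not a copy
            used.update((i, j))
            pairs.append((a, b) if a.op == "read" else (b, a))
            break
    return pairs

# Constructed sample queue (not real telemetry), fed by per-device callbacks.
QUEUE = [
    Entry(100.0, "read",   48213, "Phone-A"),
    Entry(100.4, "create", 48213, "Phone-A"),   # copy: same size, 0.4 s apart
    Entry(101.0, "read",   1024,  "Phone-A"),
    Entry(130.0, "create", 1024,  "Camera-B"),  # same size, outside the window
    Entry(200.0, "read",   777,   "Camera-B"),
    Entry(200.9, "create", 777,   "Camera-B"),  # copy
    Entry(300.0, "read",   50,    "Phone-A"),
    Entry(300.1, "read",   50,    "Phone-A"),   # two reads: not a read/create pair
]

if __name__ == "__main__":
    for read, create in detect_copies(QUEUE):
        print(f"copy of {read.size} bytes at t={read.ts} via {create.device}")
```

Size-and-time matching is a heuristic: two unrelated files of identical size touched inside the window will also pair, so the window length trades missed slow copies against false positives.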



REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
An updated prior art search was performed, but no prior art appeared to teach, suggest, or otherwise render obvious the combination of the independent claims’ limitations. The dependent claims are allowable at least by virtue of their dependency on their respective independent claims.
The independent claims, as they appear in the Examiner’s amendments above, were found to be patent eligible, resulting in the withdrawal of the 101 rejection. The dependent claims are patent eligible at least by virtue of their dependency on their respective independent claims.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IRENE BAKER whose telephone number is (408)918-7601. The examiner can normally be reached M-F 8-5PM PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEVEEN ABEL-JALIL can be reached on (571)270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/IRENE BAKER/
Primary Examiner, Art Unit 2152
24 February 2022




    
        
            
        
            
    

    
1 Note that Applicant had previously given permission for Internet communications. See the “Internet Communications Authorized” form filed on 18 February 2022.