Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 	
DETAILED ACTION

Response to Amendment
The Amendment filed on December 17, 2021 has been received and entered. Claims 1, 8 and 15 have been amended. Claims 1-20 are pending for examination. 
Rejections and/or objections not reiterated from previous office actions are hereby withdrawn.  The following rejections and/or objections are either reiterated or newly applied.  They constitute the complete set presently being applied to the instant application.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/15/2021 has been considered by the examiner.  Please see attached PTO-1449.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 8, 9, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ahrens et al. (U.S. Pat. Pub. 2016/0224259) in view of Tan (U.S. Pat. Pub. 2017/0235490).

Referring to claim 1, Ahrens et al. teaches a method comprising: 
generating, by a storage system (The storage system 100 includes… data transformation module 380, see Ahrens et al., Fig. 3) and according to a security policy, an obfuscated snapshot of a dataset by obfuscating a sensitive subset of the dataset (the data transformation module 380 performs masking by replacing either a portion of a number (i.e., a string of digits) with one or more characters. For example, if a number represents a social security number or a credit card number, the transformation function may replace a prefix of the number with a character, such as 'x'. Accordingly, the data transformation module 380 Ahrens et al., Para. 49), wherein the obfuscated snapshot captures the state of the dataset at a specific point in time with the sensitive data obfuscated (each secure snapshot stores a distinct copy of a masked data block even if the masked data block is obtained from the same unmasked data block. Transmission of all masked data blocks of a secure snapshot results in significant amount of data being transmitted to the target storage system and also requires additional storage at the target storage system for storing the masked data blocks, see Ahrens et al., Para, 22. The storage system 100 masks the sensitive data in the copy of the unsecure snapshot to obtained masked sensitive data for the secure snapshot, see Ahrens et al., Para, 35. The storage system 100 creates snapshots of data that represent state of the data at a particular point in time… the storage system 100 creates secure copies of a snapshot by applying a masking function to a portion of data of the snapshot identified as sensitive data, see Ahrens et al., Para, 36);
providing, to one or more untrusted target computer systems, the obfuscated snapshot the dataset corresponding to the specific point in time with the sensitive subset of the dataset obfuscated at the one or more untrusted target computer systems (The target storage system reconstructs the masked snapshot based on the data blocks received and data blocks of the previously received secure snapshot, see Ahrens et al., Para, 22, the source storage system 100a replicates only the secure snapshot 220 and does not replicate snapshot 210 that stores unmasked sensitive data. The source storage system 100a replicates 235 the secure snapshot 220a to the target system 100b. The replicated secure snapshot 220a is stored Ahrens et al., Para, 40).
However, Ahrens et al. does not explicitly teach 
wherein the sensitive subset remains obfuscated to an untrusted target computer system when the untrusted target computer system restores the dataset from the obfuscated snapshot;
for restoration of the dataset corresponding to the specific point in time. 
Tan teaches
wherein the sensitive subset remains obfuscated to an untrusted target computer system when the untrusted target computer system restores the dataset from the obfuscated snapshot (all required content is protected and can be restored to its original state at the time the enhance backup occurred, see Tan, Para. 300, in addition to the source storage system 100a replicates only the secure snapshot 220 and does not replicate snapshot 210 that stores unmasked sensitive data. The source storage system 100a replicates 235 the secure snapshot 220a to the target system 1 00b. The replicated secure snapshot 220a is stored as the snapshot 220b on the target system 100b, see Ahrens et al., Para, 40. The combination of references clear teaches the limitation);
for restoration of the dataset corresponding to the specific point in time (all required content is protected and can be restored to its original state at the time the enhance backup occurred, see Tan, Para. 300).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Ahrens et al., to wherein the sensitive subset remains obfuscated to an untrusted target computer system when the untrusted target computer system restores the dataset from the obfuscated snapshot; for restoration of the dataset corresponding to the specific point in time, as taught by Tan, to enhance the security and privacy of data (Tan, Para. 70).
	As to claim 2, Ahrens et al. teaches generating the obfuscated snapshot is performed by a controller of a storage system (The storage system 100 includes… data transformation module 380, see Ahrens et al., Fig. 3, the data transformation module 380 performs masking by replacing either a portion of a number (i.e., a string of digits) with one or more characters. For example, if a number represents a social security number or a credit card number, the transformation function may replace a prefix of the number with a character, such as 'x'. Accordingly, the data transformation module 380 replaces a number "123 456" with "xxx 456." In an embodiment, the data transformation module 380 performs masking by using a dictionary to map a term to another term, see Ahrens et al., Para. 49). 
	Referring to claim 8, Ahrens et al. teaches an apparatus comprising: 
Ahrens et al., Para. 85) configured to implement an obfuscation engine; and 
a computer memory (machine-readable medium, see Ahrens et al., Para. 85) operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions implementing the obfuscation engine that, when executed by the computer processor, cause the apparatus perform, which recites the corresponding limitations as set forth in claim 1 above; therefore it is rejected under the same subject matter.
	
Claim 9 is rejected under the same rationale as stated in the claim 2 rejection.
	Referring to claim 15, Ahrens et al. teaches a computer program product disposed upon a non-transitory computer readable medium (machine-readable medium, see Ahrens et al., Para. 85), the computer program product comprising computer program instructions that, when executed, cause a computer to perform, which recites the corresponding limitations as set forth in claim 1 above; therefore, it is rejected under the same subject matter.
	
Claim 16 is rejected under the same rationale as stated in the claim 2 rejection.

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ahrens et al. (U.S. Pat. Pub. 2016/0224259) in view of Tan (U.S. Pat. Pub. 2017/0235490) as applied to claims 1, 2, 8, 9, 15 and 16 above, and in further view of Mont et al. (U.S. Pat. Pub. 2005/0251865).
	As to claim 3, Ahrens et al. as modified does not explicitly teach the storage system is within a trusted computing environment in accordance with the security policy, and wherein the untrusted target computer system is not within a trusted computing environment in accordance with the security policy.
However, Mont et al. teaches the storage system is within a trusted computing environment in accordance with the security policy, and wherein the untrusted target computer system is not within a trusted computing environment in accordance with the security policy (trust: policies dictate trust requirements to be satisfied by the involved parties, see Mont et al., Para. 127)
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Ahrens et al. as modified, to have the system is a trusted computing environment in accordance with the security policy, as taught by Mont et al., to prevent privacy violations when using data mining learning algorithms, data correlations and linking techniques (Mont et al., Para. 12).

Claim 10 is rejected under the same rationale as stated in the claim 3 rejection.
	
Claim 17 is rejected under the same rationale as stated in the claim 3 rejection.

Claims 4, 5, 11, 12, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ahrens et al. (U.S. Pat. Pub. 2016/0224259) in view of Tan (U.S. Pat. Pub. 2017/0235490) O'Byrne (U.S. Pat. Pub. 2013/0054650).

As to claim 4, Ahrens et al. teaches the dataset comprises a structured database (database, see Ahrens et al., Para, 50).
Ahrens et al. as modified does not explicitly teach structured database that is structured in accordance with a schema. 
O'Byrne teaches structured database that is structured in accordance with a schema (receiving a selection of the database schema and determining column obfuscation patterns within column names of the database schema, see O'Byrne, Para. 3).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Ahrens et al. as modified, to have a structured database that is structured in accordance with a schema, as taught by O'Byrne, to avoid time consuming operation (O'Byrne, Para. 2).
	As to claim 5, Ahrens et al. as modified teaches interpreting the dataset in accordance with the schema to determine one or more columns of data to obfuscate (At decision block 240, it is determined if there are column obfuscation patterns within the column names of the database schema. Column obfuscation patterns within the column names are patterns that may define a column content to be sensitive data. For example, if the column name is "SSN", then the content is considered to be social security numbers, which is typically sensitive data, see O'Byrne, Para. 16). 

Claim 11 is rejected under the same rationale as stated in the claim 4 rejection.

	Claim 12 is rejected under the same rationale as stated in the claim 5 rejection.

Claim 18 is rejected under the same rationale as stated in the claim 4 rejection.

Claim 19 is rejected under the same rationale as stated in the claim 5 rejection.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ahrens et al. (U.S. Pat. Pub. 2016/0224259) in view of Tan (U.S. Pat. Pub. 2017/0235490) as applied to claims 1, 2, 8, 9, 15 and 16 above, and in further view of Balakrishnan et al. (U.S. Pat. No. 7,724,918).
	As to claim 6, Ahrens et al. as modified does not explicitly teach the dataset is unstructured data, and wherein generating the obfuscated snapshot further comprises: interpreting the dataset to determine one or more types of data to obfuscate, wherein the one or more types are specified by one or more of: a user or one or more rule sets. 
However, Balakrishnan et al. teaches the dataset is unstructured data (Disclosed are methods and implementation for the obfuscation of sensitive information in text data that is in unstructured format, see Balakrishnan et al., Col. 2, lines 51-53), and wherein generating the obfuscated snapshot further comprises: interpreting the dataset to determine one or more Balakrishnan et al., Col. 2, lines 58-62. The entity values 126 received from the data sources 116 are provided to the configurable obfuscator module 114 together with the annotator data 124 and the configuration parameters 120. The configurable obfuscator module 114 performs a number of tasks. Firstly, the obfuscator module 114 allows the user to define the level of obfuscation desired for each application. This may be done by specifying names of entities that contain the sensitive information, such as person names, company names and email identifiers, see Balakrishnan et al., Col. 2, lines 30-39).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Ahrens et al. as modified, to have the dataset is unstructured data, and wherein generating the obfuscated snapshot further comprises: interpreting the dataset to determine one or more types of data to obfuscate, wherein the one or more types are specified by one or more of: a user or one or more rule sets, as taught by Balakrishnan et al., to preserve the readability of the original document, and to transform the sensitive information in the original document is such a manner that it is possible to reconstruct the original document from the obfuscated document (Balakrishnan et al., Col. 2, lines 53-57).

Claim 13 is rejected under the same rationale as stated in the claim 6 rejection.

.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ahrens et al. (U.S. Pat. Pub. 2016/0224259) in view of Tan (U.S. Pat. Pub. 2017/0235490) as applied to claims 1, 2, 8, 9, 15 and 16 above, and in further view of Ghafourifar (U.S. Pat. Pub. 2016/0188893).
	As to claim 7, Ahrens et al. as modified does not explicitly teach the security policy specifies permissions for users within different computing environment, wherein the security policy specifies one or more portions or types of data correspond to one or more of the permissions for users, wherein the security policy specifies access limitations to allow access only to datasets that have been correctly obfuscated, and wherein the obfuscated dataset is tagged with metadata specifying the security policy used to obfuscate the obfuscated dataset. 
However, Ghafourifar teaches the security policy specifies permissions for users within different computing environment (the entire JPEG image file would be viewable to User A, but only a redacted portion or portions of the JPEG image (e.g., everything but the face of the subject(s) in the image) would be available to the User B and other users when viewing the JPEG image file in an authorized viewing application, see Ghafourifar, Para. 7, deep-link may be used to validate user credentials, as well as to view the hidden (and/or encrypted) obfuscated contents of the file in a compatible authorized viewer application, see Ghafourifar, Para. 30, wherein the viewer application is interpreted as computing environment), wherein the security policy specifies one or more portions or types of data correspond to one or more of the Ghafourifar, Para. 38 and Para. 36).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Ahrens et al. as modified, to have the security policy specifies permissions for users within different computing environment, wherein the security policy specifies one or more portions or types of data correspond to one or more of the permissions for users, wherein the security policy specifies access limitations to allow access only to datasets that have been correctly obfuscated, and wherein the obfuscated dataset is tagged with metadata specifying the security policy used to obfuscate the obfuscated dataset, as taught by Ghafourifar, to enhance the security of the permission settings (Ghafourifar, Para. 6).

Claim 14 is rejected under the same rationale as stated in the claim 7 rejection.

Response to Argument


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAU SHYA MENG whose telephone number is (571)270-1634.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JAU SHYA MENG/Primary Examiner, Art Unit 2168