Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114

1.       A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Applicant's submission filed on 2-22-2022 has been entered.

2.        Claims 1 - 20 are pending.  Claims 1, 9, 17 have been amended.  Claims 1, 9, 17 are independent.  This application was filed on 5-30-2018.  

Response to Arguments

3.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 9-10-2020, with respect to the rejection(s) under Borders in view of Chitre and further in view of Hanner have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Borders in view of Sarin and further in view of Chitre and Hanner.

A.  Applicant argues on page 11 of Remarks: “... Chitre performs the operations mapped in the Office action to the subject matter at issue without respect to a transmitted file ...”.

    The Examiner respectfully disagrees.  Sarin discloses a detection of a transmitted file and performing operations in response to the detection.  (see Sarin paragraph [0042], lines 1-14: DLP policy enforcer activated when an application is allowed to execute by DLP endpoint monitor; attempts to open, read, and/or send a file or contents in a file to a destination; DLP policy enforcer receives, as input, information about a requested file, application that requested access to file, and/or information about destination of file (if an application is attempting to transfer a file from endpoint system to a remote system); based on content of file and application that is attempting to access file, DLP policy enforcer can block access to file, allow access to a redacted copy of file, or allow unrestricted access to file; paragraph [0038], lines 1-11: file system monitor is configured to intercept file operations initiated by an application in order to determine whether to allow or block requested file operations; file system monitor configured by DLP endpoint monitor to monitor file open and/or read operations for applications that have active network connections; when an application attempts to open and/or read a file, file system monitor detects the attempted file operation and activates DLP policy enforcer to determine whether to allow or block access to requested file; paragraph [0033], lines 1-5: DLP endpoint monitor can additionally monitor application and/or library activity on file system (e.g., application and/or library access of a file stored on file system for transmission to a remote location via network interface))
    And, Chitre discloses the operational steps of file size determination and file size 

B.  Applicant argues on page 11 of Remarks: “... Hanner does not perform the claimed activity responsive to detecting a transmitted file, ...”.

    The Examiner respectfully disagrees.  Sarin discloses a detection of a transmitted file and performing operations in response to the detection.  (see Sarin paragraph [0042], lines 1-14: DLP policy enforcer activated when an application is allowed to execute by DLP endpoint monitor; attempts to open, read, and/or send a file or contents in a file to a destination; DLP policy enforcer receives, as input, information about a requested file, application that requested access to file, and/or information about destination of file (if an application is attempting to transfer a file from endpoint system to a remote system); paragraph [0038], lines 1-11: file system monitor is configured to intercept file operations initiated by an application in order to determine whether to allow or block requested file operations; file system monitor configured by DLP endpoint monitor to monitor file open and/or read operations for applications that have active network connections; when an application attempts to open and/or read a file, file system monitor detects the attempted file operation and activates DLP policy enforcer to determine whether to allow or block access to requested file; paragraph [0033], lines 1-5: DLP endpoint monitor can additionally monitor application and/or library activity on 

C.  Applicant argues on pages 11-12 of Remarks: “... claims 1, 9, and 17 are patentable over the cited art of record, as are the claims that depend therefrom”.

    Independent claims 9 and 17 have similar limitations as independent claim 1.  Responses to arguments against independent claim 1 also answer arguments against independent claims 9 and 17.     
    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.  

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1, 2, 4 - 7, 9, 10, 12 - 15, 17, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Borders et al. (US PGPUB No. 20090158430) in view of Sarin et al. (US PGPUB 20170091482) and further in view of Chitre et al. (US Patent No. 7,441,153) and Hanner, SR. et al. (US PGPUB No. 20150026464, referred to as “Hanner”).      	

Regarding Claims 1, 9, 17, Borders discloses a method for real-time detection of and protection from steganography in a kernel mode and a non-transitory computer readable medium storing instructions that when executed by at least one processor cause the at least one processor to perform operations and a computer system, comprising:
a)  detecting transmission of a file via a firewall, an operating system, or an e-mail system; (see Borders paragraph [0068], lines 3-8: receiving a data stream (i.e. a file) representing outbound application layer messages from a first computer process to at least one second computing process implemented upon one or more computer systems; (selected: transmission of a file by an operating system)) and   
g)  executing, responsive to the determined size of the file being smaller than the stored filesize value of the file, steganography detection analytics on the file; (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents and generate a file alert, if required (file sizes do not match; determined size “smaller” than the “other” file size)) and 
h) wherein responsive to the steganography detection analytics indicating presence of steganography in the file; and j) transmitting information describing the steganography to a client device. (see Borders paragraph [0249], lines 1-11: generate a file alert, if required; paragraph [0068], lines 11-12: generating a signal if a security threat is detected)     

Borders does not specifically disclose for b) performing operation(s) in response to detecting transmission of a file. 

b)  in response to detecting the transmission of the file. (see Sarin paragraph [0042], lines 1-14: DLP policy enforcer activated when an application is allowed to execute by DLP endpoint monitor; attempts to open, read, and/or send a file or contents in a file to a destination; DLP policy enforcer receives, as input, information about a requested file, application that requested access to file, and/or information about destination of file (if an application is attempting to transfer a file from endpoint system to a remote system); based on content of file and application that is attempting to access file, DLP policy enforcer can block access to file, allow access to a redacted copy of file, or allow unrestricted access to file; paragraph [0038], lines 1-11: file system monitor is configured to intercept file operations initiated by an application in order to determine whether to allow or block requested file operations; file system monitor configured by DLP endpoint monitor to monitor file open and/or read operations for applications that have active network connections; when an application attempts to open and/or read a file, file system monitor detects the attempted file operation and activates DLP policy enforcer to determine whether to allow or block access to requested file; paragraph [0033], lines 1-5: DLP endpoint monitor can additionally monitor application and/or library activity on file system (e.g., application and/or library access of a file stored on file system for transmission to a remote location via network interface))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders for b) performing 

    Furthermore, Borders discloses for d): determining a size of a file. (see Borders paragraph [0249], lines 1-11: separate file bandwidth from other bandwidth, post-processor identifies file transfers; (i.e. determines size of transferred file))   
    And, Borders discloses for e): retrieving a stored filesize value of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents; (determine size of baseline or stored  file)) 
    And, Borders discloses for f): comparing the size of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents and generate a file alert (i.e. based upon file comparison), if required)  

Furthermore, Borders-Sarin does not specifically disclose for c) storing a file in a file system, and for d) determining a size of a file based on retrieving size data, and for e) retrieving a stored filesize value of a file by accessing a filesize value, and for f) comparison operation using retrieved size of a file determined based on a stored filesize value of a file. 
However, Chitre discloses:  

d)  determining a size of a file, based on retrieving size data from a plurality of sections within the file; (see Chitre col 5, lines 43-51: append data to file, update size field in file header; event generation logic adds size(s) of newly appended data to current size of data in file and writes newly calculated sum to size field in header; (i.e. size of file determined from sections of data: appended section(s) of file and current or previous section of file))           
e)  retrieving, from the file system from a source other than the plurality of sections within the file, a stored filesize value of the file by accessing a filesize value of the file from the file system; (see Chitre col 6, lines 12-14: actual size of file is compared to size as indicated by size field in file header (i.e. file size acquired or read from stored file size in size field in file header)) and
f)  comparison operation using a size value of the file determined based on the stored filesize value of the file retrieved by accessing the filesize value from the file system. (see Chitre col 2, lines 7-12: compare actual size of file to size of file as indicated in size field in file header; if actual size of file is same as size of file as indicated in a size field in file header, then file has not been tampered with)    


Borders-Sarin-Chitre does not specifically disclose a transmitted file and executing a steganography remediation action. 
However, Hanner discloses the following: 
a transmitted file; (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated with a computer file is identified; communication and computer file analyzed to determine whether computer file potentially includes hidden content; to determine whether computer file potentially includes hidden content, a set of steganographic criteria analyzed; if at least a portion of steganographic criteria are satisfied, then it is determined that computer file potentially includes hidden content) and 
i)   executing a steganography remediation action. (see Hanner paragraph [0021], lines 19-23: steganographic analysis techniques allow an organization to take 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Sarin-Chitre for a transmitted file and for i) executing a steganography remediation action as taught by Hanner. One of ordinary skill in the art would have been motivated to employ the teachings of Hanner for the benefits achieved from a system that enables improved approaches to detecting the use of steganography. (see Hanner paragraph [0004], lines 8-10)    

Regarding Claims 2, 10, 18, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the determining of the size of the file comprises: 
a)  obtaining a pointer to a section header of the file, the section header associated with a plurality of sections of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header (section) field), resource path)     

c)  summing the size of each section of the plurality of sections of the file to determine the size of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))   
Chitre discloses header information (i.e. file section(s) information) of a file as stated in Claim 1 above.  
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 4, 12, 20, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocols embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload))   
b)  analyzing the appended payload to determine a file format of the appended payload; (see Borders paragraph [0232], lines 1-7: algorithm encounters a 
c)  executing the steganography detection analytics based on the file format of the appended payload. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))     
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 5, 13, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocols embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload)) and
b)  performing one or more of Monte Carlo approximation, entropy determination, serial coefficient analysis, arithmetic mean determination, Chi-Square determination, and standard deviation determination to determine whether data within the appended payload is encrypted. (see Borders paragraph [0239], lines 3-4: a probabilistic profile of request parameters and detecting deviation from this profile; paragraph [0144], lines 1-5: calculating coefficient of variation; coefficient 
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 6, 14, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file. (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocols embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload)) 

Borders-Sarin-Chitre does not specifically disclose a transmitted file and identifying presence of unauthorized data. 
However, Hanner discloses:
A transmitted file; and b) identifying presence of unauthorized data within the appended payload. (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated with a computer file is identified; communication and computer file analyzed to determine whether computer file potentially includes hidden content; to determine whether computer file potentially includes hidden content, a set of steganographic criteria analyzed; if at 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Sarin-Chitre for a transmitted file and identifying presence of unauthorized data as taught by Hanner. One of ordinary skill in the art would have been motivated to employ the teachings of Hanner for the benefits achieved from a system that enables improved approaches to detecting the use of steganography. (see Hanner paragraph [0004], lines 8-10)   

Regarding Claims 7, 15, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocols embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. such as header and payload)) and
b)  identifying presence of assembly level or machine level instructions within the appended payload. (see Borders paragraph [0060], lines 5-8: traffic including command and control information such as instructions (i.e. within request) to download other programs or attack other computers)  
Hanner discloses a transmitted file as stated in Claim 1 above.  	

Claims 3, 8, 11, 16, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Borders in view of Sarin and further in view of Chitre and Hanner and Agaian et al. (US PGPUB No. 20160381054).

Regarding Claims 3, 11, 19, Borders-Sarin-Chitre-Hanner discloses the method of claim 2 and the non-transitory computer readable medium of claim 10 and the computer system of claim 18, wherein the obtaining of the pointer to the section header of the file comprises:
a)  opening the file using a filename of the file or a path of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header field), resource path) and  
b)  reading a header of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters (reads) a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))    

Borders-Sarin-Chitre-Hanner does not specifically disclose for c) magic number associated with file, and for d) verifying magic number to obtain pointer to section of file.
However, Agaian discloses: 
c)  retrieving a magic number from the header; (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format 
d)  verifying the magic number to obtain a pointer to the section header of the file. (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format magic number and values is recorded as an identifier; paragraph [0079], lines 9-11: object identifier such as a file descriptor or magic number)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Sarin-Chitre-Hanner for c) magic number associated with file, and for d) verifying magic number to obtain pointer to section of file as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)  
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 8, 16, Borders-Sarin-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9. 
Borders-Sarin-Chitre-Hanner does not specifically disclose implementation of steganography remediation actions.

        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Sarin-Chitre-Hanner for implementation of steganography remediation actions as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)    
Hanner discloses a transmitted file as stated in Claim 1 above. 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CJ/
February 28, 2022

/SHEWAYE GELAGAY/ Supervisory Patent Examiner, Art Unit 2436