DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 01/18/2022.
Claims 1-2, 8-9, and 15-16 are amended.
Claims 1-20 are pending in the application. 
The 101 rejections against claims 1-2, 5-9, 12-16 and 19-20 are withdrawn because the amended claims overcome the rejections.
 
Response to Applicant’s Arguments
Claims 1-2, 6, 8-9, 13, and 15-16 were previously rejected under 35 U.S.C. § 102(a)(1) as being anticipated by U.S. Publication No. 2017/0163677 by Gordon et al. (hereinafter "Gordon") in the office action dated 10/21/2021.
	In the Remarks filed on 01/18/2022, starting near the top of page 2, the Applicant argues “Claim 1 as amended recites among other elements the element of, "generating, by the classification server, a set of sensitivity scores corresponding to the one or more pieces of information, wherein the set of sensitivity scores includes a sensitivity score corresponding to the field name, wherein the sensitivity score corresponding to the field name is generated based on applying regular expressions to the field name and the content data corresponding to the field name, wherein the sensitivity score corresponding to the field name indicates the level of sensitivity associated with the field name." Applicant respectfully submits that the cited reference fails to teach at least this element of claim 1.”
	The above arguments have been fully considered but are moot because a new ground of rejection, necessitated by the amendment and made in view of PARTHASARATHY; RAJESH KRISHNASWAMI (US 20200057864 A1, hereinafter Parthasarathy), is used to reject the disputed limitation of the amended claim 1.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 6, 8-9, 13, and 15-16 are rejected under 35 U.S.C. § 103 as unpatentable over Gordon et al. (US 20170163677 A1, hereinafter Gordon) in view of PARTHASARATHY; RAJESH KRISHNASWAMI (US 20200057864 A1, hereinafter Parthasarathy).
 a method for passively classifying data in a database based on event logs stored in an event log database, the method comprising:
	retrieving, by a classification server, a first event log from the event log database (¶26, the system 110 may extract (or otherwise receive, such as load) data from the database server(s), the data extracted from the database server(s) (e.g., the user access data, such as activity logs); ¶56, extract data from the database server(s) 105, the data stored in the database servers 105 may comprise user activity data), wherein the first event log represents a transaction involving a client device and the database (¶66, the system may capture security events based on anomalies from users accessing data from queries executed in one or more database platforms);
	extracting, by the classification server, one or more pieces of information from the first event log to generate classification data (¶65, determine a risk score associated with each record, see also ¶56, ¶60-¶64);
	generating, by the classification server, a set of  ([Examiner remark: the crossed over text is discussed below]; Abstract, monitoring system and method described herein may provide visibility into users' activities and their access to sensitive information (e.g., social security number, addresses, fingerprints, and the like) in order to evaluate and mitigate, for example, insider data security threats ¶65, determine a risk score associated with each record, ¶65, calculate a risk score for a combination of non-public and/or personally identifiable data, how much sensitive data (e.g., SSNs) the user was viewing, certain customers were viewed, work data accessed outside of normal work hours);
	storing, by the classification server, the set of  ([Examiner remark: the crossed over text is discussed below]; ¶26, determine a threat or risk score associated with each record and determine whether there is any suspicious activity based on the determined risk score for each record, provide user(s) access to the data (e.g., to one or more reports); ¶90, notifications and/or reports containing one or more of the data fields and values, Query Risk Score, 
; ¶91, notification 900 may also include a link 915, the link 915 may direct the recipient of the notification 900 to additional details on the security event, such as one or more query reports, query reports were described above; [Examiner note: as users access the link, they can access query risk score data, which means the risk score was retained for users’ later access]).
	Although Gordon teaches calculating, by the classification server, risk scores of records based on how much sensitive data the user was viewing, Gordon does not explicitly disclose:
	wherein the one or more pieces of information include a field name indicated in the first event log and content data corresponding to the field name;
	generating, by the classification server, a set of sensitivity scores corresponding to the one or more pieces of information, wherein the set of sensitivity scores includes a sensitivity score corresponding to the field name, wherein the sensitivity score corresponding to the field name is generated based on applying regular expressions to the field name and the content data corresponding to the field name, wherein the sensitivity score corresponding to the field name indicates a level of sensitivity associated with the field name; and
	representing the set of sensitivity scores in a dashboard.
	On the other hand, Parthasarathy teaches:
	wherein the one or more pieces of information include a field name indicated in the first event log and content data corresponding to the field name (abstract, scores the data, and determines sensitive data; ¶28, sequence of one or more of match operations to be performed on the accessed data, match operations comprise, for example, a master data field match operation, multiple dictionary match operations, a code match operation, multiple pattern match operations, and multiple exact data match operations; ¶29, scores the accessed data based on a result of each of the executed match operations; ¶55, The match operations comprise, for example, a master data field match operation, matching the accessed data against fields and values defined in the master data table, matches the accessed data against fields, for example, column names, and values defined in the master data table, if a score assigned to the accessed data exceeds a predefined threshold, the SDDE deems the accessed data as sensitive data; ¶56, The dictionary match operations comprise, for example, “Dictionary Match: Relationship”, “Dictionary Match: Column Name”, and “Dictionary Match Column Name Expression”);
	generating, a set of sensitivity scores corresponding to the one or more pieces of information (¶20, determine/judge a status/presence of sensitive data as a true positive or a false positive, based on the validated scores of the data. ¶29, scores the accessed data based on a result of each of the executed match operations; see also ¶51-¶71), wherein the set of sensitivity scores includes a sensitivity score corresponding to the field name (¶29, scores the accessed data based on a result of each of the executed match operations, determines sensitive data from the scored data; ¶55, matches the accessed data against fields, for example, column names, if a score assigned to the accessed data exceeds a predefined threshold, the SDDE deems the accessed data as sensitive data), wherein the sensitivity score corresponding to the field name is generated based on applying regular expressions to the field name and the content data corresponding to the field name (¶28, multiple pattern match operations; ¶29, scores the accessed data based on a result of each of the executed match operations; ¶55, matches the accessed data against fields, for example, column names, and values; ¶56, Dictionary Match Column Name Expression, determines all the occurrences of any pattern or string of the dictionary in the accessed data, exact column names, and matching the accessed data against similar column names; ¶57, for credit card number, which is a 16-digit number, the SDDE includes all possible pattern combinations NNNN-NNNN-NNNN-NNNN, NNNNNNNNNNNNNNNN, NNNN NNNN NNNN NNNN, NNNN/NNNN/NNNN/NNNN. etc., in the pattern match operations to capture all such patterns. The pattern combinations are configurable via the GUI. The pattern match operations comprise matching the accessed data against character-based patterns. 
The pattern match operations comprise, for example, “Pattern , wherein the sensitivity score corresponding to the field name indicates a level of sensitivity associated with the field name (¶55, the SDDE matches the accessed data against fields, for example, column names, and values defined in the master data table. If a match of the accessed data with the sensitive data contained in the master data table is found and if a score assigned to the accessed data exceeds a predefined threshold, the SDDE deems the accessed data as sensitive data); and
	representing the set of sensitivity scores in a dashboard ([0097] FIGS. 11A-11B illustrate a table 1101 showing locations of sensitive data deemed as true positives, determined from a scan performed on data in a database, according to an embodiment herein. In an embodiment, the sensitive data discovery engine (SDDE) represents the locations of the sensitive data in a sensitive data discovery map report and renders the sensitive data discovery map report on a GUI displayed on a user device. [0099] FIGS. 13-14 illustrate tables 1301 and 1401 showing results of identification of sensitive data in complex columns, according to an embodiment herein. In an example, the sensitive data discovery engine (SDDE) runs the following queries to verify the sensitive data discovery map report exemplarily illustrated in FIG. 14; 
; see also fig. 15A-15C, ¶94-¶96, ¶100).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Parthasarathy, which teaches using text pattern matching against column names and column values of historical data to determine a sensitivity score for a column, into the teaching of Gordon to result in the limitation of the claimed invention.
	One of ordinary skill in the art would be motivated to do so as both Parthasarathy and Gordon teach calculating data sensitivity for data protection. Further, incorporating Parthasarathy’s teaching helps secure sensitive data. The close relation between the two references highly suggests an expectation of success when combined.

	Regarding claim 2, Gordon in view of Parthasarathy teaches the method of claim 1, wherein the extracting includes extracting one or more of (1) the field name indicated in the first event log, (2) an entity name indicated in the first event log, and (3)  the content data corresponding to the field name (Gordon ¶65, whether certain customers were viewed, sensitive data (e.g., SSNs), personally identifiable data; Parthasarathy ¶55, matches the accessed data against fields, for example, column names, and values).

	Regarding claim 6, Gordon in view of Parthasarathy teaches the method of claim 1, further comprising: storing, by the classification server, the set of sensitivity scores in the database (Gordon ¶26, determine a threat or risk score associated with each record and determine whether there is any suspicious activity based on the determined risk score for each record , provide user(s) access to the data (e.g., to one or more reports); Gordon ¶90, notifications and/or reports containing one or more of the data fields and values, Query Risk Score, 
; Gordon ¶91, notification 900 may also include a link 915, the link 915 may direct the recipient of the notification 900 to additional details on the security event, such as one or more query reports, query reports were described above; [Examiner note: as users access the link, they can access query risk score data, which means the risk score was retained for users’ later access]).

	Regarding claims 8-9 and 15-16, the claims are article of manufacture and system claims corresponding to method claims 1-2, respectively. Claims 8-9 and 15-16 are rejected for reasons similar to those of claims 1-2, respectively.

	Regarding claim 13, the claim is an article of manufacture claim corresponding to method claim 6. Claim 13 is rejected for reasons similar to those of claim 6.

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gordon in view of Parthasarathy and further in view of Burges et al. (US 20060106867 A1, hereinafter Burges).
	Regarding claim 3, Gordon in view of Parthasarathy teaches the method of claim 1.
		Gordon in view of Parthasarathy does not explicitly disclose:
			determining, by the classification server, whether an attempt to classify the classification data was previously attempted in relation to a second event log; and
			determining, by the classification server, to forgo generating the set of sensitivity scores for the one or more pieces of information of the classification data in response to determining that an unsuccessful attempt was made to classify the classification data in relation to the second event log.
		On the other hand, Burges teaches determining if a document has an unrecognized format, and stop processing if the document has an unrecognized format ([0020] Negative results of the database search, i.e., no match of the trace against the fingerprints in the database, are not sent back to the client, the cache is searched to identify matching traces prior to searching the fingerprint database. Consequently, if a match is found against the traces stored in the cache, no further database lookup is needed, as the trace in the cache will either include the identity of the associated media object, or will simply indicate that there is no matching fingerprint. In the case that a trace matches a fingerprint in the database, any identity information associated with that matching fingerprint will be sent back to the client).
		determining, by the classification server, to forgo generating the set of sensitivity scores for the one or more pieces of information of the classification data in response to determining that an unsuccessful attempt was made to classify the classification data in relation to the second event log ([0020] Negative results of the database search, i.e., no match of the trace against the fingerprints in the database, are not sent back to the client, the cache is searched to identify matching traces prior to searching the fingerprint database. Consequently, if a match is found against the traces stored in the cache, no further database lookup is needed, as the trace in the cache will either include the identity of the associated media object, or will simply indicate that .
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Burges, which teaches using negative cache to store negative or positive result (Burges ¶17, ¶20), into the teaching of Gordon in view of Parthasarathy to result in the limitation of the claimed invention ([Examiner note: use Burges’ caching mechanism instead of Gordon’s caching mechanism]).
		One of ordinary skill in the art would be motivated to do so as both Burges and Gordon teach using caches to improve performance (Gordon, ¶62-¶64). Further, incorporating Burges’ caching mechanism helps improve modularity of the cache, which distinguishes the positive and negative caches and helps facilitate further computation as needed. The close relation between the two references highly suggests an expectation of success when combined.

	Regarding claims 10 and 17, the claims are article of manufacture and system claims corresponding to method claim 3, respectively. Claims 10 and 17 are rejected for reasons similar to those of claim 3, respectively.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gordon in view of Parthasarathy, Burges and further in view of Pullikottil et al. (US 20110225644 A1, hereinafter Pullikottil).
	the method of claim 3 (see discussion above).
		Gordon in view of Parthasarathy and Burges does not explicitly disclose:
		determining, by the classification server, to generate the set of sensitivity scores for the one or more pieces of information of the classification data in response to determining that a successful attempt was made to classify the classification data in relation to the second event log
		aggregating, by the classification server, the set of sensitivity scores from the one or more piece of information with sensitivity scores generated in relation to the second event log to produce an aggregated set of scores, wherein storing the set of sensitivity scores in the score database includes storing the aggregated set of scores.
		On the other hand, Pullikottil teaches determining, by the classification server, to generate the set of sensitivity scores for the one or more pieces of information of the classification data in response to determining that a successful attempt was made to classify the classification data in relation to the second event log (Pullikottil [0059] … if a specific value, such as an average value, is stored, then the specific value may be altered based on the new requests by, for example, calculating a new average. If a range of values is stored, then the range may be adjusted based on the new requests by, for example, extending the range based on the new requests); and
			aggregating, by the classification server, the set of sensitivity scores from the one or more piece of information with sensitivity scores generated in relation to the second event log to produce an aggregated set of scores, wherein storing the set of sensitivity scores in the score database includes storing the aggregated set of scores (Pullikottil [0053] … multiple requests for security operations to be performed are observed per entity. Observations about requests may be stored in any suitable manner. In some cases, observations are temporarily stored and used in establishing or adjusting a behavioral profile as described below. In other cases, observations may be stored over a long term and may be used to audit or check decisions made by a security server or learning engine; Pullikottil [0059] … if a specific value, such as an average value, is stored, then the specific value may be altered based on the new requests by, for example, calculating a new average. If a range of values is stored, then the range may be adjusted based on the new requests by, for example, extending the range based on the new requests [Examiner note: since the specific value is determined to be a stored value, any change to the specific value corresponds to a change to the stored value. As a result, the updated value based on the average would be the update of the stored value. The averaging of the values corresponds to aggregating the set of scores.]).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Pullikottil, which teaches generating new average score based on new requests when the score was stored, into the teaching of Gordon in view of Parthasarathy and Burges to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as both Gordon and Pullikottil teach determining risk sensitive score for a piece of information (Pullikottil, 

	Regarding claims 11 and 18, the claims are article of manufacture and system claims corresponding to method claim 4, respectively. Claims 11 and 18 are rejected for reasons similar to those of claim 4, respectively.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gordon in view of Parthasarathy and further in view of ROSENTHAL et al. (US 20170104756 A1 hereinafter Rosenthal).
	Regarding claim 5, Gordon in view of Parthasarathy teaches the method of claim 1 (see discussion above).
		Gordon in view of Parthasarathy does not explicitly disclose the first event log is generated based on a request from a client device in relation to data stored in the database, and wherein the request is one of (1) a request to insert a record into the database, (2) a request to modify a record in the database, and (3) a request to delete a record from the database.
		Rosenthal teaches the first event log is generated based on a request from a client device in relation to data stored in the database, and wherein the request is one of (1) a request to insert a record into the database, (2) a request to modify a record in the database, and (3) a request to delete a record from the database (Rosenthal [0046] … Application agent 110 collects all data related to the user's interaction… [0047] … application agent 110 may access one or more of the following variables: … The SQL request to the data source, the SQL type (select, update, insert or delete); Rosenthal [0123] When a user submits a request … several classifications are assigned to the request, the highest multiplier is used for the sensitivity score calculation).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Rosenthal, which teaches generating sensitive score based on user request data where the user request includes update, insert or delete request type, into the teaching of Gordon in view of Parthasarathy to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as both Gordon and Rosenthal teach determining sensitive score for request data. Furthermore, incorporating the teaching of Rosenthal helps provide fast and accurate detection, and monitoring, of sensitive data (Rosenthal [0004]).
	Regarding claims 12 and 19, the claims are article of manufacture and system claims corresponding to method claim 5, respectively. Claims 12 and 19 are rejected for reasons similar to those of claim 5, respectively.

Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gordon in view of Parthasarathy and further in view of Brisebois et al. (US 20170329972 A1, hereinafter Brisebois).
	Regarding claim 7, Gordon in view of Parthasarathy teaches the method of claim 1, further comprising:
		performing, by a database server that manages the database, a set of actions to secure data in the database based on the set of sensitivity scores (Gordon [0092], indicate 925 actions that the recipient of the notification 900 may take, access will be suppressed in the interim, indicate 930 actions that the recipient can take, such as to confirm the user is performing a normal, authorized business activity for an open ended amount of time, confirm the user is performing a temporary, authorized business activity that will be discontinued at a future date, or confirm the user does not require access to the <Application> and revoke the access).
		Gordon in view of Parthasarathy does not explicitly state that the set of actions include limiting access of data in the database to a set of consumers based on the set of sensitivity scores.
		Brisebois teaches the set of actions include limiting access of data in the database to a set of consumers based on the set of sensitivity scores 
; Brisebois [0002] … the threat detection system may create an event log in response to scanning contents of an email and identifying a number that matches a credit card number. A system administrator may manually review the event log to determine a threat level of the event; Brisebois [0064]: … query and display the data gathered and stored by the SME system 102; Brisebois [0070]: … the query manager security 232 may regulate access to the databases 226 and/or a subset of the information stored at the databases 226 based on security restrictions or data access policies implemented by the business may identify data that is “sensitive” based on a set of rules, such as whether the data mentions one or more keywords relating to an unannounced product in development. The business logic security manager 214 may label the sensitive data as sensitive and may identify which users or roles, which are associated with a set of users, may access data labeled as sensitive. The query security manager 232 may regulate access to the data labeled as sensitive based on the user or the role associated with the user who is accessing the databases 226 [Examiner note: the threat level corresponds to sensitivity scores; regulate access to the data corresponds to limiting access of data in the database to a set of consumers; the databases 226 corresponds to the database; query manager security corresponds to database server that manages the database]).
		It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Brisebois, which teaches to limit access to sensitive data to a set of users, into the teaching of Gordon to result in the limitations of the claimed invention.
		One of ordinary skill in the art would be motivated to do so as both Gordon and Brisebois teach determining sensitive score for request data and performing remedial actions based on the sensitive score. Furthermore, incorporating the teaching of Brisebois helps prevent loss of sensitive data (Brisebois Abstract).
	Regarding claims 14 and 20, the claims are article of manufacture and system claims corresponding to method claim 7, respectively.  The claims 14 and 20 are .
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 9734169 B2 - provide tools for securing secret or security sensitive sec-con data in the enterprise computer system and to locate, identify and secure select content which may be of interest or importance to the enterprise.
US 9185125 B2 - if a parse error occurs, then the statement cannot be scored by DS6 algorithm, and an error result is returned to the caching layer.
US 8839435 B1 - a risk rating can be initialized to a risk rating calculated for a previous event log.  If a previous event log was analyzed and a risk rating was determined for the previous event log, then the risk rating for the current event log can be initialized to the previous risk rating.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital can be reached on (571) 272-4215.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-
03/16/2022
/V.H.H/
Examiner, Art Unit 2162

/PIERRE M VITAL/Supervisory Patent Examiner, Art Unit 2162