DETAILED ACTION
	Claims 1-13 are presented on 02/25/2020 for examination on merits.  Claims 1, 8, 12, and 13 are independent base claims.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-5 and 7-13 are rejected under 35 U.S.C. 103 as being unpatentable over Crofton (US 20170180394 A1) in view of Buck (US 20180239630 A1).

As per claim 1, Crofton teaches a method for collecting data from a directory service used to administer a private network comprising a group of interconnected computers, the directory service collecting data relating to objects in the network (Crofton, par. 0027-0028 and 0030-0032: device 100 in connection with server 140 for backup data via network 120; see also FIG. 1A), the method comprising: 
connecting a terminal to a network server including an instance of the directory service (Crofton, par. 0055-0057: one or more files 202A-202N that are backed up or synchronized with a backup service. The files may be identified by name and directory, which are inherently 
receiving, by the terminal, notification messages containing modified directory service data, transmitted by the server (Crofton, par. 0085-0086: receiving, by the client device, a notification … having device identifiers associated with the new version of the file that the file is potentially corrupt, wherein … the backup manager sends the notification from the server), and 
processing each notification message received to determine the modifications undergone by the directory service data (Crofton, par. 0094: the backup manager is further configured for determining that the shared rate for the file of the second device does not exceed a first threshold … potentially malicious; par. 0070 and 0085.  Note here that Crofton’s backup manager is mapped to the directory service at the server side).
However, Crofton dose not explicitly disclose configuring the instance of the directory service on the server from the [client] terminal for monitoring the modification of the backup files.  This aspect of the claim is identified as a difference.
In a related art, Buck teaches:
configuring the instance of the directory service on the server from the terminal, so that the terminal is notified of modifications made to the directory service data (Buck, par. 0054-0056: The system 200 includes a directory server.  The directory service management components 209a-n may also include functionality for receiving instructions from the provisioning machine 106f regarding access to, or modification of, data stored by the directory service 207.  Note that receiving instructions from the provisioning machine 106f is configuring an instance of the directory service).
Crofton and Buck are analogous art, because they are in a similar field of endeavor in improving the protection of local files that are stored on server.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Crofton with Buck’s teachings on the directory service on the 

As per claim 2, the references as combined above teach the method according to claim 1, further comprising: 
downloading, by the terminal, the directory service data into a local copy managed by the terminal (Crofton, par. 0059-0060: downloading the backup status file 118 … to local storage media of the client device), and 
each time a notification message is received by the terminal, inserting in the local copy a current value of a modified data conveyed in the notification message (Crofton, par. 0085: The notification may include additional information, such as when the file was first modified, what percentage of other systems have the modified version of the file, what percentage of other systems have the non-modified or prior version of the file).

As per claim 3, the references as combined above teach the method according to claim 1, wherein the directory service data is stored in a database managed by the server, one of the notification messages containing a new value of a modified data of the directory service (Crofton, par. 0085-0086: the new version of the file), the method further comprising: 
comparing the new value of modified data with a previous value of the modified data stored in a local copy managed by the terminal, to identify a type of modification (Crofton, par. 0029: compare the hash to other received hashes to determine if the file is unique or common to a plurality of computing devices 100), and 
inserting the new value of the modified data in the local copy (Crofton, par. 0029 and 0037: status file 118 … synchronized; synchronizing or transferring new or modified files to a backup server 140 or service).

As per claim 4, the references as combined above teach the method according to claim 1, wherein directory service data is stored in files managed by the server, one of the notification messages containing a reference to a modified file and a type of modification made to the file, the method further comprising: 
downloading by the terminal the modified file identified in the notification message (Crofton, par. 0059-0060: downloading the backup status file 118 … to local storage media of the client device), 
comparing the downloaded file with a previous version of the modified file stored in a local copy managed by the terminal, to identify the modified data in the file (Crofton, par. 0029: compare the hash to other received hashes to determine if the file is unique or common to a plurality of computing devices 100), and 
inserting the downloaded file or modified data from the file into the local copy (Crofton, par. 0029 and 0037: status file 118 … synchronized; synchronizing or transferring new or modified files to a backup server 140 or service).

As per claim 5, the references as combined above teach the method according to claim 2, further comprising filtering by the terminal of the directory service data received in order to extract therefrom data relevant for detecting anomalies, wherein only the data thus extracted is stored in the local copy (Crofton, par. 0109: only modifications to files including predetermined file types or extensions (e.g. .DOC, .PDF, .XLS, .TXT, etc.) may be analyzed, with modifications to other files (e.g. .EXE, .DLL, .SYS, etc.) ignored or filtered from the analysis; par. 0052: mark the modification as likely corrupt or malicious or illegitimate; par. 0070).

As per claim 7, the references as combined above teach the method according to claim 1, wherein the network objects comprise servers, user terminals, peripheral devices, users, user Crofton, par. 0028 and 0128: A device 100 may comprise any type and form of computing device, such as a desktop computer, laptop computer, tablet computer, smart phone, wearable computer, workstation, server, virtual machine executed by a physical machine, or any other type and form of computing device).

As per claim 8, Crofton teaches a method of protecting a private network comprising a group of interconnected computers, the network being administered via a directory service collecting directory service data relating to objects in the network (Crofton, par. 0027-0028 and 0030-0032: device 100 in connection with server 140 for backup data via network 120; par. 0032, 0038-0040: a backup manager 142 …perform functions for stored files), the method comprising: 
acquiring data from a directory service instance of a server of the network, managing the directory service (Crofton, par. 0050 and 0055: acquiring status information, such as identifications of one or more files 202A-202N that are backed up or synchronized with a backup service; the backup manager of a backup server manages the file retrieval process at the server; par. 0060-0063), the acquiring data comprising: 
connecting a terminal to the server including the instance of the directory service (Crofton, par. 0055-0057: one or more files 202A-202N that are backed up or synchronized with a backup service), 
receiving, by the terminal, notification messages containing modified directory service data, transmitted by the server (Crofton, par. 0085-0086: receiving, by the client device, a notification … having device identifiers associated with the new version of the file that the file is potentially corrupt, wherein … the backup manager sends the notification from the server), and 
processing each notification message received to determine the modifications undergone by the directory service data (Crofton, par. 0094: the backup manager is 
storing the acquired directory service data in a local copy managed by the terminal (Crofton, par. 0059: the backup status file 118 may be periodically backed up to local storage media of the client device; see par. 0056-0057 for a hash 204 stored in the status file 118), 
each time a notification message of a modification of directory service data is received, analyzing by the terminal a modified data against the directory service data stored in the local copy to determine whether a modification applied to the directory service data generates a network security breach or reveals a network attack (Crofton, par. 0051: responsive to exceeding threshold 194, the system may remove any flag indicating the modification as potentially suspect, or may mark the modification as legitimate; 0052: the system may mark the modification as likely corrupt or malicious or illegitimate.  Note that Crofton discloses the temporal threshold may be predetermined or configured by an administrator to a set value, such as 24 hours, 72 hours, 1 week, 4 weeks; par. 0052), and 
generating an alert message if a security breach or network attack is detected (Crofton, par. 0070: the backup manager may transmit a notification of a potentially malicious or corrupt file to client devices having device identifiers associated with the new version of the file; see par. 0085-0086 for the notification including additional information, such as the modified version of the file, and transmitting the notification to client devices).
However, Crofton dose not explicitly disclose configuring the instance of the directory service on the server from the [client] terminal for monitoring the modification of the versions of the backup files.  This aspect of the claim is identified as a difference.
In a related art, Buck teaches:
configuring the instance of the directory service on the server from the terminal, so that the terminal is notified of modifications made to the directory service data (Buck, par. 0054-receiving instructions from the provisioning machine 106f regarding access to, or modification of, data stored by the directory service 207.  Note that receiving instructions from the provisioning machine 106f is configuring an instance of the directory service).
Crofton and Buck are analogous art, because they are in a similar field of endeavor in improving the protection of local files that are stored on server.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Crofton with Buck’s teachings on the directory service on the server that may be configured from the terminal for notifying the modifications to the directory service data.  For this combination, the motivation would have been to improve the level of protection of the client’s data.

As per claim 9, the references as combined above teach the method according to claim 8, wherein analyzing the modified data comprises: 
searching in the local copy for a previous value of the modified data, and comparing a current value of the modified data with the previous value of the modified data, wherein an alert message is generated if the comparison reveals an occurrence of a security breach or a network attack (Crofton, par. 0040-0042: backup manager 142 may perform deduplication functions or compare received file hashes to stored file hashes before receiving backup data from device(s) … the prior version of the file; par. 0052: mark the modification as likely corrupt or malicious or illegitimate; par. 0070).

As per claim 10, the references as combined above teach the method according to claim 9, wherein analyzing the modified data comprises: 
Crofton, par. 0040-0042: backup manager 142 may perform deduplication functions or compare received file hashes to stored file hashes before receiving backup data from device(s) … the prior version of the file), and 
comparing the current value of the modified data with the previous values of the modified data, wherein an alert message is generated if the comparison reveals the occurrence of a security breach or an attack on the network (Crofton, par. 0041-0042: compare received file hashes to stored file hashes; par. 0045: hash results or signatures may be compared to detect differences; par. 0052: if it does not exceed threshold 194 within a predetermined period of time or temporal threshold 196, the system may mark the modification as likely corrupt or malicious or illegitimate; par. 0070).

As per claim 11, the references as combined above teach the method according to claim 10, wherein analyzing the modified data comprises: 
searching the local copy for a value of at least one data item correlated to the modified data (Crofton, par. 0040-0042: backup manager 142 may perform deduplication functions or compare received file hashes to stored file hashes before receiving backup data from device(s) … the prior version of the file), and 
determining whether the current value of the modified data considered in correlation with the value of the correlated data item indicates the occurrence of a security breach or network attack (Crofton, par. 0068-0070: compared to the threshold; determining a potentially malicious or corrupt file … and transmitting a notification thereof.  See also par. 0041-0042 for comparing hash values; par. 0052: mark the modification as likely corrupt or malicious or illegitimate).

As per claim 12, Crofton teaches a terminal configured to collect data from a directory service used to administer a private network comprising a group of interconnected computers, Crofton, par. 0027-0028 and 0030-0032: device 100 in connection with server 140 for backup data via network 120; see also FIG. 1A), the terminal comprising: 
a processor (Crofton, par. 0028 and 0033: a processor); and 
memory coupled to the processor, the memory comprising instructions that, when executed by the processor (Crofton, par. 0028, 0033 and 0040: a memory storage device 106 … coupled with a processor of the server), cause the terminal to: 
connect to a network server including an instance of the directory service (Crofton, par. 0055-0057: one or more files 202A-202N that are backed up or synchronized with a backup service. The files may be identified by name and directory, which are inherently supported by a directory service whose function is essentially to store, retrieve, and manage information about files), 
receive notification messages containing modified directory service data, transmitted by the server (Crofton, par. 0085-0086: receiving, by the client device, a notification … having device identifiers associated with the new version of the file that the file is potentially corrupt, wherein … the backup manager sends the notification from the server), and 
process each notification message received to determine the modifications undergone by the directory service data (Crofton, par. 0094: the backup manager is further configured for determining that the shared rate for the file of the second device does not exceed a first threshold … potentially malicious; par. 0070 and 0085.  Note here that Crofton’s backup manager is mapped to the directory service at the server side).
However, Crofton dose not explicitly disclose configuring the instance of the directory service on the server from the [client] terminal for monitoring the modification of the versions of the backup files.  This aspect of the claim is identified as a difference.
In a related art, Buck teaches:
Buck, par. 0054-0056: The system 200 includes a directory server.  The directory service management components 209a-n may also include functionality for receiving instructions from the provisioning machine 106f regarding access to, or modification of, data stored by the directory service 207.  Note that receiving instructions from the provisioning machine 106f is configuring an instance of the directory service).
Crofton and Buck are analogous art, because they are in a similar field of endeavor in improving the protection of local files that are stored on server.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Crofton with Buck’s teachings on the directory service on the server that may be configured from the terminal for notifying the modifications to the directory service data.  For this combination, the motivation would have been to improve the level of protection of the client’s data.

As per claim 13, Crofton teaches a non-transitory computer readable storage medium configured to store instructions that, when executed by a computer (Crofton, par. 0136: medium), cause the computer to: 
connect a terminal to a network server including an instance of a directory service (Crofton, par. 0055-0057: one or more files 202A-202N that are backed up or synchronized with a backup service. The files may be identified by name and directory, which are inherently supported by a directory service whose function is essentially to store, retrieve, and manage information about files), 
receive notification messages containing modified directory service data, transmitted by the server (Crofton, par. 0085-0086: receiving, by the client device, a notification … having 
process each notification message received to determine the modifications undergone by the directory service data (Crofton, par. 0094: the backup manager is further configured for determining that the shared rate for the file of the second device does not exceed a first threshold … potentially malicious; par. 0070 and 0085.  Note here that Crofton’s backup manager is mapped to the directory service at the server side).
However, Crofton dose not explicitly disclose configuring the instance of the directory service on the server from the [client] terminal for monitoring the modification of the versions of the backup files.  This aspect of the claim is identified as a difference.
In a related art, Buck teaches:
configure the instance of the directory service on the server from the terminal, so that the terminal is notified of modifications made to the directory service data (Buck, par. 0054-0056: The system 200 includes a directory server.  The directory service management components 209a-n may also include functionality for receiving instructions from the provisioning machine 106f regarding access to, or modification of, data stored by the directory service 207.  Note that receiving instructions from the provisioning machine 106f is configuring an instance of the directory service).
Crofton and Buck are analogous art, because they are in a similar field of endeavor in improving the protection of local files that are stored on server.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Crofton with Buck’s teachings on the directory service on the server that may be configured from the terminal for notifying the modifications to the directory service data.  For this combination, the motivation would have been to improve the level of protection of the client’s data.


Allowable Subject Matter
Claim 6 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 6 recites a limitation of “further comprising converting directory service data received by the terminal into alphanumeric format or structured data before storing it in the local copy”.  The feature of the limitation, in combination with the other limitations in the base claims 1-2, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        03/28/2022