DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/8/2021 has been entered.
 
Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 41-46, 51-52, 56-62, 64-65, and 67-69 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Each of claims 41, 51, and 56 recites the limitation "after the data exfiltration has occurred" without appearing to define the actual occurrence of the data exfiltration. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 41, 43-44, 46, 51, 56, 61, 65, 67, 58-60, and 69 is/are rejected under 35 U.S.C. 103 as being unpatentable over Galil (US 9,734,343 B2) in view of Madhukar (US 9,736,182 B1).

Regarding claim 41, Galil discloses: A method comprising: 
identifying, by one or more devices (e.g., 100 and Col. 3, Ll. 38-42 in FIG. 1 of Galil), a file; 
Refer to at least Col. 3, Ll. 50-51 and Col. 5, Ll. 32-34 of Galil with respect to an object, sensitive data source, and/or a process which is identified. 
generating, by the one or more devices, exfiltration information associated with the file;
Refer to at least Col. 2, Ll. 61-Col. 3, Ll. 2, Col. 3, Ll. 50-55, Col. 4, Ll. 16-23, and Col. 5, Ll. 28-54 of Galil with respect to exemplary forms of claimed exfiltration data. For instance, metadata, identifiers, regular expressions to detect sensitive data, and rules.
determining, by the one or more devices, [exfiltration information within network traffic]; and
Refer to at least Col. 3, Ll. 10-31 and Col. 4, Ll. 1-23 of Galil with respect to creating and/or updating data leaks applications to look for the exfiltration information in network traffic.  
storing, by the one or more devices, 
Refer to at least 122 in FIG. 1, Col. 4, Ll. 10-23, and Col. 5, Ll. 13-24 of Galil with respect to storage, provision of the exfiltration information. 
the exfiltration information in a memory local to the one or more devices and providing the exfiltration information to an exfiltration detection device that detects data exfiltration after the data exfiltration has occurred.
Refer to at least Col. 6, Ll. 19-36 and Col. 8, Ll. 40-51 of Galil with respect to creating a second data leaks application as required and provision of exfiltration information to the second application.
Although the claims portion of Galil recites (e.g., claim 1 of Galil) generating the second data leaks application responsive to “the first data leaks application being unable to identify” exfiltration information, it is not clear whether the Galil patent specification fully discloses this claim element. Galil further does not specify a monitoring period of time. Accordingly, it appears that Galil does not disclose: determining, by the one or more devices, that the exfiltration information is not detected in outbound network traffic after the outbound network traffic is monitored for a threshold amount of time; and storage based on determining that the exfiltration information is not detected in the outbound network traffic after the outbound network traffic is monitored for the threshold amount of time. However, Galil in view of Madhukar discloses: determining, by the one or more devices, that the exfiltration information is not detected in outbound network traffic after the outbound network traffic is monitored for a threshold amount of time; and storage based on determining that the exfiltration information is not detected in the outbound network traffic after the outbound network traffic is monitored for the threshold amount of time. 
Refer to at least steps 305-315, 330, and 370 of FIG 3 of Madhukar with respect to performing data loss prevention monitoring over a time interval (first level of analysis), wherein data is sent to an analyst via PNF graph if no exfiltration is detected over the interval (second level of analysis).
Refer to at least Col. 2, Ll. 59-Col. 3, Ll. 4 of Madhukar with respect to agents for performing the monitoring, as well as to the security analyst console. 
Refer to at least Col. 4, Ll. 36-61 and Col. 7, Ll. 46-56 of Madhukar with respect to the data collected and the monitoring interval.
The teachings of Galil and Madhukar both concern exfiltration, monitoring, and security. They further concern multiple layers of analysis for data leak detection. As such, they are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Galil such that the second (or additional) application is created responsive to the first (or previous) application being unable to identify exfiltration within network traffic after a period of time for at least the purpose of reducing false negatives, and thereby improving security.

Regarding claim 43, Galil-Madhukar discloses: The method of claim 41, where the exfiltration information includes information that is designed to appear to be sensitive information.
Refer to at least Col. 1, Ll. 60-Col. 2, Ll. 13 of Galil with respect to sensitive information.

Regarding claim 44, Galil-Madhukar discloses: The method of claim 41, where the exfiltration information is encoded with a file identifier that identifies the file.
Refer to at least Col. 3, Ll. 50-51 and Col. 5, Ll. 32-34 of Galil with respect to an object, sensitive data source, and/or a process which is identified. 

Regarding claim 46, Galil-Madhukar discloses: The method of claim 41, further comprising: performing an action to permit the file to be accessed based on determining that the exfiltration information is not detected in the outbound network traffic.
Refer to at least Col. 6, Ll. 4-10 of Galil, wherein corrective actions are discussed. If no corrective action is performed, the object/process is permitted to continue. If exfiltration is not ever identified, no corrective action is performed.
This claim would have been obvious for substantially the same reasons as claim 41 above.

Regarding claim 68, it is rejected for substantially the same reasons as claims 1 and 44 above (e.g., at least Col. 3, Ll. 50-51 and Col. 5, Ll. 28-39 of Galil).

Regarding independent claim 51, it is substantially similar to independent claim 41 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding independent claim 56, it is substantially similar to independent claim 41 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claim 61, it is rejected for substantially the same reasons as elements of claim 56 above (i.e., in the combination, the second app is only started when the first app is unable to detect exfiltration).

Regarding claim 65, it is substantially similar to claim 61 above, and is therefore likewise rejected.

Regarding claims 58-60, they are substantially similar to claims 43-44 and 46 above, and are therefore likewise rejected. 

Regarding claim 67, Galil-Madhukar discloses: The method of claim 41, wherein the exfiltration information is not detected in the outbound network traffic due to the outbound network traffic or the exfiltration information, in the outbound network traffic, being encrypted.
Refer to at least Col. 1, Ll. 22-25 of Madhukar with respect to stolen data being encrypted, and thus not able to be analyzed by network monitoring tools.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to incorporate the teachings of Madhukar concerning encrypted stolen data being unable to be detected because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (i.e., encrypting network data as known in the art; that encrypted stolen network data is known in the art to be difficult to analyze).

Regarding claim 69, it is substantially similar to claim 68 above, and is therefore likewise rejected.

Claims 42, 45, 52, 57, 62, and 64 is/are rejected under 35 U.S.C. 103 as being unpatentable over Galil-Madhukar as applied to claims 41, 43-44, 46, 51, 56, 61, 65, 67, 58-60, and 69 above, and further in view of Arrowood (US 8,943,594 B1).

Regarding claim 42, Galil-Madhukar does not disclose: further comprising: receiving, by the one or more devices, the file after a client device requests the file and before the file is provided to the client device. However, Galil-Madhukar in view of Arrowood discloses: further comprising: receiving, by the one or more devices, the file after a client device requests the file and before the file is provided to the client device. 
Refer to at least Col. 2, Ll. 33-36, Col. 2, Ll. 62-66, Col. 3, Ll. 4-7, and Col. 7, Ll. 1-6 of Arrowood with respect to obtaining and intercepting the file. 
The teachings of Galil-Madhukar and Arrowood concern exfiltration, monitoring, and security. As such, they are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Galil-Madhukar to include file interception for at least the purpose of protecting from opening potentially malicious files before they are properly classified.

Regarding claim 45, Galil-Madhukar-Arrowood discloses: The method of claim 41, further comprising: executing the file in a testing environment associated with a virtual machine of a security device of the one or more devices; and monitoring outbound network traffic that leaves one or more of the security device or the virtual machine.
Refer to at least Col. 4, Ll. 50-65 and Col. 9, Ll. 40-47 of Arrowood with respect to exemplary decoy environments, including virtual machine environments associated with the security system. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Galil-Madhukar to include decoy environments for at least the purpose of safely testing potentially malicious files and processes without allowing them to access a real system for compromise. 

Regarding claims 52 and 57, they are substantially similar to claim 42 above, and are therefore likewise rejected.

Regarding claim 62, Galil-Madhukar-Arrowood discloses: The non-transitory computer-readable medium of claim 56, wherein the exfiltration information includes program code that, when executed, causes a resource to be accessed to indicate that data has been exfiltrated.
Refer to at least Col. 3, Ll. 34-39, Col. 8, Ll. 12-19, and Col. 9, Ll. 17-20 of Arrowood with respect to dummy data which is inserted as bait for the file.
Refer to at least Col. 3, Ll. 39-45, Col. 7, Ll. 58-64, Col. 8, Ll. 19-28, and Col. 9, Ll. 53-58 of Arrowood with respect to monitoring network communications and the dummy data; remediation and/or continued monitoring resultant therefrom.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Galil-Madhukar to include dummy data for at least the purpose of potentially fooling a malicious actor / object, as well as better triggering detection of said malicious actors / objects.

Regarding claim 64, it is substantially similar to claim 62 above, and is therefore likewise rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/V.S/ Examiner, Art Unit 2432