DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the RCE filed on 05/17/2022.
 Claims 1-20 are currently pending in this application. Claims 1, 4, 9 and 16 have been amended. No new IDS has been filed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/25/2022 has been entered.

Examiner’s Note
Applicant is suggested to include information of the figures 6A and 6B with associated text of the specification (e.g., user authentication factors, such as biometrics, external tokens, ID/PW etc.; user/user interactions to other user or devices; risk-adaptive behavior factors, such as user profile attributes, access rights, interactions, date/time/frequency, location, gestures, etc.) to the claims to improve the application for providing a better condition for an allowance.

Response to Arguments
The previous 112(a) rejections to the claims 1-20 have been withdrawn in response to the applicant’s amendments/remarks.

Regarding the 112(b) rejections, the applicant, in page 8 of the remarks, argued that “… dictionary defines identifying as to perceive the identity of something and correlating as to establish a mutual relationship between ...".
The applicant's this argument is not persuasive.
As indicated in the previous office actions, the claimed identifying not only identifying the identity of the binary signature, but also identifying the common binary signature for the file format type. In other words, it is identifying to establish the mutual relationship (e.g., having a common binary signature) between the common binary signature and the file format type. Therefore, the 112 rejections to the claims 1-20 are maintained.

In regard to the previous 103 rejections, the applicant, in page 8 of the remarks, has argued that "... nowhere within Manse and Sun, taken alone or in combination is ... suggestion of generating a security policy via a security generator ... having access to a security policy datastore ...".
Examiner respectfully disagrees with the argument.
As explained in the previous office action, Manse clear teaches the rule set engine for setting rules by adding rule, editing rule, moving rule up/down priority list or generating rule or security policy via a security policy generator or rule set engine - see fig. 23a and paras. 0165 and 0166 of Manse. Furthermore, Manse, in figs. 3, 8 and par. 0127, also teaches the real time monitor engine 300 of the monitored system 108 retrieving rules from the surveillance management system 102 with the rule set engine 200i and using in the monitoring system 108. See paragraphs 16 and 32 of the previous action. Therefore, Manse teaches the argued limitations, " ... generating a security policy via a security policy generator ... having access to a security policy datastore ... " – see also the 103 rejections below for detail.
The applicant, in page 8 of the remarks, has amended the claims and further argued that “…Mansel and Sun do not disclose or suggest the security policy generator is included within a security analytics environment … the risk-adaptive protection operation adaptively responding to a risk associated with an electronically-observable user behavior …”.
Examiner respectfully disagrees with these arguments.
As taught in Mansel, Mansel, in figs. 1b, 2, 3 and par. 0111, describes the security analytics environment (e.g., the surveillance system of fig. 1b) with the security policy generator (e.g., the rule set engine 200i, etc.) and a security analytics system (e.g., the real time monitor engine 200c, the report engine 200f, or the client management engine 200g, etc.), with perform a risk-adaptive protection operation (e.g., operations performed by the real time monitor engine 200c, the report engine 200f, the client management engine 200g, etc.) associated with the user behavior (e.g., renaming a file by the user; access attempt on the file, etc.). Therefore, it is obvious that Mansel teaches the amended/argued limitations, “… the security policy generator is included within a security analytics environment … the risk-adaptive protection operation adaptively responding to a risk associated with an electronically-observable user behavior …”.  

The applicant’s arguments, for the claims 2-8, 10-15 and 17-20 with the 103 rejections regarding similar limitations of above responded limitations of the claim 1, 9 or 16, are not persuasive and the response for these arguments are similar with the response above.

Thus, the applicants’ arguments are not persuasive. Please see amended rejections below for the amended claims.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claim 1 (claims 9 and 16 include similar limitations) recites:
“… method for generating a security policy for a file format type … the plurality of files includes files having a file format type … “, however, it is not clear (1) whether “a file format type” included in two different locations are the same or not; (2) whether all files of the plurality of files have a same file format type or not (assumed that all files have the same file format type);
“… identifying a common binary signature for the file format type … correlating the file format type with the common binary signature …”, however, it is not clear how the correlation function performs when the file format type has already correlated with the common binary signature by identifying process (note: the common binary signature is identified for the file formation type as identifying correlation between the file format type and the common binary signature);
“… deploying the security policy for use in a protected endpoint …”, however, it is not clear whether the security policy is deployed in the endpoint which has already been protected or not;
“A computer-implemented method for generating a security policy for a file format type … the security analytics environment comprising a security analytics system … being implemented to perform a risk-adaptive protection operation … responding to a risk associated with an electronically-observable user behavior …” – for the claim 1, however, it is not clear whether “the risk-adaptive protection operation” associated with the user behavior is related to the claimed method (e.g., generating the security policy for the file format type) or not.
Claims 2-8, 10-15 and 17-20 depend from the claim 1, 9 or 16 and are analyzed and rejected accordingly.

Claim 2 (and the claim 10, 17) recites “… using the common binary signature … to detect occurrence of events relating to files having the file format type”, however, it is not clear whether the “files having the file format type” is the same as “files having file format type” of the claim 1 or not – see also rejection to the claim 1 above.
Claim 5 recites “… only a single binary signature candidate from the set of binary signature candidate is correlated with the file format name …”, however, it is not clear how to define “the set of binary signature candidates” (e.g., the antecedent basis issue and omitting necessary steps/components which cause the limitation unclear).
 Claim 8 (and the claim 15) recites “… the security policy for the file format is deployed to a plurality of endpoint devices”, however, (1) the term, the file format, has an antecedent basis issue (e.g., not defining a file format before); (2) whether the “a plurality of endpoint devices” have any relationship with “a protected endpoint” of the claim 1 or not.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mansel (US 2006/0253905 A1) in view of Sun et al. (US 8,201,244 B2).

As per claim 1, Mansel teaches a computer-implemented method for generating a security policy for a file format type [see figs. 1b, 2, 3; par. 0008, lines 1-7; par. 0014, lines 1-5 of Mansel], comprising:
receiving, at a user interface, identification of a plurality of files stored in electronic memory, wherein the plurality of files includes files having a file format type [figs. 2, 3; par. 0003, lines 1-5; par. 0110, lines 1-10; par. 0111, lines 8-16 of Mansel teaches receiving, at a user interface (e.g., the user interface of the surveillance management system), identification of a plurality of files stored in electronic memory, wherein the plurality of files includes files having file format type (e.g., the file type group)];
providing a file format name, the file format name being associated with the file format type; accessing the plurality of files from the electronic memory [figs. 4c, 4d, 15a, 15d, 15h; par. 0113, lines 1-12; par. 0114, lines 1-6; par. 0137, lines 1-8; par. 0142, lines 1-5 of Mansel teaches providing a file format name (e.g., the file mask, file name or folder name), the file format name being associated with the file format type (shown in fig. 15d); accessing (to scan) the plurality of files from the electronic memory];
identifying a common signature for the file format type included in the plurality of files; correlating the file format type with the common signature [figs. 7e, 7f, 14, 15a, 15d, 15f, 15h; par. 0137, lines 1-8, 17-20; par. 0142, lines 1-5; par. 0143, lines 1-3 of Mansel teaches identifying a common signature (e.g., identifying a matching file signature) for the file format type included in the plurality of files (e.g., the scanned files); correlating the file format type with the common signature (e.g., the file type is related to the matching file signature)]; and
generating the security policy for the file format type using the file format name, the security policy being generated via a security policy generator, wherein the security policy includes the common signature for the file format type; and deploying the security policy for use in a protected endpoint [figs. 1b, 3, 17b, 23a, 23b; par. 0124, lines 12-15; par. 0153, lines 1-10; par. 0165, lines 1-4; par. 0166, lines 1-16; par. 0181, lines 1-11; par. 0184, lines 1-8 of Mansel teaches generating the security policy (e.g., the rules for blocking, alert processes) for the file format type using the file format name (e.g., the file name), the security policy being generated (e.g., adding rule set, editing rule set, moving rule up/down priority list, etc.) via a security policy generator (e.g., the rule set engine 200i), wherein the security policy includes the common signature for the file format type (e.g., the file name/mask is associated with file type and matching file signature); and deploying the security policy (e.g., adding/editing rule set) for use in a protected endpoint (e.g., the monitored system)];
the protected endpoint comprising an endpoint agent in combination with an endpoint device, the security policy being deployed via at least one of directly from the security policy generator and a deployment system having access to a security policy datastore [figs. 1b, 2, 3, 8; par. 0111, lines 17-21, 44-48; par. 0127, lines 1-16 of Mansel teaches the protected endpoint (e.g., the monitored system 108) comprising an endpoint agent (e.g., the real time monitor engine 300) in combination with an endpoint device, the security policy being deployed via at least one of directly from the security policy generator (e.g., retrieving rules from the rule set engine of the surveillance management system 102) and a deployment system having access to a security policy datastore]; and 
wherein the security policy generator is included within a security analytics environment the security analytics environment comprising a security analytics system, the security analytics system being implemented to perform a risk-adaptive protection operation, the risk-adaptive protection operation adaptively responding to a risk associated with an electronically-observable user behavior, at least one risk-adaptive behavior factor being used in performance of the risk-adaptive protection operation [figs. 1b, 2, 3, 6b, 25b; par. 0111, lines 1-60; par. 0119, lines 1-25 of Mansel teaches wherein the security policy generator is included within a security analytics environment (see fig. 1b), the security analytics environment comprising a security analytics system (see fig. 3), the security analytics system being implemented to perform a risk-adaptive protection operation (e.g., operations performed by the real time monitor engine 200c, the report engine 200f, the client management engine 200g, etc.), the risk-adaptive protection operation adaptively responding to a risk associated with an electronically-observable user behavior (e.g., renaming a file by the user; access attempt on the file, etc.), at least one risk-adaptive behavior factor being used in performance of the risk-adaptive protection operation (e.g., logging action, blocking action, alert action, etc.)].

Although Mansel teaches identifying the common signature for the file type and generating the security policy including the common signature – see above rejections, however, Mansel does not explicitly disclose the common signature for the file type is a common binary signature.
However, Sun teaches a common binary signature define for a file type [col. 2, lines 13-23; col. 7, lines 39-48 of Sun teaches a common binary signature (e.g., the binary code/pattern) define for a file type (e.g., malware file)].
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mansel with the teaching of Sun to include a binary signature of a file type because it provides a part of the anti-virus program’s virus identification processes - see column 2 of Sun.

As per claim 2, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel does not teach, but Sun teaches using the common binary signature deployed in the security policy to detect occurrences of events relating to files having the file format type [col. 2, lines 13-23; col. 5, lines 3-19; col. 7, lines 39-48 of Sun teaches using the common binary signature (e.g., the binary code/pattern) deployed in the security policy (e.g., the anti-virus program policy) to detect occurrences of events (e.g., the malware threat) relating to files having the file format type (e.g., the malware file type)]. 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mansel with the teaching of Sun to include a binary signature for a malware detection in a security policy because it provides a part of the anti-virus program’s virus identification processes - see column 2 of Sun.

As per claim 3, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein identifying the common (binary) signature comprises: scanning the plurality of files to detect (binary) content common to two or more of the plurality of files, wherein the (binary) content common to two or more of the plurality of files is added to a set of binary signature candidates for the file format name [figs. 4d, 15h; par. 0137, lines 1-20; par. 0150, lines 1-8 of Mansel teaches identifying the common (binary) signature comprises: scanning the plurality of files to detect (binary) content common (e.g., the file inspection parameter) to two or more of the plurality of files, wherein the (binary) content common to two or more of the plurality of files is added to a set of binary signature candidates (e.g., added the scan result to the log) for the file format name – see also rejections to the claim 1].

As per claim 4, Mansel in view of Sun teaches the computer-implemented method of claim 3. 
Mansel further teaches wherein only (binary) signature candidates common to a majority of the plurality of files are correlated with the file format name for use as the common (binary) signature [figs. 1b, 15h, 15i, 15j; par. 0142, lines 1-5; par. 0150, lines 1-8 of Mansel teaches only (binary) signature candidates (e.g., the file inspection parameter) common to a majority of the plurality of files (e.g., the files matching the scan configuration) are correlated with the file format name (e.g., the file mask/name) for use as the common (binary) signature – see also rejections to the claim 1].

As per claim 5, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein only a single (binary) signature candidate from the set of (binary) signature candidates is correlated with the file format name for use as the common (binary) signature [figs. 15h, 15i, 15j; par. 0142, lines 1-5; par. 0149, lines 1-4; par. 0150, lines 1-8 of Mansel teaches only a single (binary) signature candidate (e.g., the file inspection parameter matching the scan configuration) from the set of (binary) signature candidates is correlated with the file format name (e.g., the file mask/name) for use as the common (binary) signature – see also rejections to the claim 1].

As per claim 6, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the file format name is received at the user interface [figs. 15f; par. 0137, lines 1-8; par. 0139, lines 1-6 of Mansel teaches the file format name is received at the user interface (e.g., selecting of view matching files)].

As per claim 7, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the file format name is automatically determined based on one or more common attributes of the plurality of files, wherein the common attributes include one or more of a file extension or text identified in two or more of the plurality of files [par. 0113; par. 0137, lines 9-16; par. 0139, lines 1-6 of Mansel teaches the file format name is automatically determined based on one or more common attributes (e.g., the file attribute input used in matching with scan configuration parameters) of the plurality of files, wherein the common attributes include one or more of a file extension or text identified (e.g., a system property of the file) in two or more of the plurality of files].

As per claim 8, Mansel in view of Sun teaches the computer-implemented method of claim 1. 
Mansel further teaches wherein the security policy for the file format is deployed to one or more endpoint devices [figs. 1b; par. 0184, lines 1-8 of Mansel teaches the security policy (e.g., the rule set) for the file format is deployed to a plurality of endpoint devices (e.g., the monitored system group) – see also rejections to the claim 1].

Claims 9-15 are system claims that correspond to the method claims 1-4 and 6-8, and are analyzed and rejected accordingly. See par. 0109 of Mansel for the system components.
Claims 16-20 are medium claims that correspond to the method claims 1-4 and 7, and are analyzed and rejected accordingly.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MAUNG T LWIN/Primary Examiner, Art Unit 2495