Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4/22/2022 has been entered.   Claims 1-5, 7, 10-14, 16 and 21-28 are pending.
 Response to Arguments
Applicant’s arguments with respect to claims 1, 10 and 21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 3-5, 7, 10, 12-14, 16, 21 and 27 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-3, 5-7, 9-13 and 15-20 of U.S. Patent No. 9,661,065. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations recited in the claims 1-3, 5-13 and 15-20 of the U.S. Patent No. 9,661,065 are anticipated by the claims 1, 3-5, 7, 10, 12-14, 16, 21 and 27 of the instant application.
Claims 3-5, 7, 12-14, 16 and 27 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4, 7-8, 10-13, 16 and 19-20 of U.S. Patent No. 9,807,182. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations recited in the claims 3-5, 7, 12-14, 16 and 27 of the instant application are anticipated by the claims 1-4, 7-8, 10-13, 16 and 19-20 of U.S. Patent No. 9,807,182.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7, 10-13, 16, 21-22 and 24-28 are rejected under 35 U.S.C. 103 as being unpatentable over of Madhu et al. (US 2014/0282977 hereinafter Madhu) in view of Basavapatna et al. (US 2013/0097709 hereinafter Basavapatna). 
Regarding claim 1, Madhu discloses a method comprising: 
analyzing behavior information that indicates behavior of a user for a cloud computing environment corresponding to one or more data objects in the cloud computing environment that are associated with the user (¶ [0022]-[0024], [0038]-[0041], [0052]; i.e. monitoring and/or analyzing user’s social networks behavioral patterns and financial patterns corresponding to user data, for example, user’s connections across multiple social/professional networks with other entities such as friends, user’s disclosure of private and public data, contact information, etc.); 
based on analyzing the behavior information, determining a plurality of characteristics for the user that indicate exposure of the one or more data objects associated with the user, wherein each of the plurality of characteristics reflects the behavior of the user pertaining to the one or more data objects (¶ [0038]-[0041], [0052]; i.e. based on the analyzed social networks behavioral patterns, identifying the user’s exposure of personal data on the social networks, for example, exposure of sensitive data such as birthday, birthplace that could be used for resetting forgotten passwords, connections to fake accounts, etc.); 
[[based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules,]] determining a reputation of the user for exposing data objects in the cloud computing environment (¶ [0038]-[0044]; i.e. determining a user score and/or authentication score for the user’s vulnerability or exposure); and 
indicating the reputation of the user to an entity with which the user is associated (¶ [0020]-[0021], [0031]-[0033]; i.e. providing the user score or authentication score to the user, friends, and/or other entities that are interested in the user’s reputation).  
Madhu discloses determining a reputation of the user for exposing data objects but does not explicitly disclose based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules.
However, Basavapatna discloses determining a behavioral risk score based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules (¶ [0061]-[0062], [0068]; i.e. Activities performed by the particular user can be detected and are determined according to a set of system rules whether the detected activities qualified as pre-defined use violation to determine a behavioral risk score for the user).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Basavapatna’s teaching into Madhu in order to at least report monitored behavior that violates a particular rule to the backend security tools to include in the generation of risk assessments (Basavapatna, ¶ [0003], [0038]).
Regarding claim 2, Madhu in view of Basavapatna discloses the method of claim 1, wherein each of the plurality of rules indicates at least one of a threshold and a criterion for a characteristic to satisfy a policy or to be considered desirable (Basavapatna, ¶ [0037]-[0038]).
Regarding claim 3, Madhu in view of Basavapatna discloses the method of claim 1, wherein the behavior information comprises at least one of accessibility settings of the one or more data objects, metadata of the one or more data objects, login information of the user, activity logs for the user, and account settings of the user (Madhu, ¶ [0039]-[0040]; Basavapatna, ¶ [0037]).  
Regarding claim 4, Madhu in view of Basavapatna discloses the method of claim 1, further comprising classifying at least a first data object of the one or more data objects associated with the user based on data of the first data object, wherein determining the reputation is also based on a classification of the first data object (Madhu, ¶ [0039]-[0040]; i.e. an algorithm processes the user’s profile data taking into account the private and public views of the profile attributes…compute a profile score for the user based on the positive and negative factors for the user’s profile).  
Regarding claim 7, Madhu in view of Basavapatna discloses the method of claim 1, wherein indicating the reputation of the user comprises, based on determining that the reputation fails to satisfy a reputation criterion, generating a notification indicating at least one of the reputation and remedial actions to improve the reputation and sending the notification to the entity (Madhu, ¶ [0031]; Basavapatna, ¶ [0042]).  
Regarding claim 10, Madhu discloses a non-transitory computer-readable storage medium having program code stored thereon the program code comprising instructions to: 
analyze behavior information that indicates behavior of a user for a cloud computing environment corresponding to a plurality of data objects in the cloud computing environment that are associated with the user (¶ [0022]-[0024], [0038]-[0041], [0052]; i.e. monitoring and/or analyzing user’s social networks behavioral patterns and financial patterns corresponding to user data, for example, user’s connections across multiple social/professional networks with other entities such as friends, user’s disclosure of private and public data, contact information, etc.); 
determine, based on analysis of the behavior information, a plurality of characteristics for the user that indicate exposure of the plurality of data objects, wherein each of the plurality of 
determine a reputation of the user for exposing data objects in the cloud computing environment (¶ [0038]-[0044]; i.e. determining a user score and/or authentication score for the user’s vulnerability or exposure) based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules; and 
indicate the reputation of the user to an entity with which the user is associated (¶ [0020]-[0021], [0031]-[0033]; i.e. providing the user score or authentication score to the user, friends, and/or other entities that are interested in the user’s reputation).  
Madhu discloses determining a reputation of the user for exposing data objects but does not explicitly disclose apply a plurality of rules to the plurality of characteristics; determining said reputation based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules.
However, Basavapatna discloses apply a plurality of rules to the plurality of characteristics and determining a behavioral risk score based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules (¶ [0061]-[0062], [0068]; i.e. Activities performed by the particular user can be detected and are determined according to a set of system rules whether the detected activities qualified as pre-defined use violation to determine a behavioral risk score for the user).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Basavapatna’s teaching into Madhu in order to at least report monitored behavior that violates a particular rule to the backend security tools to include in the generation of risk assessments (Basavapatna, ¶ [0003], [0038]).
Regarding claim 11, Madhu in view of Basavapatna discloses the non-transitory computer-readable storage medium of claim 10, wherein each of the plurality of rules indicates at least one of a threshold and a criterion for a characteristic to satisfy a policy or to be considered desirable (Basavapatna, ¶ [0037]-[0038]).  
Regarding claim 12, Madhu in view of Basavapatna discloses the non-transitory computer-readable storage medium of claim 10, wherein the behavior information comprises at least one of accessibilityAMENDMENT AND RESPONSE UNDER 37 CFR §1.114Page 7 settings of the one or more data objects, metadata of the one or more data objects, login information of the user, activity logs for the user, and account settings of the user (Madhu, ¶ [0039]-[0040]; Basavapatna, ¶ [0037]).  
Regarding claim 13, Madhu in view of Basavapatna discloses the non-transitory computer-readable storage medium of claim 10, wherein the program code further comprises instructions to classify a subset of the plurality of data objects, wherein the instructions to determine the reputation comprise instructions to determine the reputation based on classifications of each of the subset of data objects (Madhu, ¶ [0039]-[0040]).  
Regarding claim 16, Madhu in view of Basavapatna discloses the non-transitory computer-readable storage medium of claim 10, wherein the instructions to indicate the reputation of the user comprise instructions to, based on a determination that the reputation fails to satisfy a reputation criterion, generate a notification indicating at least one of the reputation and remedial actions to improve the reputation and send the notification to the entity (Madhu, ¶ [0031]; Basavapatna, ¶ [0042]).  
Regarding claim 21, Madhu discloses a system comprising: 
a processor (FIG. 1); and 
a computer-readable medium having instructions stored thereon that are executable by the processor to cause the system to (FIG. 1), 
based on analysis of behavior information that indicates behavior of a user for a cloud computing environment, determine one or more characteristics for the user that indicate exposure of one or more data objects associated with the user, wherein each of the one or more characteristics reflects behavior of the user that pertains to the one or more data objects (¶ [0023], [0038]-[0041], [0052]; i.e. based on the analyzed social networks behavioral patterns, identifying the user’s exposure of personal data on the social networks, for example, connections to fake profile accounts, exposure of sensitive data such as birthday, birthplace that could be used for resetting forgotten passwords, connections to fake accounts, etc.); 
[[based on a degree of compliance of the one or more characteristics with corresponding ones of the one or more rules,]] determine a reputation of the user for exposing data objects in the cloud computing environment (¶ [0038]-[0044]; i.e. determining a user score and/or authentication score for the user’s vulnerability or exposure);  and 
indicate the reputation of the user to an entity with which the user is associated (¶ [0020]-[0021], [0031]-[0033]; i.e. providing the user score or authentication score to the user, friends, and/or other entities that are interested in the user’s reputation).  
Madhu discloses determining a reputation of the user for exposing data objects but does not explicitly disclose applying one or more rules to the one or more characteristics; determining said reputation based on a degree of compliance of the one or more characteristics with corresponding ones of the one or more rules.
However, Basavapatna discloses applying one or more rules to the one or more characteristics and determining a behavioral risk score based on compliance of the plurality of characteristics with corresponding ones of a plurality of rules (¶ [0061]-[0062], [0068]; i.e. Activities performed by the particular user can be detected and are determined according to a set of system rules whether the detected activities qualified as pre-defined use violation to determine a behavioral risk score for the user).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Basavapatna’s teaching into Madhu in order to at least report monitored behavior that violates a particular rule to the backend security tools to include in the generation of risk assessments (Basavapatna, ¶ [0003], [0038]).
Regarding claim 22, Madhu in view of Basavapatna discloses the system of claim 21, wherein the instructions executable by the processor to cause the system to indicate the reputation of the user comprise instructions executable by the processor to cause the system to, based on a determination that the reputation fails to satisfy a reputation criterion, generate a notification indicating at least one of the reputation and remedial actions to improve the reputation and send the notification to the entity (Madhu, ¶ [0031]; Basavapatna, ¶ [0042]).  
Regarding claim 24, Madhu in view of Basavapatna discloses the system of claim 21, wherein the one or more data objects comprise first and second data objects that correspond to respective first and second cloud services of the cloud computing environment, wherein the instructions executable by the processor to cause the system to determine the one or more characteristics comprise instructions executable by the processor to cause the system to determine a first characteristic corresponding to the first data object and a second characteristic corresponding to the second data object, and wherein the instructions executable by the processor to cause the system to determine the reputation of the user comprise instructions executable by the processor to cause the system to determine a first reputation for the first cloud service and a second reputation for the second cloud service based on respective ones of the first and second characteristics (Madhu, ¶ [0038]-[0043]; i.e. user score, profile score, affinity score, connections score, etc.; Basavapatna, ¶ [0030]).  
Regarding claim 25, Madhu in view of Basavapatna discloses the method of claim 1, wherein determining each characteristic of the plurality of characteristics comprises identifying the characteristic from the behavior information or aggregating multiple items of the behavior information to derive the characteristic (Madhu, ¶ [0039]-[0041]; Basavapatna, ¶ [0030]).  
Regarding claim 26, Madhu in view of Basavapatna discloses the method of claim 1, wherein determining the reputation of the user comprises determining the reputation based on weights associated with the plurality of characteristics, wherein at least a first of the plurality of characteristics is weighted differently than others of the plurality of characteristics (Madhu, ¶ [0038]; Basavapatna, ¶ [0050]).  
Regarding claim 27, Madhu in view of Basavapatna discloses the method of claim 1, wherein the one or more data objects comprise first and second data objects that correspond to respective first and second cloud services of the cloud computing environment, wherein determining the plurality of characteristics comprises determining a first characteristic corresponding to the first data object and a second characteristic corresponding to the second data object, and  wherein determining the reputation of the user comprises determining a first reputation for the first cloud service and a second reputation for the second cloud service based on respective ones of the first and second characteristics (Madhu, ¶ [0038]-[0043]; i.e. user score, profile score, affinity score, connections score, etc.; Basavapatna, ¶ [0030]).
Regarding claim 28, Madhu in view of Basavapatna discloses the method of claim 27 further comprising aggregating the first and second reputations to determine an aggregate reputation of the user, wherein indicating the reputation comprises indicating at least one of the first reputation, the second reputation, and the aggregate reputation (Madhu, ¶ [0044]; Basavapatna, ¶ [0030]).
Allowable Subject Matter
Claims 5, 14 and 23 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  The prior art of record, alone or in combination, fails to clearly teach or fairly suggest impersonating the user based on use of one or more Application Programming Interface (API) calls of the cloud computing environment to request the behavior information.  
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/C.D.N/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435