Notice of Pre-AIA  or AIA  Status
Claims 1-23 remain for examination.  The amendment filed 3/8/22 amended claims 1, 7, 8, 12, 14, 15, & 18-20; and added claims 21-23.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. Independent claims 1, 15, and 20 were amended to add new limitations regarding inter alia “training a machine learning model to a plurality of encryption methods”, “associate the anomalous pattern to an encryption standard for an identified one of the plurality of encryption methods”, and “apply a respective decryption algorithm to decrypt the anomalous pattern”; however, contrary to Applicant’s remarks in the response filed 3/8/22, the Examiner could find no evidence that paragraphs 0065-0068 or Figure 2 of the instant specification teach anything regarding a machine learning model being able to not just recognize encrypted content but to recognize the particular encryption algorithm used, and decrypt the encrypted content based on the machine learning model’s recognition thereof.  At best, Examiner has determined that paragraph 0048 of the specification as filed provides the barest minimum recitation of these limitations, but provides no guidance as to how a person of ordinary skill in the art would even begin to implement this functionality.  Encryption algorithms including those explicitly named in paragraph 0048 as being recognized by the invention are designed to produce blocks of ciphertext that are resistant to cryptanalysis, with few if any obvious tells that would give away what type of encryption algorithm was used to produce it; without any teaching as to what one would even train the model to look for in order to identify a particular encryption algorithm, the specification does not adequately disclose the claimed invention in sufficient detail that a person of ordinary skill in the art could reasonably conclude that the Applicant had possession of the claimed invention.  Moba BV v. Diamond Automation, Inc., 325 F.3d 1306, 1319, 66 USPQ2d 1429, 1438 (Fed. Cir. 2003).  Furthermore, even assuming arguendo that the specification described the training step(s), the encryption algorithm identified by the model would also require the use of the appropriate decryption key in order to decrypt the data; the specification is entirely silent regarding decryption keys in general, let alone where the invention obtains the key to decrypt the anomalous pattern.  Although decryption algorithms, and the use of decryption keys therein, are generally known in the art, in the specific context of the instant disclosure, a malicious actor attempting to exfiltrate sensitive data that would otherwise be recognized by the invention has no reason to share the decryption key with the invention that would detect his malicious activity.  Thus, without any disclosure pertaining to how the invention obtains and uses decryption keys, a person of ordinary skill in the art could reasonably conclude that the Applicant had possession of the claimed invention.  Moba BV v. Diamond Automation, Inc., 325 F.3d 1306, 1319, 66 USPQ2d 1429, 1438 (Fed. Cir. 2003).  

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3-11, and 15-20  is/are rejected under 35 U.S.C. 103 as being unpatentable over “Text Classification for Data Loss Prevention” (hereinafter, “Hart”) in view of U.S. Patent Publication 2021/0044603 (hereinafter, “Annen”).

Regarding claims 1, 15, and 20:
Hart discloses a computing platform, method, and computer program product comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions  (all elements of a computer implementing the disclosed method(s) implied by the results disclosed on pages 10-11, “5. Evaluation”) that, when executed by the at least one processor, cause the computing platform to: monitor, in real-time and via a computing device, a transmission of textual data from a user device (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “First, the system discovers the three types of enterprise data by scanning storage devices, intercepting network traffic in real time, and monitoring user actions on end point devices.” [emphasis Examiner’s]); scan, via the computing device, a content of the textual data (Ibid: “Second, the system identifies confidential enterprise data from the data discovered in the first step.”; see also the first paragraph of page 4); perform, via the computing device and based on the scanning, textual analysis of the scanned content (pages 5-8, “3 Text Classifiers for DLP”); detect, in real-time and based on the textual analysis, an anomalous pattern indicative of secure enterprise information (Ibid; see also pages 10-11, “5. Evaluation”); and trigger, via the computing device, one or more security actions to prevent the transmission of the secure enterprise information (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “Third, the system enforces enterprise policies on confidential data. For example, the system may encrypt confidential data-at-rest to prevent unauthorized use; the system may block confidential data-in-motion from leaving the enterprise and may prevent confidential data from being copied to a USB device” [emphasis Examiner’s]; see also page 12, “6. Discussion”, particularly the 1st paragraph: “Our method coupled with the DLP system's ability to recognize data flow from a trusted to an untrusted device should prevent these type of leakages.”). 
Hart does not disclose training a machine learning model to a plurality of encryption methods; associating the anomalous pattern to an encryption standard for an identified one of the plurality of encryption methods; and applying a respective decryption algorithm to decrypt the anomalous pattern.  However, Annen discloses a related invention comprising these limitations (paragraphs 0078-0081).  It would have been obvious prior to the effective filing date of the instant application to train a machine learning model to recognize and decrypt encrypted data, as doing so would help one defend one’s network from ransomware (e.g. Annen, paragraphs 0002-0003).

Regarding claims 3 and 16:	Hart further discloses wherein the secure enterprise information is in numeric format, and wherein the anomalous pattern comprises the secure enterprise information in alphanumeric format (see page 4, top paragraph, regarding examples of detecting e.g. social security numbers and telephone numbers [numeric content] within the text being analyzed by the invention). 

Regarding claim 4:	Hart further discloses wherein the secure enterprise information is in alphanumeric format, and wherein the anomalous pattern comprises the secure enterprise information in an altered alphanumeric format (page 4, Ibid). 

Regarding claims 5 and 17:	Hart further discloses wherein the anomalous pattern comprises a portion of the content that deviates from a context of the content (page 13, paragraph beginning with “The xtra.info attribute…”). 

Regarding claim 6:	Hart further discloses wherein the instructions to perform the textual analysis comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: perform the textual analysis based on a language model (page 11, paragraph beginning with “Our approach is unique…”). 

Regarding claims 7 and 18:	Hart further discloses wherein the instructions to detect the anomalous pattern comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: train a machine learning model based on previously detected anomalous patterns (page 4, paragraph beginning with “Our approach builds on a well-studied machine learning technique…”; and page 9, “4. DLP corpora”). 

Regarding claims 8 and 19:	Hart further discloses wherein the instructions to detect the anomalous pattern comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: train a machine learning model to generate additional anomalous patterns (page 4, paragraph beginning with “Our approach builds on a well-studied machine learning technique…”; and page 9, “4. DLP corpora”); and detect the anomalous pattern based on the additional anomalous patterns (pages 10-11, “5. Evaluation”). 

Regarding claim 9:	Hart further discloses wherein the textual data comprises data associated with an electronic communication (page 3, “2. Data Loss Prevention Systems”, particularly the first paragraph: “Data-in-motion is enterprise data contained in outbound network traffic such as emails, instant messages, and web traffic”). 

Regarding claim 10:	Hart further discloses wherein the textual data comprises data associated with an electronic document spooled for printing to a print device (Ibid: printers inherently being end-point devices which qualify under the data-in-use criterion). 

Regarding claim 11:	Hart further discloses wherein the one or more security actions comprises preventing the transmission of the textual data (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “Third, the system enforces enterprise policies on confidential data. For example, the system may encrypt confidential data-at-rest to prevent unauthorized use; the system may block confidential data-in-motion from leaving the enterprise and may prevent confidential data from being copied to a USB device” [emphasis Examiner’s]). 

Claims 2, 12, and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of U.S. Patent Publication 2018/0054447 (hereinafter, “Greevy”).

Regarding claim 2:
	Hart explicitly states that their invention as currently disclosed does not decrypt encrypted data for analysis (e.g. pages 5-6, the paragraph beginning with “The major drawback of confidential data identification schemes…”), although Hart does at least explicitly suggest that this functionality may yet be incorporated into future revisions of this invention (e.g. page 16, “8. Conclusion and Future Work”: “We will also look to expand our approach to include encrypted and multimedia content”; see also page 5, top paragraph).  Subsequent to Hart’s disclosure, Greevy discloses a related invention for data loss prevention via email (e.g. paragraphs 0011-0012, 0037, & 0063) which includes the steps of decrypting an email in transit and scanning it for security threats prior to delivery (paragraph 0026).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart to allow it to decrypt emails in transit in search of sensitive information, as this had become a known option within the grasp of a person of ordinary skill in the art, to achieve the predictable effect of preventing sensitive information from being intercepted or accessed maliciously (Greevy, paragraph 0037).

Regarding claim 12:	Hart does not explicitly disclose wherein the one or more security actions comprises modifying, based on a machine learning model, the anomalous pattern to prevent a disclosure of the secure enterprise information. However, Greevy discloses a related invention for data loss prevention through email (e.g. paragraphs 0011-0012, 0037, & 0063) which includes the steps of redacting sensitive information that was detected within a scanned email (paragraph 0073).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart to allow it to redact sensitive information identified by its machine learning model(s) found within emails being scanned, as this had become a known option within the grasp of a person of ordinary skill in the art, to achieve the predictable effect of preventing sensitive information from being intercepted or accessed maliciously (Greevy, paragraph 0037).

Regarding claim 21:
	The rationale(s) for rejecting claims 2 & 12 apply mutatis mutandis to claim 21.

Regarding claim 22:
	The combination further discloses replacing anomalous content associated with the anomalous pattern with alternative content to prevent disclosure of secure enterprise information (Greevy, paragraph 0073).
  
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of U.S. Patent Publication 2019/0370468 (hereinafter, “Soby”).

Regarding claim 13:	Hart does not explicitly disclose wherein the one or more security actions comprises modifying an access permission of an enterprise user associated with the user device.  However, Soby discloses a related invention for protecting confidential information from exposure (e.g. Abstract) wherein this limitation is taught (i.e. removing a user’s access to information determined to have been exposed: paragraph 0028).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart’s invention to modify the access permission of an enterprise user associated with the user device, as doing so was a known option within the grasp of a person of ordinary skill in the art, in order to achieve the predictable effect of limiting the exposure of confidential information from said user in the future (Soby, Ibid).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of U.S. Patent Publication 2015/0310188 (hereinafter, “Ford”).

Regarding claim 14:	Hart does not explicitly disclose wherein the one or more security actions comprises generating, based on the monitoring, a risk profile of an enterprise user associated with the user device, wherein the risk profile is indicative of a likelihood of the enterprise user to transmit secure enterprise information.  However, Ford discloses a related invention for secure data transmission that is compatible with DLP systems (paragraph 0408) wherein this limitation is taught (Ford, paragraph 0346).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart to support generating a risk profile of the enterprise user(s), as doing so would allow the system to protect against data exposure based on external circumstances beyond whether the user would normally have access to said data (i.e. IP address, geography, data node factors, etc.: Ford, Ibid).

Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Hart as applied to claim 14 above, and further in view of Weith (U.S. Patent Publication 2017/0359220).

Regarding claim 23:
	Hart does not disclose determining a type of multiplier to be applied to a risk score of the enterprise user based on the business role of the enterprise user.  However, Weith discloses a related invention for data loss prevention (e.g. Abstract, and paragraph 0062) wherein a risk score can be calculated for users within an enterprise, and wherein the risk score is affected based on their role within the enterprise (paragraphs 0025-0026; see the multiplier at paragraph 0127).  It would have been obvious to alter the risk score based on the role of the user at the enterprise, as doing so helps prioritize remediation efforts on the network (Weith, paragraph 0026).


Response to Arguments
Applicant's arguments filed 3/8/22 have been fully considered but they are not persuasive, being predicated on the prior art not teaching the new limitations that were not enabled by the specification as discussed in the rejections under 35 USC 112 supra.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435                                                                                                                                                                                                        6/10/2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436