Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
Amended claims 1, 2 and 5-13 have been fully considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, and are persuasive.

Allowable Subject Matter
1.	Amended claims 1, 2, 5-13 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. Claims 3 and 4 are cancelled.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Kyle Doerrler (attorney) for filed amended claims:
1.	(Currently Amended) A computer implemented method to detect a data breach in a network-connected computing system, the method comprising:
storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system;
generating, by the trusted secure computing device, a copy of a data dump distributed across a network;
identifying, by the trusted secure computing device, information about a network attack stored in the copy of the data dump, the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump or a portion of data obtained by the network attack; 
generating, by the trusted secure computing device, a signature for the network attack or patterns for identifying the network attack in network traffic, the signature being based on characteristics of the portion of obtained data that include at least one of: 
one or more of an identification, data type, number or order of data fields in the portion of obtained data; 
metadata associated with the portion of obtained data; or 
the content of the portion of obtained data; and
identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.

2.	(Previously Presented) The method of claim 1, wherein the identified information about the network attack includes at least a portion of code or script for carrying out the network attack, and the signature identifies the network attack based on the at least a portion of code or script.

3.	(Canceled)

4.	(Canceled) 

5.	(Previously Presented) The method of claim 1, further comprising identifying a subset of the stored network traffic associated with the attack based on the signature.

6.	(Previously Presented) The method of claim 5, wherein the subset of stored network traffic includes network traffic communicated between communication endpoints involved in network traffic corresponding to the signature, the communication endpoints being compromised communication endpoints.

7.	(Previously Presented) The method of claim 6, further comprising identifying data stored or communicated by or via compromised endpoints as compromised data.

8.	(Previously Presented) The method of claim 7, wherein the compromised data is identified as discredited or invalidated.

9.	(Previously Presented) The method of claim 7, wherein the compromised data is associated with one or more computing services for generating, accessing or processing the compromised data, and the method further comprises implementing protective measures in respect of the one or more computing services.

10.	(Previously Presented) The method of claim 7, wherein the compromised data includes one or more of at least part of an authentication credential; an access token; a certificate; a key; or an authorization data item.

11.	(Previously Presented) The method of claim 7, wherein the compromised data includes at least part of an authentication credential, and the authentication credential is revoked in response to the identification of the compromised data.

12.	(Currently Amended) A computer system comprising:
a processor and memory storing computer program code for detecting a data breach in a network-connected computing system by:
storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system;
generating, by the trusted secure computing device, a copy of a data dump distributed across a network, the data dump including sensitive information arising as a result of a data breach;
identifying, by the trusted secure computing device, information about a network attack stored in the copy of the data dump, the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump or a portion of data obtained by the network attack;
generating, by the trusted secure computing device, a signature for the network attack or patterns for identifying the network attack in network traffic, the signature being based on characteristics of the portion of obtained data that include at least one of: 
one or more of an identification, data type, number or order of data fields in the portion of obtained data; 
metadata associated with the portion of obtained data; or 
the content of the portion of obtained data; and
identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.

13.	(Currently Amended) A non-transitory computer-readable storage element storing computer program code to, when loaded into a computer system and executed thereon, cause the computer system to detect a data breach in a network-connected computing system by:
storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system;
generating, by the trusted secure computing device, a copy of a data dump distributed across a network, the data dump including sensitive information arising as a result of a data breach;
identifying, by the trusted secure computing device, information about a network attack stored in the copy of the data dump, the information about the network attack comprising at least one characteristic indicative of a method used to obtain the data dump or a portion of data obtained by the network attack;
generating, by the trusted secure computing device, a signature for the network attack or patterns for identifying the network attack in network traffic, the signature being based on characteristics of the portion of obtained data that include at least one of: 
one or more of an identification, data type, number or order of data fields in the portion of obtained data; 
metadata associated with the portion of obtained data; or 
the content of the portion of obtained data; and
identifying an occurrence of the network attack in the stored portion of network traffic based on the generated signature.

Reasons for Allowance
None of the other prior art of record, taken alone or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: storing, at a trusted secure computing device, at least a portion of network traffic communicated with the computer system; the computing device generating a copy of data distributed across a network; the computing device identifying information about the network attack stored in the copy of the data; the computing device generating a signature for the network attack based on the information about the network attack, the signature including rules for identifying the network attack in network traffic, the signature being based on characteristics of the portion of obtained data that include at least one of: one or more of an identification, data type, number or order of data fields in the portion of obtained data; metadata associated with the portion of obtained data; or the content of the portion of obtained data; identifying an occurrence of the network attack in the stored network traffic based on the signature.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, the approved examiner’s amendments and the prior art of record. The same amendments and reasoning are applicable to independent claims 12 and 13 mutatis mutandis. Claims 3 and 4 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ortiz-Criado Jorge can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.