DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 4, and 19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5, and 18 of U.S. Patent No. 9,984,248 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because both recite similar concepts of exposing detected changes with a plurality of files at a compute instance and/or endpoint in an enterprise network.
Claims  provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4, 7 of copending Application No. 16/383315 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because both recite similar concepts of determining risk based on deviations of event vectors at a compute instance in an enterprise network.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Specification
The use of the term Windows, MacOS, Linux, Android, iOS in paragraphs 0056 and 00140, which is a trade name or a mark used in commerce, has been noted in this application. The term should be accompanied by the generic terminology; furthermore the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a file integrity monitor” in claims 1 and 19-20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 7, and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Berger et al., hereinafter (“Berger”), US PG Publication (20170302458 A1), in view of Bedhapudi et al., hereinafter (“Bedhapudi”), US PG Publication (20190108341 A1).
Regarding claims 1, 4, and 19-20, Berger teaches a computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing one or more computing devices, performs the steps of; a method comprising; and a system comprising: 
a file integrity monitor deployed on a compute instance, the file integrity monitor configured to report file integrity impacting events in response to indications of interactions with data on the compute instance; [Berger, ¶¶0165 and 0169-0170: Fig. 7 shows endpoint protection in an enterprise network security system, include a processing environment 702, a file system 706, a threat monitor 720 and a key wrapper 730. The threat monitor 720 may also or instead use reputation to evaluate the security state, source files or executable code of processes 704. The extension 710 communicates with a threat monitor 720 in order to receive updates, monitors and reports on the security status and exposure status of the processes 704 on the endpoint.] 
instrumenting a compute instance with a data integrity monitor, the data integrity monitor configured with a number of rules to report events; [Berger, ¶¶0053 and 0058 : The security management facility 122 provide reporting on suspect devices and the like. The threat management facility 100 may provide a policy management facility 112 that include rules to determine allowable request, type of access to be granted, etc.]  
instrumenting a compute instance with a file integrity monitor, the file integrity monitor configured with a number of rules to detect interactions with files on the compute instance; [Berger, ¶¶0165 and 0169-0170: Fig. 7 shows endpoint protection in an enterprise network security system, include a processing environment 702, a file system 706, a threat monitor 720 and a key wrapper 730. The threat monitor 720 may also or instead use reputation to evaluate the security state, source files or executable code of processes 704. The extension 710 communicates with a threat monitor 720 in order to receive updates, monitors and reports on the security status and exposure status of the processes 704 on the endpoint.]
dynamically managing one or more additional rules in the number of rules for the file integrity monitor to detect interactions with the files based on a context of the compute instance, wherein the context includes an attempt to tamper with one or more protected files on the compute instance. [Berger, ¶0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction. ¶0106: coloring system 310 for improved tracking and detection of potentially harmful activity; variety of technique dynamically label software objects, as well as rules for propagating, inheriting, changing, or otherwise manipulating such labels]
While Berger teaches a file integrity monitor [Berger, ¶¶0165 and 0169-0170: extension 710 communicates with a threat monitor 720]; however, Berger fails to explicitly teach but Bedhapudi teaches creating a first set of rules in the number of rules for the file integrity monitor to detect changes in the files based on an operating system for the compute instance; [Bedhapudi, ¶0004: The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. ¶0118: administrators and others may configure/initiate information management policy 148 that include information source that specifies parameters (i.e. rules).]
creating a second set of rules in the number of rules for the file integrity monitor to detect changes in the number of files based on a file monitoring specification received from a user; [See Bedhapudi, ¶0118. ¶0004: The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the just-in-time teachings of Berger before him or her by including the teachings of ransomware detection and data pruning management of Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi [Bedhapudi, ¶0083 and 0201].
 
Regarding claim 2, the combination of Berger and Bedhapudi teach claim 1 as described above.
Berger teaches further comprising code that performs the step of monitoring the number of files with the file integrity monitor according to the number of rules. [Berger, ¶0064: threat management facility 100 create definition updates accessed by security management facility 122 that applies a number of commands/definitions/instructions]
 
Regarding claim 3, the combination of Berger and Bedhapudi teach claim 2 as described above.
Berger teaches further comprising reporting detections by the file integrity monitor based upon the number of rules to a threat management facility for an enterprise network associated with the compute instance. [Berger, ¶0053: reporting on suspect devices]

Regarding claim 7, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein the context includes an indication of compromise for the compute instance. [Berger, ¶0127: An indication of compromise (IOC) monitor 421 may be provided to instrument the endpoint 402 so that any observable actions by or involving various objects 418 can be detected.]

Regarding claim 9, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies at least one of a reputation of an application interacting with the data, an authentication level of a source of interactions with the data, and a type of application interacting with the data. [Berger, ¶0067: threat management facility 100 provides controlled access based on certain criteria: method of authentication, connection type, etc. ¶0059 and 0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction]
 
Regarding claim 10, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies a type of information in the data for a detected interaction. [Berger, ¶0056: type of feedback may be useful for any aspect of threat detection. Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like.]
 
Regarding claim 11, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies a sensitivity of information in the data for a detected interaction. [Berger, ¶0129: ... the IOC monitor 421 applies rules to determine when there is an IOC 422 suitable for reporting to a threat management facility 404; identify inconsistencies or unexpected behavior within a group of actions with improved sensitivity]
 
Regarding claim 12, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the number of rules is a data control rule specifying a permitted file interaction based on at least one of a destination, a file name, a file extension, and a file type associated with a permitted file transfer or an excluded file transfer. [Berger, ¶0210 user interface 1005 presented on display by host 1004 of files selected from a remote location; where the file include file types/multiple file types described from a container 1014 for portable encrypted content. ¶0223: selection of file for encryption and outbound transfer via file transfer.]
 
Regarding claim 13, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the number of rules is a content control rule specifying conditions for permitted interactions with a data type including at least one of confidential data, financial data, and personally identifiable data. [Berger, ¶0123: descriptor 420 provided to multi-tiered/hierarchical description of object 418; include financial]
 
Regarding claim 14, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, Berger fails to explicitly teach but Bedhapudi teaches wherein at least one of the number of rules is selected for compliance with a policy based on one or more of Payment Card Industry standards, Health Insurance Portability and Accountability Act standards, and General Data Protection Regulation standards. [Bedhapudi, ¶0254: information governance policies include: HIPAA (Health Insurance Portability and Accountability Act)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the just-in-time teachings of Berger before him or her by including the teachings of ransomware detection and data pruning management of Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the compliance policies of HIPAA as taught by Bedhapudi [Bedhapudi, ¶0254].

Regarding claim 15, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches further comprising providing a user interface for interaction with the number of rules for the compute instance. [Berger, ¶0070: ... the network administration facility 134 may be able to maintain a set of access rules manually by adding rules, changing rules, deleting rules, or the like.  ¶0076: thin clients 144 provide graphical user interface by application server facility 142 for managing threat protections of the threat management facility 100]
 
Regarding claim 16, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein the first set of rules include default rules provided for the compute instance based on a detection of the operating system. [Berger, ¶0152: the default system does not include any additional shade of access control]
 
Regarding claim 17, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, Berger fails to explicitly teach but Bedhapudi teaches wherein the second set of rules include custom rules provided by the user. [Bedhapudi, ¶¶0100-0101: software module or other application hosted by a suitable computing device comprise a storage manager 140 to initiate configuration by a user at a computing device 106].  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the just-in-time teachings of Berger before him or her by including the teachings of ransomware detection and data pruning management of Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the different configuration executed on system 100 where the storage manager 140, one or more data agents 142 executing on client computing device(s) 102 and configured to process primary data 112, and one or more media agents 144 executing on one or more secondary storage computing devices 106 as taught by Bedhapudi [Bedhapudi, ¶0097].
 
Regarding claim 18, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, Berger fails to explicitly teach but Bedhapudi teaches wherein the context includes interactions detected according to at least one of the first set of rules and the second set of rules. [Bedhapudi, ¶0145: ...certain functions of system 100 can be distributed amongst various physical and/or logical components. For instance, one or more of storage manager 140, data agents 142, and media agents 144 may operate on computing devices that are physically separate from one another; The secondary computing devices 106 on which media agents 144 operate can be tailored for interaction with associated secondary storage devices 108 and provide fast index cache operation, among other specific tasks. Similarly, client computing device(s) 102 can be selected to effectively service applications 110 in order to efficiently produce and store primary data 112.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the just-in-time teachings of Berger before him or her by including the teachings of ransomware detection and data pruning management of Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the distributed, scalable architecture functionality to tailor interactions as taught by Bedhapudi [Bedhapudi, ¶0145].
  
Regarding claim 20, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches further comprising a threat management facility coupled in a communicating relationship with the compute instance and configured to analyze data from the file integrity monitor in order to detect a threat on the compute instance or initiate a remediation of the compute instance. [Berger, ¶0064: threat management facility 100 creates definition updates, detects, and remediates the latest malicious software; threat definition facility 114 contain threat identification updates/definition files.]

Claims 5-6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Berger et al., hereinafter (“Berger”), US PG Publication (20170302458 A1), in view of Bedhapudi et al., hereinafter (“Bedhapudi”), US PG Publication (20190108341 A1), in view of Christian, US PG Publication (20200204574 A1).
Regarding claim 5, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes an attempt to tamper with one or more protected files on the compute instance. [Christian, ¶0160: For example, event 140 may represent a 500 server-error occurring on a web-server of network 108. This event/error may be due to an intrusion attempt by a hacker, such as by using SQL injection or a null-bit manipulation, resulting in tampering of server logs and/or theft of protected data.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with functionality to address intrusion attempts by Christian [Christian, ¶0160].  
 
Regarding claim 6, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes a signal from a data leakage prevention system for the compute instance. [Christian, ¶0122: packet analysis module 118 augments DPI analysis where a high number of superfluous packets signal a data exfiltration attempt wherein the data thief attempts to conceal private data]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with signal functionality to indicate thief attempts [Christian, ¶0122].  

Regarding claim 8, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes information from an installer for one or more applications installed on the computer instance. [Christian, ¶0208: after instant data surveillance system 520 is installed in environment of organization in Fig. 12, it first ingests the data of PLM system 504A and their associated metadata to develop its baseline 120]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with the associated metadata [Christian, ¶0122].
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ray (US9984248 B2) discloses behavioral-based control of access to encrypted content by a process.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/           Primary Examiner, Art Unit 2497