Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 1-20 are pending. Claims 1, 8 and 15 have been amended.
Response to Amendments
	Applicant’s amendments filed on 05-06-2022 have been considered and entered.
Response to Arguments
	Applicant's amendments/arguments filed on 05-06-2022 have been fully considered and are persuasive. However, upon further consideration, a new ground of rejection is made (as shown in the office action below).

Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1, 3, 4, 8, 10, 11, 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Jaiswal et al. (US Patent No. 9,015,082) in view of Townsend et al. (US Publication No. 2005/0125687), further in view of He et al. (US Patent No. 9,380,075).
	As per claim 1, Jaiswal discloses a cloud-based security system comprising: a plurality of enforcement nodes connected to one another (figure 1, DLP agents in devices 102A-c and server 120, column 4, lines 24-26); a Data Loss Prevention (DLP) service executed between the plurality of enforcement nodes (column 18, line 59-column 19, line 3, protecting computing device from data loss is performed by DLP agents 106 and DLP engine 122), wherein the DLP service includes one or more DLP rules based on a tenant (column 6, lines 14-24, “DLP policy 250 may include criteria that may indicate an increased risk of data loss…[e]xamples of criteria include user status…file location…file contents...and so on”), and wherein, for the DLP service, a first enforcement node is configured to monitor traffic of a user of the tenant, detect a DLP rule violation (column 5, lines 4-7, “DLP agent 106 that monitors data loss vectors to ensure that sensitive...information does not leave the endpoint device for illegitimate purposes”), based on the one or more DLP rules (column 5, lines 15-19, “DLP policy may specify a type of content to be monitored ...how to identify sensitive data…and/or action to be performed when sensitive data is detected”), and forward DLP incident information to a second enforcement node (column 5, lines 42-43, data from endpoint is collected by server 115/second enforcement node) and the second enforcement node is configured to transmit the DLP incident information to a server for the tenant (column 5, lines 42-45, server 115 reports the collected data to server 120), including both DLP triggering content that cause the DLP rule violation and DLP scan metadata (column 7, lines 38-43, the incident report identifies an application (triggering content), user, data loss, type of the sensitive data, etc. (DLP scan metadata), associated with the policy violation).
	Jaiswal does not explicitly disclose a central authority connected to the plurality of enforcement nodes; DLP rules based on one or more DLP engines; and the second enforcement node is on a different cloud that the DLP service uses for sending communications. However, in an analogous art, Townsend discloses a central authority connected to the plurality of enforcement nodes (paragraph [0048], host computer 102 receives security policies from a source device; multiple host computers 102 obtain security policies from the same source device (central authority)); and DLP rules based on one or more DLP engines (paragraph [0032], security rules in security policy are associated with and applied by particular security engines).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jaiswal to include a central authority connected to the plurality of enforcement nodes; and DLP rules being based on one or more DLP engines, as disclosed by Townsend. This would have been obvious because one of ordinary skill in the art would have been motivated to distribute engine-based security policy to various security engines, in order to improve the level of security provided for the computing system.
	Jaiswal in view of Townsend does not explicitly disclose the second enforcement node is on a different cloud that the DLP service uses for sending communications. However, in an analogous art, He discloses a security supervisor of a first cloud communicating with a security supervisor of a second/different cloud and sending security events that have occurred at the first cloud to the security supervisor of the second cloud (column 9, lines 23-29).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jaiswal and Townsend to include the second enforcement node is on a different cloud that the DLP service uses for sending communications, as disclosed by He. This would have been obvious because one of ordinary skill in the art would have been motivated to inform the other cloud of the security event that has arisen in the cloud and prevent the arising of the same security event in the other cloud.
	It is noted that although He does not use the terms second enforcement node and DLP service, the functionality of the first cloud security supervisor communicating a security event to the second security supervisor in a different cloud is similar to the functionality of the DLP service and second enforcement node. As such, the teaching of He is functionally equivalent to the limitation of the claim.
	As per claims 8 and 15, Jaiswal discloses a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors at a first enforcement node in a cloud-based security system (column 4, lines 15-22) to perform steps of:
monitoring traffic of a user of a tenant; implementing Data Loss Prevention (DLP) service for the tenant (column 5, lines 4-7, “DLP agent 106 that monitors data loss vectors to ensure that sensitive… information does not leave the endpoint device for illegitimate purposes”), wherein the DLP service includes one or more DLP rules (column 6, lines 14-24, “DLP policy 250 may include criteria that may indicate an increased risk of data loss…[e]xamples of criteria include user status...file location...file contents… and so on”); analyzing the traffic via the DLP service (column 6, lines 3-10, monitor data loss vector, applications, data, etc. to detect operations that attempt to move data off of an endpoint device);
detecting a DLP rule violation (column 5, lines 4-7, “DLP agent 106 that monitors data loss vectors to ensure that sensitive...information does not leave the endpoint device for illegitimate purposes”) based on the one or more DLP rules (column 5, lines 15-19, “DLP policy may specify a type of content to be monitored ...how to identify sensitive data…and/or action to be performed when sensitive data is detected”); and forwarding DLP incident information to a second enforcement node (column 5, lines 42-43, data from endpoint is collected by server 115/second enforcement node) that is configured to transmit the DLP incident information to a server for the tenant (column 5, lines 42-45, server 115 reports the collected data to server 120), including both DLP triggering content that cause the DLP rule violation and DLP scan metadata (column 7, lines 38-43, the incident report identifies an application (triggering content), user, data loss, type of the sensitive data, etc. (DLP scan metadata), associated with the policy violation).
	Jaiswal does not explicitly disclose DLP rules being based on one or more DLP engines; and the second enforcement node is on a different cloud that the DLP service uses for sending communications.
However, in an analogous art, Townsend discloses DLP rules based on one or more DLP engines (paragraph [0032], security rules in security policy are associated with and applied by particular security engines).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jaiswal to include DLP rules being based on one or more DLP engines, as disclosed by Townsend. This would have been obvious because one of ordinary skill in the art would have been motivated to distribute engine-based security policy to various security engines, in order to improve the level of security provided for the computing system.
	Jaiswal in view of Townsend does not explicitly disclose the second enforcement node is on a different cloud that the DLP service uses for sending communications. However, in an analogous art, He discloses a security supervisor of a first cloud communicating with a security supervisor of a second/different cloud and sending security events that have occurred at the first cloud to the security supervisor of the second cloud (column 9, lines 23-29).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jaiswal and Townsend to include the second enforcement node is on a different cloud that the DLP service uses for sending communications, as disclosed by He. This would have been obvious because one of ordinary skill in the art would have been motivated to inform the other cloud of the security event that has arisen in the cloud and prevent the arising of the same security event in the other cloud.
	It is noted that although He does not use the terms second enforcement node and DLP service, the functionality of the first cloud security supervisor communicating a security event to the second security supervisor in a different cloud is similar to the functionality of the DLP service and second enforcement node. As such, the teaching of He is functionally equivalent to the limitation of the claim.
	As per claims 3 and 10, Jaiswal furthermore discloses, wherein the DLP triggering content includes all or a portion of data that triggered the DLP rule violation so that the tenant can determine remediation (column 7, lines 32-43, the incident report identifies an application, user, time stamp, data loss vector, type of sensitive data, etc., associated with the policy violation).
	As per claims 4 and 11, Jaiswal furthermore discloses, wherein the DLP scan metadata includes [a plurality of a DLP dictionary], a DLP engine, [a search score], a trigger, a time, a user, [and a Uniform Resource Locator (URL)] (column 7, lines 36-43, “[i]n addition to identifying the DLP policy that was violated, each incident report 240 may identify an application [application triggering violation], user, data loss vector, type of the sensitive data (e.g., social security number, credit card number, etc.),etc. associated with the policy violation. [t]he incident report generator 215 may also include time stamp showing when the policy violation occurred”). Although Jaiswal does not explicitly list DLP dictionary, DLP engine, search score and URL, it is noted that firstly, in Jaiswal, the list of metadata information is not an exhaustive list and could include other information. As such, Jaiswal is capable of including different information (DLP dictionary, DLP engine, search score and URL) within the metadata.
	In addition, the claim limitation (“the DLP scan meta data includes a plurality of a DLP dictionary, DLP engine…Uniform Resource Locator (URL)”) is directed to non-functional descriptive material which does not affect the claim in a determinative or manipulative sense and therefore cannot be used to differentiate Applicant's invention from the prior art invention. The type of data within metadata is non-functional as it does not alter how the invention functions. That is, the core functionality of the claim remains the same. It has been held that non-functional descriptive material cannot render non-obvious an invention that would have otherwise been obvious. See In re Gulack, 217 USPQ 401 (Fed. Cir. 1983); In re Ngai, 70 USPQ2d (Fed. Cir. 2004); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994).
	As per claim 17, Jaiswal furthermore discloses, the DLP triggering content includes all or a portion of data that triggered the DLP rule violation so that the tenant can determine remediation (column 7, lines 32-43, the incident report identifies an application, user, time stamp, data loss vector, type of sensitive data, etc., associated with the policy violation), and wherein the DLP scan metadata includes [a plurality of a DLP dictionary], a DLP engine, [a search score], a trigger, a time, a user, [a Uniform Resource Locator (URL)] (column 7, lines 36-43, “[i]n addition to identifying the DLP policy that was violated, each incident report 240 may identify an application [application triggering violation], user, data loss vector, type of the sensitive data (e.g., social security number, credit card number, etc.),etc. associated with the policy violation. [t]he incident report generator 215 may also include time stamp showing when the policy violation occurred”). Although Jaiswal does not explicitly list DLP dictionary, DLP engine, search score and URL, it is noted that firstly, in Jaiswal, the list of metadata information is not an exhaustive list and could include other information. As such, Jaiswal is capable of including different information (DLP dictionary, DLP engine, search score and URL) within the metadata.
	In addition, the claim limitation (“the DLP scan meta data includes a plurality of a DLP dictionary, DLP engine…Uniform Resource Locator (URL)”) is directed to non-functional descriptive material which does not affect the claim in a determinative or manipulative sense and therefore cannot be used to differentiate Applicant's invention from the prior art invention. The type of data within metadata is non-functional as it does not alter how the invention functions. That is, the core functionality of the claim remains the same. It has been held that non-functional descriptive material cannot render non-obvious an invention that would have otherwise been obvious. See In re Gulack, 217 USPQ 401 (Fed. Cir. 1983); In re Ngai, 70 USPQ2d (Fed. Cir. 2004); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994).
	
	Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Jaiswal, in view of Townsend, in view of He, further in view of Shukla (US Publication No. 2008/0016339).
	As per claims 2, 9 and 16, Jaiswal furthermore discloses, wherein the first enforcement node and the second enforcement node are configured to forward the DLP incident information (column 5, lines 42-45, data from endpoint is collected by server 115, server 115 reports the collected data to server 120). Jaiswal in view of He and Townsend does not explicitly disclose, not persist the DLP triggering content in memory. However, in an analogous art, Shukla discloses removing a malware code (DLP triggering content) from the memory (paragraph [0104], “the malware code is deleted in memory”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Jaiswal, Townsend and He with Shukla, in order to achieve the predictable result of eliminating the ability of malware to perform any malicious function in the system.

	Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jaiswal in view of Townsend, in view of He, further in view of Geddes (US Patent No. 7,853,782).
	As per claims 5, 12 and 18, Jaiswal furthermore discloses, the DLP rule violation is a violation of an Exact Data Match (EDM) index provided to the cloud-based security system as a hash signature so that underlying data is not accessible by the cloud-based security system (column 6, lines 36-50, DLP policy includes an exact data matching (EDM); when a file or other data is to be scanned, a fingerprint or hash is generated of the file and compared or matched to a stored fingerprint).
	Jaiswal in view of Townsend and He does not explicitly disclose the triggering content includes the hash signature which is converted back to the underlying data at the server for the tenant. However, in an analogous art, Geddes discloses an encrypted data received by intermediary/server is decrypted by the intermediary for the client (column 7, lines 2-5).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Jaiswal, Townsend and He with Geddes, in order to achieve the predictable result of data verification and authentication.

	Claims 6, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jaiswal, in view of Townsend, in view of He, further in view of Lopilato et al. (US Patent No. 9,356,943).
	As per claims 6, 13 and 19, Jaiswal in view of Townsend and He discloses all limitations of the claims as applied to claims 1, 8 and 15 above. Jaiswal in view of Townsend and He does not explicitly disclose but in an analogous art Lopilato discloses, wherein the server includes an Internet Content Adaptation Protocol (ICAP) server that is one of located on-premises with the tenant and located in a cloud system and connected securely to another server located on-premises with the tenant (column 1, lines 29-37, and column 5, lines 32-43, “a multi-tenant cloud-based environment may include an ICAP server that multiplexes network traffic exchanged between various clients and web servers over a single network connection”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Jaiswal, Townsend and He with Lopilato, and include the well-known Internet Content Adaptation Protocol (ICAP) server, in order to achieve the predictable result of handling network traffic exchanged between various clients and web servers.

	Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jaiswal, in view of Townsend, in view of He, further in view of Goyal et al. (US Publication No. 2018/0288062).
	As per claims 7, 14 and 20, Jaiswal in view of Townsend and He teaches all limitations of the claims as applied to claims 1, 8 and 15 above. Jaiswal in view of Townsend and He does not explicitly disclose but in an analogous art, Goyal discloses, the first enforcement node is configured to monitor the traffic that includes any of Secure Sockets Layer (SSL) traffic and Transport Layer Security (TLS) traffic as a proxy (paragraph [0040], interception proxy 510 filters the content over SSL channel).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Jaiswal, Townsend and He with Goyal, in order to filter and detect malicious activities over an encrypted channel.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Mathison, III et al. (US Publication No. 2021/0243211), discloses a method, system and computer-usable medium for routing data loss prevention (DLP) events across different network levels. A determination is made as to a number of DLP networks. The classification and data as to a DLP network is determined. Certain data is processed, including an entity risk level and certain data is held, such as certificates. The held data is processed by a computing platform. Processed entity risk levels are returned to the DLP networks. When all networks are processed, processed and held data are sent to the computing platform.


Conclusion


	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437