Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/06/2022 has been entered.

The instant application having Application No. 16/526,684 has claims 1-6, 8-13 and 15-19 pending filed on 07/30/2019; there are 3 independent claims and 14 dependent claims, all of which are ready for examination by the examiner.

Response to Arguments

This Office Action is in response to applicant’s communication filed on June 6, 2022 in response to PTO Office Action dated March 4, 2022.  The Applicant’s remarks and amendments to the claims and/or specification were considered with the results that follow.


Claim Rejections

Claim Rejections - 35 USC § 103

 35 USC § 103 Rejection of claims 1-6, 8-13 and 15-19


Applicant's arguments filed on 06/06/2022 with respect to the claims 1-6, 8-13 and 15-19 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.




Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-6, 8-13, 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Katragadda et al (US PGPUB 20190379699) in view of LeFever et al (US PGPUB 20190332807) and in further view of Bellis et al (US PGPUB 20200401704). 

As per claim 1:
Katragadda teaches:
“A method” (Paragraph [0007] (a method for detecting vulnerabilities))
 “by a processor, for providing intelligent data security in a computing environment, comprising” (Paragraph [0026] and Paragraph [0089] (uses self-learning intelligent systems consisting processor with the ability to detect, defend and alert threats in the computational environment)) 
“identifying one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data))
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protecting selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY disclose: stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data; predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form.
However LeFever teaches:
“stored in a database in tabular form” (Paragraph [0530] (uses traditional tabular database structures to store data in the database))
“determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data” (Paragraph [0411], Paragraph [0510] and Paragraph [0530] (the data becomes vulnerable when it is decrypted for the very purpose of enabling use, uses traditional tabular database structures to store data in the database and where the data contains personal identifiable information about the data subjects))
“by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form” (Paragraph [0510] and Paragraph [0530] (implementations of systems for granular, contextual, programmatic enforcement of privacy policies disclosed herein include real-time de-identification and anonymity solutions and/or services that help to address concerns over unintended access to, and use of, data in violation of privacy policies and uses traditional tabular database structures)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of LeFever and apply them on teachings of Katragadda for “stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data;  by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form”.  One would be motivated as dynamic anonymity may be leveraged to provide more privacy-respectful and efficient communications than previous approaches where individuals may benefit from improved privacy and control over third-party access to and use of identifying information about them (LeFever, Paragraph [0032]).
Katragadda and LeFever do not EXPLICITLY disclose: predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data.
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” (Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bellis and apply them on teachings of Katragadda and LeFever for “predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data”.  One would be motivated as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]).

As per claim 2:
Katragadda, LeFever and Bellis teach the method as specified in the parent claim 1 above. 
Bellis further teaches:
“further including ranking the one or more data vulnerabilities according to a degree of importance” (Paragraph [0045] (determining values for such a feature may involve sorting and/or ranking vulnerabilities according to one or more of the numeric features)).

As per claim 3:
Katragadda, LeFever and Bellis teach the method as specified in the parent claim 1 above. 
Katragadda further teaches:
“further including matching the one or more data vulnerabilities with the one or more data protection policies or rules” (Paragraph [0139] (the map client engine of the external malware analysis engine are configured to detect unknown vulnerabilities using dynamic behavior analysis and the rule engine to evaluate the behavior from the new transaction and use the analysis from the map behavior file engine to validate the transaction against past behavior models so to decide whether new transaction is malware or vulnerable)).

As per claim 4:
Katragadda, LeFever and Bellis teach the method as specified in the parent claim 1 above. 
Katragadda further teaches:
“further including defining one or more eligible data compliance formats for protecting selected data using the one or more data protection policies or rules” (Paragraph [0093] and Paragraph [0138] (payload as used generally refers to user specific data in a previously established format, the valid message payload having a header may be converted into a data file, so that the external malware analysis engine may interpret the data file)).

As per claim 5:
Katragadda, LeFever and Bellis teach the method as specified in the parent claim 1 above.
Bellis further teaches:
“further including providing a list of the selected data having potential data vulnerabilities, wherein the list of the selected data is ranked according to a degree of importance” (Paragraph [0044] and Paragraph [0045] (prevalence feature indicates a number of references, in a particular database, to a particular vulnerability and determining values for such a feature may involve sorting and/or ranking vulnerabilities)).

As per claim 6:
Katragadda, LeFever and Bellis teach the method as specified in the parent claim 1 above.
Katragadda further teaches:
“further including generating a set of actionable and non-actionable data protection policies using a data protection vulnerability model” (Paragraph [0127] and Paragraph [0139] (the action engine may be configured to execute the decision signal as well as to make a decision on whether to generate a plurality of alerts to the client environment and validate the transaction against past behavior models so to decide whether new transaction is malware)).

As per claim 8:
Katragadda teaches:
“A system providing intelligent data security in a computing environment, comprising” (Paragraph [0010] (a system of enforcing privacy policy regulations in a computational environment))
 “one or more computers with executable instructions that when executed cause the system to” (Paragraph [0143] (the system is configured to execute and enforce a plurality of data traceability from an integrated system across a browser, a session, a webserver, or the plurality of first databases configured with a personal identifiable information)) 
“identify one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data)) 
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protect selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY disclose: stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data; predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form.
However LeFever teaches:
“stored in a database in tabular form” (Paragraph [0530] (uses traditional tabular database structures to store data in the database))
“determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data” (Paragraph [0411], Paragraph [0510] and Paragraph [0530] (the data becomes vulnerable when it is decrypted for the very purpose of enabling use, uses traditional tabular database structures to store data in the database and where the data contains personal identifiable information about the data subjects))
“by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form” (Paragraph [0510] and Paragraph [0530] (implementations of systems for granular, contextual, programmatic enforcement of privacy policies disclosed herein include real-time de-identification and anonymity solutions and/or services that help to address concerns over unintended access to, and use of, data in violation of privacy policies and uses traditional tabular database structures)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of LeFever and apply them on teachings of Katragadda for “stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data;  by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form”.  One would be motivated as dynamic anonymity may be leveraged to provide more privacy-respectful and efficient communications than previous approaches where individuals may benefit from improved privacy and control over third-party access to and use of identifying information about them (LeFever, Paragraph [0032]).
Katragadda and LeFever do not EXPLICITLY disclose: predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data.
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” (Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bellis and apply them on teachings of Katragadda and LeFever for “predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data”.  One would be motivated as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]).

As per claim 9, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 2 above.

As per claim 10, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 3 above.

As per claim 11, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 4 above.

As per claim 12, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 5 above.

As per claim 13, the claim is rejected based upon the same rationale given for the parent claim 8 and the claim 6 above.

As per claim 15:
Katragadda teaches:
“an executable portion that identifies one or more data vulnerabilities from a plurality of data” (Paragraph [0007] (detecting vulnerabilities and anomalies in a computational environment is provided where a transaction engine receives at least one input data)) 
 “and an executable portion that protects selected data having the one or more data vulnerabilities” (Paragraph [0134] (configured to scan data so to gather information from selected data to protect and predict an attack along with vulnerabilities))
“wherein the identifying data vulnerabilities includes executing machine learning logic to” (Paragraph [0026] (the method uses self-learning intelligent systems with the ability to detect data vulnerabilities in conjunction with machine learning and behavior analysis)) 
 “train a data protection vulnerability model” (Paragraph [0047] (the "supervised machine learning" as used herein generally refers to learning is the optimization of a prediction model to best describe the mapping from the input data to its assigned target label and the optimizing of the model is alternatively referred to as model training)) 
“learn and apply actional data protection policies to the selected data and the one or more data security policies or rules” (Paragraph [0070] (the rule engine refers to creating and/or recording new rules in the rules database and also validates against existing rules in rules database, also includes supervised and unsupervised machine learning techniques and behavior analysis modules that provide decision making capabilities in near real time and to create alerts or notifications))
“and collect feedback data for retraining the data protection vulnerability model” (Paragraph [0046] (the reinforcement algorithm may be a learning method that interacts with its environment by producing actions and discovers errors or rewards and where the feedback may be required for the agent to learn which action is best))
 “and protect selected data having the one or more data vulnerabilities identified by the machine learning logic” (Paragraph [0133] and Paragraph [0134] (configured to scan data using machine learning in the swarm intelligence configuration so to gather information from selected data to protect and predict an attack along with vulnerabilities)). 
Katragadda does not EXPLICITLY disclose: A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising; stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data; predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data; by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form.
However LeFever teaches:
“A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising” (Paragraph [0043] (the system modules may be implemented in program code executed by a processor in the privacy server computer, or in another computer in communication with the privacy server computer where the program code may be stored on a computer readable medium, accessible by the processor and the computer readable medium may be volatile or non-volatile, and may be removable or non-removable storage))
“stored in a database in tabular form” (Paragraph [0530] (uses traditional tabular database structures to store data in the database))
“determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data” (Paragraph [0411], Paragraph [0510] and Paragraph [0530] (the data becomes vulnerable when it is decrypted for the very purpose of enabling use, uses traditional tabular database structures to store data in the database and where the data contains personal identifiable information about the data subjects))
“by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form” (Paragraph [0510] and Paragraph [0530] (implementations of systems for granular, contextual, programmatic enforcement of privacy policies disclosed herein include real-time de-identification and anonymity solutions and/or services that help to address concerns over unintended access to, and use of, data in violation of privacy policies and uses traditional tabular database structures)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of LeFever and apply them on teachings of Katragadda for “A computer program product for, by a processor, providing intelligent data security in a computing environment, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising; stored in a database in tabular form; determine the one or more vulnerabilities as entries in fields in the plurality of data in the database in the tabular form comprise personally identifiable data;  by applying one or more data protection policies or rules, wherein the selected data is de-identified while preserving a file format, inclusive of a data structure and size, of the plurality of data in the database stored in the tabular form”.  One would be motivated as dynamic anonymity may be leveraged to provide more privacy-respectful and efficient communications than previous approaches where individuals may benefit from improved privacy and control over third-party access to and use of identifying information about them (LeFever, Paragraph [0032]).
Katragadda and LeFever do not EXPLICITLY disclose: predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data.
However, Bellis teaches:
“predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data” (Paragraph [0041] and Paragraph [0045] (from the one or more machine learning computers, output data is generated based on applying the one or more predictive models where the output data comprises predicted values, determining values may involve sorting and/or ranking vulnerabilities according to one or more of the aforementioned numeric features and selecting the vulnerabilities that are less than a predetermined threshold value))
“wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data” (Paragraph [0045] (a popular target may refer to a vulnerability ranked in the top 5% by number of affected copies and if there are a total of one billion vulnerabilities being used in a training dataset, the vulnerabilities having rankings of 50 million and above may be assigned a value corresponding to “Yes” (leveraged))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bellis and apply them on teachings of Katragadda and LeFever for “predict a ranking of the one or more data vulnerabilities according to a set of data vulnerabilities from the plurality of data; wherein the ranking of the one or more data vulnerabilities is leveraged to generate training data”.  One would be motivated as the system may interact with the one or more machine learning computers to provide training and input data as well as to receive output data comprising predictions and to assign ranking or priority levels to vulnerabilities (Bellis, Paragraph [0037]).

As per claim 16, the claim is rejected based upon the same rationale given for the parent claim 15 and the claims 2 and 3 above.

As per claim 17, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 4 above.

As per claim 18, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 5 above.

As per claim 19, the claim is rejected based upon the same rationale given for the parent claim 15 and the claim 6 above.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Crabtree et al, (US PGPUB 20210092161), a system and method for the contextualization and management of collaborative databases in an adversarial information environment. The system and method feature the ability to scan for, ingest and process, and then use relational, wide column, and graph stores for capturing entity data, their relationships, and actions associated with them. Furthermore, meta-data is gathered and linked to the ingested data, which provides a broader contextual view of the environment leading up to and during an event of interest. The gathered data and meta-data is used to manage the reputation of the contributing data sources.
Erlingsson Ulfar, (US PGPUB 20220247769), Learning from similar cloud deployments, including: identifying, for at least a portion of a first cloud deployment, one or more additional cloud deployments to utilize for cross-customer learning; receiving information describing configurations associated with the additional cloud deployments; and identifying, based on the configurations, one or more configurations to adopt for the first cloud deployment.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAMAL K DEWAN whose telephone number is (571) 272-2196.  The examiner can normally be reached on Mon-Fri 8:00 AM – 5:00 PM (EST).  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONY MAHMOUDI can be reached on 571-272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Kamal K Dewan/
Examiner, Art Unit 2163


/TONY MAHMOUDI/
Supervisory Patent Examiner, Art Unit 2163