DETAILED ACTION
Response to Amendment

1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2. 
	Continued Examination Under 37 CFR 1.114
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/14/2022 has been entered.

3.
Response to Arguments
Applicant’s Argument:
On pages 9-10 of the Remarks/Arguments, Applicant argues that Davis fails to teach in response to determining that the user-plane data includes the plaintext sensitive data, generating plaintext placeholder data that is a generalization of the user-plane data and that is a same type of data as the plaintext sensitive data; providing the plaintext placeholder data that is the generalization of the user-plane data and that is the same type of data as the plaintext sensitive data to the computing operation.

Response to Argument: 
Applicant’s arguments, filed on 06/28/2022, with respect to the rejection(s) of claims 1-6, 8-14, 16-18 and 20 under 35 U.S.C. 102(a)(1) have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Carlson et al. (see rejections below).


4.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-14, 16 and 21-24 are rejected under 35 U.S.C. 103 as being unpatentable over Davis et al. US 2018/0176192 (hereinafter Davis), and further in view of Carlson et al. US 20130246199 (hereinafter Carlson).


Regarding claim 1 Davis teaches a user device, comprising: one or more processors; memory coupled to the one or more processors, the memory including one or more modules that are executable by the one or more processors to: intercept, at a security monitoring application, a computing operation executed by a user application, the computing operation including user-plane data; determine whether the user-plane data includes plaintext sensitive data; and in response to determining that the user-plane data includes the plaintext sensitive data, quarantine the user-plane data and provide the computing operation with placeholder data that is a generalization of the user-plane data; and permit execution of the computing operation by the user application using the plaintext placeholder data that is the generalization of the user-plane data (Davis teaches sensitive data may be exchanged between a user and a service provider, wherein a proxy server may protect the sensitive data such as by encrypting the sensitive data, wherein the sensitive data may include a plurality of different types of data [0018], [0023-0025], and fig. 1. A data protection module may obtain a request including information from a sender (i.e. user-plane data), determine whether the information includes sensitive data based on a flag or a data type, upon determining that the information includes sensitive data, the data protection module provides the sensitive data to an encryption module, wherein the encryption module encrypts the sensitive data, and provides the encrypted sensitive data to the data protection module, and wherein the data protection module replaces the plaintext sensitive data with the encrypted sensitive data and then transmits the request to an endpoint associated with the sender (i.e. data included in the request are related to a user, for example payment information (see Davis, par. 0163); however, after encrypting a portion of the data (i.e. the sensitive portion) the whole data in the request represents a generalization of the user data) [0099-0102], and fig. 3-4, and 12). Note that according to the specification of the instant application, the term “quarantine” comprises encrypting the sensitive data (see par. 0017 and 0093). Davis does not teach in response to determining that the user-plane data includes the plaintext sensitive data, generating plaintext placeholder data that is a generalization of the user-plane data and that is a same type of data as the plaintext sensitive data; providing the plaintext placeholder data that is the generalization of the user-plane data and that is the same type of data as the plaintext sensitive data to the computing operation. Carlson substantially teaches a pay network server may send a notification to a merchant server, wherein the notification may be, for example, an email, wherein some private information may be removed from the email such as a consumer’s name and address [0067]. Note that after removing the private information from the email, the email provides a generalization of the consumer plaintext.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Davis such that the invention further includes in response to determining that the user-plane data includes the plaintext sensitive data, generating plaintext placeholder data that is a generalization of the user-plane data and that is a same type of data as the plaintext sensitive data; providing the plaintext placeholder data that is the generalization of the user-plane data and that is the same type of data as the plaintext sensitive data to the computing operation. One would have been motivated to do so to satisfy the consumer preference [0067].

Regarding claim 2 Davis as modified teaches the user device of claim 1, wherein the computing operation corresponds to an outbound transmission of the user-plane data to a recipient device, use of the user-plane data on the user device, or a storage of the user-plane data at a data-store of the user device (Davis teaches transmitting configuration data to endpoint device [0102], fig. 1, and 12).  

Regarding claim 3 Davis as modified teaches the user device of claim 1, wherein the one or more modules are further executable by the one or more processors to:
identify the user application based at least in part on an application identifier included within the user-plane data, and wherein determining whether the user-plane data includes the plaintext sensitive data is based at least in part on the application identifier (Davis teaches a proxy may determine whether sensitive information is present and protect it, wherein the sensitive information may include an address, passport number, a tax identifier, legal information, financial information, customer lists and/or specific customer identifying information [0025], and fig. 12. The secure proxy fleet may transmit the rendered data fleet to the customer over the Internet using an IP address associated with the customer [0097]).

Regarding claim 4 Davis as modified teaches the user device of claim 1, wherein the one or more modules are further executable by the one or more processors to: monitor plaintext device data captured by the user application from components of the user device, the plaintext device data including location data, user identifier data, or device identifier data, and wherein, the plaintext sensitive data includes the plaintext device data (Davis teaches a proxy may detect sensitive information and protect it, wherein the sensitive information may include an address, passport number, a tax identifier, legal information, financial information, customer lists and/or specific customer identifying information [0025], and fig. 1 and 14).

Regarding claim 5 Davis as modified teaches the user device of claim 1, wherein the one or more modules are further executable by the one or more processors to: in response to determining that the user-plane data includes the plaintext sensitive data, determine that the user application is configured to permit encryption of the user-plane data using an encryption protocol accessible via the user device; encrypt, via the encryption protocol, the user-plane data to create an encrypted user-plane data; and permit an additional execution of the computing operation by the user application using the encrypted user-plane data (Davis teaches the sensitive data may be encrypted with a public key associated with a customer prior to transmission of the sensitive data to a client device associated with the customer [0020]. The secure proxy fleet and/or data protection module may be responsible for establishing and maintaining one end of a secure link between the customer and the backend services. In some examples, the secure proxy fleet establishes an encrypted network connection by using a TLS connection [0038], [0060]).

Regarding claim 6 Davis as modified teaches the user device of claim 1, wherein the one or more modules are further executable by the one or more processors to: 
determine that the computing operation is associated with a transmission of the user-plane data to a recipient device (Davis teaches sensitive data may be directed to a trusted entity or location operated by the backend services [0025], [0036]);
determine whether a trust relationship is active between the recipient device and a transitive trust server associated with the user device, the transitive trust server configured to provide a secure transmission of the user-plane data to the recipient device (Davis teaches the secure proxy fleet and/or data protection module may be responsible for establishing and maintaining one end of a secure link between the customer and the backend services. In some examples, the secure proxy fleet establishes an encrypted network connection by using a TLS connection [0038], [0060]); 

in response to confirming that the trust relationship is active, retrieve, from the transitive trust server, a public key of an asymmetric private-public key pair that is associated with the recipient device; and encrypt, the user-plane data using the public key to create an encrypted user-plane data for transmission to the recipient device (Davis teaches the sensitive data may be encrypted with a public key associated with a customer prior to transmission of the sensitive data to a client device associated with the customer [0020]).  

Regarding claim 8 Davis as modified teaches the user device of claim 1, wherein the one or more modules are further executable by the one or more processors to: in response to determining that the user-plane data does not include the plaintext sensitive data, permit execution of the computing operation associated with the user-plane data (Davis teaches if the request does not include sensitive data the data protection module or secure proxy fleet may transmit the request to the endpoint [0101] and fig.12).  

In response to Claim 9: Rejected for the same reason as claim 1
In response to Claim 10: Rejected for the same reason as claim 3

Regarding claim 11 Davis as modified teaches the security monitoring controller of claim 9, wherein the computing operation corresponds to an outbound transmission of the user-plane data to a recipient device, and wherein the one or more modules are further executable by the one or more processors to: 
determine whether the recipient device is configured to use a particular encryption protocol to decrypt an encryption of the user-plane data; in response to the recipient device being configured to use the particular encryption protocol, encrypt the user-plane data to create encrypted user-plane data; and permit an additional execution of the computing operation using the encrypted user-plane data (Davis teaches the sensitive data may be encrypted with a public key associated with a customer prior to transmission of the sensitive data to a client device associated with the customer [0020]. The secure proxy fleet and/or data protection module may be responsible for establishing and maintaining one end of a secure link between the customer and the backend services. In some examples, the secure proxy fleet establishes an encrypted network connection by using a TLS connection [0038], [0060]).    

In response to Claim 12: Rejected for the same reason as claim 6

Regarding claim 13 Davis as modified teaches the security monitoring controller of claim 9, wherein the one or more modules are further executable by the one or more processor to: monitor data packets handled by a computing hardware within the network, the computing hardware corresponding to one or more of network interface cards, hubs, repeaters, concentrators, or amplifiers, and wherein, intercepting the computing operation associated with the user device is based at least in part on monitoring the data packets (Davis teaches the network environment may include a plurality of devices such as modem, a network card (wireless or wired) [0116-0117]. A detection module parses received data, and if the detection module determines the received data includes sensitive data, the detection module may forward or otherwise provide the data to the encryption module to be encrypted [0047], and fig. 4).  

Regarding claim 14 Davis as modified teaches the security monitoring controller of claim 9, wherein the one or more modules are further executable by the one or more processor to: monitor at least one of data streams or data frames handled by a computing hardware within the network, the computing hardware corresponding to one or more of routers, bridges, switches, and user devices, and wherein intercept the computing operation associated with the user device is based at least in part on monitoring the data streams or the data frames (Davis teaches sensitive data may be exchanged between a user and a service provider via internet, wherein a proxy server may protect the sensitive data with encryption, wherein the sensitive data may include a plurality of different types of data [0018], [0023-0025], fig. 1).  

In response to Claim 16: Rejected for the same reason as claim 4
In response to Claim 21: Rejected for the same reason as claim 1
In response to Claim 22: Rejected for the same reason as claim 2
In response to Claim 23: Rejected for the same reason as claim 3
In response to Claim 24: Rejected for the same reason as claim 4

5.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Davis and Carlson as mentioned above, in view of Wu et al. US 20060294391 (hereinafter Wu).

Regarding claim 7 Davis as modified teaches the user device of claim 1, the plaintext sensitive data was quarantined (Davis teaches sensitive data may be exchanged between a user and a service provider, wherein a proxy server may protect the sensitive data such as by encrypting the sensitive data, wherein the sensitive data may include a plurality of different types of data [0018], [0023-0025]). Note that according to the specification of the instant application, the term “quarantine” comprises encrypting the sensitive data (see par. 0017 and 0093 of the instant application). Davis and Carlson do not teach displaying a message on a user interface of the user device that the plaintext sensitive data was quarantined. Wu substantially teaches that after the encryption/decryption module 2 has finished the encryption operation, an encryption result will be displayed, i.e. a message is displayed to the user that the file encryption has been completed [0058].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Davis and Carlson such that the invention further includes displaying a message on a user interface of the user device that the plaintext sensitive data was quarantined. One would have been motivated to do so to make the system friendlier (i.e. updating the user about the status of an operation allows the user to be aware of an issue and take an action).

6.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Davis and Carlson as mentioned above, in view of Cohen et al. US 8,239,918 (hereinafter Cohen).

Regarding claim 15 Davis as modified teaches the security monitoring controller of claim 9, quarantining the user-plane data (Davis teaches sensitive data may be exchanged between a user and a service provider, wherein a proxy server may protect the sensitive data such as by encrypting the sensitive data, wherein the sensitive data may include a plurality of different types of data [0018], [0023-0025]). Davis and Carlson do not teach transmitting a message to a user device, the message including one or more selectable options to accept a termination of the computing operation or permit the computing operation to occur. Cohen substantially teaches an administrator may receive a message to approve or disapprove an operation (col. 5, lines 54-67).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Davis and Carlson such that the invention further includes transmitting a message to a user device, the message including one or more selectable options to accept a termination of the computing operation or permit the computing operation to occur. One would have been motivated to do so to ensure that an appropriate decision has been made to perform or to stop performing an operation (i.e. to overcome false positive and false negative issues). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AYOUB ALATA whose telephone number is (571)270-1474.  The examiner can normally be reached on Monday - Friday 7:30 - 5:00 Est.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung (Jay) Kim can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is (571)273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AYOUB ALATA/           Primary Examiner, Art Unit 2494