DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 06/14/2022. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/14/2022 was filed before the mailing date of the office action on 08/28/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

 

Response to Amendment
The amendment filed on 06/14/2022 has been entered. Applicant’s amendments to claims and specification have overcome all the objections, 112(b), and 101 rejections previously set forth in the Non-Final Office Action mailed on 07/01/2022.

Response to Arguments
Applicant’s arguments filed on 06/14/2022 have been fully considered but are not persuasive.
Regarding applicant’s argument that an intrusion cannot be considered sensitive information as set forth in the Non-Final Office Action in view of Dennerline’s teaching: the examiner respectfully disagrees with the applicant because Dennerline discloses that packets may comprise intrusions. These intrusions in the packets are information that needs to be addressed, else the network on which the intrusion is present will be maliciously attacked. Thus, the intrusion is sensitive information.
All other arguments are moot because of the new grounds of rejection made below in response to the new amendments by the applicant.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-5, 8, 10, 12, 15, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No 20100125900 to Dennerline et al. (hereinafter Dennerline) in view of U.S. PGPub No 20170099200 to Ellenbogen et al. (hereinafter Ellenbogen).

Regarding claim 1, Dennerline discloses a method for classifying data in real-time, the method comprising: 
capturing a plurality of data packets (plurality of packets, ¶0006) flowing between a data source machine (source computer 120, ¶0016, Fig. 1) and a data client (destination computer 160, ¶0016, Fig. 1);
searching at least one of the data packets (¶0032; wherein the data packet in the network is searched) for tokens (¶0019; wherein the signatures or other patterns of bits in each packet are the tokens) associated with sensitive information (¶0018, pornography) streaming in or out of a database in real-time (“potential threats can be continuously assessed”, ¶0051);
if tokens associated with sensitive information are not found in a data packet (¶0032):
allowing the data packet to flow between the data source machine and the data client (¶0032, wherein data is forwarded to the subnet 170); and
sending the data packet to a comprehensive security analysis (Fig. 1, wherein there is a firewall between the subnet 170 and the data client 160 and wherein a firewall is a form of security analysis);
and if tokens associated with sensitive information are found in the data packet (¶0032, malicious packet):
preventing the data packet from flowing between the data source machine and the data client (¶0032, wherein the packet is dropped if it is found to be malicious); and
sending the data packet to a comprehensive security analysis (¶0003, wherein the blocked/dropped packets are sent for comprehensive analysis by the system administrator).

However, Dennerline does not disclose the following limitation taught by Ellenbogen: sending the packet for an offline comprehensive security analysis.
Ellenbogen discloses record keeping services and audit and record tracking that can record all raw data of platform activity to a data warehouse for offline analysis and presentation (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline to include the concept of sending the packet for offline comprehensive security analysis as taught by Ellenbogen and be motivated in doing so in order to save time and resources of the network.


Regarding claim 4, Dennerline in view of Ellenbogen discloses the method of claim 1. Dennerline further discloses wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client. See Dennerline disclosure of two-directional communication of a packet which involves a request (query) and response (“Next, program 147 determines if this packet has a flow-based protocol, i.e., a protocol which involves a two-directional communication (decision 204). Typically, a two-directional communication includes a setup of the communication, a request, a response and a closure of the communication”, ¶0036). The examiner equates this to a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client.

Regarding claim 5, Dennerline in view of Ellenbogen discloses the method of claim 1. Dennerline further discloses wherein capturing and searching are performed by a software agent that is installed on the data source machine.  
Dennerline discloses an intrusion analysis engine in the source computer and implemented in software which the examiner equates to a software agent that is installed on the data source machine (“Source computer 120 also includes an intrusion analysis engine 152 (implemented in software and/or hardware) which analyzes incoming packets to detect and block intrusions such as viruses, worms, or other packets which attempt to exploit a vulnerability in the destination computer or cause denial of service attacks. Intrusion analysis engine 152 can also block messages with unwanted content such as pornography and/or spam”, ¶0018).

Regarding claim 8, Dennerline in view of Ellenbogen discloses the method of claim 1. Dennerline further discloses comprising: updating the tokens associated with sensitive information based on results of the comprehensive security analysis.  
Dennerline discloses the concept of updating the packet’s flow attributes after analyzing the packet for intrusion which is in conformity with the limitation of claim 8 above: (“In response to the notification from program 147, intrusion analysis engine 152 analyzes the packet for intrusions in a known manner as described above. Next, program 147 updates the packet's flow attributes, as described above (step 242). Next, program 147 proceeds to decision 244-248, as described above”, ¶0044).
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 1 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline and Ellenbogen to include the concept of updating the tokens associated with sensitive information based on results of the offline comprehensive security analysis as taught by Ellenbogen and be motivated in doing so in order to reduce or eliminate false-negative or false-positive alerts (Ellenbogen ¶0056, in part).



Regarding claim 10, Dennerline in view of Ellenbogen discloses the method of claim 1.
Dennerline further discloses comprising: issuing a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues.  
Dennerline discloses the concept of notifying the administrator who will further analyze the notification if an intrusion in a packet is detected by the IPS (“If the IPS detects an intrusion in a packet, the IPS can automatically block/drop the packet, block the flow associated with the packet, and/or notify (alert) an administrator. The administrator can further analyze the notification details, and if he or she determines that the notification is associated with an intrusion, may change the configuration of a firewall to block the intruder, report the event to the authorities, gather forensic evidence, clean any compromised hosts, and/or contact the administrator of the network that was the source of the attack”, ¶0003).
See also Dennerline disclosure in ¶0076: “Flows marked fast forward can continue to be inspected and any detected security violation (security issues) can be reported”.
The examiner interprets these two paragraphs as issuing a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues.  
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 1 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline and Ellenbogen to include the concept of issuing a security alert if tokens associated with sensitive information are found in the data packet and if the offline comprehensive security analysis disclosed by Ellenbogen finds security issues, and be motivated in doing so in order to reduce or eliminate false-negative or false-positive alerts (Ellenbogen ¶0056, in part).

Regarding claim 12, Dennerline discloses a system for classifying data in real-time, the system comprising: 
a memory; and a processor configured to (¶0040, “In such implementations, an application program (e.g., application 127, program 147, intrusion analysis engine 152 or application 167), or software components thereof, including instructions or code for performing the methodologies of the invention, as described herein, may be stored on one or more associated storage devices (e.g., ROM 124, 144 or 164 and/or storage units 126, 146 or 166) and, when ready to be utilized, loaded in whole or in part (e.g., into RAM 123, 143 or 163) and executed by one or more processors (e.g., CPUs 121, 141 or 161)”):
capture a plurality of data packets (plurality of packets, ¶0006) flowing between a data source machine (source computer 120, ¶0016) and a data client (destination computer 160, ¶0016, Fig. 1);
search at least one of the data packets (¶0032; wherein the data packet in the network is searched) for tokens (¶0019; wherein the signatures or other patterns of bits in each packet are the tokens) associated with sensitive information (¶0018, pornography) streaming in or out of a database in real-time (“potential threats can be continuously assessed”, ¶0051);

if tokens associated with sensitive information are not found in a data packet (¶0032):
allowing the data packet to flow between the data source machine and the data client (¶0032, wherein data is forwarded to the subnet 170); and
sending the data packet to a comprehensive security analysis (Fig. 1, wherein there is a firewall between the subnet 170 and the data client 160 and wherein a firewall is a form of security analysis);
and if tokens associated with sensitive information are found in the data packet (¶0032, malicious packet):
preventing the data packet from flowing between the data source machine and the data client (¶0032, wherein the packet is dropped if it is found to be malicious); and
sending the data packet to a comprehensive security analysis (¶0003, wherein the blocked/dropped packets are sent for comprehensive analysis by the system administrator).
However, Dennerline does not disclose the following limitation taught by Ellenbogen: sending the packet for an offline comprehensive security analysis.
Ellenbogen discloses record keeping services and audit and record tracking that can record all raw data of platform activity to a data warehouse for offline analysis and presentation (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline to include the concept of sending the packet for offline comprehensive security analysis as taught by Ellenbogen and be motivated in doing so in order to save time and resources of the network.
 

Regarding claim 15, Dennerline in view of Ellenbogen discloses the system of claim 12. Dennerline further discloses wherein the data packet is one of: a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client. See Dennerline disclosure of two-directional communication of a packet which involves a request (query) and response (“Next, program 147 determines if this packet has a flow-based protocol, i.e., a protocol which involves a two-directional communication (decision 204). Typically, a two-directional communication includes a setup of the communication, a request, a response and a closure of the communication”, ¶0036). The examiner equates this to a query sent from the data client to the data source machine, and a response sent from the data source machine to the data client.

Regarding claim 18, Dennerline in view of Ellenbogen discloses the system of claim 12. Dennerline further discloses wherein the processor is configured to: update the tokens associated with sensitive information based on results of the offline comprehensive security analysis. Dennerline discloses the concept of updating the packet’s flow attributes after analyzing the packet for intrusion, which is in conformity with the limitation of claim 18 above (“In response to the notification from program 147, intrusion analysis engine 152 analyzes the packet for intrusions in a known manner as described above. Next, program 147 updates the packet's flow attributes, as described above (step 242). Next, program 147 proceeds to decision 244-248, as described above”, ¶0044).
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 12 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline and Ellenbogen to include the concept of updating the tokens associated with sensitive information based on results of the offline comprehensive security analysis as taught by Ellenbogen and be motivated in doing so in order to reduce or eliminate false-negative or false-positive alerts (Ellenbogen ¶0056, in part).


Regarding claim 19, Dennerline in view of Ellenbogen discloses the system of claim 12. Dennerline further discloses wherein the processor is configured to: issue a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues.
Dennerline discloses the concept of notifying the administrator who will further analyze the notification if an intrusion in a packet is detected by the IPS (“If the IPS detects an intrusion in a packet, the IPS can automatically block/drop the packet, block the flow associated with the packet, and/or notify (alert) an administrator. The administrator can further analyze the notification details, and if he or she determines that the notification is associated with an intrusion, may change the configuration of a firewall to block the intruder, report the event to the authorities, gather forensic evidence, clean any compromised hosts, and/or contact the administrator of the network that was the source of the attack”, ¶0003).
See also Dennerline disclosure in ¶0076: “Flows marked fast forward can continue to be inspected and any detected security violation (security issues) can be reported”.
The examiner interprets these two paragraphs as issuing a security alert if tokens associated with sensitive information are found in the data packet and if the comprehensive security analysis finds security issues.
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in the independent claim 12 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline and Ellenbogen to include the concept of issuing a security alert if tokens associated with sensitive information are found in the data packet and if the offline comprehensive security analysis disclosed by Ellenbogen finds security issues, and be motivated in doing so in order to reduce or eliminate false-negative or false-positive alerts (Ellenbogen ¶0056, in part).

Claims 2-3, 6, 9, 11, 13-14, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No 20100125900 to Dennerline et al. (hereinafter Dennerline) in view of U.S. PGPub No 20170099200 to Ellenbogen et al. (hereinafter Ellenbogen) and further in view of U.S. PGPub No 20190347413 to Dubrovsky et al. (hereinafter Dubrovsky).

Regarding claim 2, Dennerline in view of Ellenbogen discloses the method of claim 1. However, Dennerline in view of Ellenbogen does not disclose the following limitation: if tokens associated with sensitive information are found in the data packet:
continuing to prevent the data packet from flowing between the data source machine and the data client if the offline comprehensive security analysis finds security issues; and
allowing the data packet to flow between the data source machine and the data client if the offline comprehensive security analysis finds no security issues.
Dubrovsky discloses, if tokens associated with sensitive information are found in the data packet, continuing to prevent the data packet from flowing between the data source machine and the data client if the comprehensive security analysis finds security issues (“When the result 637 from the datacenter 630 indicates that there is a malware signature match or indicates that program code associated with the file performs suspicious activity, the gateway device 610 may then block the file from being sent to the client machine 620. For instance, the gateway device 610 may simply discard the data packets not yet forwarded to the client machine 620, instead of continuing to forward the data packets to the client machine 620”, ¶0088).
See Dubrovsky disclosure about continuing to forward the packet if no security issues were found (“Otherwise, if there is no match or suspicious activity observed, then the file is not likely to contain malware, and thus, the gateway device 610 continues to forward data packets of the file to the client machine 620 until all data packets of the file have been forwarded”, ¶0088). The gateway device performs the comprehensive security analysis. The examiner equates this to allowing the data packet to flow between the data source machine and the data client if the comprehensive security analysis finds no security issues.
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in the independent claim 1 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Dennerline and Ellenbogen by incorporating the concept of continuing to forward the data packets if the offline comprehensive security analysis disclosed by Ellenbogen finds no security issue, or continuing to block the data packets if it finds the packets to be malicious, as disclosed by Dubrovsky, and be motivated in doing so because it provides a utilization method to detect and block malware included in the received data set (Dubrovsky abstract).
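As an added illustration, not code from the application or from Dennerline, Ellenbogen or Dubrovsky, the gating sequence recited in claims 1, 2, 8 and 10 above in Python: a real-time token scan that forwards token-free packets and quarantines flagged ones, every packet queued for offline analysis, an offline verdict that decides continued block or release, an alert only when a quarantined packet is confirmed, and the token list refreshed from offline findings. All packets, tokens and verdicts are constructed sample data, and the Verdict record shape is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    pid: int
    src: str       # data source machine (e.g. a database server)
    dst: str       # data client
    payload: bytes


@dataclass
class Verdict:
    """Result handed back by the offline comprehensive analysis (assumed shape)."""
    pid: int
    issues: List[str] = field(default_factory=list)          # empty = no security issue
    learned_tokens: List[str] = field(default_factory=list)  # new indicators to watch for
    retired_tokens: List[str] = field(default_factory=list)  # indicators judged false positives


class PacketGate:
    """Real-time token scan in front of an offline analysis stage."""

    def __init__(self, tokens: List[str]):
        self.tokens: Set[str] = set(tokens)
        self._pattern: Optional[re.Pattern] = None
        self._compile()
        self.audit_queue: List[Packet] = []      # forwarded now, still analysed offline
        self.quarantine: Dict[int, Packet] = {}  # held until an offline verdict arrives
        self.alerts: List[Tuple[int, List[str]]] = []

    def _compile(self) -> None:
        if not self.tokens:
            self._pattern = None
            return
        alts = sorted(self.tokens, key=len, reverse=True)   # longest alternative first
        self._pattern = re.compile(b"|".join(re.escape(t.encode()) for t in alts))

    def find_tokens(self, payload: bytes) -> List[str]:
        if self._pattern is None:
            return []
        return sorted({m.group(0).decode() for m in self._pattern.finditer(payload)})

    def classify(self, pkt: Packet) -> Tuple[bool, List[str]]:
        """Claim 1 step: returns (forwarded_now, tokens_found). Every packet goes on
        to offline analysis; only a token-free packet is allowed to flow immediately."""
        found = self.find_tokens(pkt.payload)
        if not found:
            self.audit_queue.append(pkt)
            return True, []
        self.quarantine[pkt.pid] = pkt
        return False, found

    def apply_verdict(self, v: Verdict) -> str:
        """Claim 2 step: the offline verdict decides continued block or release.
        Claim 8 step: the token list is refreshed from the offline findings.
        Claim 10 step: an alert is raised only for a quarantined packet that is confirmed."""
        for t in v.learned_tokens:
            self.tokens.add(t)
        for t in v.retired_tokens:
            self.tokens.discard(t)
        if v.learned_tokens or v.retired_tokens:
            self._compile()
        pkt = self.quarantine.pop(v.pid, None)
        if pkt is None:
            # Packet had no tokens and was already forwarded; a finding here is a
            # false negative that the learned tokens are meant to close next time.
            self.audit_queue = [p for p in self.audit_queue if p.pid != v.pid]
            return "missed" if v.issues else "forwarded"
        if v.issues:
            self.alerts.append((pkt.pid, list(v.issues)))
            return "blocked"
        return "released"


def run_demo() -> Dict[str, object]:
    """Constructed sample traffic between a database server and a client."""
    gate = PacketGate(["SSN=", "CARD=", "secret"])
    packets = [
        Packet(1, "db-server", "client-a", b"SELECT name FROM users WHERE id=7"),
        Packet(2, "db-server", "client-a", b"row: name=Ann SSN=123-45-6789"),
        Packet(3, "client-a", "db-server", b"GET /export?all=1"),
        Packet(4, "db-server", "client-a", b"note: the secret sauce of our pricing"),
    ]
    realtime = {p.pid: gate.classify(p) for p in packets}
    # Constructed offline verdicts: packet 2 confirmed, packet 4 a false positive
    # whose token is retired, packet 3 a missed bulk export that yields a new token.
    outcomes = {
        2: gate.apply_verdict(Verdict(2, issues=["PII exfiltration"])),
        4: gate.apply_verdict(Verdict(4, retired_tokens=["secret"])),
        3: gate.apply_verdict(Verdict(3, issues=["bulk export"], learned_tokens=["/export?all="])),
    }
    # With the updated tokens, a repeat of packet 3 is now held in real time.
    replay = gate.classify(Packet(5, "client-a", "db-server", b"GET /export?all=1"))
    return {"realtime": realtime, "outcomes": outcomes, "replay": replay,
            "alerts": gate.alerts, "tokens": sorted(gate.tokens)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```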

Regarding claim 3, Dennerline in view of Ellenbogen discloses the method of claim 1. However, Dennerline in view of Ellenbogen does not disclose the following limitation taught by Dubrovsky: wherein the data source machine is selected from the list consisting of: a database server, a file server, a proxy and a database server, a combination of a proxy and a file server, a combination of a network gate and a database server, and a combination of a network gate and a file server.
See Dubrovsky disclosure about the datacenter which includes at least one computing machine and at least one computer-readable storage medium (“The datacenter 630 includes at least one computing machine and at least one computer-readable storage medium…”, ¶0081). The examiner equates the datacenter to the data source machine.
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the method of Dennerline and Ellenbogen by incorporating the concept of a data source machine as disclosed by Dubrovsky and be motivated in doing so because it provides a utilization method to store information relating to behavior patterns that may be associated with or that characterize potentially malicious code (Dubrovsky ¶0081).


Regarding claim 6, Dennerline in view of Ellenbogen discloses the method of claim 5.
Dubrovsky discloses the concept of security screening and the updating of security screening information, such as Deep Packet Inspection (DPI) and others, which may be performed by another server of a network security company (“…Such updates may be performed manually by an administrator of the datacenter, or automatically by downloading from another server of a network security company that provides such updates…”, ¶0081).
The examiner equates this to the comprehensive security analysis being performed by a dedicated security server as recited in claim 6 above.
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in the independent claim 1 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the method of Dennerline and Ellenbogen in claim 5 by incorporating the concept of security screening by a dedicated server as disclosed by Dubrovsky and be motivated in doing so because it provides a utilization method to perform security screening related tasks such as signature/pattern matching, hash comparison, deep packet inspection, etc. (Dubrovsky ¶0081).
Regarding claim 9, Dennerline in view of Ellenbogen discloses the method of claim 1.
Dennerline in view of Ellenbogen further discloses wherein the offline comprehensive security analysis comprises: parsing the data packet; and building a hierarchy of the data.
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 1 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis). 
See Dennerline disclosure about parsing the data packet (“…In response, program 147 parses the packet and identifies attributes of the packet relevant to determining the composite score or whether the packet should automatically be dropped…”, ¶0035).
See Dennerline disclosure about building a data structure (hierarchy) which represents a given flow (“…As described in section I, the flow object is a data structure which represents a given flow. In this illustrative embodiment, flow object 400 has been expanded to include additional fields. For example, field 410 represents the state by setting condition flags for normal operation, for fast forwarding, for autodrop, and for the catch-up mode. Field 420 includes counters which indicate number of packets that are enqueued or currently processed in the backend for the flow represented by this flow object…”, ¶0077).
However, Dennerline in view of Ellenbogen does not explicitly disclose the following limitation taught by Dubrovsky:
mapping metadata to data; and processing policy rules.
Dubrovsky discloses mapping of metadata to data (“…where that modification of the data set may include adding the classification to metadata associated with the data set…”, ¶0049; “In certain instances a data set that includes suspected malicious code may be modified, for example by adding metadata information that identifies the data set as possibly being malicious”, ¶0050). The examiner equates this to mapping metadata to data.
Dubrovsky discloses the concept of processing policy rules (“Alternatively or additionally, a content rating may be associated with an authorization level and an access policy. In such instances, a user of a client device may be prohibited from accessing certain content when that user is not authorized to view or receive that content based on that user not being authorized to receive or view that content based on a policy”, ¶0084).
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the method of Dennerline and Ellenbogen in claim 1 by incorporating the concept of adding metadata information that identifies the data set as possibly being malicious based on policy rules, as disclosed by Dubrovsky, into the offline comprehensive analysis disclosed by Ellenbogen, and be motivated in doing so because it provides a utilization method to modify the data set, thereby disabling the executable code in the data set (Dubrovsky ¶0049).
Regarding claim 11, Dennerline in view of Ellenbogen discloses the method of claim 1.
Dennerline further discloses comprising, after capturing: analyzing the headers to determine a security status of packets associated with the headers; and selecting the at least one data packet based on the security status.
Dennerline discloses the concept of a firewall or other gateway analyzing (checking) the information in the header of a packet before forwarding the packet to the destination computer (“…After checking the destination IP address, application identifier or other destination indicia contained in the packet's header, firewall (or other gateway) 172 forwards the packet to destination computer 160”, ¶0063). The firewall or other gateway determines the security status of the packet before forwarding it to the destination computer.
Dennerline discloses selection of packets based on their threat-score (security status) (“…Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections”, ¶0055).
However, Dennerline in view of Ellenbogen does not explicitly disclose the following limitation taught by Dubrovsky: decrypting the plurality of data packets to obtain a header of each packet.
Dubrovsky discloses the concept of decrypting the plurality of data packets (“The de-obfuscating of a set of computer data may include decrypting, reordering, or resequencing data included in that set of computer data. In certain instances, a portion of the data included in the set of computer data may be decrypted. The decryption may include XORing at least a portion of the data included in the data packet set with other data or with other data included in the data packet set…”, ¶0040). Once the data packet is decrypted, the header can be obtained.
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the method of Dennerline and Ellenbogen in claim 1 by incorporating the concept of decrypting the plurality of data packets to obtain the header of each packet as disclosed by Dubrovsky and be motivated in doing so because it provides a utilization method to detect the presence of malware in the data set (Dubrovsky ¶0040).
Regarding claim 13, Dennerline in view of Ellenbogen discloses the system of claim 12.
 	However, Dennerline in view of Ellenbogen does not disclose the following limitation: 
wherein if tokens associated with sensitive information are found in the data packet, the processor is configured to:
continue to prevent the data packet from flowing between the data source machine and the data client if the offline comprehensive security analysis finds security issues; and
allow the packet to flow between the data source machine and the data client if the offline comprehensive security analysis finds no security issues.
Dubrovsky discloses, if tokens associated with sensitive information are found in the data packet, continuing to prevent the data packet from flowing between the data source machine and the data client if the comprehensive security analysis finds security issues:
  (“When the result 637 from the datacenter 630 indicates that there is a malware signature match or indicates that program code associated with the file performs suspicious activity, the gateway device 610 may then block the file from being sent to the client machine 620. For instance, the gateway device 610 may simply discard the data packets not yet forwarded to the client machine 620, instead of continuing to forward the data packets to the client machine 620”, ¶0088). The gateway device performs the comprehensive security analysis.
and allowing the data packet to flow between the data source machine and the data client if the comprehensive security analysis finds no security issues.  
See Dubrovsky disclosure about continuing to forward the packet if no security issues were found (“Otherwise, if there is no match or suspicious activity observed, then the file is not likely to contain malware, and thus, the gateway device 610 continues to forward data packets of the file to the client machine 620 until all data packets of the file have been forwarded”, ¶0088).                                                                                                                            
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 12 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the system of Dennerline and Ellenbogen by continuing to forward the data packets if the offline comprehensive security analysis disclosed by Ellenbogen finds no security issue, or continuing to block the data packets if it finds them to be malicious, as disclosed by Dubrovsky, and would have been motivated to do so because this provides a method to detect and block malware included in the received data set (Dubrovsky, Abstract).
Regarding claim 14, Dennerline in view of Ellenbogen discloses the system of claim 12. However, Dennerline in view of Ellenbogen does not explicitly disclose the following limitation taught by Dubrovsky: 
wherein the data source machine is selected from the list consisting of: a database server, a file server, a proxy and a database server, a combination of a proxy and a file server, a combination of a network gate and a database server, and a combination of a network gate and a file server.
 See Dubrovsky disclosure about the datacenter which includes at least one computing machine and at least one computer-readable storage medium (“The datacenter 630 includes at least one computing machine and at least one computer-readable storage medium……….”, ¶0081). The examiner equates the datacenter to the data source machine.                                                  
Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the system of Dennerline and Ellenbogen by incorporating the data source machine as disclosed by Dubrovsky, and would have been motivated to do so because it provides a machine on which to store information relating to behavior patterns that may be associated with, or that characterize, potentially malicious code (Dubrovsky ¶0081).

Regarding claim 16, Dennerline in view of Ellenbogen discloses the system of claim 12.                                        
However, Dennerline in view of Ellenbogen does not explicitly disclose the following limitation: wherein the processor is installed on the data source machine, wherein the offline comprehensive security analysis is performed by a dedicated security server, and wherein the processor is configured to send the data packet to the dedicated security server for performing the offline comprehensive security analysis.
Dubrovsky discloses the concept of security screening, and of updating security screening information such as Deep Packet Inspection (DPI) signatures and the like, which may be performed by another server of a network security company (“………Such updates may be performed manually by an administrator of the datacenter, or automatically by downloading from another server of a network security company that provides such updates…….”, ¶0081).
The examiner equates this to comprehensive security analysis being performed by a dedicated security server as recited in claim 16 above.
The comprehensive security analysis being done offline was taught by Ellenbogen as discussed above in independent claim 12 rejection (“Record keeping services 540 and audit and record tracking 550 can record all raw data of platform 500 activity to a data warehouse and data lake for offline analysis and presentation”, ¶0178, wherein auditing of raw data is a form of security analysis).
Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the system of Dennerline and Ellenbogen in claim 12 by incorporating the concept of security screening as disclosed by Dubrovsky, and would have been motivated to do so because it provides a method to perform security screening tasks such as signature/pattern matching, hash comparison, deep packet inspection, etc. (Dubrovsky ¶0081).
Regarding claim 20, Dennerline in view of Ellenbogen discloses the system of claim 12. 
Dennerline further discloses wherein the processor is configured to: after capturing, analyze the headers to determine the security status of packets associated with the headers; and select the at least one data packet based on the security status.
Dennerline discloses a firewall or other gateway that checks (analyzes) the information in the header of a packet before forwarding the packet to a destination computer (“……..After checking the destination IP address, application identifier or other destination indicia contained in the packet's header, firewall (or other gateway) 172 forwards the packet to destination computer 160”, ¶0063). The firewall or other gateway thus determines the security status of the packet before forwarding it to the destination computer.
Dennerline discloses selection of packets based on their threat-score (security status) (“…..Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections”, ¶0055).
However, Dennerline in view of Ellenbogen does not explicitly disclose the following limitation taught by Dubrovsky: decrypting the plurality of data packets to obtain a header of each packet.
Dubrovsky discloses the concept of decrypting the plurality of data packets (“The de-obfuscating of a set of computer data may include decrypting, reordering, or resequencing data included in that set of computer data. In certain instances, a portion of the data included in the set of computer data may be decrypted. The decryption may include XORing at least a portion of the data included in the data packet set with other data or with other data included in the data packet set…..”, ¶0040). Once the data packet is decrypted, the header can be obtained.

Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the system of Dennerline and Ellenbogen in claim 12 by incorporating the concept of decrypting the plurality of data packets to obtain the header of each packet as disclosed by Dubrovsky, and would have been motivated to do so because de-obfuscating the data set provides a method to detect the presence of malware in it (Dubrovsky ¶0040).
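As an added illustration of the decrypt-then-read-the-header selection discussed for claims 1 and 20 (drop on high threat, fast-forward on low threat) and the hold-then-release gating discussed for claim 13, the following example was written for this page; it is not code from the office action, the applicant or any of the cited references. Its single-byte XOR key, 8-byte header layout, scoring rules, thresholds and the offline-analysis stub are all constructed assumptions.

```python
# Added illustration (not from the office action or the cited references).
# Assumptions, all constructed for this example: packets are obfuscated with a
# single-byte XOR key; the cleartext header is 8 bytes (destination IPv4,
# 16-bit application id, 8-bit flags, 8-bit payload length); the scoring
# rules, thresholds and the offline-analysis callback are stand-ins.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

HEADER_FMT = "!4sHBB"                      # dst IPv4, app id, flags, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes
KNOWN_BAD_APPS = {0x0666}                  # constructed: app ids treated as high threat
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed: low-risk destinations
FLAG_EXEC = 0x80                           # constructed: payload carries executable content
DROP, FORWARD, HOLD = "drop", "forward", "hold"


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """XOR de-obfuscation of a whole packet; XOR is symmetric, so this also obfuscates."""
    return bytes(b ^ key for b in blob)


@dataclass
class Header:
    dst_ip: str
    app_id: int
    flags: int
    payload_len: int


def parse_header(clear: bytes) -> Tuple[Header, bytes]:
    """Split a decrypted packet into header and payload, rejecting truncated input."""
    if len(clear) < HEADER_LEN:
        raise ValueError("truncated header")
    ip, app, flags, plen = struct.unpack(HEADER_FMT, clear[:HEADER_LEN])
    payload = clear[HEADER_LEN:HEADER_LEN + plen]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return Header(str(ipaddress.ip_address(ip)), app, flags, plen), payload


def threat_score(h: Header) -> int:
    """Header-only score in 0..100; the payload is not inspected at this stage."""
    score = 0
    if ipaddress.ip_address(h.dst_ip) not in TRUSTED_NET:
        score += 20
    if h.app_id in KNOWN_BAD_APPS:
        score += 70
    if h.flags & FLAG_EXEC:
        score += 30
    return min(score, 100)


def select_action(score: int) -> str:
    """High threat: drop. Low threat: fast-forward. Otherwise hold for comprehensive analysis."""
    if score >= 70:
        return DROP
    if score <= 10:
        return FORWARD
    return HOLD


@dataclass
class Gateway:
    key: int
    offline_analysis: Callable[[bytes], bool]   # True when the analysis finds security issues
    held: Dict[str, bytes] = field(default_factory=dict)

    def ingress(self, pkt_id: str, wire: bytes) -> str:
        """Decrypt, read the header, score it and pick an action for the packet."""
        hdr, payload = parse_header(xor_decrypt(wire, self.key))
        action = select_action(threat_score(hdr))
        if action == HOLD:
            self.held[pkt_id] = payload        # blocked until the analysis completes
        return action

    def analysis_complete(self, pkt_id: str) -> str:
        """Keep blocking if the offline analysis found issues, otherwise release the packet."""
        payload = self.held.pop(pkt_id)
        return DROP if self.offline_analysis(payload) else FORWARD


def build_wire(dst: str, app: int, flags: int, payload: bytes, key: int) -> bytes:
    """Constructed test traffic: pack a header, append the payload, XOR-obfuscate."""
    hdr = struct.pack(HEADER_FMT, ipaddress.ip_address(dst).packed, app, flags, len(payload))
    return xor_decrypt(hdr + payload, key)


def run_demo() -> Dict[str, str]:
    """Four constructed packets through the gateway; the stub analysis flags an 'MZ' prefix."""
    key = 0x5A
    gw = Gateway(key=key, offline_analysis=lambda p: p.startswith(b"MZ"))
    wire = {
        "A": build_wire("10.0.0.5", 80, 0, b"GET / HTTP/1.1", key),          # score 0
        "B": build_wire("192.168.1.9", 0x0666, 0, b"beacon", key),           # score 90
        "C": build_wire("192.168.1.9", 443, FLAG_EXEC, b"MZ\x90\x00", key),  # score 50
        "D": build_wire("10.0.0.7", 443, FLAG_EXEC, b"hello", key),          # score 30
    }
    result = {pid: gw.ingress(pid, w) for pid, w in wire.items()}
    for pid in ("C", "D"):                    # offline results arrive for the held packets
        result[pid + "_after"] = gw.analysis_complete(pid)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes is the ordering: nothing can be scored until the header is readable, so decryption precedes header analysis, and a packet in the middle band is neither dropped nor forwarded but held, with the final decision deferred to the comprehensive analysis.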

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No 20100125900 to Dennerline et al. (hereinafter Dennerline) in view of U.S. PGPub No 20170099200 to Ellenbogen et al. (hereinafter Ellenbogen) and further in view of U.S. PGPub No 20080216174 to Vogel et al. (hereinafter Vogel).

Regarding claim 7, Dennerline in view of Ellenbogen discloses the method of claim 1. However, Dennerline in view of Ellenbogen does not disclose the following limitation, which is taught by Vogel: wherein searching the data packet for tokens associated with sensitive information comprises at least one of: wildcard search and dictionary search.
Vogel discloses identification of sensitive data in a data storage, which includes the client searching for a pattern of literal characters and wildcard characters (“wildcard characters”, ¶0030).
Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the method of Dennerline and Ellenbogen to include the identification of sensitive information by searching for wildcard character patterns as disclosed by Vogel, and would have been motivated to do so in order to indicate the location of the sensitive data in the data storage (Vogel ¶0011, in part).

Regarding claim 17, Dennerline in view of Ellenbogen discloses the system of claim 12. However, Dennerline in view of Ellenbogen does not disclose the following limitation, which is taught by Vogel: wherein searching the data packet for tokens associated with sensitive information comprises at least one of: wildcard search and dictionary search.
Vogel discloses identification of sensitive data in a data storage, which includes the client searching for a pattern of literal characters and wildcard characters (“wildcard characters”, ¶0030).
Thus, one of ordinary skill in the art would have found it obvious, before the effective filing date of the claimed invention, to modify the system of Dennerline and Ellenbogen to include the identification of sensitive information by searching for wildcard character patterns as disclosed by Vogel, and would have been motivated to do so in order to indicate the location of the sensitive data in the data storage (Vogel ¶0011, in part).
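As an added illustration of the wildcard search and dictionary search recited in claims 7 and 17, and of reporting where in the data the sensitive tokens sit, the following example was written for this page; it is not code from the office action, the applicant or Vogel. The wildcard syntax ('?' one character, '*' a run of non-space characters, '#' one digit), the patterns, the word list and the sample payload are constructed assumptions.

```python
# Added illustration (not from the office action or the cited references).
# Assumptions, all constructed: wildcard syntax is '?' (one character),
# '*' (any run of non-space characters) and '#' (one digit); the sample
# payload, patterns and dictionary are made up for this example.
import re
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Hit:
    kind: str      # "wildcard" or "dictionary"
    pattern: str   # the wildcard pattern or dictionary word that matched
    offset: int    # offset of the match inside the payload (its location)
    text: str      # the matched text


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard pattern into a regular expression, escaping literal characters."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(r"\S*")
        elif ch == "#":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def wildcard_search(payload: str, patterns: Iterable[str]) -> List[Hit]:
    """Pattern search: every non-overlapping match of every wildcard pattern."""
    hits: List[Hit] = []
    for pat in patterns:
        rx = wildcard_to_regex(pat)
        hits.extend(Hit("wildcard", pat, m.start(), m.group(0)) for m in rx.finditer(payload))
    return hits


def dictionary_search(payload: str, words: Set[str]) -> List[Hit]:
    """Dictionary search: whole words whose lower-cased form is in the word list."""
    return [Hit("dictionary", m.group(0).lower(), m.start(), m.group(0))
            for m in re.finditer(r"\w+", payload)
            if m.group(0).lower() in words]


def search_tokens(payload: str, patterns: Iterable[str], words: Set[str]) -> List[Hit]:
    """Combined search, ordered by location so a reviewer can walk the packet front to back."""
    return sorted(wildcard_search(payload, patterns) + dictionary_search(payload, words),
                  key=lambda h: (h.offset, h.kind))


def packet_has_sensitive_tokens(payload: bytes, patterns: Iterable[str], words: Set[str]) -> bool:
    """Entry point for raw packet payloads; latin-1 keeps string offsets equal to byte offsets."""
    return bool(search_tokens(payload.decode("latin-1"), patterns, words))


WILDCARD_PATTERNS = ["###-##-####", "4" + "#" * 15]   # SSN shape; 16-digit card number starting with 4
DICTIONARY = {"confidential", "secret", "password"}
SAMPLE_PAYLOAD = "name=Jane Roe; ssn=123-45-6789; card=4111111111111111; note=confidential draft"

if __name__ == "__main__":
    for hit in search_tokens(SAMPLE_PAYLOAD, WILDCARD_PATTERNS, DICTIONARY):
        print(f"{hit.kind:10} offset={hit.offset:3} pattern={hit.pattern!r} text={hit.text!r}")
```

Wildcards are translated to a regular expression with every literal escaped, so a pattern containing '.' or '(' cannot be misread as regex syntax; the dictionary check is word-bounded and case-insensitive so that "Confidential" and "CONFIDENTIAL" hit the same entry.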
 
 Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: U.S. PGPub Nos. 20170185638, 20170140174, and 20160099963.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571) 272-2082. The examiner can normally be reached Monday through Friday, 7:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495     

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495