Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Amendment 
In response to communication with applicant’s correspondent of record, Stephen Terrile, Reg# 32,946, the application has been amended as follows: 

AMENDMENTS TO THE CLAIMS
1.	(Currently Amended)	A computer-implemented method for identifying encrypted files in a security analytics environment, the method comprising:
building a file size table, the building comprising:
performing a size comparison between an encrypted file and entries in the file size table to determine whether the encrypted file corresponds to a file listed in the file size table, when the encrypted file corresponds to the file listed in the file size table then classifications associated with the file in the file size table are used to determine whether to restrict transfer of the encrypted file;
when the encrypted file does not correspond to a file listed in the file size table, then storing information related to identification of the encrypted file, an original size of the encrypted file and compression information in the file size table, the compression information including a range of compression sizes of the encrypted file, the information related to identification of the encrypted file, the original size of the encrypted file and the compression information in the file size table being used to determine whether to restrict transfer of the encrypted file;
determining whether one or more entries in the file size table matches a size of the encrypted file wherein each entry in the file size table comprises a file size and a range of compressed file sizes for an unencrypted file in a set of files, the range of compressed file sizes being bound by a minimum compressed file size and a maximum compressed file size;
determining a probability that a matching entry uniquely identifies the encrypted file; 
controlling a transfer of the encrypted file according to one or more rules associated with a file associated with the matching entry when the probability is high that the matching entry uniquely identifies the encrypted file and when there are the one or more rules associated with the file, the controlling the transfer handling an event involving the encrypted file in a same manner as for a corresponding original, unencrypted file, the controlling the transfer permitting transferring the encrypted file when the corresponding original, unencrypted file does not contain sensitive data, the controlling the transfer restricting transfer of the encrypted file when the original, unencrypted file contains sensitive data.


16.	(Currently Amended)	A node in a security analytics environment comprising:
a processor;
a network interface, coupled to the processor and communicatively coupled to a remote network node in the security analytics environment via a network;
a first non-transitory, computer-readable storage medium, coupled to the processor and storing a plurality of files in a file set; and
a second non-transitory, computer-readable storage medium, coupled to the processor, and storing instructions executable by the processor and configured to:
generate a file size table comprising one or more entries corresponding to a subset of the plurality of files in the file set, wherein 
the file size table comprises one or more entries, and
each entry of the file size table comprises a file size, a range of compression sizes, the range of compression sizes comprising a maximum compressed file size and a minimum compressed file size, and an identifier of the associated file,
determine whether an action executed on the node comprises a transfer of an encrypted file,
determine whether one or more entries in the file size table comprise one of a file size or a compressed file size range matching the size of the encrypted file, wherein the file size range is bound by the maximum compressed file size and the minimum compressed file size, and
control the transfer of the encrypted file according to one or more rules associated with a file associated with the matching entry when there are rules associated with the file associated with the matching entry, the one or more rules being associated with an unencrypted version of the file, the controlling the transfer handling an event involving the encrypted file in a same manner as for a corresponding original, unencrypted file, the controlling the transfer permitting transferring the encrypted file when the corresponding original, unencrypted file does not contain sensitive data, the controlling the transfer restricting transfer of the encrypted file when the original, unencrypted file contains sensitive data.

19.	(Currently Amended)	A non-transitory, computer-readable storage medium storing computer program code, the computer program code comprising computer executable instructions configured for:  
building a file size table, the building comprising:
performing a size comparison between an encrypted file and entries in the file size table to determine whether the encrypted file corresponds to a file listed in the file size table, when the encrypted file corresponds to the file listed in the file size table then classifications associated with the file in the file size table are used to determine whether to restrict transfer of the encrypted file;
when the encrypted file does not correspond to a file listed in the file size table, then storing information related to identification of the encrypted file, an original size of the encrypted file and compression information in the file size table, the compression information including a range of compression sizes of the encrypted file, the information related to identification of the encrypted file, the original size of the encrypted file and the compression information in the file size table being used to determine whether to restrict transfer of the encrypted file;
determining whether one or more entries in a file size table matches a size of an encrypted file wherein each entry in the file size table comprises one or more of a file size, maximum compressed file size, and minimum compressed file size for an unencrypted file in a set of files;
determining a probability that a matching entry uniquely identifies the encrypted file; and
controlling a transfer of the encrypted file according to one or more rules associated with a file associated with the matching entry when the probability is high that the matching entry uniquely identifies the encrypted file, the one or more rules being associated with an unencrypted version of the file, the controlling the transfer handling an event involving the encrypted file in a same manner as for a corresponding original, unencrypted file, the controlling the transfer permitting transferring the encrypted file when the corresponding original, unencrypted file does not contain sensitive data, the controlling the transfer restricting transfer of the encrypted file when the original, unencrypted file contains sensitive data.
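
An added illustration, not part of the Office action or the application: a minimal Python sketch of the size-table matching and transfer control recited in claims 1, 16 and 19. The uniqueness estimate (1 divided by the number of matching entries), the 0.9 threshold, the fixed `overhead` parameter, the use of zlib levels 1-9 and the sample files are all assumptions constructed for this example.

```python
import zlib
from dataclasses import dataclass

@dataclass
class Entry:
    file_id: str     # identifier of the unencrypted original
    size: int        # original file size in bytes
    min_comp: int    # minimum compressed file size
    max_comp: int    # maximum compressed file size
    sensitive: bool  # classification of the original (assumed boolean)

def build_entry(file_id, data, sensitive):
    # Assumption: the compressed-size range is measured over zlib levels 1-9.
    comp = [len(zlib.compress(data, level)) for level in range(1, 10)]
    return Entry(file_id, len(data), min(comp), max(comp), sensitive)

def matches(table, enc_size, overhead=0):
    # overhead: assumed fixed byte count added by encryption (header, IV, tag).
    n = enc_size - overhead
    return [e for e in table if n == e.size or e.min_comp <= n <= e.max_comp]

def decide(table, enc_size, overhead=0, threshold=0.9):
    hits = matches(table, enc_size, overhead)
    if not hits:
        return "unknown"           # no entry corresponds to this size
    probability = 1.0 / len(hits)  # assumed estimate of unique identification
    if probability < threshold:
        return "ambiguous"         # several originals share this size
    # Handle the encrypted file the same way as its unencrypted original.
    return "restrict" if hits[0].sensitive else "permit"

# Constructed sample files; names and contents are placeholders.
PAYROLL = b"".join(b"emp%04d,SSN-PLACEHOLDER-%04d\n" % (i, i) for i in range(400))
BROCHURE = b"Public product brochure text. " * 40
NEWSLETTER = b"Public newsletter text, v2... " * 40  # same size as BROCHURE
PRESS = b"Press release. " * 1000

TABLE = [
    build_entry("payroll.csv", PAYROLL, sensitive=True),
    build_entry("brochure.txt", BROCHURE, sensitive=False),
    build_entry("newsletter.txt", NEWSLETTER, sensitive=False),
    build_entry("press.txt", PRESS, sensitive=False),
]

if __name__ == "__main__":
    for size in (len(PAYROLL), len(PRESS), len(BROCHURE), 999_999):
        print(size, decide(TABLE, size))
```

Two table entries with the same size (the brochure and the newsletter here) show why the claims require a high probability of unique identification before the original file's rules are applied.
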
Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
 	The prior art of record fails to teach or fairly suggest determining whether to restrict or permit transferring of an encrypted file, wherein the determination to restrict the transferring of the encrypted file is determined when an original, unencrypted file, matching the encrypted file, contains sensitive data, and determining to permit transferring of the encrypted file, when the matching original, unencrypted file does not contain sensitive data, in response to performing a size comparison between the encrypted file and files in a file size table to determine whether the encrypted file corresponds to a file listed in the file size table, and storing information related to identification of the encrypted file, an original size of the encrypted file and compression information in the file size table, the compression information including a range of compression sizes of the encrypted file, the information related to identification of the encrypted file when the encrypted file does not correspond to a file listed in the file size table, in the specific manner and combinations recited in claims 1-20.  
The closest related prior art is cited to state the general state of the art and is not considered to teach the distinguishing features noted above. The prior art includes:
(i) 	US Pat McClintock et al (US 10,185,924), which teaches security risk response impact analysis;
(ii) 	US PG Pub Holland et al (US 2014/0082749), which discloses secure processing of sensitive encrypted information implemented as compressed file segments;
(iii) 	NPL document "Attack, Defence, and Contagion in Networks", The Review of Economic Studies – Goyal et al, Oxford University Press, 07/30/2014; and 
(iv) 	NPL document "Vulnerability Assessment in Autonomic Network and Services: A Survey" – Barrere et al, IEEE Communications Surveys & Tutorials, Vol. 16, No. 2, 04/2014.
After thorough review of related prior art, the application has been deemed allowable because of the limitations of determining whether to restrict or permit transferring of an encrypted file, wherein the determination to restrict the transferring of the encrypted file is determined when an original, unencrypted file, matching the encrypted file, contains sensitive data, and determining to permit transferring of the encrypted file, when the matching original, unencrypted file does not contain sensitive data, in response to performing a size comparison between the encrypted file and files in a file size table to determine whether the encrypted file corresponds to a file listed in the file size table, and storing information related to identification of the encrypted file, an original size of the encrypted file and compression information in the file size table, the compression information including a range of compression sizes of the encrypted file, the information related to identification of the encrypted file when the encrypted file does not correspond to a file listed in the file size table, recited in the specific manner and combinations recited within the claims. Upon an extensive search and review, none of the cited prior art taught the specified limitation or provided language for the specified limitations.  
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RANDY A SCOTT/ Primary Examiner, Art Unit 2439
20220825