DETAILED ACTION
Responsive to the Applicant reply filed on 06/02/2022, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in following.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/02/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
The amendment filed 06/02/2022 has been entered. Claims 1, 11 and 16 have been amended. Claims 1-20 remain pending in the application.

Response to Arguments
Applicants arguments, see amended claims 1, 11 and 16 and Applicant’s Remarks, Page 6-7, regarding the newly added limitation “identify, based on the file identifier, a frequency of previous whitelist handling of the file, wherein the whitelist handling is an occurrence of the file being analyzed and a whitelist approval decision made.” have been fully considered. Examiner asserts a new understanding of the limitation in the amended claims. Thus, dependent claims  9, 10 and 20 including the concept of the “frequency” were also re-considered as well. Upon further consideration, Examiner concludes that Chen-Kaidi discloses the newly added features above in Fig. 3, 4 and para. 0051-0052. Chen-Kaidi teaches a first, a second and a third task are executed at respective a first, a second and a third frequency. The frequencies, considered as the “occurrence of the file being analyzed”, indicate how often systems may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist. For example, the first task may run every two hours, the second task may run every week, and the third task may run every hour. Based on the frequencies as explained in para. 0052-0053, the disclosed system by Chen-Kaidi may determine IP addresses on the dynamic whitelist that have a risk score greater than a predetermined threshold, considered as the “approval decision”. For such reasons, Examiner respectfully disagrees with Applicant’s arguments and asserts that claims 1-20 are rejected for the reasons stated above and claim rejections section below. Please refer to the 35 U.S.C. § 102 and 103 section below for the detailed rejection.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 5-11, 13-16, and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chen Kaidi (US 20210409411 A1 hereinafter “Chen-Kaidi”).
Regarding independent claim 1, (Currently Amended) Chen-Kaidi discloses one or more non-transitory computer-readable media comprising instructions that, upon execution of the instructions by one or more processors of an electronic device, are to cause the electronic device to (Fig. 3 and 4; [0048] the dynamic whitelist 402 in execution of the first task 302; Thus, tasks in Fig 3 corresponds to Fig. 4): 
identify a file identifier of a file related to a user whitelist request ([0034-0035] the first task may include performing block 308 (determining one or more IP addresses to add to the dynamic whitelist based on their recent activity) and performing block 310 (adding the one or more IP addresses to a dynamic whitelist). The dynamic whitelist 402 may be a whitelist that provides, to accounts (e.g., user accounts) associated with the IP addresses [“file identifier”] on the dynamic whitelist 402. Examiner considers the IP addresses as the file identifier as claimed. Para. 0013 states the registered account and registered account activities. The registered account may be considered as “identifier of a publisher of the file” as recited in clm. 5 below or the registered account activities such as API calls also may be considered as the file path as stated in para. 0076 of Spec.); 
identify, based on the file identifier, a frequency of previous whitelist handlings of the file ([0051] IP addresses [“file identifier”] that are returned or otherwise identified to be inactive for the threshold time period, may be removed from the dynamic whitelist 402 [“previous whitelist”, See Fig. 4 regarding IP address 5.6.7.8 in Whitelists 402 and 404] by the system), wherein the whitelist handling is an occurrence of the file being analyzed and a whitelist approval decision made ([0052-0053] states a first, a second and a third task are executed at respective a first, a second and a third frequency (302, 304 and 306 in Fig. 3). The frequencies indicate how often systems may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist [“previous whitelist”]. For example, the first task may run every two hours, the second task may run every week, and the third task may run every hour [“file analyzing occurrence”]. The system may determine IP addresses on the dynamic whitelist that have a risk score greater than a predetermined threshold [“whitelist approval decision made”]);
determine, based on the frequency of the previous whitelist handling of the file, whether to approve the user whitelist request ([0055] At block 316 in execution of the third task 306, the system may remove/tag IP addresses [“determining whether or not to approve the request”] on the dynamic whitelist 402 that have a risk score greater than the predetermined threshold); and 
output, based on the determination of the frequency of the previous whitelist handling of the file, an indication of whether the user whitelist request is approved ([0057] a risk score of an IP address on the dynamic whitelist 402 may have increased since it was added to the dynamic whitelist 402 but the risk score does not exceed the predetermined threshold. In such cases, the IP address may remain on the dynamic whitelist 402 and also be copied to a secondary whitelist 404 [“outputting the indication”]. The secondary whitelist 404 [“outputting the indication”] may be a whitelist that is used by one or more security layers of the service provider). 

Regarding claim 5, (Original) Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 1, wherein the file identifier is an identifier of a publisher of the file ([0013] the first task may include determining, based on registered account activities (e.g., Application Programming Interface (API) calls, transactions, and/or related activities) associated with registered accounts with a service provider, at least one IP address associated with at least one registered account [“identifier of a publisher of the file”] with the service provider).

Regarding claim 6, (Original)  Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 1, wherein the instructions are further to identify, based on the file identifier, that a previous whitelist handling of the file was based on a user request ([0040] the one or more IP addresses that are queued to be added to the dynamic whitelist 402 [“previous whitelist handling”] may be timestamped with the time of the most recent activity [“user request”] (e.g., incoming network traffic) stemming from the IP address; [0055] the system may completely remove the IP addresses from the dynamic whitelist 402. For example, in the embodiment shown in FIG. 4, IP address 7.8.9.0 is removed from the dynamic whitelist 402 [“previous whitelist handling”, See para. 0057 regarding the secondary whitelist 404] as the system determined that its risk score exceeds the predetermined threshold).

Regarding claim 7, (Original) Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 1, wherein the indication is an indication that the file is whitelisted and is approved for use by a user or installation on a computing device ([0057] a risk score of an IP address on the dynamic whitelist 402 may have increased since it was added to the dynamic whitelist 402 but the risk score does not exceed the predetermined threshold. In such cases, the IP address may remain on the dynamic whitelist 402 and also be copied to a secondary whitelist 404 [“file is whitelisted and is approved for use”]).

Regarding claim 8, (Original) Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 1, wherein the indication is an indication that the file is not whitelisted and is to be further reviewed prior to use by a user or installation on a computing device ([0052] Executing the third task 306 at a greater frequency may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist 402 [“prior to use” since it filtered out malicious use] to reduce the risk of abusive IP addresses being added to and remaining on the dynamic whitelist 402).

Regarding claim 9, (Original) Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 1, wherein the frequency is based on one of a first number of handlings of the file in a first timespan and a second number of handlings of the file in a second timespan ([0052] As an illustrative example, the first task 302 may run every two hours, the second task 304 may run every week, and the third task may run every hour).

Regarding claim 10, (Original) Chen-Kaidi discloses the one or more non-transitory computer-readable media of claim 9, wherein the first number of handlings is greater than the second number of handlings, and the first timespan is longer than the second timespan ([0052] As an illustrative example, the first task 302 may run every two hours, the second task 304 may run every week, and the third task [“first number of handlings”] may run every hour. Executing the third task 306 at a greater frequency [“first timespan”] may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist 402 to reduce the risk of abusive IP addresses being added to and remaining on the dynamic whitelist 402).

Regarding independent claim 11, (Currently Amended) Chen-Kaidi further discloses an electronic device comprising: one or more processors (Fig. 2, 214 or clm. 1); and one or more non-transitory computer-readable media comprising instructions that, upon execution of the instructions by the one or more processors of an electronic device, are to cause the electronic device to(Fig. 2, 220 or clm. 1): 
identify a file identifier of a file related to a user whitelist request ([0034-0035] the first task may include performing block 308 (determining one or more IP addresses to add to the dynamic whitelist based on their recent activity) and performing block 310 (adding the one or more IP addresses to a dynamic whitelist). The dynamic whitelist 402 may be a whitelist that provides, to accounts (e.g., user accounts) associated with the IP addresses [“file identifier”] on the dynamic whitelist 402. Examiner considers the IP addresses as the file identifier as claimed. Para. 0013 states the registered account and registered account activities. The registered account may be considered as “identifier of a publisher of the file” as recited in clm. 12 below or the registered account activities such as API calls also may be considered as the file path as stated in para. 0076 of Spec.); 
identify, based on the file identifier, a frequency of previous whitelist handlings of the file ([0051] IP addresses [“file identifier”] that are returned or otherwise identified to be inactive for the threshold time period, may be removed from the dynamic whitelist 402 [“previous whitelist”, See Fig. 4 regarding IP address 5.6.7.8 in Whitelists 402 and 404] by the system), wherein the whitelist handling is an occurrence of the file being analyzed and a whitelist approval decision made ([0052-0053] states a first, a second and a third task are executed at respective a first, a second and a third frequency (302, 304 and 306 in Fig. 3). The frequencies indicate how often systems may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist [“previous whitelist”]. For example, the first task may run every two hours, the second task may run every week, and the third task may run every hour [“file analyzing occurrence”]. The system may determine IP addresses on the dynamic whitelist that have a risk score greater than a predetermined threshold [“whitelist approval decision made”]); 
determine, based on the frequency of the previous whitelist handlings of the file, whether to approve the user whitelist request ([0055] At block 316 in execution of the third task 306, the system may remove/tag IP addresses [“determining whether or not to approve the request”] on the dynamic whitelist 402 that have a risk score greater than the predetermined threshold), wherein the frequency is based on one of a first number of previous whitelist handlings in a first timespan and a second number of previous whitelist handlings in a second timespan ([0052-0053] The first task may run every two hours, the second task may run every week, and the third task may run every hour. The system may determine IP addresses on the dynamic whitelist that have a risk score greater than a predetermined threshold. [0050-0051] shows IP addresses that are returned or otherwise identified to be inactive for the threshold time period, may be removed from the dynamic whitelist 402 [“previous whitelist”] by the system); and
output, based on the determination of the frequency of the previous whitelist handlings of the file, an indication of whether the user whitelist request is approved ([0057] a risk score of an IP address on the dynamic whitelist 402 may have increased since it was added to the dynamic whitelist 402 but the risk score does not exceed the predetermined threshold. In such cases, the IP address may remain on the dynamic whitelist 402 and also be copied to a secondary whitelist 404 [“outputting the indication”]. The secondary whitelist 404 [“outputting the indication”] may be a whitelist that is used by one or more security layers of the service provider). 

Regarding claim 13, (Original) the scope of the claim 13 is similar to that of claim 6. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 14, (Original)  the scope of the claim 14 is similar to that of claim 7. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 15, (Original)  the scope of the claim 15 is similar to that of claim 10. Accordingly, the claim is rejected using a similar rationale.

Regarding independent claim 16, (Currently Amended) Chen-Kaidi discloses a method comprising: 
identifying, by one or more processors of an electronic device based on a file identifier of a file related to a user whitelist request, a frequency of previous whitelist handlings of the file, wherein the whitelist handling is an occurrence of the file being analyzed and a whitelist approval decision made ([0051] IP addresses [“file identifier”] that are returned or otherwise identified to be inactive for the threshold time period, may be removed from the dynamic whitelist 402 [“previous whitelist”, See Fig. 4 regarding IP address 5.6.7.8 in Whitelists 402 and 404] by the system), wherein the whitelist handling is an occurrence of the file being analyzed and a whitelist approval decision made ([0052-0053] states a first, a second and a third task are executed at respective a first, a second and a third frequency (302, 304 and 306 in Fig. 3). The frequencies indicate how often systems may allow for continuous removal/moving of abusive IP addresses from the dynamic whitelist [“previous whitelist”]. For example, the first task may run every two hours, the second task may run every week, and the third task may run every hour [“file analyzing occurrence”]. The system may determine IP addresses on the dynamic whitelist that have a risk score greater than a predetermined threshold [“whitelist approval decision made”]);
determining, by the one or more processors based on the frequency of the previous whitelist handlings of the file, whether to approve the user whitelist request ([0055] At block 316 in execution of the third task 306, the system may remove/tag IP addresses [“determining whether or not to approve the request”] on the dynamic whitelist 402 that have a risk score greater than the predetermined threshold); and 
Application No. : 17/103,286outputting, by the one or more processors based on the determination of the frequency of the previous whitelist handlings of the file, an indication of whether the user whitelist request is approved ([0057] a risk score of an IP address on the dynamic whitelist 402 may have increased since it was added to the dynamic whitelist 402 but the risk score does not exceed the predetermined threshold. In such cases, the IP address may remain on the dynamic whitelist 402 and also be copied to a secondary whitelist 404 [“outputting the indication”]. The secondary whitelist 404 [“outputting the indication”] may be a whitelist that is used by one or more security layers of the service provider).

Regarding claim 18, (Original) the scope of the claim 18 is similar to that of claim 6. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 19, (Original) the scope of the claim 19 is similar to that of claim 7. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 20, (Original) Chen-Kaidi discloses the method of claim 16, wherein the frequency is based on one of a first number of approvals in a first timespan and a second number of approvals in a second timespan ([0050 and 0052] states a first, second and third frequency (302, 304 and 306 in Fig. 3). the third frequency [“frequency”] may be greater than the second frequency [“approvals in a second timespan”, See more details regarding approvals in para. 0050] of the second task 304 and greater than the first frequency [“approvals in a first timespan”, See more details regarding approvals in para. 0034] of the first task 302. In other embodiments, the third frequency may be less than or the same as the second frequency and/or less than or the same as the first frequency [“approvals in a first and second timespan”]).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chen Kaidi (US 20210409411 A1 hereinafter “Chen-Kaidi”) in view of Kuo et al. (US 20090083852 A1 hereinafter “Kuo”).
Regarding claim 2, (Original) Chen-Kaidi teaches all elements of the current invention as stated in claim 1. However, Chen-Kaidi may not explicitly teach, but Kuo, which is a same field of endeavor, discloses the one or more non-transitory computer-readable media of claim 1, wherein the file identifier is a hash value related to the file ([0028] The whitelist server 205 includes information about files that are designated as good. This information may include the name of the file, a hash of the file, the directory in which the file is installed).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Chen-Kaidi with the teachings of Kuo to include the file identifier that is a hash value related to the file. One of ordinary skill in the art would have been motivated to make this modification because the date the file may be identified as being on the whitelist (para. 0028).

Regarding claim 3, (Original) the combination of Chen-Kaidi and Kuo discloses the one or more non-transitory computer-readable media of claim 1, wherein the file identifier is a file name of the file ([Kuo: 0028] The whitelist server 205 includes information about files that are designated as good. This information may include the name of the file, a hash of the file, the directory in which the file is installed).

Regarding claim 4, (Original)  the combination of Chen-Kaidi and Kuo discloses the one or more non-transitory computer-readable media of claim 1, wherein the file identifier is a file path related to the file ([Kuo: 0028] The whitelist server 205 includes information about files that are designated as good. This information may include the name of the file, a hash of the file, the directory in which the file is installed).

Regarding claim 12, (Original) Chen-Kaidi teaches “the registered account and registered account activities” as stated in claim 1. However, Chen-Kaidi may not explicitly teach, the file identifier is a hash value related to the file, a file name of the file, a file path related to the file, or an identifier of a publisher of the file.
Kuo, which is a same field of endeavor, discloses the electronic device of claim 11, wherein the file identifier is a hash value related to the file, a file name of the file, a file path related to the file, or an identifier of a publisher of the file ([0028] The whitelist server 205 includes information about files that are designated as good. This information may include the name of the file, a hash of the file, the directory in which the file is installed).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Chen-Kaidi with the teachings of Kuo to include the file identifier that is a hash value related to the file. One of ordinary skill in the art would have been motivated to make this modification because the date the file may be identified as being on the whitelist (para. 0028).

Regarding claim 17, (Original) the scope of the claim 17 is similar to that of claim 12. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
• Singh et al. (US 20200145423 A1)- Providing access to content within a computing environment: ([0039 and 0099] the specialized tool may detect new network addresses [“file identifier”] within content accessed by multiple users and may perform assessments on whether these new network addresses should be added to the whitelist (e.g., based on occurrence/frequency, whether the users attempted to access content from the detected network addresses [“occurrence of the file being analyzed”], whether the network addresses are on a public or private network, etc.). In addition, Singh disclose “scoring methodology” in para. 0055 and 0076-0080. Para. 0079 states that the specialized tool performs a selection process by ranking the newly discovered network addresses based on their corresponding scores for inclusion on the whitelist 52 (e.g., where any newly discovered network addresses having a score 140 that exceeds a predefined threshold (“whitelist approval decision made”) is recommended for inclusion on the whitelist 52)). 
• HWANG et al. (US 20190044946 A1)- Apparatus for monitoring file access in virtual machine and method for the same: ([0055-0057] an event in which a task attempts to access file data in the page frame is detected, the task is attempting to access the file data is identified [“file identifier” through the task identification, stated in para. 0063, 0017-0018], and information about the file data to which access is being attempted is checked. Then, whether to allow the access is determined based on a whitelist [“a whitelist approval decision made”]. Here, an administrator may select any one of the two methods based on whether a cache is used in a virtual machine, or the like, a data access method, such as a file access pattern, and a frequency with which a file is accessed [“an occurrence of the file being analyzed”]).
• Peterson et al. (US 20150261615 A1)- Striping cache blocks with logical block address scrambling: ([0110] Usage information may be gathered over time and maintained by memory managers 34 and the metadata services, and maintained in their respective stores. Usage may be based on or derived from eviction rates, insertion rates, access frequency, numbers of locks/references granted for particular blocks).
• Gemeniano (US 10277631 B1)- Self-preserving policy engine and policy-based content transmission : (col. 9 ln. 29-34, The decision at block 204 may be based on any or all of the factors above, and an application may end up on the blacklist, whitelist, or graylist, based upon factors such as the number, frequency, and type, of applications it requested and/or was denied/granted access to).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached 9:00 AM- 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.S./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493