DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to an application filed 11/17/2020 wherein claims 1 – 20 are pending and ready for examination.  

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
                                      Information Disclosure Statement 
The information disclosure statements (IDS) submitted on 12/08/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-5, 7-9,12,14-15,17, and 19-20 are rejected under 35 U.S.C. 102(a)(1) (a2) as being anticipated by Knapp; Eric D. et al, US 20170353460 A1, December 7, 2017 hereafter referred to as Knapp.

          As to claim 1, Knapp teaches a method - Knapp [0094] FIG. 8 illustrates an example method 800) comprising:
          Identifying - Knapp [0032] The system 100 uses the “check-in” and “check-out” mechanisms to authorize removable media or specific files or file types on the removable media. An end user wishing to use a storage device in a protected system first allows an SMX server 105 to scan and authorize the storage device, at which point the storage device is locked to prevent other uses of the storage device. ... When the user is finished with his or her task, the storage device can be checked-out using an SMX server 105, restoring the storage device to its normal functionality and preventing use of the storage device with the protected system nodes 102a-102n.  Here, the claimed ‘identifying’ is taught by Knapp as ‘check in’ since inserting the media initiates identifying both the user and content further taught by Knapp at [0074]) by at least one processor of an electronic device a computer-related security event that is related to a removable media device - Knapp [0074] As shown in FIG. 4, a storage device 402 is inserted into a slot of or otherwise coupled to an SMX kiosk 104, and a check-in process can be selected on a display of the SMX kiosk 104 (or using another input mechanism). The SMX server 105 of the SMX kiosk 104 then performs the check-in procedure. The check-in procedure could include functions such as scanning the storage device 402 for malware, digitally signing and possibly encrypting clean files on the storage device 402, and quarantining any files identified as having malware on the storage device 402 (where the quarantined files are not signed or encrypted). Here, the claimed ‘at least one processor’ is taught by Knapp as ‘SMX server 105’. The claimed ‘electronic device’ is taught by Knapp as ‘SMX kiosk 104.’ Examiner note: the SMX server 105 has the SMX agents 103 as extensions and can be collectively considered as the at least one processor, as further defined by Knapp as [0031].  The claimed ‘security event’ is taught by Knapp as ‘files identified as having malware’ as external insertion to protected device is a security event (see instant specification [0032]).  The claimed ‘removable media’ is taught by Knapp as ‘storage device 402’ depicted as a thumb drive in Figure 4), and a user account associated with the security event - Knapp [0087] ... The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer.  Here, the claimed ‘user account’ is taught by Knapp as ‘active user’ which is a pertinent detail in the log associated with the check-in process.   The claimed ‘security event’ is taught by Knapp as ‘files identified as having malware’ since infected files pose a security event per instant specification)
          determining, by the at least one processor based on the identification of the user account, a number of previous computer-related security events that are associated with the user account – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘determining’ is taught by Knapp as ‘audit logs’ since the log records the check-in process.  The claimed ‘identification of the user account’ is taught by Knapp as ‘identify the user account’.  The claimed ‘a number of previous computer-related security events’ is taught by Knapp as ‘operations attempted or performed’ because the logs would provide a quantity of times storage device was checked in and files quarantined.  Further, an operation is an event, and in this case, Knapp teaches the plurality of operation(s) which results in a number value recorded in and identified from the audit logs); and
               outputting an indication that the file does or does not contain malware – Knapp [0079] ... If the storage device 402 and a file are successfully validated, the file is freely accessible by the local file system of the protected node 102 (so it can be copied from the removable storage device 402 to the local file system. Here, the claimed ‘outputting an indication’ is taught by Knapp as ‘freely accessible’ since the access is a declaration of no malware else the files could not be copied), an indication of the user account - Knapp [0087] ... The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer.  Here, the claimed ‘outputting ... user account’ is taught by Knapp as ‘active user’ identifying the account holder via the audit log associated with the check-in process), and an indication of the number of previous computer-related security events that are associated with the user account – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event).

             As to claim 2, Knapp teaches the method of claim 1, wherein the method further comprising
             identifying, by the at least one processor of the electronic device, that the computer-related security event is related to the removable media device based on a file path of a file associated with the computer- related security event – Knapp [0085] Example details that may be included in the ‘audit log file’ for a file activity could include a source node or device identifier, a target node or device identifier, parameters of the source and target nodes like Internet Protocol (IP) address and Medium Access Control (MAC) address.  Here, the claimed ‘identifying’ is taught by Knapp as ‘audit log file’ which stores data identified by the processor.  The claimed ‘file path’ is taught by Knapp as ‘Internet Protocol (IP) address’) or a timestamp of the computer-related security event –Knapp [0075] The check-in procedure could also optionally include adding one or more configuration parameters or other data to the storage device 402, such as ... a timestamp).

              As to claim 3, Knapp teaches the method of claim 1, wherein the method further comprises determining the number of previous computer-related security events based on a database that stores information related to previous computer-related security events – Knapp [0033] The check-in and check-out mechanisms of the SMX servers 105 and the operations of the SMX agents 103 are able to maintain an audit trail of file transfers to and from a storage device. .The check-in and check-out mechanisms of the SMX servers 105 and the operations of the SMX agents 103 are also able to pass configuration parameters, ...  One example of configuration parameters that might be passed to the SMX agents 103 on the protected system nodes 102a-102n includes whitelists and blacklists of files. Here, the claimed ‘determining’ is taught by Knapp as ‘check-in ...mechanisms’ because the check in procedure is how Knapp determines access requirements.  The claimed ‘database stores.....previous...events’ is taught by Knapp as ‘blacklist’ since any entity on the list is a previous occurrence and can be added to produce a number of previous malware events).
             As to claim 4, Knapp teaches the method of claim 1, wherein the method further comprises outputting, by at least one processor, a report that includes the indication of the security event, the indication of the user account - Knapp [0075] ... The configuration parameters or other data can be used to update SMX agents 103 as described below. In addition, the results of the malware scan, a timestamp, an active user, configuration options, or other information can be stored on the storage device 402 in an encrypted and signed auditing file (called an audit log), and the audit log could be reported to a security manager 108 or threat analysis server 112.  Here, the claimed ‘outputting’ is taught by Knapp as ‘audit log could be reported’ since SMX server 105 updates the agents during or after check in.  The data needs to be outputted in order to update the agents.  The claimed ‘at least one processor’ is taught by Knapp as SMX server 105’ depicted in Figure 1.  The claimed ‘report’ is taught by Knapp as ‘audit log’ since the file contains the updates.  The claimed ‘indication of the security event’ is taught by Knapp as ‘results of the scan’ where files could be malware or clean affecting the quarantine decision.  The claimed ‘indication of a user account’ is taught by Knapp as ‘active user’ since the check in mechanism identifies who is making the request to verify the user is authorized and the indication of the number of previous-computer-related security events – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event).

           As to claim 5, Knapp teaches the method of claim 1, wherein the method further comprises identifying the computer-related security event based on a log that is related to a plurality of computer- related security events – Knapp [0111] One example of configuration parameters that might be passed to the SMX agents 103 on the protected system nodes 102a-102n includes whitelists and blacklists of files  Here, the claimed ‘log’ is taught by Knapp as ‘blacklist’ whereas the claimed ‘plurality of computer ...events’ is taught by Knapp as ‘files’ because these files have been blacklisted hence quarantined).

         As to claim 7, Knapp teaches the method of claim 1, further comprising identifying, by the at least one processor, the computer-related security event based on a file signature – Knapp [0038] ... If a user or the threat analysis server 112 determines that the code is malicious, the threat analysis server 112 can update the SMX servers 105 with new threat information. The threat analysis server 112 could also obtain information identifying new cyber-security threats (such as new malware signatures) from other sources and provide the threat information to the SMX servers 105. Here, the claimed ‘identify’ is taught by Knapp as ‘determines that the code is malicious’ since this determination identifies a security threat.  The claimed ‘file signature’ is taught by Knapp as ‘malware signature updates’ since the malware signature is present but is now the signature is updated), or a file descriptor related to the computer-related security event - Knapp [0074] ... The check-in procedure could further include functions such as creating a file manifest to contain scan results, activity logs, messages, and other information relevant to the operation of the system 100.  Here, the claimed ‘file descriptor’ is taught by Knapp as ‘a file manifest’).

          As to claim 8, Knapp teaches the method of claim 1, further comprising outputting, by the at least one processor, the indication of the security event – Knapp [0075], the indication of the user account – Knapp [0075], and the indication of the number to a non-transitory computer-readable storage media that is communicatively coupled with the at least one processor - Knapp [0155] In some embodiments, various functions described in this patent document are implemented or supported by a computer program that is formed from computer readable program code and that is embodied in a computer readable medium. A non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable storage device).

           As to claim 9, Knapp teaches the method of claim 1, wherein the method further comprising altering, by the processor based on a security event type or the number of previous computer-related security events, a user access permission related to the user account – Knapp [0079] If the storage device 402 or a file is not successfully validated, the storage device 402 or the file is blocked by the SMX agent 103 and not made accessible for any meaningful access to the local file system of the protected node 102. During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user and the types of operations attempted or performed using the storage device 402. Note that “meaningful” access here includes read, write, or delete access for a stream, file, directory, or volume (which can be prevented when the device 402 is not checked-in.  Here, the claimed ‘altering’ is taught by Knapp as ‘not made accessible for any meaningful access’ limiting access functions. The claimed ‘security event type’ is taught by Knapp as ‘successfully validated’ because the scanning operation can find either validated or non-validated device or files resulting in clean or infected designations). 

           As to claim 12, Knapp teaches at least one non-transitory computer-readable media – Knapp [0015] a non-transitory computer readable medium contains instructions that, when executed by at least one processing device, cause the at least one processing device to detect a storage device at a protected node and determine whether the storage device has been checked-in for use with at least the protected node. Here, the claimed ‘at least one non-transitory computer-readable media’ is taught by Knapp as ‘a non-transitory computer readable medium’) comprising instructions that, upon execution of the instructions by at least one processor of an electronic device – Knapp [0015] ... The medium also contains instructions that, when executed by the at least one processing device, cause the at least one processing device to grant access to the storage device), are to cause the electronic device to:
         Identify - Knapp [0032] The system 100 uses the “check-in” and “check-out” mechanisms to authorize removable media or specific files or file types on the removable media. An end user wishing to use a storage device in a protected system first allows an SMX server 105 to scan and authorize the storage device, at which point the storage device is locked to prevent other uses of the storage device. ... When the user is finished with his or her task, the storage device can be checked-out using an SMX server 105, restoring the storage device to its normal functionality and preventing use of the storage device with the protected system nodes 102a-102n.  Here, the claimed ‘identify’ is taught by Knapp as ‘check in’ since inserting the media initiates identifying both the user and content further taught by Knapp at [0074]), for a computer-related security event related to use of a removable media device - Knapp [0074] ...The check-in procedure could include functions such as scanning the storage device 402 for malware, digitally signing and possibly encrypting clean files on the storage device 402, and quarantining any files identified as having malware on the storage device 402 (where the quarantined files are not signed or encrypted. Here, the claimed ‘security event’ is taught by Knapp as ‘quarantining any files identified as having malware’ as external insertion to protected device is a security event (see instant specification [0032]).  The claimed ‘removable media’ is taught by Knapp as ‘storage device 402’ depicted as a thumb drive in Figure 4), a user account associated with the security event - Knapp [0087] ... The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer.  Here, the claimed ‘user account’ is taught by Knapp as ‘active user’ which is a pertinent detail in the log associated with the check-in process.   The claimed ‘security event’ is taught by Knapp as ‘files identified as having malware’ which is not inconsistent with inserting a thumb drive into a secured/protected device);
          determine, based on the identification of the user account, a number of previous computer-related security events that are associated with the user account – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘determine’ is taught by Knapp as ‘audit logs’ since the log records the check-in process.  The claimed ‘identification of the user account’ is taught by Knapp as ‘identify the user account’.  The claimed ‘a number of previous computer-related security events’ is taught by Knapp as ‘operations attempted or performed’ because the logs would provide a quantity of times storage device was checked in and files quarantined.  Further, an operation is an event, and in this case, Knapp teaches the plurality of operation(s) which results in a number value recorded in and identified from the audit logs); and
            output an indication of the security event, an indication of the user account– Knapp [0079] ... If the storage device 402 and a file are successfully validated, the file is freely accessible by the local file system of the protected node 102 (so it can be copied from the removable storage device 402 to the local file system. Here, the claimed ‘outputting an indication’ is taught by Knapp as ‘freely accessible’ since the access is a declaration of no malware else the files could not be copied), an indication of the user account - Knapp [0087] ... The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer.  Here, the claimed ‘output ... user account’ is taught by Knapp as ‘active user’ identifying the account holder via the audit log associated with the check-in process), and an indication of the number of previous computer-related security events that are associated with the user account– Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event).            

           As to claim 14, Knapp teaches the at least one non-transitory computer-readable media of claim 12, wherein the instructions are further to identify the computer-related security event based on a file signature – Knapp [0038] ... If a user or the threat analysis server 112 determines that the code is malicious, the threat analysis server 112 can update the SMX servers 105 with new threat information. The threat analysis server 112 could also obtain information identifying new cyber-security threats (such as new malware signatures) from other sources and provide the threat information to the SMX servers 105. Here, the claimed ‘identify’ is taught by Knapp as ‘determines that the code is malicious’ since this determination identifies a security threat.  The claimed ‘file signature’ is taught by Knapp as ‘malware signature updates’ since the malware signature is present but is now the signature is updated), or a file descriptor related to the computer-related security event, or a file descriptor related to the computer-related security event - Knapp [0074] ... The check-in procedure could further include functions such as creating a file manifest to contain scan results, activity logs, messages, and other information relevant to the operation of the system 100.  Here, the claimed ‘file descriptor’ is taught by Knapp as ‘a file manifest’).

              As to claim 15, Knapp teaches the at least one non-transitory computer-readable media of claim 12, wherein the instructions are further to alter, based on a security event type or the number of previous computer-related security events, a user access permission related to the user account – Knapp [0079] If the storage device 402 or a file is not successfully validated, the storage device 402 or the file is blocked by the SMX agent 103 and not made accessible for any meaningful access to the local file system of the protected node 102. During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user and the types of operations attempted or performed using the storage device 402. Note that “meaningful” access here includes read, write, or delete access for a stream, file, directory, or volume (which can be prevented when the device 402 is not checked-in.  Here, the claimed ‘alter’ is taught by Knapp as ‘not made accessible for any meaningful access’ limiting access functions. The claimed ‘security event type’ is taught by Knapp as ‘successfully validated’ because the scanning operation can find either validated or non-validated device or files resulting in clean or infected designations).           

           As to claim 17, Knapp teaches an electronic device comprising:
           at least one processor- Knapp [0074] As shown in FIG. 4, a storage device 402 is inserted into a slot of or otherwise coupled to an SMX kiosk 104, and a check-in process can be selected on a display of the SMX kiosk 104 (or using another input mechanism). The SMX server 105 of the SMX kiosk 104 then performs the check-in procedure. Here, the claimed ‘at least one processor’ is taught by Knapp as ‘SMX server 105’. The claimed ‘electronic device’ is taught by Knapp as ‘SMX kiosk 104.’ Examiner note: the SMX server 105 has the SMX agents 103 as extensions and can be collectively considered as the at least one processor, as further defined by Knapp as [0031]; and 
           at least one non-transitory computer-readable media comprising instructions– Knapp [0015] a non-transitory computer readable medium contains instructions that, when executed by at least one processing device, cause the at least one processing device to detect a storage device at a protected node and determine whether the storage device has been checked-in for use with at least the protected node. Here, the claimed ‘at least one non-transitory computer-readable media’ is taught by Knapp as ‘a non-transitory computer readable medium’ whereas the claimed ‘comprise instructions’ is taught by Knapp as ‘contains instructions’) that, upon execution of the instructions by at least one processor of an electronic device – Knapp [0015] ... The medium also contains instructions that, when executed by the at least one processing device, cause the at least one processing device to grant access to the storage device), upon execution of the instructions by the at least one processor, are to cause the electronic device to:
                identify a plurality of computer-related security events - Knapp [0074] ... The check-in procedure could include functions such as scanning the storage device 402 for malware, digitally signing and possibly encrypting clean files on the storage device 402, and quarantining any files identified as having malware on the storage device 402.  Here, the claimed ‘identify’ is taught by Knapp as ‘scanning the storage device’ which detects malware.  The claimed ‘plurality of computer-related security events’ is taught by Knapp as ‘any files identified...malware’ since the events are multiple malware files installed on the drive);
                  identify a subset of the plurality of computer-related security events that are related to a removable media device – Knapp [0038] ... a threat analysis server 112 could denote a cloud-based or other computing platform that supports sandboxing, code analysis, reputation analysis, and behavioral analysis in order to identify new forms of malware. When an SMX server 105 is unable to determine whether code on a storage device includes malware, the SMX server 105 could provide the code to the threat analysis server 112 for evaluation.  Here, the claimed ‘identify a subset’ is taught by Knapp as ‘new forms of malware’ which is but a subset of the malware on the storage device but an unknown subset);
                 identify, for a computer-related security event of the subset of computer-related security events, a user account associated with the security event - Knapp [0087] ... The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer.  Here, the claimed ‘user account’ is taught by Knapp as ‘active user’ which is a pertinent detail in the log associated with the check-in process.   The claimed ‘security event’ is taught by Knapp as ‘files identified as having malware’ since infected files pose a security event per instant specification);
               identify, based on the identification of the user account, a number of previous computer-related security events – Knapp [0079] ... the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘identify’ is taught by Knapp as ‘audit logs’ since the log records the check-in process.  The claimed ‘identify based on the user account’ is taught by Knapp as ‘identify the user account’.  The claimed ‘a number of previous computer-related security events’ is taught by Knapp as ‘operations attempted or performed’ because the logs would provide a quantity of times storage device was checked in and files quarantined that are associated with the user account - Knapp [0075] ... The configuration parameters or other data can be used to update SMX agents 103 as described below. In addition, the results of the malware scan, a timestamp, an active user, configuration options, or other information can be stored on the storage device 402 in an encrypted and signed auditing file (called an audit log.  Here, the claimed ‘associated with the user account’ is taught by Knapp as ‘an active user’ ‘an active user’ since the check in mechanism identifies who is making the request to verify the user is authorized, and the indication of the number of previous-computer-related security events – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event).           

            As to claim 19, Knapp teaches the electronic device of claim 17, wherein the instructions are further to identify a computer-related security event of the plurality of computer-related security events based on a file signature or a file descriptor related to the computer-related security event – Knapp [0038] ... If a user or the threat analysis server 112 determines that the code is malicious, the threat analysis server 112 can update the SMX servers 105 with new threat information. The threat analysis server 112 could also obtain information identifying new cyber-security threats (such as new malware signatures) from other sources and provide the threat information to the SMX servers 105. Here, the claimed ‘identify’ is taught by Knapp as ‘determines that the code is malicious’ since this determination identifies a security threat.  The claimed ‘file signature’ is taught by Knapp as ‘malware signature updates’ since the malware signature is present but is now the signature is updated), or a file descriptor related to the computer-related security event - Knapp [0074] ... The check-in procedure could further include functions such as creating a file manifest to contain scan results, activity logs, messages, and other information relevant to the operation of the system 100.  Here, the claimed ‘file descriptor’ is taught by Knapp as ‘a file manifest’)..

              As to claim 20, Knapp teaches the electronic device of claim 17, wherein the instructions are further to alter, based on a security event type or the number of previous computer-related security events, a user access permission related to the user account – Knapp [0079] If the storage device 402 or a file is not successfully validated, the storage device 402 or the file is blocked by the SMX agent 103 and not made accessible for any meaningful access to the local file system of the protected node 102. During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user and the types of operations attempted or performed using the storage device 402. Note that “meaningful” access here includes read, write, or delete access for a stream, file, directory, or volume (which can be prevented when the device 402 is not checked-in.  Here, the claimed ‘altering’ is taught by Knapp as ‘not made accessible for any meaningful access’ limiting access functions. The claimed ‘security event type’ is taught by Knapp as ‘successfully validated’ because the scanning operation can find either validated or non-validated device or files resulting in clean or infected designations). 

Claims 6, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Knapp, in view of Nguyen; Cory-Khoi Quang et al, US 20200311262 A1, November 1, 2020, hereafter referred to as Nguyen.

         As to claim 6, Knapp teaches the method of claim 1. KNAPP DOES NOT TEACH wherein identifying the user account is based on at least one of a user identifier (ID), a hash related to the user ID, and an identifier of a computer associated with the user ID),
HOWEVER IN AN ANALAGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR NGUYEN TEACHES wherein identifying the user account is based on at least one of a user identifier (ID) and a hash related to the user ID – Nguyen [206] The account ID can be, e.g., a WINDOWS security identifier (SID), a numeric user ID, an X.500 or other globally-unique identifier of the user, a hash of any of those, or another identifier of the user whose credentials were used to log in and establish the session.  Here, the claimed ‘identifying the user account’ is taught by Knapp as ‘account ID’ whereas the claimed ‘user identifier (ID)’ is taught by Knapp as ‘SID’.  The claimed ‘hash related to the user ID’ is taught by Knapp as ‘a hash of any of those’) and an identifier of a computer associated with the user ID) - Nguyen [0205] ... The device ID can be a unique identifier of computing device 104, e.g., a machine GUID or a hash of details of computing device 104.  Here, the claimed ‘identifier’ is taught by Nguyen as ‘GUID’.  Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the explicit features of a user ID, hash of the user ID, and an identifier associated with the user ID to SMX Server 105 of Knapp.  Knapp does not explicitly teach use a User ID or hash of the User ID in the identification of the check in process but does identify the user.  Nguyen provides these features and incorporating them into Knapp may address the cases where applications and services often miss more sophisticated security violations such as non-malware malicious activity).    

          As to claim 13, Knapp teaches the at least one non-transitory computer-readable media of claim 12. KNAPP DOES NOT TEACH wherein the instructions are to identify the user account based on at least one of a user identifier (ID), a hash related to the user ID, and an identifier of a computer associated with the user ID, HOWEVER IN AN ANALAGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR NGUYEN TEACHES wherein the instructions are to identify the user account based on at least one of a user identifier (ID), a hash related to the user ID, and an identifier of a computer associated with the user ID – Nguyen [206] The account ID can be, e.g., a WINDOWS security identifier (SID), a numeric user ID, an X.500 or other globally-unique identifier of the user, a hash of any of those, or another identifier of the user whose credentials were used to log in and establish the session.  Here, the claimed ‘identifying the user account’ is taught by Knapp as ‘account ID’ whereas the claimed ‘user identifier (ID)’ is taught by Knapp as ‘SID’.  The claimed ‘hash related to the user ID’ is taught by Knapp as ‘a hash of any of those’) and an identifier of a computer associated with the user ID) - Nguyen [0205] ... The device ID can be a unique identifier of computing device 104, e.g., a machine GUID or a hash of details of computing device 104.  Here, the claimed ‘identifier’ is taught by Nguyen as ‘GUID’.  Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the explicit features of a user ID, hash of the user ID, and an identifier associated with the user ID to SMX Server 105 of Knapp.  Knapp does not explicitly teach use a User ID or hash of the User ID in the identification of the check in process but does identify the user.  Nguyen provides these features and incorporating them into Knapp may address the cases where applications and services often miss more sophisticated security violations such as non-malware malicious activity).  

            As to claim 18, Knapp teaches an electronic device of claim 17. KNAPP DOES NOT TEACH wherein identifying the user account is based on at least one of a user identifier (ID), a hash related to the user ID, and an identifier of a computer associated with the user ID), HOWEVER IN AN ANALAGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR NGUYEN TEACHES wherein identifying the user account is based on at least one of a user identifier (ID) and a hash related to the user ID – Nguyen [206] The account ID can be, e.g., a WINDOWS security identifier (SID), a numeric user ID, an X.500 or other globally-unique identifier of the user, a hash of any of those, or another identifier of the user whose credentials were used to log in and establish the session.  Here, the claimed ‘identifying the user account’ is taught by Knapp as ‘account ID’ whereas the claimed ‘user identifier (ID)’ is taught by Knapp as ‘SID’.  The claimed ‘hash related to the user ID’ is taught by Knapp as ‘a hash of any of those’) and an identifier of a computer associated with the user ID) - Nguyen [0205] ... The device ID can be a unique identifier of computing device 104, e.g., a machine GUID or a hash of details of computing device 104.  Here, the claimed ‘identifier’ is taught by Nguyen as ‘GUID’.  Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the explicit features of a user ID, hash of the user ID, and an identifier associated with the user ID to SMX Server 105 of Knapp.  Knapp does not explicitly teach use a User ID or hash of the User ID in the identification of the check in process but does identify the user.  Nguyen provides these features and incorporating them into Knapp may address the cases where applications and services often miss more sophisticated security violations such as non-malware malicious activity).    

Claims 10-11 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Knapp, in view of Yavo; Udi et al, US 20210200870 A1, July 1, 2021, hereafter referred to as Yavo.

           As to claim 10, Knapp teaches the method of claim 1, wherein the method further comprises outputting, by the processor, the indication of the security event, the indication of the user account, and the indication of the number of previous computer-related security events - Knapp [0075] ... The configuration parameters or other data can be used to update SMX agents 103 as described below. In addition, the results of the malware scan, a timestamp, an active user, configuration options, or other information can be stored on the storage device 402 in an encrypted and signed auditing file (called an audit log), and the audit log could be reported to a security manager 108 or threat analysis server 112.  Here, the claimed ‘outputting’ is taught by Knapp as ‘audit log could be reported’ since SMX server 105 sends updates the SMX agents 103 during or after check in. The claimed ‘indication of the security event’ is taught by Knapp as ‘results of the scan’ where files could indicate clean device/file or indicate malware.  The claimed ‘indication of a user account’ is taught by Knapp as ‘an active user’ since the check in mechanism identifies who is making the request to verify the user is authorized, and the indication of the number of previous-computer-related security events – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event.  KNAPP DOES NOT TEACH outputting, by the processor, if the number of previous computer-related security events is at or above a threshold value HOWEVER IN AN ART DIRECTED TO THE SAME FIELD OF ENDEAVOR YAVO TEACHES outputting, by the processor if the number of previous computer-related security events is at or above a threshold value   - Yavo [0038] ... network security platform 110 compares the static analysis score with the static analysis threshold and when the static analysis score meets or exceeds the static analysis threshold, then network security platform 110 treats the process as malicious (e.g., makes an initial classification of the process as malicious) and may take appropriate action to protect the endpoint device 106 (e.g., quarantining the file, notify the administrator, and/or block execution of the process.  Here, the claimed ‘outputting’ is taught by Yavo as ‘notify the administrator’ whereas the claimed ‘processor’ is taught by Yavo as ‘network security platform 110’).  The claimed ‘previous computer-related security events’ is taught by Yavo as ‘score’ since actions cannot be quantified or scored unless they have previously been observed.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to consider modifying Knapp’s system 100 to provide logic that outputs an indicator when the user has inserted an infected media into the system.  Knapp audit file would identify the user submitting the removable device but Knapp is silent on establishing a threshold and reporting based on the threshold.  Yavo provides the threshold feature thereby improving Knapp’s SMX 105 server to instantly detect user threshold violations).

             As to claim 11, the combination of Knapp and Yavo teaches the method of claim 10, wherein the threshold value is based on the user account, the number of previous computer-related security events, or a type of the security event – Yavo [0032] ... The static analysis threshold specifies a threshold for a particular process to be considered malicious when compared to a particular score assigned to the particular process as a result of performing static file analysis on files associated with the particular process and the weighting factors are indicative of a significance of the corresponding behavior to an inference of malicious intent.  Here, the claimed ‘type of security event’ is taught by Yavo as ‘a particular process’ because a normal or particular score is assigned to the process.  The rationale to combine Yavo threshold logic to Knapp system 100 in claim 10 applies here in claim 11).

            As to claim 16, Knapp teaches the at least one non-transitory computer-readable media of claim 12, wherein the instructions are further to output the indication of the security event, the indication of the user account, - Knapp [0075] ... The configuration parameters or other data can be used to update SMX agents 103 as described below. In addition, the results of the malware scan, a timestamp, an active user, configuration options, or other information can be stored on the storage device 402 in an encrypted and signed auditing file (called an audit log), and the audit log could be reported to a security manager 108 or threat analysis server 112.  Here, the claimed ‘to output’ is taught by Knapp as ‘audit log ...reported’ since SMX server 105 sends updates the SMX agents 103 during or after check in. The claimed ‘indication of the security event’ is taught by Knapp as ‘results of the scan’ since scan results indicate the security event.  The claimed ‘indication of a user account’ is taught by Knapp as ‘an active user’ since the check in mechanism identifies who is making the request to verify the user is authorized, and the indication of the number of previous-computer-related security events – Knapp [0079] ... During this time, the audit log(s) on the storage device 402 can be updated by the SMX agent 103 to identify the user account and the types of operations attempted or performed using the storage device 402.  Here, the claimed ‘indication’ is taught by ‘audit logs’ since an audit log denotes a record of past events that can be enumerated and counted, hence the audit.  The claimed ‘number of previous computer-related security events’ is taught by Knapp as ‘operations attempted’ since the quarantine operations attempted can be enumerated and added to determine a number or previous quarantine event.  KNAPP DOES NOT TEACH output, by the processor, if the number of previous computer-related security events is at or above a threshold value HOWEVER IN AN ART DIRECTED TO THE SAME FIELD OF ENDEAVOR YAVO TEACHES output, by the processor if the number of previous computer-related security events is at or above a threshold value   - Yavo [0038] ... network security platform 110 compares the static analysis score with the static analysis threshold and when the static analysis score meets or exceeds the static analysis threshold, then network security platform 110 treats the process as malicious (e.g., makes an initial classification of the process as malicious) and may take appropriate action to protect the endpoint device 106 (e.g., quarantining the file, notify the administrator, and/or block execution of the process.  Here, the claimed ‘outputting’ is taught by Yavo as ‘notify the administrator’ whereas the claimed ‘processor’ is taught by Yavo as ‘network security platform 110’).  The claimed ‘previous computer-related security events’ is taught by Yavo as ‘score’ since actions cannot be quantified or scored unless they have previously been observed.  The rationale to combine Yavo threshold logic to Knapp system 100 in claim 10 applies here in claim 16).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 249109/21/2022