Notice of Pre-AIA  or AIA  Status
Claims 1-27 remain for examination.  The amendment filed 9/21/22 added claims 24-27, and amended claims 1, 14, 15. 18-20, & 22. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/21/22 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/25/19 has been considered by the Examiner.

Response to Arguments
The rejection of claims 1-23 under 35 USC 112 are withdrawn as being moot in view of Applicant’s amendments to the claims.
Regarding claims 1 & 20, Applicant argues:
Regarding claim 1, Hart, Annen, Greevy, Soby, Ford, and Weith, either individually or in combination, fail to even suggest the features of "determine that the detected anomalous pattern comprises obfuscated secure enterprise information" and "provide the detected anomalous pattern as labeled training data to train a machine learning model for obfuscated information." For example, while Annen discusses that "The anomaly detection model 508 may be implemented using a. deep neural network (DNN), and the encryption detection model 522 may be implemented using a logistic regression model (LRM)" at paragraph 0078, Annen fails to suggest anything about "obfuscated secure enterprise information." Because independent claim 20 includes similar features, claim 20 is patentable for at least the above reasons.

	Examiner disagrees, noting that one of the ways in which Annen detects ransomware is to observe when previously unencrypted office information has subsequently been encrypted via suspicious means (see. e.g. paragraphs 0091-0094).  A person of ordinary skill in the art would have reason to believe that at least some of the documents stored by an enterprise would be considered “sensitive”, and as such the ability to detect when such documents are encrypted in a suspicious manner could be construed as determining that the detected anomalous pattern comprises obfuscated secure enterprise information under the broadest reasonable interpretation of the term in view of the instant specification.  Furthermore, since the Annen disclosure requires the invention to have previously examined the documents at least once prior to detecting unauthorized encryption, note that the Hart reference teaches analyzing documents to distinguish between those that are public and those that are secret [i.e. “sensitive”] (Hart, pages 7-8).  Thus, the combination of Hart with Annen would recognize previously identified secret documents may have been encrypted by ransomware, resulting in a determination that the obfuscated document contained sensitive information.  As for the other limitation, Annen clearly discloses in paragraph 0091 that the invention can take the identified anomalous pattern and label it as training data for further refinement of its model(s).


Regarding claim 22, Applicant argues:
Moreover, regarding claim 22, Hart, Annen, and Greevy fail to suggest the feature of "replace replaced anomalous content associated with the anomalous pattern with alternative content to prevent disclosure of secure enterprise information, wherein the alternative content and the replaced anomalous content have a same format." (Emphasis added.) For example, Greevy discloses (Paragraph 0073.): 

In yet another implementation, upon receipt of an email for which either the sender or the recipient is included in an exclusion list. the security server can scan the email for sensitive information and automatically remove (e g., redact) sensitive information from the email prior to releasing the email for delivery to the recipient's email address. For example. in response to detecting sensitive information in the email, the security server can automatically redact the sensitive information from the email, insert - into the email - a hyperlink to a secure webpage containing the sensitive information, and then transmit the revised email in unencrypted form or encrypted according to a strongest encryption protocol supported by the recipient's mail client and/or incoming mail server to the recipient address. Upon receipt of the email, the recipient can select the hyperlink within the email to access a secure web portal to view content redacted from the email or to view content of the email in its entirety. 

While Greevy discusses that sensitive e-mail can redacted and replaced with a hyperlink, Greevy fails to suggest anything about "the alternative content and the replaced anomalous content [having] a same format".

	Examiner disagrees, noting that a hyperlink, as understood by persons of ordinary skill in the art, is merely a plaintext string that indicates an address of a resource on the World Wide Web and/or the Internet.  Thus, the disclosed ability of the Greevy invention to replace the offending text to be redacted with a text string that links to a secure location to access the redacted content still reads on the limitation under the broadest reasonable interpretation of the term “format” [i.e. text] in view of the instant specification.
Applicant’s arguments, see pages 11 & 13 of the RCE filed 9/21/22, with respect to claims 15, 14, & 23 have been fully considered and are persuasive.  The rejection of claims 14-19 & 23 has been withdrawn. 
The rejection of the remaining claims not explicitly enumerated above are maintained for the reasons as discussed supra.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3-11, 20, 24, & 25 are rejected under 35 U.S.C. 103 as being unpatentable over “Text Classification for Data Loss Prevention” (hereinafter, “Hart”) in view of U.S. Patent Publication 2021/0044603 (hereinafter, “Annen”).

Regarding claims 1 and 20:
Hart discloses a computing platform, method, and computer program product comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions  (all elements of a computer implementing the disclosed method(s) implied by the results disclosed on pages 10-11, “5. Evaluation”) that, when executed by the at least one processor, cause the computing platform to: monitor, in real-time and via a computing device, a transmission of textual data from a user device (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “First, the system discovers the three types of enterprise data by scanning storage devices, intercepting network traffic in real time, and monitoring user actions on end point devices.” [emphasis Examiner’s]); scan, via the computing device, a content of the textual data (Ibid: “Second, the system identifies confidential enterprise data from the data discovered in the first step.”; see also the first paragraph of page 4); perform, via the computing device and based on the scanning, textual analysis of the scanned content (pages 5-8, “3 Text Classifiers for DLP”); detect, in real-time and based on the textual analysis, an anomalous pattern indicative of secure enterprise information (Ibid; see also pages 10-11, “5. Evaluation”); and trigger, via the computing device, one or more security actions to prevent the transmission of the secure enterprise information (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “Third, the system enforces enterprise policies on confidential data. For example, the system may encrypt confidential data-at-rest to prevent unauthorized use; the system may block confidential data-in-motion from leaving the enterprise and may prevent confidential data from being copied to a USB device” [emphasis Examiner’s]; see also page 12, “6. Discussion”, particularly the 1st paragraph: “Our method coupled with the DLP system's ability to recognize data flow from a trusted to an untrusted device should prevent these type of leakages.”). 
Hart does not disclose determining that the detected anomalous pattern comprises obfuscated secure enterprise information; and providing the detected anomalous pattern as labeled training data to train a machine learning model for obfuscated information.  However, Annen discloses a related invention comprising these limitations (paragraphs 0078-0081 and 0091-0094).  It would have been obvious prior to the effective filing date of the instant application to train a machine learning model to recognize and decrypt encrypted data, as doing so would help one defend one’s network from ransomware (e.g. Annen, paragraphs 0002-0003).

Regarding claim 3:	Hart further discloses wherein the secure enterprise information is in numeric format, and wherein the anomalous pattern comprises the secure enterprise information in alphanumeric format (see page 4, top paragraph, regarding examples of detecting e.g. social security numbers and telephone numbers [numeric content] within the text being analyzed by the invention). 

Regarding claim 4:	Hart further discloses wherein the secure enterprise information is in alphanumeric format, and wherein the anomalous pattern comprises the secure enterprise information in an altered alphanumeric format (page 4, Ibid). 

Regarding claim 5:	Hart further discloses wherein the anomalous pattern comprises a portion of the content that deviates from a context of the content (page 13, paragraph beginning with “The xtra.info attribute…”). 

Regarding claim 6:	Hart further discloses wherein the instructions to perform the textual analysis comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: perform the textual analysis based on a language model (page 11, paragraph beginning with “Our approach is unique…”). 

Regarding claim 7:	Hart further discloses wherein the instructions to detect the anomalous pattern comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: train a machine learning model based on previously detected anomalous patterns (page 4, paragraph beginning with “Our approach builds on a well-studied machine learning technique…”; and page 9, “4. DLP corpora”). 

Regarding claim 8:	Hart further discloses wherein the instructions to detect the anomalous pattern comprise additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: train a machine learning model to generate additional anomalous patterns (page 4, paragraph beginning with “Our approach builds on a well-studied machine learning technique…”; and page 9, “4. DLP corpora”); and detect the anomalous pattern based on the additional anomalous patterns (pages 10-11, “5. Evaluation”). 

Regarding claim 9:	Hart further discloses wherein the textual data comprises data associated with an electronic communication (page 3, “2. Data Loss Prevention Systems”, particularly the first paragraph: “Data-in-motion is enterprise data contained in outbound network traffic such as emails, instant messages, and web traffic”). 

Regarding claim 10:	Hart further discloses wherein the textual data comprises data associated with an electronic document spooled for printing to a print device (Ibid: printers inherently being end-point devices which qualify under the data-in-use criterion). 

Regarding claim 11:	Hart further discloses wherein the one or more security actions comprises preventing the transmission of the textual data (page 3, “2 Data Loss Prevention Systems”, particularly the 3rd paragraph: “Third, the system enforces enterprise policies on confidential data. For example, the system may encrypt confidential data-at-rest to prevent unauthorized use; the system may block confidential data-in-motion from leaving the enterprise and may prevent confidential data from being copied to a USB device” [emphasis Examiner’s]). 

Regarding claim 24:
	The combination further discloses wherein the anomalous pattern comprises the secure enterprise information in an altered alphanumeric formation (Annen: detecting that an unencrypted document comprising plaintext has since been encrypted into ciphertext: paragraphs 0078-0081 & 0091-0094).

Regarding claim 25:
	The combination further discloses detecting that the obfuscated information is out of context with respect to the textual data (Annen: detecting that an unencrypted document comprising plaintext has since been encrypted into ciphertext: paragraphs 0078-0081 & 0091-0094).

Claims 2, 12, and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of U.S. Patent Publication 2018/0054447 (hereinafter, “Greevy”).

Regarding claim 2:
	Hart explicitly states that their invention as currently disclosed does not decrypt encrypted data for analysis (e.g. pages 5-6, the paragraph beginning with “The major drawback of confidential data identification schemes…”), although Hart does at least explicitly suggest that this functionality may yet be incorporated into future revisions of this invention (e.g. page 16, “8. Conclusion and Future Work”: “We will also look to expand our approach to include encrypted and multimedia content”; see also page 5, top paragraph).  Subsequent to Hart’s disclosure, Greevy discloses a related invention for data loss prevention via email (e.g. paragraphs 0011-0012, 0037, & 0063) which includes the steps of decrypting an email in transit and scanning it for security threats prior to delivery (paragraph 0026).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart to allow it to decrypt emails in transit in search of sensitive information, as this had become a known option within the grasp of a person of ordinary skill in the art, to achieve the predictable effect of preventing sensitive information from being intercepted or accessed maliciously (Greevy, paragraph 0037).

Regarding claim 12:	Hart does not explicitly disclose wherein the one or more security actions comprises modifying, based on a machine learning model, the anomalous pattern to prevent a disclosure of the secure enterprise information. However, Greevy discloses a related invention for data loss prevention through email (e.g. paragraphs 0011-0012, 0037, & 0063) which includes the steps of redacting sensitive information that was detected within a scanned email (paragraph 0073).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart to allow it to redact sensitive information identified by its machine learning model(s) found within emails being scanned, as this had become a known option within the grasp of a person of ordinary skill in the art, to achieve the predictable effect of preventing sensitive information from being intercepted or accessed maliciously (Greevy, paragraph 0037).

Regarding claim 21:
	The rationale(s) for rejecting claims 2 & 12 apply mutatis mutandis to claim 21.

Regarding claim 22:
	The combination further discloses replacing replaced anomalous content associated with the anomalous pattern with alternative content to prevent disclosure of secure enterprise information (Greevy, paragraph 0073), wherein the alternative content and the replaced anomalous content have a same format (both the redacted information from the email and the hyperlink that replaces it are text strings: Greevy, Ibid).
  
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of U.S. Patent Publication 2019/0370468 (hereinafter, “Soby”).

Regarding claim 13:	Hart does not explicitly disclose wherein the one or more security actions comprises modifying an access permission of an enterprise user associated with the user device.  However, Soby discloses a related invention for protecting confidential information from exposure (e.g. Abstract) wherein this limitation is taught (i.e. removing a user’s access to information determined to have been exposed: paragraph 0028).  It would have been obvious prior to the effective filing date of the instant invention to modify Hart’s invention to modify the access permission of an enterprise user associated with the user device, as doing so was a known option within the grasp of a person of ordinary skill in the art, in order to achieve the predictable effect of limiting the exposure of confidential information from said user in the future (Soby, Ibid).

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Hart in view of Annen as applied to claim 1 above, and further in view of “Data Loss Prevention Based on Text Classification in Controlled Environments” (from the Office Action mailed 12/17/21; hereinafter, “Kongsgard”).

Regarding claim 26:
	Neither Hart nor Annen disclose detecting the obfuscated secure enterprise information by identifying a pattern of alphabetic forms of numeric characters interpreted within the content of the textual data.  However, Kongsgard discloses a related invention for data loss prevention wherein techniques are employed to detect when a document has been rewritten while still being semantically identical to the original, wherein the modified document was intended to evade detection from a DLP system (page 138, “3. Rewritten Documents”).  It would have been obvious to employ Kongsgard’s methods to the invention of Hart and/or Annen to detect when one replaces numerals with their word equivalents, as doing so would help better detect data leaks from inside the enterprise (Kongsgard, page 136, “Evasion & Poisoning”).

Allowable Subject Matter
Claims 15-19 and 27 are allowed over the prior art.
Claims 14 and 23 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  Independent claim 15, and dependent claim 14, recite inter alia “wherein the one or more security actions comprises generating, based on the monitoring, a risk profile of an enterprise user associated with the user device, wherein the risk profile is indicative of a likelihood of the enterprise user to transmit secure enterprise information.”  None of the prior art of record, including the previously cited Ford reference (U.S. Patent Publication 2015/0310188) disclose this limitation; at best, they disclose detecting an act of a user improperly accessing protected content, rather than calculating a risk profile of the likelihood that said user would transmit protected information.  Dependent claims 16-19 follow from independent claim 15 and are of consequence allowable; likewise, claim 23 follows from dependent claim 14 and is of consequence allowable. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435                                                                                                                                                                                                        10/22/2022