DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claims, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Niemela (US 2012/0002839 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7-11, 13-15, and 17-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Balinsky (US 2014/0165137 A1) in view of Niemela (US 2012/0002839 A1) and Wyatt (US 2012/0240236 A1).

Regarding claim 1, Balinsky discloses: A system for preventing or controlling misuse of data, the system comprising: 
a learning engine executing on one or more hardware processors, the learning engine configured to: 
identify capabilities of [system calls];
detect activities relating to data access or transfer from, into or through the computing environment via invocation [of system calls associated with], the invocation to access or transfer data, the invocation including at least one of a user interaction with the graphical user interface element and a function call via the application programming interface function; and 
Refer to at least [0011]-[0014] of Balinsky with respect to detecting calls and recognizing a potential to leak data.
Refer to at least [0027] of Balinsky with respect to system calls associated with APIs.
Refer to at least [0015] of Balinsky with respect to system calls associated with GUI interaction by a user.
determine, according to data assets of the computing environment that are identified to be protected, and at least one of the capabilities or activities, a situation within the computing environment that represents potential or actual misuse of one of the identified data assets, wherein the data assets that are to be protected are identified according to metadata of the data assets; and 
Refer to at least [0030] and [0036]-[0037] of Balinsky with respect to determining document sensitivity and associated policy in association with document’s metadata. 
Refer to at least [0030]-[0032] and [0035] of Balinsky with respect to policies. 
a rule engine executing on the one or more hardware processors, the rule engine configured to perform an action to prevent or control the potential or actual misuse of the one of the identified data assets, responsive to applying one or more rules to the determined situation.
Refer to at least the abstract and [0045]-[0050] of Balinsky with respect to actions associated with the policies. 
Balinsky does not disclose: identify a graphical user interface element of a plurality of interfaces by applying an image recognition algorithm to a screenshot of a rendering of an application launched in a computing environment, the plurality of interfaces including the graphical user interface element and an application programming interface function; identifying the capabilities being of at least the graphical user interface element; the plurality of interfaces as available for invocation by a user, the capabilities to access or transfer data in the computing environment; via invocation of one or more of the plurality of interfaces. However, Balinsky in view of Niemela discloses: identify a graphical user interface element of a plurality of interfaces by applying an image recognition algorithm to a screenshot of a rendering of an application launched in a computing environment, the plurality of interfaces including the graphical user interface element and an application programming interface function; 
Refer to at least the abstract, [0008], [0010], [0056]-[0058], and [0068] of Niemela with respect to identifying image elements of an application GUI via screenshot and OCR, for malware analysis.
Balinsky-Niemela in view of Wyatt further discloses: identifying the capabilities being of at least the graphical user interface element; the plurality of interfaces as available for invocation by a user, the capabilities to access or transfer data in the computing environment; via invocation of one or more of the plurality of interfaces.
Refer to at least [0097]-[0098] of Wyatt with respect to data object capabilities. 
Refer to at least [0076] of Wyatt concerning “e.g., system calls, API calls, libraries used, inter-process communication calls, number of SMS messages transmitted, number of email messages sent, information about user interfaces displayed, URLs accessed.”
The teachings of Balinsky, Niemela, and Wyatt concern detection and analysis of malware, and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Balinsky to further include support for malware image recognition for at least the reasons discussed in [0004], [0044]-[0045], and [0069] of Niemela (i.e., identifying zero day exploits and polymorphic malware). It further would have been obvious to include detailed object capability analysis for the same reason of expanding the data model to better identify security concerns. 

Regarding claim 3, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the learning engine is configured to detect the capabilities or the activities by monitoring or detecting one or more of: graphical user interface (GUI) controls available to a user control selection by the user, application programming interface (API) calls, files accessed, data communicated over a network, or activity using an input/output (I/O) device.
Refer to at least [0014]-[0016] with respect to exemplary potential leak events. 

Regarding claim 4, it is rejected for substantially the same reasons as claim 1 above (i.e., with respect to the metadata).

Regarding claim 5, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the computing environment comprises at least one of a web browser, an application, background system service, or an input/output (I/O) device,
Refer to at least [0025]-[0026] of Balinsky with respect to applications and/or documents monitored.
wherein the application comprises a cloud-synchronization application, an electronic-mail application, a document processing or rendering application, a data transfer or copying application, or a facsimile or printing application.
Refer to at least [0016], TABLE 1 on page 3, and the examples starting on page 7 of Balinsky with respect to exemplary applications.

Regarding claim 7, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the learning engine is configured to detect the capabilities or the activities by detecting meta-data, words or phrases associated with application interfaces indicative of means of data egress from the computing environment.
Refer to at least [0030] and [0038]-[0044] of Balinsky with respect to parsing the document for metadata and/or content; words or phrases.

Regarding claim 8, it is rejected for substantially the same reasons as claim 7 above (i.e., the citations).

Regarding claim 9, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the learning engine is configured to determine whether there is a situation within the computing environment that represents potential or actual exfiltration of one or more of the identified data assets, responsive to a triggering event.
Refer to at least [0013] and [0017] of Balinsky with respect to filtering out events. 
Refer to at least [0028]-[0031] of Balinsky with respect to suspending suspicious calls and further determination.

Regarding claim 10, it is rejected for substantially the same reasons as claim 1 above (i.e., with respect to the actions).

Regarding independent claim 11, it is substantially similar to independent claim 1, but is in method form. Accordingly, independent claim 11 is rejected for substantially the same reasons as independent claim 1.

Regarding claims 13-15 and 17-20, they are substantially similar to claims 3-10 above, and are therefore likewise rejected.

Regarding claim 21, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the learning engine is configured to apply a prediction model to the capabilities and the activities to determine the situation within the computing environment that represents potential or actual misuse of one of the identified data assets.
Refer to at least FIG. 20 of Wyatt with respect to its correlation and comparison engine and inference engine. Said engines are operable to perform the cited analysis of icon and permissions / capabilities metadata.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 22, Balinsky-Niemela-Wyatt discloses: The system of claim 1, wherein the learning engine is further configured to: perform an optical character recognition algorithm on the graphical user interface element to determine recognized text in the graphical user interface element; and identify the capabilities based on the recognized text.
Refer to at least [0057] and [0068] of Niemela with respect to obtaining strings present in display data, as well as additional information of the application under analysis. 
This claim would have been obvious for substantially the same reasons as claim 1 above.


Claims 2 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Balinsky-Niemela-Wyatt as applied to claims 1, 3-5, 7-11, and 13-15, 17-22 above, and further in view of Shou (US 8,549,643 B1).

Regarding claim 2, Balinsky-Niemela-Wyatt does not fully disclose: further comprising training data for use by the learning engine to recognize application or user behavior indicative of potential or actual misuse of data. However, Balinsky-Niemela-Wyatt in view of Shou discloses: further comprising training data for use by the learning engine to recognize application or user behavior indicative of potential or actual misuse of data.
Refer to at least Col. 5, Ll. 30-37 and Col. 6, Ll. 37-47 of Shou with respect to generating a corpus of training data for use in generating detection scripts.
The teachings of both Balinsky and Shou concern preventing data leakage, and are considered to be combinable as such. Further, Balinsky comprises automatic policy retrieval (e.g., [0034] of Balinsky). 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Balinsky-Niemela-Wyatt to include use of training data for policies for at least the purpose of implementing adaptive models which are adjustable with training data rather than with manual rule changes (i.e., increased efficiency and automation).

Regarding claim 12, it is substantially similar to claim 2 above, and is therefore likewise rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432