DETAILED ACTION
Claims 1-20 are pending in this application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,200,338 B2 issued to Hoa. Although the claims at issue are not identical, they are not patentably distinct from each other because all claim limitations of the instant application is present in the 11,200,338 B2 patent.


Instant Application No. 17/521,817
U.S. Pat. No. 11,200,338 B2
Claim 1:
   A method comprising: 
providing, by a security engine, access to data from a database requested by a requesting entity, 









the security engine configured to, in response to determining that the accessed data comprises sensitive information, modify the accessed data to include a tag within metadata of the accessed data indicating that the accessed data includes sensitive information; 
providing, by the security engine, the modified data to a client device of the requesting entity, the client device different from the security engine and the database; 
receiving, by the security engine, a notification from the client device in response to a request from each of a plurality of accessing entities to access the modified data from the client device, the client device configured to provide the notifications to the security engine in response to detecting the tag within the modified data when access is requested by each of the accessing entities; and 
modifying, by the security engine, a data access log to identify each attempted access to the modified data by each accessing entity, the modified data access log identifying the accessing entity, the modified data, and a time associated with the attempted access to the modified data. 

Claim 2:
   The method of claim 1, wherein the metadata of the accessed data comprises at least one of: a category of data, a type of data, a format of data, a sensitivity of data, and a required authorization level.  

Claim 3:
The method of claim 1, wherein the modified data access log further identifies at least one of: - 29 -a user account associated with the requesting entity; a hardware identifier for a device used by the requesting entity to access the modified data; a software identifier for software used by the requesting entity to access the modified data; and information indicating whether the attempt to access the modified data was successful.  

Claim 4:
  The method of claim 1, wherein the modified data access log further identifies one or more of: a web page used to access the modified data, a form used to access the modified data, and one or more fields displayed by a device of the requesting entity associated with the modified data.  

Claim 5:
The method of claim 1, wherein the sensitive information is personally identifiable information (PII).  


Claim 6:
   The method of claim 1, wherein portions of the database including sensitive information are defined by a data security policy.  


Claim 7:
  The method of claim 1, further comprising: responsive to receiving a request from an auditing entity to audit the modified data access log for information associated with a potential data breach, accessing, by the security engine, access data associated with the potential data breach from the modified data access log; and responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity.  

Claim 8:
   The method of claim 7, further comprising modifying, by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity.  
Claim 9:
   The method of claim 1, further comprising: responsive to determining that the requested data is not stored in one or more database columns corresponding to sensitive information, providing, by the security engine, the requested data from the database to the requesting entity. 

Claim 10:
   The method of claim 1, further comprising: in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data.  

Claim 11:
  The method of claim 1, further comprising: responsive to determining that the modified data has been accessed by an unauthorized entity, by the security engine, sending a notification identifying the unauthorized access to a user.  


Claim 12:
  The method of claim 1, further comprising: determining that the modified data has been accessed by an unauthorized accessing entity that is unauthorized to access the modified data; and responsive to the determining that the modified data has been accessed by the unauthorized entity, preventing, by the security engine, the unauthorized entity from subsequently accessing the modified data.  

Claim 13:
   A non-transitory computer readable storage medium storing executable instructions that, when executed by one or more processors, cause the processor to perform steps comprising:
    providing, by a security engine, access to data from a database requested by a requesting entity, 










the security engine configured to, in response to determining that the accessed data comprises sensitive information, modify the accessed data to include a tag within metadata of the accessed data indicating that the accessed data includes sensitive information;
   
  providing, by the security engine, the modified data to a client device of the requesting entity, the client device different from the security engine and the database;
    receiving, by the security engine, a notification from the client device in response to a request from each of a plurality of accessing entities to access the modified data from the client device, the client device configured to provide the notifications to the security engine in response to detecting the tag within the modified data when access is requested by each of the accessing entities; and 
   modifying, by the security engine, a data access log to identify each attempted access to the modified data by each accessing entity, the modified data access log identifying the accessing entity, the modified data, and a time associated with the attempted access to the modified data.  

Claim 14:
  The non-transitory computer readable storage medium of claim 13, wherein the sensitive information is personally identifiable information (PII).  


Claim 15:
    The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise: - 32 -responsive to receiving a request from an auditing entity to audit the modified data access log for information associated with a potential data breach, accessing, by the security engine, access data associated with the potential data breach from the modified data access log; and responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity.  


Claim 16:
  The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise modifying, by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity. 

Claim 17:
  The non-transitory computer readable storage medium of claim 13, wherein the metadata of the retrieved data comprises at least one of: a category of data, a type of data, a format of data, a sensitivity of data, and a required authorization level. 

Claim 18:
  The non-transitory computer readable storage medium of claim 13, wherein the modified data access log further identifies at least one of: a user account associated with the requesting entity; a hardware identifier for a device used by the requesting entity to access the modified data; a software identifier for software used by the requesting entity to access the modified data; and information indicating whether the attempt to access the modified data was successful.  



Claim 19:
  The non-transitory computer readable storage medium of claim 13, wherein the modified data access log further identifies one or more of: a web page used to access the - 33 -modified data, a form used to access the modified data, and one or more fields displayed by a device of the requesting entity associated with the modified data.  

Claim 20:
   The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise: in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data.
Claim 1:
  A method comprising:
  receiving, by a security engine, a request from a requesting entity to access data in a database; 
  determining, by the security engine, that the requested data is stored in one or more database columns corresponding to sensitive information; 
  in response to the requesting entity being authorized to access the data, retrieving, by the security engine, the requested data from the database;    modifying, by the security engine, the retrieved data by modifying metadata of the retrieved data to include a tag indicating that the retrieved data includes sensitive information; providing, by the security engine, the modified data to a client device of the requesting entity, the client device different from the security engine and the database; 
    
receiving, by the security engine, a notification from the client device in response to a request from each of a plurality of accessing entities to access the modified data from the client device, the client device configured to provide the notifications to the security engine in response to detecting the tag within the modified data when access is requested by each of the accessing entities; and 



  modifying, by the security engine, a data access log to identify each attempted access to the modified data by each accessing entity, the modified data access log identifying the accessing entity, the modified data, and a time associated with the attempted access to the modified data.

Claim 2:
  The method of claim 1, wherein the metadata of the retrieved data comprises at least one of: a category of data, a type of data, a format of data, a sensitivity of data, and a required authorization level.

Claim 3:
 The method of claim 1, wherein the modified data access log further identifies at least one of: a user account associated with the requesting entity; a hardware identifier for a device used by the requesting entity to access the modified data; a software identifier for software used by the requesting entity to access the modified data; and information indicating whether the attempt to access the modified data was successful.

Claim 4:
   The method of claim 1, wherein the modified data access log further identifies one or more of: a web page used to access the modified data, a form used to access the modified data, and one or more fields displayed by a device of the requesting entity associated with the modified data.

Claim 5:
  The method of claim 1, wherein the sensitive information is personally identifiable information (PII).

Claim 6:
  The method of claim 1, wherein the database columns corresponding to sensitive information are defined by a data security policy.

Claim 7:
  The method of claim 1, further comprising: responsive to receiving a request from an auditing entity to audit the modified data access log for information associated with a potential data breach, accessing, by the security engine, access data associated with the potential data breach from the modified data access log; and responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity.

Claim 8:
  The method of claim 7, further comprising modifying, by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity.
Claim 9:
 The method of claim 1, further comprising: responsive to determining that the requested data is not stored in one or more database columns corresponding to sensitive information, providing, by the security engine, the requested data from the database to the requesting entity.

Claim 10:
   The method of claim 1, further comprising: in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data.

Claim 11:
  The method of claim 1, further comprising: responsive to determining that the modified data has been accessed by an unauthorized entity, by the security engine, sending a notification identifying the unauthorized access to a user.


Claim 12:
  The method of claim 1, further comprising, determining that the modified data has been accessed by an unauthorized accessing entity that is unauthorized to access the modified data; and responsive to the determining that the modified data has been accessed by the unauthorized entity, preventing, by the security engine, the unauthorized entity from subsequently accessing the modified data.

Claim 13:
  A non-transitory computer readable storage medium storing executable instructions that, when executed by one or more processors, cause the processor to perform steps comprising:
receiving, by a security engine, a request from a requesting entity to access data in a database;
   determining, by the security engine, that the requested data is stored in one or more database columns corresponding to sensitive information; 
   in response to the requesting entity being authorized to access the data, retrieving, by the security engine, the requested data from the database; 
  modifying, by the security engine, the retrieved data by modifying metadata of the retrieved data to include a tag indicating that the retrieved data includes sensitive information; 


   providing, by the security engine, the modified data to a client device of the requesting entity, the client device different from the security engine and the database; 
    receiving, by the security engine, a notification from the client device in response to a request from each of a plurality of accessing entities to access the modified data from the client device, the client device configured to provide the notifications to the security engine in response to detecting the tag within the modified data when access is requested by each of the accessing entities; and 
   modifying, by the security engine, a data access log to identify each attempted access to the modified data by each accessing entity, the modified data access log identifying the accessing entity, the modified data, and a time associated with the attempted access to the modified data.



Claim 14:
   The non-transitory computer readable storage medium of claim 13, wherein the sensitive information is personally identifiable information (PII).


Claim 15:
  The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise: responsive to receiving a request from an auditing entity to audit the modified data access log for information associated with a potential data breach, accessing, by the security engine, access data associated with the potential data breach from the modified data access log; and responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity.


Claim 16:
  The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise modifying, by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity.

Claim 17:
   The non-transitory computer readable storage medium of claim 13, wherein the metadata of the retrieved data comprises at least one of: a category of data, a type of data, a format of data, a sensitivity of data, and a required authorization level.

Claim 18:
   The non-transitory computer readable storage medium of claim 13, wherein the modified data access log further identifies at least one of: a user account associated with the requesting entity; a hardware identifier for a device used by the requesting entity to access the modified data; a software identifier for software used by the requesting entity to access the modified data; and information indicating whether the attempt to access the modified data was successful

Claim 19:
  The non-transitory computer readable storage medium of claim 13, wherein the modified data access log further identifies one or more of: a web page used to access the modified data, a form used to access the modified data, and one or more fields displayed by a device of the requesting entity associated with the modified data.

Claim 20:
  The non-transitory computer readable storage medium of claim 13, wherein the steps further comprise: in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data.



Hoa is silent with reference to generating, by the security engine, an audit table (Change History Data 545) by querying the modified data access log (Read Access Log 530) with one or more query values received from an auditing entity, the audit table comprising rows from the modified data access log that include values equal to the one or more query values.
Brunswig teaches generating, by the security engine, an audit table (Change History Data 545) by querying the modified data access log (Read Access Log 530) with one or more query values received from an auditing entity, the audit table comprising rows from the modified data access log that include values equal to the one or more query values (“...Turning back to FIG. 2, at block 260, the structured read access log file is audited. Auditing includes activities such as filtering, searching, grouping, analyzing, etc. In one embodiment, auditing includes searching within the structured read access log file. In one embodiment, a set of generic auditing user interfaces are supplied, providing searching capabilities on the logged data. In some embodiments, some capabilities for reconstructing the original attribute values of the business object node instances are provided. For update and delete enabled business objects for which a history of changes is not available, a change log BO shall be used to enable a reconstruction of the data for a given point in time. If there is no change log available at all, the read access logging may provide at least the information which fields were accessed. If the BO node instance exists and there is no data change in between the point in time when the log is written and the point in time at which the auditor requests to see the logged information, the data content may be reconstructed by fetching the current BO data...FIG. 5 is a block diagram illustrating an auditing phase according to an embodiment of a system for read access logging. An auditing UI 510 provides searching capabilities on logged data. Requests received by the auditing UI 510 are transmitted to BO Read access log 530 through a UI controller 520. The logged data is persisted in a Structured read access log file 535. The logged data includes information about the fields that were accessed during logging, time stamps of when the user access one or more of the data fields and information identifying the user. The information about the fields accessed by a user may identify the fields accessed by the user. In some embodiments, the logged data does not include the exact values for the data fields accessed by the user. In some embodiments a change log BO is available such as BO Change history 540 that could be used together with the BO Read access log 530 to reconstruct data in a field for a given point in time. The exact data is persisted in Change history data 545 that may be accessed by the BO Change history 540...” paragraphs 0029/030).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Hoa with the teaching of Brunswig because the teaching of Brunswig would improve the system of Hoa  by providing a technique for auditing sensitive related data in an access log file.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 11-14, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2019/0138625 A1 to Umansky et al. in view of in view of U.S. Pub. No. 2019/0073483 A1 to McClintock et al. and further in view of U.S. Pub. No. 2014/0122436 A1 to Brunswig et al.

As to claim 1, Umansky teaches a method comprising: 
providing, by a security engine (Database Engine 212), access to data from a database requested by a requesting entity (Client Systems 220/222/224) (“...According to some embodiments, client system 120 executes client application 125 to request data from data server 110. Data server 110 executes database engine 112 to receive the request and retrieve data from data store 114 based on the request. Database engine 112 generates a result set based on the received data...According to some embodiments, any of client systems 220, 222 and 224 may execute a respective client application to interact with application 232 executed by application server 230. For example, execution of a client application may cause presentation of a user interface on a display device of a client system. A user may manipulate the user interface, causing the client application to transmit a request based on the manipulation to application 232. Application 232 generates a query (e.g., an SQL script) based on the request and forwards the query to database engine 212 executed by data server 210. In some embodiments, each client application of client systems 220, 222 and 224 interacts directly with data server 210 to provide a query thereto as described with respect to FIG. 1...” paragraphs 0014/0025), the security engine configured to, in response to determining that the accessed data comprises sensitive information, modify the accessed data to include a tag within metadata of the accessed data indicating that the accessed data includes sensitive information (“...Database systems may tag stored data with information indicating the sensitivity of the data. The information may be used to control access to the stored data. For example, a database system may receive a request for stored data from a user operating a client application. In response, the database system identifies information tagged to the stored data and determines whether the user is authorized to view data which is tagged with such information. If the user is authorized, the database system provides the stored data to the client application...” paragraph 0002, “...The result set sensitivity information is added to the query output metadata at S470...” paragraph 0048); 
providing, by the security engine, the modified data (query output metadata/Metadata 214) to a client device of the requesting entity, the client device different from the security engine and the database (“...A technical problem addressed by some embodiments is the inability to determine and provide the sensitivity of a received result set which is based on disparate data sources, each of which may be associated with disparate sensitivity information. Some embodiments provide a technical solution of identifying table columns which underlie a query result set based on analysis of the query and database schema, identifying the sensitivity of the table columns via database metadata, determining result set sensitivity information based on the identified sensitivities, and efficiently providing result set sensitivity information to a client application within result set metadata... During online operation, database engine 212 executes a received query based on stored metadata 214 to generate a result set based on data stored in data storage system 240. Assuming the data comprises relational database tables, metadata 214 may include information specifying the structure and content of the data sources stored in data stores 242, 244 and 246 and any interrelations therebetween. Embodiments are not limited to structured data sources. Metadata 214 may also associate various types of sensitivity information with one or more of the data sources (e.g., table columns) used to generate the result set. Database engine 212 may determine result set sensitivity information based on this sensitivity information and during online generation of the result set... A result set is determined based on the query at S460 as is known in the art. According to some embodiments, data server 210 retrieves the result set from database tables stored in data storage system 240. The result set comprises a number of rows of values, where each row includes a value for each of the determined query output columns. Query output metadata describing the result set is also determined at S460, as is also known in the art. Such query output metadata may specify a number of rows of the result set, output column names, output column types, etc...The result set sensitivity information is added to the query output metadata at S470. According to some embodiments of S470, database engine 212 includes the result set sensitivity information in a data structure which also includes the query output metadata. A network query protocol may be explicitly enriched to account for return of the result set sensitivity information. The result set and the query output metadata, which now includes the result set sensitivity information, are returned to the system from which the query was received at S410...” paragraphs 0016/0026/0047/0048); 
receiving, by the security engine, a notification from the client device in response to a request from each of a plurality of accessing entities to access the modified data from the client device, the client device configured to provide the notifications to the security engine in response to detecting the tag within the modified data (query output metadata) when access is requested by each of the accessing entities (“...The result set sensitivity information could be analyzed, perhaps in conjunction with other query output metadata, to detect unauthorized access. In one example, a large data extraction (e.g., evidenced by a large number of result set rows) of very sensitive data (i.e., evaluated based on returned result set sensitivity information) may indicate a data breach and cause database engine 212 or application 232 to issue corresponding log entries and/or alerts...” paragraph 0051); and 
modifying, by the security engine, a data access log (audit logs) to identify each attempted access to the modified data by each accessing entity, the modified data access log identifying the accessing entity (“...Database engine 212 generate audit logs to record access of sensitive data. Database engine 212 may use the audit logs for security monitoring, and/or to control transmission of sensitive data out of the data server 210...Database engine 212 and/or application 232 may invoke security policies based on the result set sensitivity information and a user identity. The security policies may prevent transmission of the result set (or a portion thereof) to a requesting client system based on characteristics of the client system. In some embodiments, database engine 212 may determine the result set sensitivity information and control transmission of the result set to application 232 based thereon. Application 232 may also receive the result set sensitivity information and generate audit logs to record access of sensitive data, control transmission of sensitive data out of the system (e.g., to a client system 220, 222 or 224), or control copying of sensitive data (e.g., by a client system 220, 222 or 224)...Database service 910 and/or application service 920 may generate entries for an audit log of storage account 925. As described above, the audit log may record instances of data access, including the result set sensitivity information of any generated result set...” paragraphs 0049/0050/0062).
Umansky is silent with reference to the modified data, and a time associated with the attempted access to the modified data and 
generating, by the security engine, an audit table by querying the modified data access log with one or more query values received from an auditing entity, the audit table comprising rows from the modified data access log that include values equal to the one or more query values.
McClintock teaches the modified data, and a time associated with the attempted access to the modified data (“...Access to sensitive data 116 may be logged to a sensitive data log 124 and the log may be analyzed by a log analysis service 126. As described herein above, the data in the sensitive data log 124 may include, but not be limited to, the date and time of the data access, the type of sensitive data accessed, the size of sensitive data accessed, the number of records accessed, the address and/or URI of the client service, the address and/or URI of the endpoint service, permissions that were used to access the service, what patterns in the data were matched, the number of patterns matched, what rules were used to detect the access, one or more measurements of entropy, the length of the accessed data, the length of the metadata record, document structures, the calling application and/or other such information...The computer-implemented method of claim 21, wherein transmitting of the data event to the logging service includes logging a date and time of the access, types of the sensitive data, and size of the sensitive data...” paragraph 0034/claim 5).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky with the teaching of McClintock because the teaching of McClintock would improve the system of Umansky by providing an auditing system that seamlessly coordinates information stored or logged and displayed to a user.
Brunswig teaches generating, by the security engine, an audit table (Change History Data 545) by querying the modified data access log (Read Access Log 530) with one or more query values received from an auditing entity, the audit table comprising rows from the modified data access log that include values equal to the one or more query values (“...Turning back to FIG. 2, at block 260, the structured read access log file is audited. Auditing includes activities such as filtering, searching, grouping, analyzing, etc. In one embodiment, auditing includes searching within the structured read access log file. In one embodiment, a set of generic auditing user interfaces are supplied, providing searching capabilities on the logged data. In some embodiments, some capabilities for reconstructing the original attribute values of the business object node instances are provided. For update and delete enabled business objects for which a history of changes is not available, a change log BO shall be used to enable a reconstruction of the data for a given point in time. If there is no change log available at all, the read access logging may provide at least the information which fields were accessed. If the BO node instance exists and there is no data change in between the point in time when the log is written and the point in time at which the auditor requests to see the logged information, the data content may be reconstructed by fetching the current BO data...FIG. 5 is a block diagram illustrating an auditing phase according to an embodiment of a system for read access logging. An auditing UI 510 provides searching capabilities on logged data. Requests received by the auditing UI 510 are transmitted to BO Read access log 530 through a UI controller 520. The logged data is persisted in a Structured read access log file 535. The logged data includes information about the fields that were accessed during logging, time stamps of when the user access one or more of the data fields and information identifying the user. The information about the fields accessed by a user may identify the fields accessed by the user. In some embodiments, the logged data does not include the exact values for the data fields accessed by the user. In some embodiments a change log BO is available such as BO Change history 540 that could be used together with the BO Read access log 530 to reconstruct data in a field for a given point in time. The exact data is persisted in Change history data 545 that may be accessed by the BO Change history 540...” paragraphs 0029/030).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky and McClintock with the teaching of Brunswig because the teaching of Brunswig would improve the system of Umansky and McClintock by providing a technique for auditing sensitive related data in an access log file.

As to claim 2, Umansky teaches the method of claim 1, wherein the metadata of the accessed data comprises at least one of: a category of data, a type of data, a format of data, a sensitivity of data, and a required authorization level (“...According to the illustrated example, the column attributes include Data Type, Allow Nulls, Default, Info_type and Sensitivity. Embodiments are not limited to the attributes of FIG. 3. The Data Type attribute indicates the data type of a column and the Allow Nulls attribute indicates whether the column allows null values. The Default attribute specifies a default value to be used for a column whenever no value is specified for the column. Many other column attributes may be specified as is known in the art...The Info_type and Sensitivity attributes provide sensitivity information of an associated column according to the present description. Example values of the Info_type attribute include Credit Card Number, Bank Account Number, Name, SSN, etc. Example values of the Sensitivity attribute may include PII (Personally Identifiable Information), HBI (High Business Impact), MBI (Medium Business Impact), LBI (Low Business Impact), Regulated, Confidential, Public, but are not limited thereto. Embodiments may employ any other suitable sensitivity-related attributes, and any number of sensitivity-related attributes per data source. For example, a sensitivity-related column attribute may specify access restrictions...The sensitivity information may indicate a degree to which associated data should be protected from unauthorized access and/or disclosure. Various types of data may be associated with different sensitivity information, which may be usable to authorize access to the data and/or to determine an amount of harm which would occur if the data were disclosed...” paragraphs 0030-0033).  

As to claim 3, Umansky teaches the method of claim 1, wherein the modified data access log further identifies at least one of: - 29 -a user account associated with the requesting entity; a hardware identifier for a device used by the requesting entity to access the modified data (Field 116E); a software identifier for software used by the requesting entity to access the modified data; and information indicating whether the attempt to access the modified data was successful (“...A non-limiting example of log record type can be log record type 114B including fields 116A-E. In a non-limiting example, the log record type 114B can be a type of a record that is recorded by an application when a user of a database accesses a record of the database. The log record type may include the following fields: a timestamp indicating a time at which the log record is recorded (in some implementations, this can correspond to a time at which the user has accessed the record), an organization identifier (orgId), a user identifier (userId) uniquely identifying the user accessing the database, a record identifier uniquely identifying the accessed record (recordId), and an IP address assigned to the network device used by the user (IP-address). In this non-limiting example, field 116A indicates that a log record of type 114B includes a timestamp as its first field; the field 116B indicates that the log record of type 114B includes an orgId as its second field, field 116C indicates that a log record of type 114B includes a userId as its third field, field 116D indicates that a log record of type 114B includes a recordId as its fourth field, and field 116E indicates that a log record of type 114B includes an IP-address as its fifth field. While exemplary log record type 114B is illustrated with fields 116A-E, in other implementations log record type 114B can include additional fields that may be recorded when a user accesses a record of a database. Several examples of log records types can be contemplated where different numbers and types of fields can be included in a log record type than the one illustrated in the non-limiting exemplary log record type 114B...” paragraph 0044).
 
As to claim 4, McClintock teaches the method of claim 1, wherein the modified data access log (Sensitive Data Log 124) further identifies one or more of:
a web page used to access the modified data, 
a form used to access the modified data, and 
one or more fields displayed by a device of a requesting entity associated with the modified data (Sensitive Data 116) (“...One or more services such as the service 114 running on the computer system 112 may have access to sensitive data 116. The sensitive data 116 may be provided to the service 114 by a backend service 118 which may be configured to provide the data from a data store 122. The sensitive data 116 may be provided to the user 102 via the network 108 and displayed using an interface 120 running on the computer system client device 104. The interface 120 may be an interface to an application, a browser, an interface to a service, a console and/or other such interfaces. The sensitive data 116 may be data that is predetermined by a system as data that should be protected or secured and may be stored in a predetermined and known secure location. The sensitive data 116 may also be data that becomes secure as a system operates and may be stored in discoverable locations within the computing system. The sensitive data 116 may be any data that is considered protectable, of interest or requiring enhanced levels of data security including, but not limited to, payment data, legal data, credit card data, email addresses, personally identifying information, credentials such as user names, passwords, encryption keys, payment tokens, single sign-in tokens, identifiers, meta-identifiers, project names, project code names, sales trends, inventors, usability studies, behavioral studies, data that, when combined with other data, may become sensitive data or combinations of these and/or other such data types. In some embodiments, whether data is sensitive may depend on the nature of the computer system and/or the users of the computer system. For example, a computer system may be configured for compliance with the health insurance portability and accountability act (HIPAA) which may require that all data relating to health records be secured. In some embodiments, the sensitivity of the sensitive data 116 may be related to certain systems, or certain users, or certain roles and/or related to other such computer system security and/or permission policies. In some embodiments, rules associated with the level of security of a system may be adaptive and/or behavioral. In such embodiments, a computer system may be configured to, upon observing certain behavior, alter the types of data that may be considered sensitive and/or the level of protection that sensitive data may be provided...Access to sensitive data 116 may be logged to a sensitive data log 124 and the log may be analyzed by a log analysis service 126. As described herein above, the data in the sensitive data log 124 may include, but not be limited to, the date and time of the data access, the type of sensitive data accessed, the size of sensitive data accessed, the number of records accessed, the address and/or URI of the client service, the address and/or URI of the endpoint service, permissions that were used to access the service, what patterns in the data were matched, the number of patterns matched, what rules were used to detect the access, one or more measurements of entropy, the length of the accessed data, the length of the metadata record, document structures, the calling application and/or other such information. The metadata associated with the access and that may be included in the log entries may depend on system policies, business value, the sensitivity of the data and/or other such concerns. The log entries may be generated by the calling (or client) application or may be generated by a service associated with the calling (or client) application, or may be generated by one or more other applications, processes, services, modules and/or other such computer system entities. The log analysis service 126 may use a variety of techniques to analyze the logs including, but not limited to, base lining (comparing logs to known values), filtering, pattern matching techniques such as Markov chains, call graphs and/or other such techniques...” paragraphs 0033/0034).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky and Brunswig with the teaching of McClintock because the teaching of McClintock would improve the system of Umansky and Brunswig by providing an auditing system that seamlessly coordinates information stored or logged and displayed to a user.

As to claim 5, Umansky teaches the method of claim 1, wherein the sensitive information is personally identifiable information (PII) (“...The Info_type and Sensitivity attributes provide sensitivity information of an associated column according to the present description. Example values of the Info_type attribute include Credit Card Number, Bank Account Number, Name, SSN, etc. Example values of the Sensitivity attribute may include PII (Personally Identifiable Information), HBI (High Business Impact), MBI (Medium Business Impact), LBI (Low Business Impact), Regulated, Confidential, Public, but are not limited thereto. Embodiments may employ any other suitable sensitivity-related attributes, and any number of sensitivity-related attributes per data source. For example, a sensitivity-related column attribute may specify access restrictions...” paragraph 0031).  

As to claim 6, Umansky teaches the method of claim 1, wherein the database columns corresponding to sensitive information are defined by a data security policy (“...A technical problem addressed by some embodiments is the inability to determine and provide the sensitivity of a received result set which is based on disparate data sources, each of which may be associated with disparate sensitivity information. Some embodiments provide a technical solution of identifying table columns which underlie a query result set based on analysis of the query and database schema, identifying the sensitivity of the table columns via database metadata, determining result set sensitivity information based on the identified sensitivities, and efficiently providing result set sensitivity information to a client application within result set metadata...During online operation, database engine 212 executes a received query based on stored metadata 214 to generate a result set based on data stored in data storage system 240. Assuming the data comprises relational database tables, metadata 214 may include information specifying the structure and content of the data sources stored in data stores 242, 244 and 246 and any interrelations therebetween. Embodiments are not limited to structured data sources. Metadata 214 may also associate various types of sensitivity information with one or more of the data sources (e.g., table columns) used to generate the result set. Database engine 212 may determine result set sensitivity information based on this sensitivity information and during online generation of the result set...Result set sensitivity information is determined at S450 based on the sensitivity information determined at S440. S450 may comprise any suitable system for determining the result set sensitivity information. Determination of the result set sensitivity information may be based on heuristics and/or pre-defined policies defining the conversion of the determined sensitivity information into result set sensitivity information...A result set is determined based on the query at S460 as is known in the art. According to some embodiments, data server 210 retrieves the result set from database tables stored in data storage system 240. The result set comprises a number of rows of values, where each row includes a value for each of the determined query output columns. Query output metadata describing the result set is also determined at S460, as is also known in the art. Such query output metadata may specify a number of rows of the result set, output column names, output column types, etc...The result set sensitivity information is added to the query output metadata at S470. According to some embodiments of S470, database engine 212 includes the result set sensitivity information in a data structure which also includes the query output metadata. A network query protocol may be explicitly enriched to account for return of the result set sensitivity information. The result set and the query output metadata, which now includes the result set sensitivity information, are returned to the system from which the query was received at S410...” paragraphs 0016/0026/0047/0048).  

As to claim 11, McClintock teaches method of claim 1, determining that the modified data has been accessed by an unauthorized entity, by the security engine, sending a notification identifying the unauthorized access to a user (“...A log analysis service 716 may then use a rules engine 724 and a set of correlations 718 to determine 720 whether a response 722 to the sensitive data access is warranted as described herein at least in connection with FIGS. 1 and 2. The response 722 may include, but may not be limited to, an alarm, an email alert, an administrator ticket or a popup (either on the user system or on an administrator system). The response 722 may also include such actions as disabling one or more interfaces associated with the accessing service, disabling the service, disabling permissions for the user and/or the accessing service and/or other such responses. The log analysis service 716 may also use the rules engine 724 and the set of correlations 718 to determine 726 whether to update the state 728 of one or more aspects associated with the log analysis service 716. For example, the log analysis service may update the list of the recognized systems, the known data, the known users or the known user access rights as described herein at least in connection with FIG. 4 and in accordance with at least one embodiment...” paragraph 0050).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky and Brunswig with the teaching of McClintock because the teaching of McClintock would improve the system of Umansky and Brunswig by providing a technique for notifying a user of an unauthorized access.

As to claim 12, Umansky teaches the method of claim 1, further comprising, determining that the modified data has been accessed by an unauthorized accessing entity that is unauthorized to access the modified data responsive to the determining that the modified data has been accessed by the unauthorized entity, preventing, by the security engine, the unauthorized entity from subsequently accessing the modified data (“...Database systems may tag stored data with information indicating the sensitivity of the data. The information may be used to control access to the stored data. For example, a database system may receive a request for stored data from a user operating a client application. In response, the database system identifies information tagged to the stored data and determines whether the user is authorized to view data which is tagged with such information. If the user is authorized, the database system provides the stored data to the client application...” paragraph 0002).

As to claim 13, see the rejection of claim 1 above, expect for a non-transitory computer readable storage medium.
Umansky teaches a non-transitory computer readable storage medium (figure 10).

As to claims 14, 17, 18 and 19, see rejection of claims 5, 2, 3 and 4 respectively.

Claims 7, 8, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2019/0138625 A1 to Umansky et al. in view of in view of U.S. Pub. No. 2019/0073483 A1 to McClintock et al. and further in view of U.S. Pub. No. 2014/0122436 A1 to Brunswig et al. as applied to claims 1 and 13 above, and further in view of U.S. Pub. No. 2019/0182038 A1 to Shanks et al.

As to claim 7, Umansky as modified by McClintock and Brunswig teaches the method of claim 1, however it is silent with reference to  
responsive to receiving a request from the auditing entity to audit the modified data access log for information associated with a potential data breach, 
accessing, by the security engine, access data associated with the potential data breach from the modified data access log; and  -30-Atty. Docket No.: 29740-42450 
29740/42450/FW/10579704.4responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity.
Shanks teaches responsive to receiving a request from the auditing entity (Audit Consumers 106) to audit the modified data access log (audit logs in the dataset server 112) for information associated with a potential data breach, 
accessing, by the security engine, access data associated with the potential data breach from the modified data access log (Secret Key Server 108/Dataset Key Server 110); and  -30-Atty. Docket No.: 29740-42450 
29740/42450/FW/10579704.4responsive to determining that the auditing entity is authorized to audit the modified data access log, providing, by the security engine, the accessed information to the auditing entity (“...Each of the audit consumers 106 may include a user (e.g., human and/or artificial agent) that is eligible to have authorization to access one or more of audit logs that are generated upon access by the audit producer(s) 104. In some embodiments, each of the audit consumers 106 accesses the secret key server 108 and/or the dataset key server 110 to obtain data (e.g., keys) that are required to access the audit logs in the dataset server 112...The encrypted dataset key datastore 308 is capable of deleting a consumer-encrypted dataset key in response to a request, upon successful authentication of the request and/or a sender of the request by the authentication engine 304. In some embodiments, the request is successfully authenticated when the sender is authorized to perform deletion. In a more specific implementation, the sender is authorized to perform the deletion when the sender is of a consumer role or class higher than the audit consumer of the role or class subjected to deletion in a hierarchy. For example, only the inspector general may have authority to perform deletion...” paragraphs 0031/0044).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky, McClintock and Brunswig with the teaching of Shanks because the teaching of Shanks would improve the system of Umansky, McClintock and Brunswig by providing a technique obtaining data (e.g., keys) that is required to access a dataset stored in the dataset server (Shanks paragraph 0029).

As to claim 8, Umansky as modified by McClintock and Brunswig teaches the method of claim 1, however it is silent with reference to modifying, by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity.  
Shanks teaches modifying (deletion), by the security engine, the data access log to identify the request to audit the modified data access log by the auditing entity (“...Each of the audit consumers 106 may include a user (e.g., human and/or artificial agent) that is eligible to have authorization to access one or more of audit logs that are generated upon access by the audit producer(s) 104. In some embodiments, each of the audit consumers 106 accesses the secret key server 108 and/or the dataset key server 110 to obtain data (e.g., keys) that are required to access the audit logs in the dataset server 112...The encrypted dataset key datastore 308 is capable of deleting a consumer-encrypted dataset key in response to a request, upon successful authentication of the request and/or a sender of the request by the authentication engine 304. In some embodiments, the request is successfully authenticated when the sender is authorized to perform deletion. In a more specific implementation, the sender is authorized to perform the deletion when the sender is of a consumer role or class higher than the audit consumer of the role or class subjected to deletion in a hierarchy. For example, only the inspector general may have authority to perform deletion...” paragraphs 0031/0044).
 It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky, McClintock and Brunswig with the teaching of Shanks because the teaching of Shanks would improve the system of Umansky, McClintock and Brunswig  by providing a technique obtaining data (e.g., keys) that is required to access a dataset stored in the dataset server (Shanks paragraph 0029).

As to claims 15 and 16, see the rejection of claims 7 and 8 respectively.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2019/0138625 A1 to Umansky et al. in view of in view of U.S. Pub. No. 2019/0073483 A1 to McClintock et al. and further in view of U.S. Pub. No. 2014/0122436 A1 to Brunswig et al. as applied to claim 1 above, and further in view of U.S. Pub. No. 2018/0359282 A1 to Roth et al.

As to claim 9, Umansky as modified by McClintock and Brunswig teaches the method of claim 1, however it is silent with reference to responsive to determining that the requested data is not stored in one or more database columns corresponding to sensitive information, providing, by the security engine, the requested data from the database to the requesting entity. 
Roth teaches responsive to determining that the requested data is not stored in one or more database columns corresponding to sensitive information, providing, by the security engine, the requested data from the database to the requesting entity (“...Parsing the query may be performed in any suitable manner. For example, in some embodiments, columns of a database table are tagged in a manner indicating whether the columns contain sensitive data. Referring to FIG. 10, for example, the first two columns illustrated may be tagged as sensitive where as other columns may be tagged as non-sensitive where tagging as sensitive or non-sensitive may be implicit by the absence of a tag. The tags may enable a storage proxy to determine which data to encrypt before transmitting data to a backing service. The service proxy may, for instance, be configured to receive data through its API interface, identify which columns in a database the data affects, determine which, if any, columns are tagged as sensitive, and encrypt the data for the identified columns before transmitting to the backing service. Parsing the query may be performed by identifying portions of the query that require a search of columns tagged as sensitive, or generally a search of data tagged as sensitive. Similarly, parsing the query may be performed by identifying of the query requiring a search of data tagged as non-sensitive. Turning to the illustrative example of FIG. 10, for instance, a query may be configured to identify data in a relational database that satisfies one or more conditions on a last name as well as one or more conditions on a transaction amount. As noted above, a column for last names may be tagged as sensitive whereas a column of transactions amounts may be tagged as non-sensitive. In this manner, parsing such a query may be performed by extracting from the query a sub-query for identifying data that satisfies the one or more conditions on the transaction amount. Some of the data identified may not satisfy the one or more conditions on the last name. In this manner a sub-query configured to identify data that satisfies the one or more conditions on the last name may be identified as the sensitive query...Returning to FIG. 11, the non-sensitive query may be forwarded 1106 to a backing database service such as in the form of an appropriately configured API call to the backing database service. The backing database service may receive the non-sensitive query and process the non-sensitive query on a database the backing database services maintains on behalf of a customer for which the query was received 1102. The backing database service may then generate a preliminary response and provide that generated preliminary response which, as noted above, may be over-inclusive as it may include data that does not satisfy the sensitive query that was generated. Accordingly, the process 1100 includes receiving 1108 the preliminary response from the backing database service. The preliminary response may be received, for example, as a response to the API call that was made to the backing database service...” paragraphs 0076/0077).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky, McClintock and Brunswig with the teaching of Roth because the teaching of Roth would improve the system of Umansky, McClintock and Brunswig by providing a technique of accessing and retrieving sensitive and non-sensitive information.

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2019/0138625 A1 to Umansky et al. in view of in view of U.S. Pub. No. 2019/0073483 A1 to McClintock et al. and further in view of U.S. Pub. No. 2014/0122436 A1 to Brunswig et al. as applied to claims 1 and 13 above, and further in view of U.S. Pub. No. J.P.O. No. 2013/152497 A to Maeda.

As to claim 10, Umansky as modified by McClintock and Brunswig  teaches the method of claim 1, however it is silent with reference to in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data.  
Maeda teaches in response to the requesting entity being unauthorized to access the data, modifying, by the security engine, the data access log to identify the request from the requesting entity to access the data in the database and to indicate that the requesting entity is not authorized to access the data (blacklist) (“...In order to achieve the above object, a blacklist extraction apparatus according to the present invention is a blacklist extraction apparatus connected to a plurality of web servers via a network. The blacklist extraction apparatus includes: an access log collection unit for collecting access information recorded by each web server and storing it as an access log in a storage means provided in advance; and access information recorded in the access log on the basis of a predetermined detection condition When it is detected that a request including the same character string is transmitted from the same access source IP address to a plurality of web servers within a time range defined under the detection conditions, as a blacklist; a language type determination unit for identifying which development language command is included in the request and determining whether the specified development language is different from the development language of the web server; and a blacklist output unit for outputting the extracted blacklist. When the development language is different between the request and the web server by the attack information extraction unit, it is extracted as a blacklist. In order to achieve the above object, a blacklist extraction method according to the present invention is a blacklist extraction device connected to a plurality of web servers via a network. The blacklist extraction device collects access information recorded by each web server as an access log, stores it as an access log in a storage means provided in advance, and acquires access information recorded in the access log on the basis of a predetermined detection condition When it is detected that a request including the same character string is transmitted from the same access source IP address to a plurality of web servers within a time range defined under the detection conditions, it is determined whether the development language is different from the development language of the web server, and the attack information extraction unit extracts the attack information as a blacklist when the development language is different between the request and the web server. The blacklist output unit outputs the extracted blacklist. In order to achieve the above object, a blacklist extraction program according to the present invention is a blacklist extraction device connected to a plurality of web servers via a network. The blacklist extraction device collects access information recorded by each web server to a computer provided in the blacklist extraction device, and stores the access information as an access log in a storage means provided in advance When it is detected that a request including the same character string is transmitted from the same access source IP address to a plurality of web servers within a time range defined under the detection conditions, as a blacklist; determining which development language command is included in the request; determining whether the development language is different from the development language of the web server; extracting the development language as a blacklist when the development language is different between the request and the web server. and a procedure for outputting the extracted blacklist...” paragraphs 0017/0019).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify the system of Umansky, McClintock and Brunswig with the teaching of Maeda because the teaching of Maeda would improve the system of Umansky, McClintock and Brunswig by providing a technique of blacklisting access or users who are not authorized to access sensitive information.

As to claim 20, see the rejection of claim 10 above.

Response to Arguments
Applicant’s arguments with respect to claims have been considered but are moot because the new ground of rejection relies on additional reference not applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHARLES E ANYA whose telephone number is (571)272-3757. The examiner can normally be reached Mon-Fir. 9-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SOUGH HYUNG can be reached on 571-272-6799. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHARLES E ANYA/Primary Examiner, Art Unit 2194