DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 9/8/2020. Claims 1-28 are pending.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/8/2020 and 1/13/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Examiner’s Notes
Method claim 14 depends on claim 4, but corresponding system claim 28 depends on claim 25, not claim 18. Please ensure this is intended.

Claim Objections
Claims 2-4, 6, 9, 16-18, 20 and 23 are objected to because of the following informalities: 
Claim 2 recites “providing the central sentry platform comprises providing the central sentry platform on a computer system in electronic communication with the plurality of sentries;” The term “a computer system” has already been defined previously in claim 1 and should therefore be referred to using a definite article. Similar objection applies to claim 16.
Claims 3 and 17 recite “granting the access request and decrypting the encrypted data if plaintext access is allowed by the corresponding data self-protection policy, granting the access request without decrypting the encrypted data if cipher-text access is allowed by the corresponding data self-protection policy, or denying the access request if neither plaintext access nor cipher-text access is allowed by the corresponding data self-protection policy;” Please ensure that “or” rather than “and” is intended here. In addition, the examiner suggests that the applicant revisit the "if" statements (contingent limitations) used in the claims. According to MPEP 2111.04(II), the broadest reasonable interpretation of a method (or process) claim having contingent limitations requires only those steps that must be performed and does not include steps that are not required to be performed because the condition(s) precedent are not met. Language such as "based on" or "in response to" can be used to avoid steps not being required under the broadest reasonable interpretation of the claim, since the claimed invention may otherwise be practiced without the conditions occurring.
Claims 4 and 18 recite “for each access request made by each process on each computer in the plurality of computers, the information of that computer, the information of that process including its application program, the file information of the encrypted data, the time of access attempt associated with that access request, and the examination result made by the corresponding sentry on that computer.” It is recommended to remove these five “the” to avoid possible antecedent issues.
Claims 6 and 20 recite “for a plurality of resources of that computer, the current usage level of each resource in the plurality of resources relative to the total capacity of that resource on that computer;” It is recommended to remove the “the” in “the current usage level” and “the total capacity” to avoid possible antecedent issues.
Claim 9 recites “defining a heartbeat frequency; operating that sentry to send a time series of heartbeats to the central sentry platform at a heartbeat frequency via the communication channel” The second term “a heartbeat frequency” has already been defined previously and should therefore be referred to using a definite article.
Claims 9 and 23 recite “operating the central sentry platform to evaluate the status of that sentry” It is recommended to remove the “the” in “the status of that sentry” to avoid possible antecedent issues.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 26-27 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

The rejections under 35 U.S.C. 112(b) are based on the following reasons:
Claim 26 recites "The method as defined in claim 20 wherein…" and claim 27 recites “The system as defined in claim 26, wherein…”; however, claim 20 recites “The system as defined in claim 19, wherein…”.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 15-28 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter. Claim 15 recites “A system for enabling data self-protection, the system comprising: at least one computer system,… and, a central sentry platform in electronic communication with the sentry installed on the computer system…”, which can be considered software per se. This is confirmed by specification [0046], which recites “Aspects of embodiments of the systems and methods described herein may be implemented in hardware or software, or a combination of both.” Even though specification [0059] recites “Referring now to FIG. 1, there is shown an example computer system 10, in accordance with an embodiment. The computer system 10 can include hardware components 40, such as a processor 42, a data storage 44, and a communication interface 46.”, the use of the word “can” implies “example only”, and the computer system can therefore consist of software only. The dependent claims inherit the deficiencies of the claims upon which they ultimately depend and are rejected as well.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 14-22 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 20180102902 A1) in view of Wright (US 20080077971 A1).

Regarding claim 1, Yang teaches a method of enabling data self-protection on at least one computer system, the method comprising: ([0007] methods and systems for managing data access in a computer system.)
installing a sentry on a computer system of the at least one computer system, wherein the sentry comprises a file system filter installed on a kernel of that computer system, the file system filter integrating mandatory access control and encryption together; ([0008] provide a data protection module that may be referred to as a kernel level file system filter. The data protection module may implement methods for process authentication and/or process authorization to police (i.e. manage data access for) processes trying to access data (encrypted data and/or unencrypted data) on a computer system.) Here Yang discloses details on "data protection module", "process-based encrypted data access policing system" and "kernel level file system filter" in [0009], [0051], [0057], [0066], [0106], [0121].
operating the file system filter to control access to encrypted data stored on the computer system, ([0009], [0023], [0057], [0106], [0121], [0140] disclose details on "manage access to encrypted data files";) by, for each process making a file access request to the encrypted data, the file system filter receiving and handling that file access request according to the data self-protection policy to grant or deny that file access request; ([0010], [0017]-[0020], [0023]-[0027], [0031], [0057], [0070], [0127]-[0133]; claims 1-5, 9 disclose details on "configuration map", "providing the requesting process instance with a level of access to the particular data file based on the determined authorization level of the requesting process", "denying the requesting process instance access to the particular data file";)

Yang teaches a data protection system comprising a kernel-level file system filter to control process access to encrypted data according to a data self-protection policy, but does not explicitly teach providing a central sentry platform in electronic communication with the sentry installed on the computer system, the central sentry platform being separate from the kernel of the computer system; operating the central sentry platform to send a data self-protection policy to the sentry, the data self-protection policy being encrypted so that the data self-protection policy can only be modified by the central sentry platform; operating the central sentry platform to monitor the sentry and to receive information from the sentry regarding access to the encrypted data stored on the computer system. This aspect of the claim is identified as a difference.
However, Wright in an analogous art explicitly teaches
providing a central sentry platform in electronic communication with the sentry installed on the computer system, the central sentry platform being separate from the kernel of the computer system; ([0016]-[0017] FIG. 2A illustrates a computer system for administering the protection of data accessible by one or more mobile devices based on either or both of a location associated with the mobile device or a security feature. FIG. 2B illustrates a system in a client mobile device for protecting data accessible by the mobile device based on either or both of a location associated with the mobile device or a security feature.) Here Wright discloses details on this limitation in [0012]-[0014], [0078]-[0103], [0128], [0144], [0151], [0176], [0213]-[0218]; claim 1; figs. 3A, 3B, 8, 10A, 10B.
operating the central sentry platform to send a data self-protection policy to the sentry, the data self-protection policy being encrypted so that the data self-protection policy can only be modified by the central sentry platform; ([0078] responsive to security information such as a policy or software being designated for encryption, the policy management module 236 provides 308 the designated client mobile device with cryptographic information which the client device can store and use to decrypt the security information. An example of cryptographic information is a key for use with a cryptographic authentication protocol. [0104] The policy management module 236 determines 309 whether the security information is to be encrypted. If not, the policy management module 236 stores 312 the security policy. If it is to be encrypted, the policy is encrypted 311.) Here Wright discloses details on this limitation in [0078], [0104], [0128], [0131], [0132]; figs. 3A-3C.
operating the central sentry platform to monitor the sentry and to receive information from the sentry regarding access to the encrypted data stored on the computer system. ([0054] The remote diagnostics module 224 comprises three modules or sub-modules: a monitoring module 226, a diagnosis module 228, and a diagnosis distribution module 230. The monitoring module 226 receives diagnostic information such as events or audit logs from a client device and stores the information in a data object (242) for the client device.) Here Wright discloses details on this limitation in [0068]-[0077], [0104]-[0127], [0220]. In addition, Yang discloses that “Additionally or alternatively, the user-mode filter companion application 101D may communicate with the file system filter 102 to log file access information for data use monitoring and governance” in [0115].
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “encrypted data access policing” concept of Yang, and the “central policy server” approach of Wright. One of ordinary skill in the art would have been motivated to perform such a modification to receive encrypted data protection policies from a central platform in order to increase the security of the system (Wright [0078]).

Regarding claim 2, Yang in view of Wright teaches all the features with respect to claim 1, as outlined above. The combination further teaches
the at least one computer system comprises a plurality of computers; ([Wright 0053] The remote diagnostics module 224 is illustrated in the context of a server computer system embodiment 200 in FIG. 2A concerned with security or protection of data accessible by mobile client devices.)
installing the sentry comprises installing a plurality of sentries including, for each computer in the plurality of computers, installing a corresponding sentry on that computer, wherein installing that corresponding sentry on that computer comprises installing the file system filter of that corresponding sentry on the kernel of that computer; ([Yang 0008] provide a data protection module that may be referred to as a kernel level file system filter. The data protection module may implement methods for process authentication and/or process authorization to police (i.e. manage data access for) processes trying to access data (encrypted data and/or unencrypted data) on a computer system.) Here Yang discloses details on "data protection module", "process-based encrypted data access policing system" and "kernel level file system filter" in [0009], [0051], [0057], [0066], [0106], [0121].
providing the central sentry platform comprises providing the central sentry platform on a computer system in electronic communication with the plurality of sentries; (Wright discloses the central sentry platform in electronic communication with a plurality of sentries on a plurality of computers in [0011]-[0014], [0078]-[0103], [0128], [0144], [0151], [0176], [0213]-[0218]; figs. 2A, 2B, 8.)
operating the central sentry platform to send the data self-protection policy comprises operating the central sentry platform to send a plurality of data self-protection policies including, for each sentry in the plurality of sentries, sending a corresponding data self-protection policy to that sentry; ([Wright 0078] responsive to security information such as a policy or software being designated for encryption, the policy management module 236 provides 308 the designated client mobile device with cryptographic information which the client device can store and use to decrypt the security information. An example of cryptographic information is a key for use with a cryptographic authentication protocol. [0104] The policy management module 236 determines 309 whether the security information is to be encrypted. If not, the policy management module 236 stores 312 the security policy. If it is to be encrypted, the policy is encrypted 311.) Here Wright discloses details on this limitation in [0078], [0104], [0128], [0131], [0132]; figs. 3A-3C.
operating the file system filter to control access to encrypted data stored on the computer system, (Yang in [0009], [0023], [0057], [0106], [0121], [0140] disclose details on "manage access to encrypted data files";) comprises, for each computer in the plurality of computers, operating the file system filter of the corresponding sentry installed on that computer to control access to the encrypted data stored on that computer according to the corresponding data self-protection policy sent to the corresponding sentry; and, (Yang in [0010], [0017]-[0020], [0023]-[0027], [0031], [0057], [0070], [0127]-[0133]; claims 1-5, 9 disclose details on "configuration map", "providing the requesting process instance with a level of access to the particular data file based on the determined authorization level of the requesting process", "denying the requesting process instance access to the particular data file";)
operating the central sentry platform to monitor the sentry comprises, for each computer in the plurality of computers, operating the central sentry platform to monitor the corresponding sentry on that computer to receive information from that sentry regarding access to the encrypted data stored on that computer. ([Wright 0054] The remote diagnostics module 224 comprises three modules or sub-modules: a monitoring module 226, a diagnosis module 228, and a diagnosis distribution module 230. The monitoring module 226 receives diagnostic information such as events or audit logs from a client device and stores the information in a data object (242) for the client device.) Here Wright discloses details on this limitation in [0068]-[0077], [0104]-[0127], [0220]. In addition, Yang discloses that “Additionally or alternatively, the user-mode filter companion application 101D may communicate with the file system filter 102 to log file access information for data use monitoring and governance” in [0115].

Regarding claim 3, Yang in view of Wright teaches all the features with respect to claim 2, as outlined above. The combination further teaches 
for each computer in the plurality of computers, operating the file system filter of the corresponding sentry installed on that computer further comprises operating the file system filter to examine each access request made by each process to access the encrypted data stored on that computer according to the corresponding data self-protection policy sent to that sentry by (Yang discloses in [0010], [0017], [0025]-[0027], [0031], [0057], [0070], [0100]-[0106]; claims 3-5;)
granting the access request and decrypting the encrypted data if plaintext access is allowed by the corresponding data self-protection policy,
granting the access request without decrypting the encrypted data if cipher-text access is allowed by the corresponding data self-protection policy, or
denying the access request if neither plaintext access nor cipher-text access is allowed by the corresponding data self-protection policy; and
operating the central sentry platform to monitor each sentry in the plurality of sentries to receive information from that sentry further comprises monitoring each sentry to receive information on all examined access requests from that sentry. ([Wright 0054] The remote diagnostics module 224 comprises three modules or sub-modules: a monitoring module 226, a diagnosis module 228, and a diagnosis distribution module 230. The monitoring module 226 receives diagnostic information such as events or audit logs from a client device and stores the information in a data object (242) for the client device.) Here Wright discloses details on this limitation in [0068]-[0077], [0104]-[0127], [0220]. In addition, Yang discloses that “Additionally or alternatively, the user-mode filter companion application 101D may communicate with the file system filter 102 to log file access information for data use monitoring and governance” in [0115].

Regarding claim 4, Yang in view of Wright teaches all the features with respect to claim 3, as outlined above. The combination further teaches 
wherein the information on all examined access requests comprises, for each access request made by each process on each computer in the plurality of computers, the information of that computer, the information of that process including its application program, the file information of the encrypted data, the time of access attempt associated with that access request, and the examination result made by the corresponding sentry on that computer. (Wright discloses in [0068]-[0077], [0104]-[0127]; figs. 2A, 11.)

Regarding claim 5, Yang in view of Wright teaches all the features with respect to claim 3, as outlined above. The combination further teaches 
for each computer in the plurality of computers, operating the corresponding sentry installed on that computer to monitor operational aspects of that computer in addition to examining all access requests to access the encrypted data stored on that computer; wherein, for each computer in the plurality of computers, operating the central sentry platform to monitor each sentry further comprises operating the central sentry platform to receive information from that sentry regarding the operational aspects of that computer. (Wright discloses in [0046], [0047], [0053]-[0059], [0068]-[0077], [0223], [0255], [0269]; figs. 2A, 2B, 8, 11.)

Regarding claim 6, Yang in view of Wright teaches all the features with respect to claim 5, as outlined above. The combination further teaches 
for each computer in the plurality of computers, the operational aspects of that computer comprise, for a plurality of resources of that computer, the current usage level of each resource in the plurality of resources relative to the total capacity of that resource on that computer; wherein the plurality of resources comprises a memory, a processor and disk space of that computer. (Wright discloses in [0046], [0047], [0053]-[0059], [0068]-[0077], [0223], [0255], [0269]; figs. 2A, 2B, 8, 11.)

Regarding claim 7, Yang in view of Wright teaches all the features with respect to claim 3, as outlined above. The combination further teaches wherein, for each computer in the plurality of computers,
the data self-protection policy sent to the corresponding sentry installed on that computer comprises a plaintext authorization list of all legitimate application programs having processes authorized to access plaintext content of the encrypted data, and a cipher-text authorization list of all legitimate application programs having processes authorized to access cypher-text content of encrypted data; (Yang discloses in [0010], [0017]-[0020], [0023], [0024], [0031], [0070], [0128]-[0130]; claim 2;)
for each access request to access the encrypted data, the file system filter of that sentry determines ([Yang 0010] the configuration map defines a first group of processes from the plurality of processes having a plaintext authorization level, and a second group of processes from the plurality of processes having a cypher-text authorization level.)
plaintext access is allowed when the process making the access request is authenticated by that sentry as a process of a legitimate application program listed on the plaintext authorization list, ([Yang 0011] the process authorization level of the corresponding process for the particular data file may be determined to be a plaintext authorization level; and providing the requesting process instance with the level of access to the particular data file can include: decrypting the particular data file to provide a decrypted data file; temporarily storing the decrypted data file in the cache of the computer system; and providing the requesting process instance with access to the decrypted data file in plaintext.)
cipher-text access is allowed when the process making the access request is authenticated by that sentry as a process of a legitimate application program listed on the cipher-text authorization list, and ([Yang 0012] the process authorization level of the corresponding process for the particular data file may be determined to be a cypher-text authorization level; and providing the requesting process instance with the level of access to the particular data file can include providing the requesting process instance with access to the particular data file in the encrypted format.)
otherwise neither plaintext access nor cipher-text access is allowed. ([Yang 0013] the process authorization level of the corresponding process for the particular data file may be determined to be neither a plaintext authorization level nor a cypher-text authorization level; and providing the requesting process instance with the level of access to the particular data file can include denying the requesting process instance access to the particular data file.)
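The access decision mapped to Yang above, together with the encrypted policy of claim 1 and the per-request record of claims 3 and 4, worked as an added example. This is not code from the application or the cited references; the HMAC tag standing in for the claimed policy encryption, the image-hash authentication of a process, the list names and the sample values are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PLAINTEXT = "plaintext"
CIPHERTEXT = "cipher-text"
DENY = "deny"

# Constructed shared secret. In the claims the policy is encrypted so that only the
# central sentry platform can modify it; an HMAC tag stands in for that property here.
PLATFORM_KEY = b"constructed-demo-key-not-for-real-use"


def sign_policy(policy: dict, key: bytes = PLATFORM_KEY) -> dict:
    """Central sentry platform side: serialise the policy and attach an integrity tag."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_policy(signed: dict, key: bytes = PLATFORM_KEY) -> Optional[dict]:
    """Sentry side: accept the policy only if the tag verifies, otherwise None (fail closed)."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return None
    return json.loads(signed["body"])


@dataclass(frozen=True)
class AccessRequest:
    computer: str         # information of that computer
    pid: int              # the process making the request
    application: str      # its application program
    path: str             # file information of the encrypted data
    image_sha256: str     # constructed: hash of the process image, used to authenticate it


def decide(policy: dict, req: AccessRequest) -> str:
    """Claim 7 logic. Each authorization list maps an application program to the
    image hash the sentry expects; a process is authenticated as that program only
    when the hashes match. If a program is on both lists, plaintext wins (assumption)."""
    if policy["plaintext_list"].get(req.application) == req.image_sha256:
        return PLAINTEXT
    if policy["ciphertext_list"].get(req.application) == req.image_sha256:
        return CIPHERTEXT
    return DENY


def examine(policy: Optional[dict], req: AccessRequest, now: Optional[datetime] = None) -> dict:
    """Handle one request (claim 3) and build the record the central sentry platform
    collects for every examined request (claim 4). No valid policy means deny."""
    result = DENY if policy is None else decide(policy, req)
    return {
        "computer": req.computer,
        "process": {"pid": req.pid, "application": req.application},
        "file": req.path,
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "result": result,
        "decrypt": result == PLAINTEXT,   # cipher-text access is granted without decrypting
    }


# Constructed sample policy as the central platform would send it.
SAMPLE_POLICY = sign_policy({
    "plaintext_list": {"editor.exe": "aa11"},
    "ciphertext_list": {"backup.exe": "bb22"},
})

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for req in (
        AccessRequest("host-1", 100, "editor.exe", "/data/secret.enc", "aa11"),
        AccessRequest("host-1", 101, "backup.exe", "/data/secret.enc", "bb22"),
        AccessRequest("host-1", 102, "editor.exe", "/data/secret.enc", "ff00"),
    ):
        print(json.dumps(examine(policy, req)))
```

A policy whose tag does not verify is never applied, so a sentry that cannot obtain a valid policy denies every request rather than falling back to an older or altered one.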

Regarding claim 8, Yang in view of Wright teaches all the features with respect to claim 7, as outlined above. The combination further teaches wherein, for each computer in the plurality of computers, installing the corresponding sentry on that computer further comprises
installing a sentry application of that sentry on a user space of that computer, the user space being separate from the kernel space of that computer, the sentry application of that sentry being linked for communication with the file system filter of that sentry; and, ([Yang 0066] provide a process-based access policing system for encrypted data. The system may include one or more storage modules that include physical storage media, a data protection module (kernel level file system filter), and optionally a user-mode filter companion application.)
providing a plurality of communication channels, wherein the plurality of communication channels comprises, for each computer in the plurality of computers, a communication channel linking the central sentry platform to the file system filter of the sentry for that computer via the sentry application of the sentry for that computer. ([Yang 0115-0116] a user-mode filter companion application 101D may be used to provide a method for an end user to configure the kernel level file system filter 102. This may be particularly useful when system 100 is used to provide data protection on an endpoint computer. Additionally or alternatively, the user-mode filter companion application 101D may communicate with the file system filter 102 to log file access information for data use monitoring and governance. In this case, a communication channel can be established between the user-mode filter companion application 101D and the kernel level file system filter 102.) Here Yang discloses details of this limitation in [0019], [0033], [0051], [0066], [0074]-[0076], [0116], [0155]; claim 8.

Regarding claim 14, Yang in view of Wright teaches all the features with respect to claim 4, as outlined above. The combination further teaches
providing at the central sentry platform a dynamic search function for searching items contained in the information on all examined access requests received from the plurality of sentries. ([Yang 0061-0062] The data protection module may then implement a fast string search algorithm based on the tree structure of the file system path strings to determine whether a requested data file is a protected data file. For example, the data protection module may initiate a search tree when it is loaded in the kernel. The data protection module may then define the search tree by detecting, for every data file stored on the storage module(s) associated with the computer system, whether that data file is encrypted. In some cases, the data protection module may define the search tree dynamically, for instance when the data file is accessed by the kernel filter for the first time, which may be in response to a request from any process or application operating on the computer system.) It would have been prima facie obvious to one of ordinary skill in the art to use this dynamic search in collected/reported information disclosed in [0116], if desired.

Regarding claims 15-22, the scope of the claims is similar to that of claims 1-8, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 9 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 20180102902 A1) in view of Wright (US 20080077971 A1) and Dawes (US 20150325106 A1).

Regarding claim 9, Yang in view of Wright teaches all the features with respect to claim 8, as outlined above. But the combination does not teach for each sentry in the plurality of sentries, defining a heartbeat frequency; operating that sentry to send a time series of heartbeats to the central sentry platform at a heartbeat frequency via the communication channel linking the central sentry platform to the file system filter of that sentry, the time series of heartbeats being encrypted so that the time series of heartbeats can only be modified by that sentry; monitoring the time series of heartbeats; and, based at least partly on the monitoring the time series of heartbeats, operating the central sentry platform to evaluate the status of that sentry. This aspect of the claim is identified as a difference.
However, Dawes in an analogous art explicitly teaches for each sentry in the plurality of sentries,
defining a heartbeat frequency; operating that sentry to send a time series of heartbeats to the central sentry platform at a heartbeat frequency via the communication channel linking the central sentry platform to the file system filter of that sentry, the time series of heartbeats being encrypted so that the time series of heartbeats can only be modified by that sentry; ([0149] In one embodiment the heartbeat signal has a fixed periodicity. In other embodiments the heartbeat signal frequency can be varied based on any desired system parameter. The heartbeat signal, which includes updated alarm state information, is used by the security server to monitor condition of the security system.) Here Dawes discloses in [0078] that regarding security for the IP communications (e.g., authentication, authorization, encryption, anti-spoofing, etc.), the integrated security system uses SSL to encrypt all IP traffic. It would have been prima facie obvious to one of ordinary skill in the art to encrypt the heartbeat signal to increase security, if desired.
monitoring the time series of heartbeats; and, based at least partly on the monitoring the time series of heartbeats, operating the central sentry platform to evaluate the status of that sentry. ([0147] In response to the first signal, a heartbeat signal is initiated that monitors health of the security system. The security server detects a failure of the heartbeat signal and generates a report and sends the report to a central monitoring station. In one embodiment, in the event that no failure occurs, the heartbeat signal may continue. In other embodiments the heartbeat signal may continue for variable periods of time.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “encrypted data access policing” concept of Yang and the “heartbeat signal” approach of Dawes. One of ordinary skill in the art would have been motivated to perform such a modification to initiate a heartbeat signal that monitors the health of the system in order to increase the security of the system (Dawes [0147]).
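The heartbeat time series and status evaluation mapped to Dawes above, worked as an added example. This is not code from the application or the cited references; the per-sentry HMAC tag standing in for the claimed heartbeat encryption, the sequence number, and the 1.5- and 3-interval thresholds are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

HEALTHY, DEGRADED, OFFLINE = "healthy", "degraded", "offline"


def make_heartbeat(sentry_key: bytes, sentry_id: str, seq: int, ts: float) -> dict:
    """Sentry side: one heartbeat carrying a sequence number and its send time.
    The HMAC tag stands in for the claimed encryption that lets only this sentry
    produce or modify its heartbeats (assumption)."""
    body = json.dumps({"sentry": sentry_id, "seq": seq, "ts": ts}, sort_keys=True)
    tag = hmac.new(sentry_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class SentryMonitor:
    """Central sentry platform side: tracks one sentry's heartbeat time series."""

    def __init__(self, sentry_key: bytes, frequency_hz: float, grace_intervals: float = 3.0):
        self.key = sentry_key
        self.interval = 1.0 / frequency_hz      # the defined heartbeat frequency
        self.grace = grace_intervals            # missed intervals before "offline"
        self.last_seq = -1
        self.last_ts: Optional[float] = None
        self.rejected = 0                       # forged or replayed heartbeats seen

    def receive(self, hb: dict) -> bool:
        """Accept a heartbeat only if its tag verifies and its sequence advances."""
        expected = hmac.new(self.key, hb["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hb["tag"]):
            self.rejected += 1
            return False
        msg = json.loads(hb["body"])
        if msg["seq"] <= self.last_seq:         # replayed or out-of-order heartbeat
            self.rejected += 1
            return False
        self.last_seq, self.last_ts = msg["seq"], msg["ts"]
        return True

    def status(self, now: float) -> str:
        """Evaluate the sentry's status from the gap since the last valid heartbeat."""
        if self.last_ts is None:
            return OFFLINE
        missed = (now - self.last_ts) / self.interval
        if missed < 1.5:                        # within one interval plus jitter
            return HEALTHY
        if missed < self.grace:
            return DEGRADED
        return OFFLINE


if __name__ == "__main__":
    key = b"constructed-sentry-key"             # constructed per-sentry secret
    mon = SentryMonitor(key, frequency_hz=0.1)  # one heartbeat every 10 s
    mon.receive(make_heartbeat(key, "host-1", 1, 100.0))
    for now in (105.0, 120.0, 140.0):
        print(now, mon.status(now))
```

Rejected heartbeats never refresh the last-seen time, so a forged or replayed heartbeat cannot keep a silent sentry looking healthy; the platform should alert on both the rejection count and the transition to "offline".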

Regarding claim 23, the scope of the claim is similar to that of claim 9. Accordingly, the claim is rejected using a similar rationale.

Claims 10-13 and 24-28 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 20180102902 A1) in view of Wright (US 20080077971 A1) and Huang (US 20060272024 A1).

Regarding claim 10, Yang in view of Wright teaches all the features with respect to claim 4, as outlined above. But the combination does not teach providing a visualization display, associated with the central sentry platform, to display a plurality of access status indicators for indicating and displaying the information on all examined access requests received from the plurality of sentries. This aspect of the claim is identified as a difference.
However, Huang in an analogous art explicitly teaches 
providing a visualization display, associated with the central sentry platform, to display a plurality of access status indicators for indicating and displaying the information on all examined access requests received from the plurality of sentries. ([0012-0014] users monitor and manage sensitive information within an enterprise network through a graphical user interface (GUI). The GUI provides users with static information, such as the presence of input/output devices (I/O device), the location of sensitive documents, and the status of local security policy. The GUI also provides users with dynamic information, such as the occurrence of security policy violations, the identity of sensitive documents entering and leaving an endpoint of the enterprise network, and their corresponding sensitivity levels. In one embodiment, a scan agent is configured (or adapted) to conduct a security scan for sensitive documents stored in an endpoint and I/O devices attached (or connected) to the endpoint. The scan agent transmits the scan result to a GUI engine. The GUI engine generates an endpoint sensitive information view and an endpoint graphic I/O device view based on the information received. Based on the generated views, a GUI displays a static view of I/O devices and sensitive documents resided on the endpoint to a user. The user can manage the sensitive documents, configure local security policies, and conduct other activities affecting the endpoint through the GUI. In another embodiment, a security agent is configured to detect sensitive documents being processed by an endpoint. The security agent transmits the information to a GUI engine. The GUI engine generates a real-time sensitive information flow view based on the information received. Based on the generated view, a GUI displays a dynamic sensitive information flow map of the endpoint to a user. The user can manage the sensitive documents and other aspects related to the data security of the endpoint through the GUI.) Here Huang discloses a central monitoring system comprising a graphical user interface visualizing data access information and operational indicators received from local agents in [0012]-[0016], [0028]-[0060]; figs. 1-9.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “encrypted data access policing” concept of Yang, and the “graphical user interface for users to monitor and manage sensitive information” approach of Huang. One of ordinary skill in the art would have been motivated to perform such a modification because visual representation enables users to visually identify the location of sensitive information within a network so that the user can quickly assess the vulnerability of that sensitive information (Huang [0015]).

Regarding claims 11-13 and 24-27, the scope of the claims is similar to that of claim 10, respectively. Accordingly, the claims are rejected using a similar rationale.

Regarding claim 28, Yang in view of Wright and Huang teaches all the features with respect to claim 25, as outlined above. The combination further teaches
providing at the central sentry platform a dynamic search function for searching items contained in the information on all examined access requests received from the plurality of sentries. ([Yang 0061-0062] The data protection module may then implement a fast string search algorithm based on the tree structure of the file system path strings to determine whether a requested data file is a protected data file. For example, the data protection module may initiate a search tree when it is loaded in the kernel. The data protection module may then define the search tree by detecting, for every data file stored on the storage module(s) associated with the computer system, whether that data file is encrypted. In some cases, the data protection module may define the search tree dynamically, for instance when the data file is accessed by the kernel filter for the first time, which may be in response to a request from any process or application operating on the computer system.) It would have been prima facie obvious to one of ordinary skill in the art to use this dynamic search in collected/reported information disclosed in [0116], if desired.
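The tree-structured path search cited from Yang [0061]-[0062], applied as the examiner suggests to the examined access requests reported by the sentries; this is an added illustration, not code from Yang or the application. The tree is keyed by path components, can be defined dynamically on first access through a caller-supplied probe, and answers "everything reported under this directory" without scanning a flat list. The class and method names and the record layout are assumptions.

```python
from posixpath import normpath

LEAF = object()  # sentinel key: the record stored for the file at this node

class PathTree:
    """Tree keyed by path components (added example, hypothetical design):
    a lookup walks one level per component instead of scanning a flat list."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _parts(path):
        # normpath folds '..' and '//' so aliases of one file share a node
        return [p for p in normpath(path).split("/") if p]

    def insert(self, path, record):
        node = self.root
        for part in self._parts(path):
            node = node.setdefault(part, {})
        node[LEAF] = record

    def lookup(self, path):
        node = self.root
        for part in self._parts(path):
            node = node.get(part, {})
        return node.get(LEAF)

    def get_or_probe(self, path, probe):
        """Dynamic definition: on first access, ask probe() once and cache it."""
        record = self.lookup(path)
        if record is None:
            record = probe(path)
            self.insert(path, record)
        return record

    def search_prefix(self, directory):
        """All (path, record) entries at or below a directory, sorted by path."""
        node, parts = self.root, self._parts(directory)
        for part in parts:
            node = node.get(part, {})
        found, stack = [], [(parts, node)]
        while stack:
            prefix, n = stack.pop()
            for key, child in n.items():
                if key is LEAF:
                    found.append(("/" + "/".join(prefix), child))
                else:
                    stack.append((prefix + [key], child))
        return sorted(found, key=lambda item: item[0])
```

Records are whatever the platform reports per examined request (constructed here as a sentry id and the policing decision); the probe in get_or_probe stands in for Yang's "is this file encrypted" check.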

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20080295174 A1, "Method and System for Preventing Unauthorized Access and Distribution of Digital Data", by Fahmy, teaches a system for preventing tampering and unauthorized access to digital data stored on a device. The system can include 1) a data store for containing digital data to be protected and a listing of processes permitted to access the digital data, 2) a filter driver for intercepting a request issued from a process to access the digital data, 3) a central processor, in communication with the data store, upon receipt of a notification of the intercepted request from the filter driver, deciding to grant or deny the request by determining whether the process issuing the request is on the listing of processes permitted to access the digital data, and 4) a monitor process for monitoring one or more software components of the system including the central processor, filter driver, and data store, and for identifying and preventing any unauthorized processes from accessing and tampering with the software components of the system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493