DETAILED ACTION
The following is a final office action in response to applicant’s amendments filed on 11/20/2020 in response to the office action mailed on 07/20/2020. Claims 1, 6, 12, 13 and 21 are amended. No claim is added or cancelled. Claims 1-22 are pending.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 21 is objected to because of the following informalities:
In line 17 of claim 21, “and the consolidated verdict” is repetitive. Examiner suggests removing it.


Response to Arguments
Applicant’s amendments and arguments to claims 1, 6 and 13, filed on 11/20/2020, with respect to claim objections have been considered and the objections have been withdrawn.
Applicant’s amendments to independent claims 1 and 21, filed on 11/20/2020, with respect to rejections under 35 U.S.C. 101 (software per se) have been considered and the amendments overcame the rejections. The rejections have been withdrawn.
Applicant’s amendments to independent claims 1, 2, 3 and 9, filed on 11/20/2020, with respect to rejections under 35 U.S.C. 112 indefinite (lack of antecedent) have been considered and the amendments overcame the rejections. The rejections have been withdrawn.
Applicant’s amendments to independent claim 12, filed on 11/20/2020, with respect to rejections under 35 U.S.C. 112 indefinite have been considered and the amendments overcame the rejections. The rejections have been withdrawn.
Regarding claim 6, applicant does not amend or argue with respect to the rejection under 35 U.S.C. 112 indefinite (prolix). The rejection has been sustained.
As provided in further detail below, applicant’s arguments regarding that the references fail to show certain features are unpersuasive in view of the grounds of rejection discussed in detail. Please note that during patent examination, the pending claims even when interpreted in view of the specification must be “given their broadest reasonable interpretation.” Phillips v. AWH Corp., 415 F.3d 1303, 1316, 75 USPQ2d 1321, 1329 (Fed. Cir. 2005), In re Am. Acad, of Sci. Tech. Ctr
Regarding the arguments on independent claim 1 on page 13, applicant simply states that the prior art, Mahaffey, does not teach the newly amended limitations: (i) receive meta-information associated with a first artifact, being different from the plurality of artifacts, from the first network device; ….. (b) providing, from the second network device to the first network device, at least (i) [[a]]the verdict of at least the second artifact as the verdict for the first artifact and (ii) context information to assist in remediation or prevention of further cyber-attacks where the first artifact is associated with a malicious classification or to optimize use of processing resources when the first artifact is associated with a benign classification in response to the portion of the meta-information associated with the first artifact being determined by the second network device to match the portion of the stored meta-information associated with the second artifact. Examiner carefully reviewed applicant’s arguments but respectfully disagrees. Mahaffey does teach (i) receive meta-information associated with a first artifact, being different from the plurality of artifacts, from the first network device (Mahaffey: Para. 0046); (b) providing, from the second network device to the first network device, at least (i) [[a]]the verdict of at least the second artifact as the verdict for the first artifact and (ii) context information to assist in remediation or prevention of further cyber-attacks where the first artifact is associated with a malicious classification or to optimize use of processing resources when the first artifact is associated with a benign classification in response to the portion of the meta-information associated with the first artifact being determined by the second network device to match the portion of the stored meta-information associated with the second artifact (Para. 0048, 0037, 0124, 0046, 0159).
In more detail, Mahaffey teaches a data store that contains known good or known bad objects, comparing the newly received objects with the known good or known bad objects first, then transmitting the assessment to the first device if the previous assessment is still valid. If not, when the object is changed, the server will perform a reassessment. If the reassessment is malicious, a notification with remediation information for the object is transmitted.
Applicant presents no further arguments.

ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f): (FP 7.30.03) 
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph: 
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and 
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 


Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in the application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. (FP 7.30.05) 
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitations are: “a cybersecurity intelligence hub being configured to” in claim 10.
Because this/these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
“A cybersecurity intelligence hub configured to” in claim 10 invokes 112(f). However, a review of the specification discloses that a cybersecurity intelligence hub comprises a hardware processor and a memory in Para. 0120 and Figure 4. A hardware processor is interpreted as the corresponding structural support for the claimed function.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. (FP 7.30.06)

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claim 6, the scope of “wherein the portion of the meta-information associated with the first artifact includes distinctive metadata distinguishing the first artifact from each of the plurality of artifacts except for any artifact of the plurality of artifacts being represented by stored meta-MPEP 2173.05(m)). 


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 2 and 4-9 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mahaffey et al. (US20110047594, hereinafter Mahaffey).
Regarding claim 1, Mahaffey teaches a system for detecting artifacts associated with a cyber-attack, comprising: a first network device (Mahaffey: Fig. 3: mobile communication device (101)); and a second network device remotely located from and communicatively coupled over a network to the first network device (Mahaffey: Fig. 3: Server (151); Para. 0025: one or more servers 151 communicate with one or more mobile communication devices 101 over a cellular, wireless Internet or other network 121), the second network device comprises a non-transitory storage medium including a data store including stored meta-information associated with each artifact of a plurality of artifacts and each stored meta-information includes a verdict classifying the corresponding artifact as a malicious classification or a benign classification (Mahaffey: Fig. 3: Data storage (111); Para. 0025: The one or more servers 151 may have access to a data storage 111 that stores security information for the one or more mobile communication devices 101. Data, assessment information, information about the mobile communication devices 101; Para. 0075: application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object…..In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis. Server 151 may contain known good component 903, known bad component 905; Para. 0046: some or all of the received data is stored on server 151 or data storage 111), wherein the second network device being configured to (i) receive meta-information associated with a first artifact, being different from the plurality of artifacts, from the first network device (Mahaffey: Para. 0033: Application data includes metadata about data objects. For example, metadata is information about a specific data object, rather than the data object itself. Metadata includes the location on a mobile communication device's file system where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object such as a GUID or UUID, security information related to the data object such as its cryptographic signer information or level of permissions granted, and characteristics of how the data object is installed on or integrates with the mobile communication device's operating system. Metadata for a data object may also include from where the data object came; Para. 0037: metadata for an application may be sent for an assessment rather than the whole application. In many cases, metadata, such as a package name, application name, file name, file size, permissions requested, cryptographic signer, download source, a unique identifier such as a UUID, and other information may be sufficient as identifying information for a data object; Para. 0046: mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID). In block 305, server 151 receives the identifier for mobile communication device 101 and information for the changed data object.), and (ii) determine a verdict for the first artifact upon (Mahaffey: Para. 0046: In block 309, server 151 provides an assessment for the changed data object….The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown) (a) analyzing a portion of the meta-information associated with the first artifact and a portion of the stored meta-information associated with each of the plurality of artifacts that includes a portion of the stored meta-information associated with at least a second artifact of the plurality of artifacts (Mahaffey: Fig. 3: receive identification + data object information (305); analyze data object (309); Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device…..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; Para. 0146: software on the mobile communication device can use the identifying information to determine an assessment for the application by evaluating the identifying information locally using any of the systems described herein or by transmitting the identifying information to server 151 and receiving an assessment from the server; Para. 0148: In block 901, the executable is determined to need to be classified as either good or bad as a result from an attempt to access the executable, installing the executable, or the executable being downloaded or otherwise transferred to the mobile device. The executable may or may not be pre-processed to extract additional application data such as a hash identifier, cryptographic signer, package name or other characteristics before being evaluated by known good component 903 ….. This evaluation may include comparing the executable's hash identifier or other characteristics against a database of known good characteristics, identifying whether the executable has sufficient known good characteristics; Para. 0159: a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed. In an embodiment, if a data object has any characteristic in the known good list, it is considered safe. In an embodiment, server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed), and (b) providing, from the second network device to the first network device, at least (i) the verdict of at least the second artifact as the verdict for the first artifact and (ii) context information to assist in remediation or prevention of further cyber-attacks where the first artifact is associated with a malicious classification or to optimize use of processing resources when the first artifact is associated with a benign classification in response to the portion of the meta-information associated with the first artifact being determined by the second network device to match the portion of the stored meta-information associated with the second artifact (Mahaffey: Para. 0037: To prevent taxing network 121 and server 151 with network traffic, various methods may be used to reduce the amount of data requested by and transmitted to server 151. For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid; Para. 0048: server 151 may transmit a notification, remediation instructions or the like to mobile communication device 101. Mobile communication device 101 receives the notification from server 151 (block 421), then performs the recommended actions or remediation instructions (block 423); Para. 0124: the notification transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object. For example the notification may utilize a push service provided by a platform vendor and include the package name and content hash for a data object. The notification may also specify a remediation action such as “killing” any processes containing the data object, requesting for a user to uninstall the data object, and deleting the data object without user intervention. In an embodiment, the notification includes information for display to a user about the data object such as remediation instructions, an explanation for why the data object is considered undesirable, or a request to take a particular action; Para. 0046: Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311, the assessment is transmitted to mobile communication device 101, which receives this assessment from server 151 (block 313); Para. 0159: a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed. In an embodiment, if a data object has any characteristic in the known good list, it is considered safe. In an embodiment, server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed).
Regarding claim 2, Mahaffey teaches the system of claim 1. In addition, Mahaffey teaches wherein the second network device to determine the verdict for the first artifact without conducting a malware analysis on the first artifact (Mahaffey: Para. 0037:  Rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. ….a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151). 
Regarding claim 4, Mahaffey teaches the system of claim 1. In addition, Mahaffey teaches wherein the second network device being a cybersecurity sensor communicatively coupled to a plurality of endpoints including the first network device, the cybersecurity sensor to determine classifications for artifacts represented by submitted meta-information from the plurality of endpoints (Mahaffey: Para. 0085: server 151 determines whether a data object causes a mobile communication device 101 to access malicious Internet or other public or private networks. For example, a data object that causes a mobile communication device to access a malicious website may subject the device to exploitation. An embodiment of this disclosure allows for resolution of transmitted Inter- or Intranet addresses (e.g., URLs) to determine whether the address will direct the mobile communication device to a safe website, rather than a nefarious website or phishing scam. This information can be stored as it relates to a particular data object; Para. 0025: mobile communication device 101 may also be referred to as a “mobile client device,” “client device,” “device,” or “client,” and may be referred to in the singular or plural form; Para. 0037:  For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. ….a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151).
Regarding claim 5, Mahaffey teaches the system of claim 1. In addition, Mahaffey teaches wherein the second network device analyzing the portion of the meta-information associated with the first artifact and the portion of the stored meta-information associated with the second artifact by at least comparing whether the portion of the meta-information associated with the first artifact matches the portion of the meta-information associated with the second artifact (Mahaffey: Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device…..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; Para. 0159: a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed. In an embodiment, if a data object has any characteristic in the known good list, it is considered safe. In an embodiment, server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed).
Regarding claim 6, Mahaffey teaches the system of claim 5. In addition, Mahaffey teaches wherein the portion of the meta-information associated with the first artifact includes distinctive metadata distinguishing the first artifact from each of the plurality of artifacts except for any artifact of the plurality of artifacts being represented by stored meta-information on which the portion of the stored meta-information matches the distinctive metadata (Mahaffey: Para. 0037:  For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. ….a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151; Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device…..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path).
Regarding claim 7, Mahaffey teaches the system of claim 6. In addition, Mahaffey teaches wherein the first artifact is an object and the distinctive metadata includes a hash value of the object (Mahaffey: Para. 0033: Application data includes metadata about data objects. For example, metadata is information about a specific data object, rather than the data object itself. Metadata includes the location on a mobile communication device's file system where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object such as a GUID or UUID, security information related to the data object such as its cryptographic signer information or level of permissions granted, and characteristics of how the data object is installed on or integrates with the mobile communication device's operating system. Metadata for a data object may also include from where the data object came). 
Regarding claim 8, Mahaffey teaches the system of claim 7. In addition, Mahaffey teaches wherein the portion of the stored meta-information associated with the second artifact matching the hash value of the object (Mahaffey: Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111 in a way that server cannot directly tie the information to a particular device…..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path). 
Regarding claim 9, Mahaffey teaches the system of claim 1. In addition, Mahaffey teaches wherein the second network device being further configured to (i) store the received meta-information associated with the first artifact within the data store in response to the portion of the meta-information associated with the first artifact failing to match the stored meta-information associated In block 509, server 151 determines whether it requires additional information about the changed data object. For example, server 151 may attempt to assess whether the changed data object is safe or malicious, but is unable to provide a conclusive assessment (i.e., the assessment results in “unknown”). The determination of whether more information is needed can be performed either before the server 151 performs an assessment if there is not enough data to even begin an assessment or after an assessment returns inconclusively due wholly or in part to a lack of data. If additional information is required, then server 151 may request the additional information from mobile communication device 101 (block 511); Para. 0051: In block 513 of FIG. 5, mobile communication device 101 receives the request for additional information, gathers the requested information (block 515), then transmits the additional information to server 151 (block 517). In an embodiment, additional information includes behavioral data for a data object and application data for the data object, such as the content for the data object. 
In block 519, server 151 receives the additional information from mobile communication device 101, and stores the additional information (block 521)), and (ii) provide the received meta-information associated with the first artifact to a third network device including a global data store, wherein the third network device to provide the verdict for the first artifact to the second network device in response to the portion of the meta-information associated with the first artifact being determined by the third network device to match a portion of stored meta-information associated a third artifact stored within the global data store (Mahaffey: Para. 0155: server 151 has access to such application providers and can collect information about specific applications. For example, server 151 can search for and collect user-generated reviews or ratings about applications. An application that has favorable ratings may be deemed safe while an application with significantly negative ratings may be deemed undesirable. Because server 151 may also determine trust data for data objects, the assessment for an application with negative reviews may only indicate that the application is undesirable if the application has a low trust rating while an application with a high trust rating and negative reviews may still be considered desirable by an anti-malware system; Para. 0037: metadata for an application may be sent for an assessment rather than the whole application. In many cases, metadata, such as a package name, application name, file name). 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Oliver et al. (US8769683, hereinafter Oliver).
Regarding claim 3, Mahaffey teaches the system of claim 2. 
Yet, Mahaffey does not teach wherein the first network device issuing an alert message to notify an administrator of a detection of the first artifact being part of a cyber-attack in response to the verdict for the first artifact being malicious classification.
However, in the same field of endeavor, Oliver teaches wherein the first network device issuing an alert message to notify an administrator of a detection of the first artifact being part of a cyber-attack in response to the verdict for the first artifact being malicious classification (Oliver: Col. 9, line 2-10: As a consequence of detecting such a new malware family, the malware classifier 31 may take appropriate action, which may include one or more of the following: informing the client machine that the file is likely to be new malware; requesting a copy of the file for further analysis; and alerting users or other people (such as system administrators) of a possible infection by new malware). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Mahaffey to include wherein the first network device issuing an alert message to notify an administrator of a detection of the first artifact being part of a cyber-attack in response to the verdict for the first artifact being malicious classification.
Claims 10-11 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Manni et al. (US9311479, hereinafter Manni).
Regarding claim 10, Mahaffey teaches the system of claim 1. In addition, Mahaffey further teaches wherein the second network device being a cybersecurity intelligence hub remotely located from and communicatively coupled over a network to a plurality of network devices including the first network device (Mahaffey: Fig. 10: mobile devices (101), web crawler (1003), application marketplace data gathering system (1005), application marketplace (1009), network security infrastructure (1011), data feeds (1013), server (151); Para. 0069: server 151 may receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments. FIG. 10 illustrates an embodiment in which server 151 may receive data from multiple sources…. One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 may transmit and receive information to and from server 151), the cybersecurity intelligence hub being configured to (i) cybersecurity intelligence including the stored meta-information being associated with each of the plurality of artifacts and received from a plurality of cybersecurity sensors including the first network device operating as a cybersecurity sensor (Mahaffey: Para. 0070: In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems. Such systems may be separate from server 151… There are many types of systems that may be used as data feeds to server 151. Some examples include web crawlers 1003, application marketplace data gathering systems 1005; Para. 0071: the web crawler 1003 may utilize a search engine to look for web sites that host mobile applications. Once the crawler 1003 identifies sites hosting mobile downloads, the crawler may retrieve web pages available on those sites, examining the content of each page to determine additional pages to retrieve…. 
the web crawler 1003 gathers marketplace metadata about data items and transmits the marketplace metadata to server 151. Some example marketplace metadata includes from which web sites a data object is available for download, user ratings and comments for a data object, the price of the data object if it is available for purchase, the number of times the data object has been downloaded, information about the author of the data object, and other information pertaining to a data object that is available on web sites; Para. 0072: it may be important for server 151 to receive information about data objects that are available in application marketplaces….. Application marketplaces are often provided by mobile platform vendors (e.g., Android Marketplace, Blackberry App World, Apple App Store, Nokia Ovi Store) or third parties (e.g., GetJar, Handango); Para. 0075: FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information…..In block 1101 of FIG. 11, application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object. Some of the possible methods for gathering and types of data gathered have been discussed above. Such methods may include gathering data from devices, from web sites, from application marketplaces, from people, and from other sources. In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered; Para. 0031: Application data includes both data objects and information about data objects, such as behavioral data or metadata), (ii) determine whether the cybersecurity intelligence includes cybersecurity intelligence corresponding to the first artifact using the portion of the meta-information associated with the first artifact (Mahaffey: Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. 
If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path),  and (iii) provide a verdict being part of the cybersecurity intelligence identifying whether the first artifact is of a known or unknown classification including at least a malicious classification or a benign classification (Mahaffey: Para. 0097: Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad; Para. 0098: One will appreciate that the above assessment data may be provided as an input into to server 151. For example, a network operator or enterprise may operate a server that produces assessment data and feeds it data back to a master server…… server 151 combines assessment data received from multiple sources to produce an aggregated assessment). 
Yet, Mahaffey only teaches aggregating the received cybersecurity intelligence, but not consolidating cybersecurity intelligence and providing a consolidated verdict.
However, in the same field of endeavor, Manni teaches consolidating cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes) and providing a consolidated verdict (Manni: Col. 2, line 43-47: “Analysis attributes” include information directed to portions of the suspicious network content that are analyzed for malware (hereinafter referred to as “artifacts”) as well as one or more anomalous behaviors observed during malware detection analysis of the artifacts; Col. 2, line 48-56: After receipt of analytic data from different MCD systems, the management system correlates the analytic data by recursively comparing analysis attributes recovered from one MCD system with analysis attributes recovered from one or more other MCD systems. Upon determining that at least certain analysis attributes from different MCD systems match, the input attributes corresponding to these compared analysis attributes may be consolidated to provide greater details). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Mahaffey to include consolidating cybersecurity intelligence and providing a consolidated verdict as disclosed by Manni. One of ordinary skill in the art would have been motivated to make this modification in order to consolidate the analytic data from multiple malware content detection systems as suggested by Manni (Manni: Col. 2, line 21-34).
Regarding claim 11, combination of Mahaffey and Manni teaches the system of claim 10. In addition, Manni further teaches wherein the consolidated verdict being a selected verdict based on a plurality of verdicts extracted from stored meta-information associated with two or more of the plurality of agents matching the portion of the meta-information associated with the first artifact (Manni: Col. 2, line 43-47: “Analysis attributes” include information directed to portions of the suspicious network content that are analyzed for malware (hereinafter referred to as “artifacts”) as well as one or more anomalous behaviors observed during malware detection analysis of the artifacts; Col. 2, line 48-56: After receipt of analytic data from different MCD systems, the management system correlates the analytic data by recursively comparing analysis attributes recovered from one MCD system with analysis attributes recovered from one or more other MCD systems. Upon determining that at least certain analysis attributes from different MCD systems match, the input attributes corresponding to these compared analysis attributes may be consolidated to provide greater details). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the consolidated verdict being a selected verdict based on a plurality of verdicts extracted from stored meta-information associated with two or more of the plurality of agents matching the portion of the meta-information associated with the first artifact as disclosed by Manni. One of ordinary skill in the art would have been motivated to make this modification in order to consolidate the analytic data from multiple malware content detection systems as suggested by Manni (Manni: Col. 2, line 21-34).
Regarding claim 21, Mahaffey teaches a system comprising: a plurality of network devices operating as a plurality of cybersecurity sensors; and a cybersecurity intelligence hub remotely located from and communicatively coupled to the plurality of cybersecurity sensors over a network (Mahaffey: Fig. 10: server (151), mobile devices (101), web crawler (1003), application marketplace data gathering system (1005); Para. 0069: that server 151 may receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments. FIG. 10 illustrates an embodiment in which server 151 may receive data from multiple sources and transmit assessment information for multiple uses. One or more servers 151 are illustrated as a “cloud” to emphasize that multiple servers may operate in coordination to provide the functionality disclosed herein. One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 may transmit and receive information to and from server 151), the cybersecurity intelligence hub including a non-transitory storage medium including a global data  Para. 0070: In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems. Such systems may be separate from server 151 or may be part of server 151. In an embodiment, a data gathering system directly updates a database or other storage on server 151 or data storage 111 with information for one or more data objects), and a processor communicatively coupled to the global data store, the processor to (i) store meta-information for each of a plurality of prior evaluated artifacts within the global data store (Mahaffey: Para. 0070: In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems. 
Such systems may be separate from server 151 or may be part of server 151. In an embodiment, a data gathering system directly updates a database or other storage on server 151 or data storage 111 with information for one or more data objects; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis; Para. 0046: some or all of the received data is stored on server 151 or data storage 111), (ii) receive meta-information associated with an artifact from a cybersecurity sensor of the plurality of cybersecurity sensors (Mahaffey: Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis; Para. 0033: Application data includes metadata about data objects. For example, metadata is information about a specific data object, rather than the data object itself. Metadata includes the location on a mobile communication device's file system where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object such as a GUID or UUID, security information related to the data object such as its cryptographic signer information or level of permissions granted, and characteristics of how the data object is installed on or integrates with the mobile communication device's operating system. 
Metadata for a data object may also include from where the data object came); (iii) determine whether a portion of the received meta-information associated with the artifact matches a portion of the stored meta-information associated with any of the plurality of prior evaluated artifacts within the global data store (Mahaffey: Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111  …..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; Para. 0159: a known good component may have a list of known good hash identifiers, package names, and cryptographic signers that it tries to match with data objects being analyzed. In an embodiment, if a data object has any characteristic in the known good list, it is considered safe. 
In an embodiment, server may use a similar known bad system that matches known bad application data to application data for a data object being analyzed), and (iv) provide both a verdict identifying a classification for the artifact, including whether the artifact is of a malicious classification or a benign classification, in response to determining that a portion of the stored meta-information associated with at least a first prior evaluated artifact of the plurality of prior evaluated artifacts matches the portion of the received meta-information associated with the artifact (Mahaffey: Para. 0046: In block 309, server 151 provides an assessment for the changed data object…. some or all of the received data is stored on server 151 or data storage 111  …..server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. …. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; Para. 0097: Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). 
For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad) and context information to assist in remediation or prevention of further cyber-attacks where the first artifact is associated with the malicious classification or optimize use of processing resources when the first artifact is associated with the benign classification (Mahaffey: Para. 0037: Para. 0048: server 151 may transmit a notification, remediation instructions or the like to mobile communication device 101. Mobile communication device 101 receives the notification from server 151 (block 421), then performs the recommended actions or remediation instructions (block 423); Para. 0124: the notification transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object. For example the notification may utilize a push service provided by a platform vendor and include the package name and content hash for a data object. The notification may also specify a remediation action such as “killing” any processes containing the data object, requesting for a user to uninstall the data object, and deleting the data object without user intervention. In an embodiment, the notification includes information for display to a user about the data object such as remediation instructions, an explanation for why the data object is considered undesirable, or a request to take a particular action). 
Yet, Mahaffey only teaches an aggregated verdict, but not a consolidated verdict, nor that the consolidated verdict is extracted from the stored meta-information associated with at least a first prior evaluated artifact.
However, in the same field of endeavor, Manni teaches consolidated verdict and the consolidated verdict is extracted from the stored meta-information associated with at least a first prior evaluated artifact (Manni: Col. 6, line 20-23: Aggregation logic 260 is configured to request (i.e. pull) analytic data from each of the MCD systems 110 1-110 N for storage within an internal data store 290; Col. 11, line 41-51: Referring to FIG. 6A, an exemplary embodiment of a flowchart of the operations for correlating and consolidating the analytic data from multiple MCD systems is shown. Herein, correlation logic within the management system compares analysis attributes associated with a first MCD system to analysis attributes associated with a second MCD system (block 600). If a match is detected for any of these attributes, the input attributes associated with the compared attributes are consolidated to collectively provide additional information concerning a malware attack associated with the network content (blocks 605 and 610); Col. 2, line 43-47: “Analysis attributes” include information directed to portions of the suspicious network content that are analyzed for malware (hereinafter referred to as “artifacts”) as well as one or more anomalous behaviors observed during malware detection analysis of the artifacts; Col. 2, line 48-56: After receipt of analytic data from different MCD systems, the management system correlates the analytic data by recursively comparing analysis attributes recovered from one MCD system with analysis attributes recovered from one or more other MCD systems. Upon determining that at least certain analysis attributes from different MCD systems match, the input attributes corresponding to these compared analysis attributes may be consolidated to provide greater details). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Mahaffey to include consolidated verdict and the consolidated verdict is extracted from the stored meta-information associated with at least a first prior evaluated artifact as disclosed by Manni. One of ordinary skill in the art would have been motivated to make this modification in order to consolidate the analytic data from multiple malware content detection systems as suggested by Manni (Manni: Col. 2, line 21-34).
Regarding claim 22, combination of Mahaffey and Manni teaches the system of claim 21. In addition, Mahaffey further teaches wherein the stored meta-information is an aggregate of meta-information from the plurality of cybersecurity sensors (Mahaffey: Para. 0075: FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information…..In block 1101 of FIG. 11, application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object. Some of the possible methods for gathering and types of data gathered have been discussed above. Such methods may include gathering data from devices, from web sites, from application marketplaces, from people, and from other sources. In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered; Para. 0088: the user interface shows information about the data object, such as aggregated application data, characteristics for the data object, and other information available to server 151). 
Claims 12-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Manni in view of Mahaffey.
Regarding claim 12, Manni teaches a cybersecurity intelligence hub configured for network connectivity to a plurality of cybersecurity sensors to detect whether an artifact is associated with a cyber-attack without execution of the artifact (Manni: Fig. 1: management system (120), first malware content detection system (1101), second MCD system (1012), third MCD system (1013);  Col. 4, line 27-33: Referring to FIG. 1, an exemplary block diagram of a communication network 100 deploying a plurality of malware content detection (MCD) systems 110 1-110 N (N>1) communicatively coupled to a management system 120 via a network 130 is shown. In general, management system 120 may be adapted to aggregate, correlate and consolidate analytic data provided by MCD systems 110 1-110 N; Claim 1: A method for detecting a malware attack and displaying information associated with suspicious network content pertaining to the malware attack; Col. 4, line 53-56: a first MCD system 110 1 may be a web-based security appliance that is configured to inspect ingress data traffic, identify whether any artifacts of the data traffic may include malware); comprising: a hardware processor (Manni: Fig. 2: processor(s)); a global data store communicatively coupled to the hardware processor (Manni: Fig. 2: data store (290); Col. 6, line 20-23: Aggregation logic 260 is configured to request (i.e. pull) analytic data from each of the MCD systems 110 1-110 N for storage within an internal data store 290); a memory communicatively coupled to the hardware processor, the memory including a data management and analytics engine ( (Manni: Fig. 2: Persistent storage (230), consolidation logic (280), correlation logic (270), aggregation logic (260)) to (i) consolidate cybersecurity intelligence for prior evaluated artifacts (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 
7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes), wherein the cybersecurity intelligence being received from the plurality of cybersecurity sensors for storage in the global data store, a first portion of the consolidated cybersecurity intelligence being associated with a first plurality of the prior evaluated artifacts previously analyzed for malware, and cybersecurity intelligence for each corresponding artifact of the first plurality of prior evaluated artifacts being assigned a consolidated verdict identifying whether the corresponding artifact is determined to be at least of a malicious classification or a benign classification (Manni: Col. 6, line 20-23: Aggregation logic 260 is configured to request (i.e. pull) analytic data from each of the MCD systems 110 1-110 N for storage within an internal data store 290; Col. 11, line 41-51: Referring to FIG. 6A, an exemplary embodiment of a flowchart of the operations for correlating and consolidating the analytic data from multiple MCD systems is shown. Herein, correlation logic within the management system compares analysis attributes associated with a first MCD system to analysis attributes associated with a second MCD system (block 600). 
If a match is detected for any of these attributes, the input attributes associated with the compared attributes are consolidated to collectively provide additional information concerning a malware attack associated with the network content (blocks 605 and 610); Col. 2, line 43-47: “Analysis attributes” include information directed to portions of the suspicious network content that are analyzed for malware (hereinafter referred to as “artifacts”) as well as one or more anomalous behaviors observed during malware detection analysis of the artifacts; Col. 2, line 48-56: After receipt of analytic data from different MCD systems, the management system correlates the analytic data by recursively comparing analysis attributes recovered from one MCD system with analysis attributes recovered from one or more other MCD systems. Upon determining that at least certain analysis attributes from different MCD systems match, the input attributes corresponding to these compared analysis attributes may be consolidated to provide greater details).
and context information to assist in remediation or prevention of further cyber-attacks when the corresponding artifact is associated with the malicious classification or optimize use of processing resources when the corresponding artifact is associated with the benign classification, and generating additional cybersecurity intelligence based on the consolidated intelligence to provide contextual information to a cybersecurity sensor of the one or more cybersecurity sensors enhance assessment of a potential cyber-attack
However, in the same field of endeavor, Mahaffey teaches the verdict identifying whether the corresponding artifact is determined to be at least of a malicious classification or a benign classification (Mahaffey: Para. 0097: Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad), and context information to assist in remediation or prevention of further cyber-attacks when the corresponding artifact is associated with the malicious classification or optimize use of processing resources when the corresponding artifact is associated with the benign classification (Mahaffey:  Para. 0048: server 151 may transmit a notification, remediation instructions or the like to mobile communication device 101. Mobile communication device 101 receives the notification from server 151 (block 421), then performs the recommended actions or remediation instructions (block 423); Para. 0124: the notification transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object. For example the notification may utilize a push service provided by a platform vendor and include the package name and content hash for a data object. 
The notification may also specify a remediation action such as “killing” any processes containing the data object, requesting for a user to uninstall the data object, and deleting the data object without user intervention. In an embodiment, the notification includes information for display to a user about the data object such as remediation instructions, an explanation for why the data object is considered undesirable, or a request to take a particular action), and generating additional cybersecurity intelligence based on the consolidated intelligence to provide contextual information to a cybersecurity sensor of the one or more cybersecurity sensors enhance assessment of a potential cyber-attack (Mahaffey: Para. 0075: server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object; Para. 0077: As part of analyzing a data object, it may be desirable for server 151 to characterize it and/or categorize it (block 1109). In an embodiment, server 151 stores characterization and categorization data for data objects (block 1111). It may be desirable for characterization and categorization data to be updated as more data becomes available or analysis of the data changes. In an embodiment, server 151 performs additional analysis (block 1109) and updates stored categorization and characterization data (block 1111) for a data object when new or updated data for the data object used by analysis systems is available; Para. 0175: Because server 151 continually gathers information and improves assessments, assessment information can be updated on application marketplaces and/or mobile communication devices that have cached the assessment information. For example, server 151 may send a notification to the application marketplace or mobile communication device indicating that new assessment information is available. 
In another example, server 151 may simply transmit the updated assessment information so that old information is overwritten). 
and context information to assist in remediation or prevention of further cyber-attacks when the corresponding artifact is associated with the malicious classification or optimize use of processing resources when the corresponding artifact is associated with the benign classification, and generating additional cybersecurity intelligence based on the consolidated intelligence to provide contextual information to a cybersecurity sensor of the one or more cybersecurity sensors enhance assessment of a potential cyber-attack as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this modification in order to provide security related assessment suggested by Mahaffey (Mahaffey: Para. 0027). 
Regarding claim 13, combination of Manni and Mahaffey teaches the system of claim 12. In addition, Manni teaches consolidated cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes) and a consolidated verdict (Manni: Col. 2, line 43-47: “Analysis attributes” include information directed to portions of the suspicious network content that are analyzed for malware (hereinafter referred to as “artifacts”) as well as one or more anomalous behaviors observed during malware detection analysis of the artifacts; Col. 2, line 48-56: After receipt of analytic data from different MCD systems, the management system correlates the analytic data by recursively comparing analysis attributes recovered from one MCD system with analysis attributes recovered from one or more other MCD systems. Upon determining that at least certain analysis attributes from different MCD systems match, the input attributes corresponding to these compared analysis attributes may be consolidated to provide greater details).
In addition, Mahaffey further teaches (iii) receive a message requesting a verdict for the artifact from a cybersecurity sensor of the one or more cybersecurity sensors (Mahaffey: Para. 0104: server 151 storing the categorization and transmitting it in response to a request for an assessment for the data object….Server 151 stores a list of data objects that are considered undesirable and, when asked for an assessment for one of these data objects returns an assessment indicating that the data object is undesirable; Para 0121: When mobile communication device 101 encounters a data object, it transmits a request to server 151 for an assessment); (iv) determine whether the cybersecurity intelligence includes cybersecurity intelligence directed to the artifact (Mahaffey: Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path); and (v) provide, to the cybersecurity sensor, meta-information being part of the cybersecurity intelligence directed to the artifact in response to the cybersecurity intelligence hub determining that the cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact, the meta-information including the verdict for the artifact identifying whether the artifact as having a known or unknown classification including a malicious classification or a benign classification (Mahaffey: Para. server 151 stores the results of the assessment on the server or on data storage 111. 
If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311, the assessment is transmitted to mobile communication device 101; Para. 0097: Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include (iii) receive a message requesting a verdict for the artifact from a cybersecurity sensor of the one or more cybersecurity sensors, (iv) determine whether the cybersecurity intelligence includes cybersecurity intelligence directed to the artifact and (v) provide, to the cybersecurity sensor, meta-information being part of the cybersecurity intelligence directed to the artifact in response to the cybersecurity intelligence hub determining that the cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact, the meta-information including a verdict for the artifact identifying whether the artifact as having a known or unknown classification including a malicious classification or a benign classification as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this 
Regarding claim 14, combination of Manni and Mahaffey teaches the system of claim 13. In addition, Manni teaches consolidated cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes).  
In addition, Mahaffey further implicitly teaches wherein the data management and analytics engine further determines whether the cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact by at least (a) parsing the message to extract distinctive metadata from meta-information associated with the artifact within the request message, the distinctive metadata distinguishes the artifact from other artifact and (b) conducting a comparison between the distinctive metadata and meta-information with the cybersecurity intelligence associated with each of the prior evaluated artifacts to determine whether at least one of the prior evaluated artifacts corresponds to the artifact and the cybersecurity intelligence directed to the artifact resides within the cybersecurity intelligence (Mahaffey: Para 0121: When mobile communication device 101 encounters a data object, it transmits a request to server 151 for an assessment; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis; Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311, the assessment is transmitted to mobile communication device 101). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the data management and analytics engine further determines whether the cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact by at least (a) parsing the message to extract distinctive metadata from meta-information associated with the artifact within the request message, the distinctive metadata distinguishes the artifact from other artifact and (b) conducting a comparison between the distinctive metadata and meta-information with the cybersecurity intelligence associated with each of the prior evaluated artifacts to determine whether at least one of the prior evaluated artifacts corresponds to the artifact and the cybersecurity intelligence directed to the artifact resides within the cybersecurity intelligence as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this modification in order to provide security related assessment suggested by Mahaffey (Mahaffey: Para. 0027).
Regarding claim 15, combination of Manni and Mahaffey teaches the system of claim 12. In addition, Mahaffey teaches wherein the memory further comprises a portal being used, prior to the management and analytics engine determining whether the consolidated cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact, to authenticate a source of the request One will appreciate that communication between mobile communication device 101 and server 151 may utilize a variety of networking protocols and security measures. In an embodiment, server 151 operates as an HTTP server and the device 101 operates as an HTTP client. To secure the data in transit, mobile communication device 101 and server 151 may use Transaction Layer Security (“TLS”). Additionally, to ensure that mobile communication device 101 has authority to access server 151, and/or to verify the identity of mobile communication device 101, device 101 may send one or more identifiers or authentication credentials to server 151. For example, authentication credentials may include a user name and password, device-specific credentials, or any other data that identifies mobile communication device 101 to server 151). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the memory further comprises a portal being used, prior to the management and analytics engine determining whether the consolidated cybersecurity intelligence includes the cybersecurity intelligence directed to the artifact, to authenticate a source of the request message as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this modification in order to provide security related assessment suggested by Mahaffey (Mahaffey: Para. 0027).
Regarding claim 16, combination of Manni and Mahaffey teaches the system of claim 12. In addition, Manni teaches consolidated cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes).  
In addition, Mahaffey further teaches (iii) receive a query message via a customer portal for cybersecurity intelligence directed to a particular customer (Mahaffey: Para. 0035: Assessments may result from collecting and/or processing data by server 151 and may be exposed by server 151 to users or other systems via an API, user interfaces, data feeds, or other methods; Para. 0097: server may …….transmit a response to an API call querying for the assessment of the data object; Claim 27: The method claim 1, wherein providing the assessment comprises providing a response to a search query for the data object); (iv) determine whether the cybersecurity intelligence includes the cybersecurity intelligence (Mahaffey: Para. 0103: If multiple policies are configured on server 151 and data storage 111 stores which policy is to be applied to a device 101, then a given data object may have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 151 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application, server 151 transmits an assessment indicating that the application is allowed. In an embodiment, assessment data is not stored and only information used to produce the assessment such as application data, device data, distribution information, characterization information, trust data, and categorization information is stored and the assessment is performed upon request by applying policy to the stored information; Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. 
If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111 instead of performing a new assessment. Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path); and (v) return, via the customer portal, meta-information being part of the cybersecurity intelligence directed to the particular customer in response to the cybersecurity intelligence hub determining that the cybersecurity intelligence includes the cybersecurity intelligence (Mahaffey: Para. 0097: server may …….transmit a response to an API call querying for the assessment of the data object; Claim 27: The method claim 1, wherein providing the assessment comprises providing a response to a search query for the data object; Para. 0097: Using data gathered by server 151 or from an analysis system described herein, server may produce an assessment (block 1113 of FIG. 11). After producing the assessment, server 151 may store the assessment of the data object so that it may be retrieved at a later time (block 1115). Server may then transmit the assessment for the data object (block 1117). For example, server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include (iii) receive a query message via a customer portal for cybersecurity intelligence directed to a particular customer; (iv) determine whether the cybersecurity intelligence includes the cybersecurity intelligence; and (v) return, via the customer portal, meta-information being part of the cybersecurity intelligence directed to the particular customer in response to the cybersecurity intelligence hub determining that the cybersecurity intelligence includes the cybersecurity intelligence as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this modification in order to provide security related assessment suggested by Mahaffey (Mahaffey: Para. 0027).
Regarding claim 17, combination of Manni and Mahaffey teaches the system of claim 16. In addition, Manni further teaches wherein the consolidated cybersecurity intelligence being provided by at least a first cybersecurity source and a second cybersecurity source being different than the first cybersecurity source (Manni: Fig. 1: management system (120), first malware content detection system (1101), second MCD system (1102), third MCD system (1103); Col. 4, line 27-33: Referring to FIG. 1, an exemplary block diagram of a communication network 100 deploying a plurality of malware content detection (MCD) systems 110 1-110 N (N>1) communicatively coupled to a management system 120 via a network 130 is shown. In general, management system 120 may be adapted to aggregate, correlate and consolidate analytic data provided by MCD systems 110 1-110 N). 
Regarding claim 19, combination of Manni and Mahaffey teaches the system of claim 12. In addition, Manni teaches consolidated cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes).  
In addition, Mahaffey further teaches a portal to provide an interface to conduct a search of the cybersecurity intelligence for the prior evaluated artifacts stored in the global data store (Mahaffey: Para. 0088: one or more users can sign in to a community voting system provided as a web application where they can search and browse all applications known to server 151).

Regarding claim 20, combination of Manni and Mahaffey teaches the system of claim 12. In addition, Manni teaches consolidated cybersecurity intelligence (Manni: Col. 6, line 61-63: these MCD systems 110-110 of FIG. 1 will provide one or more identical analysis attributes; Col. 6, line 66 to Col. 7, line 3: The input attributes are different based on the MCD system analyzing the network content. Examples of analysis and input attributes realized by different types of MCD systems are set forth below in Table A; Col. 7, line 35-39: triggered by aggregation logic 260 receiving analytic data from one or more MCD systems, correlation logic 270 attempts to find relationships between analysis attributes provided from different MCD systems; Col. 8, line 9-11: Triggered by correlation logic 270, consolidation logic 280 consolidates input attributes associated with these matched analysis attributes).  
In addition, Mahaffey further teaches wherein the portal provides the interface to conduct a search based on one or more selected parameters for use as a search index for stored meta-information being part of the cybersecurity intelligence within the global data store (Mahaffey: Para. 0088: one or more users can sign in to a community voting system provided as a web application where they can search and browse all applications known to server 151. The list of applications may be populated by marketplace crawling and application data reported by devices. Each application may have a page whereby users can select their recommended category for that application. In an embodiment, the user interface shows information about the data object, such as aggregated application data, characteristics for the data object, and other information available to server 151 so that users can make a decision based on the output of analysis). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include   as disclosed by Mahaffey. One of ordinary skill in the art would have been motivated to make this modification in order to provide security related assessment suggested by Mahaffey (Mahaffey: Para. 0027).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Manni, and further in view of Paithane et al. (US20150220735, hereinafter Paithane).
Regarding claim 18, combination of Manni and Mahaffey teaches the system of claim 17. In addition, Manni further teaches wherein the first cybersecurity source providing incident investigation/response intelligence including cybersecurity intelligence gathered by cyber-attack incident investigators during analyses of successful attacks (Manni: Col. 10, line 28-40: Referring to FIG. 5A, an exemplary diagram of a flowchart partially illustrating populating of a data store by a MCD system for subsequent access by the management system is shown. Prior to conducting the malware detection analysis, however, ingress network content is received by the MCD system. Upon determining that this content constitutes suspicious network content, a first identifier is assigned to the suspicious network content (blocks 500, 502 and 505). Input attributes associated with the ingress network content (e.g., source and/or destination) are extracted for subsequent storage in the data store of the MCD system (block 510). Also, malware detection analysis is conducted on the artifacts associated with the ingress network content (block 515); Col. 10, line 41-50: Upon completion of the malware detection analysis, the MCD system stores the artifacts and information associated with any detected anomalous behavior as analysis attributes within a data store. With these analysis artifacts, the MCD system further stores an identifier associated with the content along with the input attributes (blocks 520 and 525). However, if anomalous behavior is not detected, the input attributes along with the identifier associated with the content and the artifacts are collectively stored in the data store (block 530)).
Yet, the combination does not teach the second cybersecurity source providing cybersecurity intelligence produced by network devices using malware detection analysis models formulated by machine-learning driven forensic engines in classifying artifacts as malicious or benign.
However, in the same field of endeavor, Paithane teaches the second cybersecurity source providing cybersecurity intelligence produced by network devices using malware detection analysis models formulated by machine-learning driven forensic engines in classifying artifacts as malicious or benign (Paithane: Para. 0015: a malware content detection (MCD) system is provided that intercepts or otherwise captures objects for analysis; Para. 0016: A determined application specific behavior combined with a process identifier may be provided to the analysis engine as an event for classification of a suspect object. For example, the suspect object may be classified as malware, non-malware, or as needing further analysis…… The analysis can compare the captured operations and associated parameters with those expected for the particular process (e.g., computer program or application) to identify application specific behaviors that in some cases may indicate malicious activities (exploits). To that end, the analysis may utilize experiential knowledge and machine learned information regarding operations). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include the second cybersecurity source providing cybersecurity intelligence produced by network devices using malware detection analysis models formulated by machine-learning driven forensic engines in classifying artifacts as malicious or benign as disclosed by Paithane. One of ordinary skill in the art would 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./Examiner, Art Unit 2438