DETAILED ACTION
1.	Claims 1-24 are pending in this examination.
Notice of Pre-AIA or AIA Status
2.1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.2.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments 	
3.1.	Applicant’s arguments filed 11/5/2020 have been fully considered but they are not persuasive.
3.2.	In Applicant’s Response, applicant argues, in substance, that “..the Examiner has not addressed the remainder of that limitation, which requires “detection of a compromised connection is reported to at least one of: a user, an administrator, or a security server.” Rather, the Examiner has split the limitation and suggests that Polyakov discloses “compromised connection is reported to at least one of: a user, an administrator, or a security server.” Thus, nowhere does the Examiner suggest that Walter or Polyakov disclose or suggest the “preventing a false report that a connection is compromised” or the “by default” element of the limitation “operating, by a security component executing on a processor of a computing device, such that by default a detection of a compromised connection is reported.” (Claim 1, emphasis added.) For this reason, the Examiner has failed to make proper prima facie rejection of claims 1, 9, and 17….” (remark, pages 8-10).
In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Applicant’s arguments rely on language solely recited in preamble recitations in claim(s) “preventing a false report that a connection is compromised”. When reading the preamble in the context of the entire claim, the recitation “preventing a false report that a connection is compromised”  is not limiting because the body of the claim describes a complete invention and the language recited solely in the preamble does not provide any distinct definition of any of the claimed invention’s limitations. Thus, the preamble of the claim(s) is not considered a limitation and is of no significance to claim construction. See Pitney Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1305, 51 USPQ2d 1161, 1165 (Fed. Cir. 1999). See MPEP § 2111.02.
The Examiner respectfully disagrees with Applicant’s arguments; the examiner submits that the combination of Walter and Polyakov discloses the above features. For example, the preamble recites “… a method for preventing a false report that a connection is compromised, the method comprising:..”, which is disclosed by Polyakov in paragraph 30.



3.3.	Appellant argues, in substance, that “the Examiner has failed to make proper prima facie rejection of claims 1, 9, and 17” (remark, pages 8-10). 
The Examiner disagrees.  Sufficient motivation has been provided that one of ordinary skill in the art would find it obvious to combine the teachings of Walter and Polyakov.
Furthermore, one of ordinary skill in the art would find it obvious to combine features of messages having been tampered with or otherwise compromised (connection) disclosed by Walter with features determine whether the report is likely a false positive in order for negative effects of false positive errors may be magnified in an enterprise environment, in which multiple hosts may run similar OS components and/or software applications. For instance, where multiple host computers are reporting detected malware, it may be difficult for a system administrator to decide whether to initiate a network shutdown. On the one hand, if the incoming reports correspond to a true malware outbreak, a delay in shutting down the network may cause more host
3.4.	In Applicant’s Response, applicant argues, in substance, that “..Walter is silent regarding “preventing a false report that a connection is compromised.” Walter also does not disclose or suggest: “operating, by a security component executing on a processor of a computing device, such that by default a detection of a compromised connection is reported….”. (remark, pages 9-11).
The Examiner respectfully disagrees with Applicant’s arguments; the examiner submits that the combination of Walter and Polyakov discloses the above features. As explained in section 3.2, Polyakov discloses “preventing a false report that a connection is compromised” in paragraph 30. Additionally, Polyakov discloses in paragraph 41 that “… by default a detection of a compromised connection is reported..” (When an anti-malware program running on a host (e.g., host 210A) detects one or more potential malware attacks, it may generate a malware report, which may be in the form of report 130 shown in FIG. 1B or any other suitable form, and may send the report to the server 220. Upon receiving such a report, the server 220 may analyze information contained therein to determine whether the report is likely a false positive. For example, as discussed above, the server 220 may compare a suspicious version of a file identified in
The examiner interprets “anti-malware program running on a host (e.g., host 210A) detects one or more potential malware attacks, it may generate a malware report… malware report is likely a false positive” as a default deletion and report is likely a false positive.
Furthermore Walter discloses detection of a compromised connection in paragraph 51; “…variety of reasons, such as when a device has been decommissioned an office closed/moved, a device was compromised, a network configuration change, and/or various other reasons. Accordingly, these techniques provide an efficient approach for managing revocation of certificates for such devices in a large scale VPN deployment (e.g., which can include hundreds to thousands of devices). Also, these techniques provide a robust approach for implementing revocation of certificates for such devices in a large scale VPN deployment (e.g., as STL certificates automatically become invalid upon expiration, which can be determined even if the portal or OCSP responder is down or otherwise unavailable, such that a device with an expired STL certificate cannot establish or maintain VPN connections with other devices in the large scale VPN deployment).” Furthermore paragraph 20 discloses “VPN communications also allow for message integrity to detect any instances of transmitted messages having been tampered with or otherwise compromised”. The examiner interprets above two 
3.5.	Appellant argues, in substance, that “…. Walter does not disclose or suggest: “determining, by the security component, that captive portal authentication is enabled for the computing device for a connection….” (remark, pages 9-11). 
The Examiner respectfully disagrees with Applicant’s arguments; the examiner submits that the combination of Walter and Polyakov discloses the above features. For example, Walter discloses in paragraph 27, “verified by the portal; and receiving a certificate from the portal for using to establish VPN connections …”.
3.6.	Appellant argues, in substance, that Walter does not disclose “requesting, by the security component, a response from a first server over the connection.” (remark, pages 10-11). 
The Examiner respectfully disagrees with Applicant’s arguments. For example, Walter discloses in paragraph 74, VPN send a certificate signing request, CSR  to the portal verifies the CSR from the portal/server (e.g., verifying the CSR and the serial number of the satellite, in which the CSR includes the serial number of the satellite). At 606 (assuming the verification of the CSR was successful), the portal generates a certificate (CERT) for the satellite. At 608, the portal sends the CERT and gateway configuration information to the satellite.


The Examiner respectfully disagrees with Applicant’s arguments; the examiner submits that the combination of Walter and Polyakov discloses the above features. For example, Walter discloses in paragraph 51; “…variety of reasons, such as when a device has been decommissioned an office closed/moved, a device was compromised, a network configuration change, and/or various other reasons. Accordingly, these techniques provide an efficient approach for managing revocation of certificates for such devices in a large scale VPN deployment (e.g., which can include hundreds to thousands of devices). Also, these techniques provide a robust approach for implementing revocation of certificates for such devices in a large scale VPN deployment (e.g., as STL certificates automatically become invalid upon expiration, which can be determined even if the portal or OCSP responder is down or otherwise unavailable, such that a device with an expired STL certificate cannot establish or maintain VPN connections with other devices in the large scale VPN deployment).” Furthermore, paragraph 20 discloses “VPN communications also allow for message integrity to detect any instances of transmitted messages having been tampered with or otherwise compromised”. The examiner interprets the above two paragraphs as the connection was compromised, since message integrity is used to detect any instances of transmitted messages having been tampered with or otherwise compromised.
Therefore, in view of the above reasons, the rejections are maintained.

Claim Rejections - 35 USC § 103
4.1.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.


4.2.	Claims 1-2, 6-7, 9-10, 14-15, 17-18 and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20150195252 to Walter et al (“Walter”) in view of US Patent Application No. 20110173698 to Polyakov et al (“Polyakov”).
 	As per claim 1, Walter discloses a method for preventing a false report that a connection is compromised, the method comprising: 
operating, by a security component executing on a processor of a computing device, such that by default a detection of a compromised messages/connection, determining, by the security component, that captive portal authentication is enabled for the computing device for a connection ([0027]-[0028], also see [0044], [0051] fig. 7 and associated texts);
requesting, by the security component, a response from a first server over the connection ([0074]); in response to the requesting, receiving, by the security component, an indication that the connection is compromised ([0021], [0020]); and
based on the determination that captive portal authentication is enabled, not reporting, by the security component, that the connection is compromised, wherein, but for the determination that captive portal authentication is enabled, the security 
Walter does not explicitly disclose however in the same field of endeavor, Polyakov discloses compromised connection is reported to at least one of: a user, an administrator, or a security server ([0021], [0051]); 
Furthermore Polyakov discloses preventing a false report that a connection is compromised ([0030], [0041]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Walter with the teaching of Polyakov by including the feature of reported to at least one of: a user, an administrator, or a security server, in order for Walter’s system that the negative effects of false positive errors may be magnified in an enterprise environment, in which multiple hosts may run similar OS components and/or software applications. For instance, where multiple host computers are reporting detected malware, it may be difficult for a system administrator to decide whether to initiate a network shutdown. On the one hand, if the incoming reports correspond to a true malware outbreak, a delay in shutting down the network may cause more host computers to become affected and therefore lead to more wide-spread damages. On the other hand, if the reports are merely false positives, a network shutdown may be an unnecessary interruption to enterprise operations, which may be costly in terms of lost productivity (Polyakov, [0031]). 



As per claim 6, the combination of Walter and Polyakov discloses the method of claim 1 further comprising: reporting, by the security component, the indication that the connection is compromised to one or more of: a user, an administrator, and a security server (Polyakov, [0021]). The motivation regarding the obviousness of claim 1 is also applied to claim 6. 

As per claim 7, the combination of Walter and Polyakov discloses the method of claim 6 further comprising: reporting, by the security component, that the indication that the connection is compromised is false or is potentially false (Polyakov, [0021]). The motivation regarding the obviousness of claim 1 is also applied to claim 7. 

Claims 9-10, 14-15, 17-18 and 22-23 are rejected for similar reasons as stated above.



As per claim 3, the combination of Walter and Polyakov discloses the invention as described above. Walter and Polyakov do not explicitly disclose, however in the same field of endeavor, Eisl discloses the method of claim 1, further comprising, before the requesting, by the security component, a response from a first server over the connection: detecting, by the security component, a change in the connection, wherein the detecting a change in the connection prompts the security component to request the response from the first server over the connection (Eisl, [0012], [0135], [0148] also see fig.8 and associated texts).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Walter with the teaching of Polyakov/Eisl by including the feature of detecting a change in the connection, in order for Walter’s system to overcome the above mentioned problem of possible changes to a connection of device(s) (preferable mobile devices) to a network caused by for example a malicious user or mobile device. In particular, the present invention provides a method, an apparatus and a related computer program product for detecting changes to a connection of mobile device(s) to a network. If changes to the connection, resulting for example from frequent actions without purpose, are detected measures may be applied in order to for example inhibit such frequent actions or inform the user or network operator about it (Eisl, [0011]).

 	As per claim 4, the combination of Walter, Polyakov and Eisl discloses the method of claim 3, wherein the change includes one or more of: a making of the connection, a change to a protocol of the connection, and a change to a parameter of the connection (Eisl, [0016]). The motivation regarding the obviousness of claim 3 is also applied to claim 4.

Claims 11-12, and 19-20 are rejected for similar reasons as stated above.

4.4.	Claims 5, 13 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Walter and Polyakov as applied to claim above, and in view of US Patent Application No. 20070220259 to Pavlicic et al (“Pavlicic”).

As per claim 5, the combination of Walter and Polyakov discloses the invention as described above. Walter and Polyakov do not explicitly disclose, however in the same field of endeavor, Pavlicic discloses the method of claim 1, wherein the indication that the connection is compromised includes one or more of: (i)  that services provided by the connection are limited; (ii) that the requesting, by the security component, a response from a known server over the connection was redirected; (iii) that the security component failed to make a pinned network connection to the first server or a second server; (iv) that a self-signed or a host-mismatched certificate was presented to the security component; and (v) that the connection intercepts TLS communications (Pavlicic, [0027]).


Claims 13 and 21 are rejected for similar reasons as stated above.

4.5.	Claims 8, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Walter and Polyakov as applied to claim above, and in view of US Patent Application No. 20100306432 to Juarez et al (“Juarez”).


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Walter with the teaching of Polyakov/Juarez by including the feature of sending request an arbitrary interval, in order for Walter’s system to increase the likelihood that the requested resources are available.
Claims 16 and 24 are rejected for similar reasons as stated above.

5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892).

a.)  U.S. patent application no. 20050157662 to Bingham discloses [0144] The host analysis technique is particularly helpful in eliminating or reducing false positives identified in a session analysis. For example, a session may be identified as interactive even if the interactivity arises from an error or other function in the network not associated with a compromise. Such a case may arise, for example, if an instant messenger port is blocked by a network's firewall, and a client connects to web server port 80, which is typically not interactive, to 
b.)  U.S. patent application no. 20160212139 to Pike discloses [0049] Additionally, splitting security into security tiers over time does not necessarily prevent the session/connection manager module 152 from running high security all the time. Different sets of security rules may simply be applied during different security tiers 202, 204, 206 and 208. This prevents false positives while also allowing computing resources to be focused on hacked sessions/connections which typically last longer than non-hacked sessions/connections. For example, security tier B 204 may also include a set of rules that applies deep packet inspection, but only if the IP lookup indicates the IP is a suspicious IP.
Conclusion
6.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached on 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-


HARUNUR . RASHID
Primary Examiner
Art Unit 2497



/HARUNUR RASHID/Primary Examiner, Art Unit 2497