DETAILED ACTION
This Office Action is in response to the Amendment filed on 12/22/2020 for 15/917,908.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the instant Amendment, claims 1, 13, and 20 have been amended; claim 21 has been added; claims 1, 13, and 20 are independent claims.  Claims 1-6, 8-18, 20, and 21 have been examined and are pending.  This Action is made FINAL. 
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 12/22/2020, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant asserts as follows:  Examiner Interview Summary.  The undersigned thanks Examiner Malinowski for the courtesy of the telephonic interview conducted on December 16, 2020 with the undersigned. During the interview, proposed amendments, the Office Action, and cited references were discussed. No agreement on allowable subject matter was reached.
Examiner respectfully submits that the record of the December 16, 2021, interview is as follows:  The applicant further explained the claimed invention and alleged differences between the prior art and proposed amended claims. The examiner pointed out his position that the proposed amended claims do not appear to overcome the prior art of record but further review is needed. The examiner and the applicant further discussed possible amendments to clarify the claimed invention and to distinguish the claimed 
Applicant argues as follows:  Claim 1 has been amended to recite the features of “...for a plurality of iterations: calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring the prior reputation score for the host computer based on an aggregation of the respective reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers, calculating a new reputation score for each of the domains in the plurality of domains by rescoring the prior reputation score for the domain based on an aggregation of the respective reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph...” The cited references, alone or in any combination, fail to describe or suggest at least these features. For example, the Office Action aligned “until a predefined condition is satisfied, iteratively, for a plurality of iterations” with Oprea, col. 6, lines 58-64 which describes “The algorithm may be based on iterative message-passing between a vertex and its neighbors until convergence or a specified stopping condition is achieved.”  However, Oprea’s iterative algorithm does not describe or suggest “after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers, 
Examiner respectfully disagrees.  Regarding claim 1, Oprea discloses, in col. 10, lines 9-22, a computer-implemented method executed by one or more processors, the method comprising setting an initial reputation score for each of the plurality of host computers and each of a plurality of domains accessed by the plurality of host computers; in col. 6, lines 58-64, until a predefined condition is satisfied, iteratively, for a plurality of iterations; in col. 7, lines 33-37, performing one or more corrective actions, upon determining that one or more domains amongst the plurality of domains are exhibiting 
The Examiner respectfully suggests that the claim be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 270 5002 to schedule an interview.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the 

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
Claims 1, 2, 4, 5, 8, 13, 14, 16, 17, 20, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Oprea (US9635049), filed March 31, 2015, in view of Horne (WO2016/118153), international filing date 1/23/2015.
Regarding claim 1, Oprea discloses a computer-implemented method executed by one or more processors, the method comprising setting an initial reputation score for each of the plurality of host computers and each of a plurality of domains accessed by the plurality of host computers (Oprea, col. 10, lines 9-22, “In this embodiment, the network security system 400 is configured to detect communities of suspicious domains with similar features that are likely part of the same campaign.  The belief propagation algorithm may be initiated in the above-noted hint mode using seeds corresponding to known suspicious domains.  The host devices that have initiated communications with those domains are considered known compromised hosts.”);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Oprea, col. 6, lines 58-64, “The algorithm may be based on iterative message-passing between a vertex and its neighbors until convergence or a specified stopping condition is achieved.”);
performing one or more corrective actions, upon determining that one or more domains amongst the plurality of domains are exhibiting malicious behavior, wherein the one or more corrective actions comprise [a Markush group]: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored reputation scores for each of the plurality of domains respectively (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”); and redirecting network traffic attempting to access the one or more domains (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”).
a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains; setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories; until a predefined condition is satisfied, iteratively: calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the respective reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers, calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on an aggregation of the respective reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph; after the predefined condition is satisfied, determining, based upon the new reputation scores for each of the plurality of host 
However, in an analogous art, Horne discloses generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains (Horne, paragraph 0013, “A DNS resolution graph can be constructed that takes into account the DNS information. The graph can include client nodes and domain nodes.  As used herein, a client node is a representation of a device on a network that is being examined that provides requests to the DNS server. The DNS server can respond to the DNS query. Further, as used herein, a domain node is a node representing a domain name used in a query to resolve to an IP address. The domain node can be represented in the form of a domain name in the request. When a client c requests a DNS resolution to domain d, an edge <c,d> is added to the graph.”; paragraph 0014, “DNS resolution graph can be a bipartite graph”; paragraph 0012, DNS information stored in a log; paragraph 0041, whitelisted, blacklisted, unlabeled);
setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories (Horne, paragraph 0052-0053, labelling of hosts is based on their connections to suspicious domains; paragraph 0010, whitelist and blacklist; paragraph 0025, whitelist of hosts, whitelists of domains; paragraph 0041, whitelisted, blacklisted, unlabeled);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated);
calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the respective reputation scores (Horne, FIG. 4, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious) of the plurality of domains that are connected to the host computer in the bipartite graph, then  (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing); 
after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers (Horne, FIG. 4 and FIG. 5, paragraph 0043, domain node because of its relationship with suspicious client nodes 510, 512, is labeled as suspicious), calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on an aggregation of the respective reputation scores (Horne, paragraph 0043, client nodes 510, 512 map to domain node 520) of the plurality of host computers that are connected to the domain in the bipartite graph (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing);
after the predefined condition is satisfied, determining, based upon the new reputation scores for each of the plurality of host computers and the new reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains are exhibiting malicious behavior (Horne, paragraph 0035, “The analysis engine 114 can, in certain examples, further mark suspicious client nodes as to be blacklisted to a service. In this scenario, an indication of to be blacklisted means that the nodes should be included on a blacklist at the service. In one example, the service can include an Intrusion Prevention System (IPS) protecting the network 260. In another example, the service can be a blacklist or reputation service”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Horne with the method/ system/ computer-readable storage device of Oprea, to include, rescoring the 
One would have been motivated to provide users with a means for protecting networks from malware (Horne: paragraph 0001).
Regarding claim 2, Oprea and Horne disclose the method of claim 1.  Horne discloses wherein rescoring the prior reputation score for the domain comprises: transmitting, from each of the plurality of domains, the reputation score for the domain to each host computer connected to the domain in the bipartite graph; receiving, by each of the plurality of domains, a reputation score for each host computer connected to the domain in the bipartite graph; and rescoring, for each of the plurality of domains, the reputation score for the domain based on a summation of the received reputation scores for each host computer connected to the domain in the bipartite graph (Horne, paragraph 0040, “By way of example, the clients 220, devices 230, and DNS server 240 communicate with each other and/or other components with access to the network 260 via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the network 260 interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages.”).  Oprea discloses rescoring, for each of the plurality of domains, the reputation score for the domain based on a summation of the received reputation scores for each host computer (Oprea, col. 4, lines 5-13, “The graph inference algorithm 116 is illustratively applied to analyze the contacts between the host devices 102 and the external domains 111 in order to characterize one or more of the external domains as suspicious domains.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 4, Oprea and Horne disclose the method of claim 2.  Horne discloses further comprising, before transmitting the reputation score, bounding a reputation score for a domain associated with a number of connections in the bipartite graph being above a maximum threshold or a number of connections in the bipartite graph being below a minimum (Horne, paragraph 0030, “The sub graph engine 112 determines at least one biclique of the bipartite graph. In the biclique, the client nodes of the biclique map to the same domain nodes. The sub graph engine 112 can use various processes for finding bicliques. For example, a matrix factorization technique may be used, the Bron-Kerbosch technique to find maximal bicliques, a greedy process that builds a biclique cover by identifying and including one biclique at a time in the cover until all edges are covered, etc. In one example, given a node n, the set of its neighbors can be considered A_n. Consider the set B_n = ∩ A_m where m is an element of A_n. This can be used to show that BiClique_n = <A_n, B_n> is a clique. Further, find a node x that is not yet assigned to a biclique, with the largest number of neighbors not yet assigned to bicliques. Compute BiClique_x. Repeat until each of the nodes are assigned to bicliques. This is one approach that may be used to determine bicliques from bipartite graphs.”; paragraph 0031, “The output of the biclique detection approach used is a set of bicliques. Domains in a biclique may have a high likelihood of being related (e.g., being infected with the same malware or use a same executable). This can be used to analyze the graphs to determine additional suspicious or infected client nodes and/or suspicious and/or malware associated domain nodes.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 5, Oprea and Horne disclose the method of claim 1.  Horne discloses wherein rescoring the prior reputation score for the host computer comprises (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated): transmitting, from each of the plurality of host computers, the reputation score for the host computer to each domain to which the host computer is connected in the bipartite graph; receiving, by each of the plurality of host computers, a reputation score for each domain to which the host computer is connected in the bipartite graph; and rescoring, for each of the plurality of host computers, the reputation score for the host computer based on a summation of the received reputation scores for each domain to which the host computer is connected in the bipartite graph (Horne, paragraph 0040, “By way of example, the clients 220, devices 230, and DNS server 240 communicate with each other and/or other components with access to the network 260 via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the network 260 interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages.”); rescoring, for each of the plurality of host computers, the reputation score for the host computer based on a summation of the received reputation scores for each domain to which the host computer is connected (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”).  
The motivation is the same as that of the claim from which this claim depends.
Regarding claim 8, Oprea and Horne disclose the method of claim 1.  Oprea discloses wherein the predefined condition comprises at least one of: reaching a specified number of iterations; identifying that a delta between rescored reputation scores is less than a predefined threshold; and identifying that no delta between rescored reputation scores  (Oprea, col. 7, lines 38-41, “The algorithm terminates when the score of the top-ranking domain is below a threshold, or when the maximum number of iterations is reached, and returns a list of labeled suspicious domains ordered by suspiciousness level.”).
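The alternating update recited in claim 1 (every host rescored first, then every domain rescored from the new host scores) and the stopping conditions recited in claim 8 can be illustrated as follows. This Python sketch is an added example, not code from the application, Oprea or Horne; the score mapping, mean aggregation, damping factor `alpha`, pinning of labeled seed nodes, flagging threshold and log records are all assumptions constructed for the illustration.

```python
from collections import defaultdict

# Constructed log records, one "<host> <domain>" pair per line.
SAMPLE_LOG = """\
h1 update.example-cdn.test
h1 evil-c2.test
h1 dga-x7q.test
h2 evil-c2.test
h2 dga-x7q.test
h3 update.example-cdn.test
h3 news.test
h4 news.test
h4 dga-x7q.test
"""

# Assumed category-to-score mapping (0.0 = benign, 1.0 = malicious).
DOMAIN_INIT = {"blacklisted": 1.0, "whitelisted": 0.0, "unlabeled": 0.5}
HOST_INIT = {"compromised": 1.0, "clean": 0.0, "unknown": 0.5}
# Constructed seed labels for the sample graph.
SAMPLE_LABELS = {"evil-c2.test": "blacklisted",
                 "update.example-cdn.test": "whitelisted"}


def build_graph(log_text):
    """Bipartite graph: an edge exists where the log shows host -> domain."""
    h2d, d2h = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed records
        host, domain = parts
        h2d[host].add(domain)
        d2h[domain].add(host)
    return h2d, d2h


def _rescore(prior, neighbours, neighbour_scores, alpha):
    """Blend the prior score with the mean of the neighbours' scores."""
    agg = sum(neighbour_scores[n] for n in neighbours) / len(neighbours)
    return (1 - alpha) * prior + alpha * agg


def propagate(h2d, d2h, domain_labels, host_labels=None,
              alpha=0.5, eps=1e-6, max_iter=500):
    """Return (host_scores, domain_scores, iterations_run)."""
    host_labels = host_labels or {}
    hosts = {h: HOST_INIT[host_labels.get(h, "unknown")] for h in h2d}
    domains = {d: DOMAIN_INIT[domain_labels.get(d, "unlabeled")] for d in d2h}
    # Assumption: nodes with a known label keep their seed score.
    pinned_h = {h for h in hosts if host_labels.get(h, "unknown") != "unknown"}
    pinned_d = {d for d in domains
                if domain_labels.get(d, "unlabeled") != "unlabeled"}
    if not hosts:
        return hosts, domains, 0
    iterations = 0
    for iterations in range(1, max_iter + 1):
        # Step 1: every host is rescored from the domains' prior scores.
        new_hosts = {h: hosts[h] if h in pinned_h
                     else _rescore(hosts[h], ds, domains, alpha)
                     for h, ds in h2d.items()}
        # Step 2: only then is every domain rescored, using the NEW host scores.
        new_domains = {d: domains[d] if d in pinned_d
                       else _rescore(domains[d], hs, new_hosts, alpha)
                       for d, hs in d2h.items()}
        delta = max(max(abs(new_hosts[h] - hosts[h]) for h in hosts),
                    max(abs(new_domains[d] - domains[d]) for d in domains))
        hosts, domains = new_hosts, new_domains
        if delta < eps:  # stopping condition: delta below a threshold
            break        # otherwise the loop ends at max_iter
    return hosts, domains, iterations


def rank_domains(domains, threshold=0.55):
    """Rank domains by score; those at or above threshold are candidates."""
    ranked = sorted(domains.items(), key=lambda kv: kv[1], reverse=True)
    flagged = [d for d, score in ranked if score >= threshold]
    return ranked, flagged


if __name__ == "__main__":
    h2d, d2h = build_graph(SAMPLE_LOG)
    hosts, domains, n = propagate(h2d, d2h, SAMPLE_LABELS)
    ranked, flagged = rank_domains(domains)
    print(f"stopped after {n} iterations; flagged: {flagged}")
    for name, score in ranked:
        print(f"{score:.3f}  {name}")
```

On the constructed data the unlabeled domain contacted mostly by hosts that also reach the blacklisted seed rises above the threshold, while the unlabeled domain shared with a host that only reaches the whitelisted seed does not.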
Regarding claim 13, Oprea discloses a system comprising one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising (Oprea, col. 4, line 64, through col. 5, line 5, “The network security system 105 in the FIG. 1 embodiment is assumed to be implemented using at least one processing device.  Each such processing device generally comprises at least one processor and an associated memory, and implements one or more functional modules for controlling certain features of the network security system 105.  More particularly, the network security system 105 in this embodiment comprises a processor 120 coupled to a memory 122 and a network interface 124.”);
(Oprea, col. 10, lines 9-22, “In this embodiment, the network security system 400 is configured to detect communities of suspicious domains with similar features that are likely part of the same campaign.  The belief propagation algorithm may be initiated in the above-noted hint mode using seeds corresponding to known suspicious domains.  The host devices that have initiated communications with those domains are considered known compromised hosts.”);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Oprea, col. 6, lines 58-64, “The algorithm may be based on iterative message-passing between a vertex and its neighbors until convergence or a specified stopping condition is achieved.”);
performing one or more corrective actions, upon determining that one or more domains amongst the plurality of domains are exhibiting malicious behavior, wherein the one or more corrective actions comprise [a Markush group]: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored reputation scores for each of the plurality of domains respectively (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”); and redirecting network traffic attempting to access the one or more domains (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”).
a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains; setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories; until a predefined condition is satisfied, iteratively: for each of the plurality of host computers, rescoring the reputation score for the host computer based upon one or more respective reputation scores of a subset of the plurality of domains that are connected to the host computer in the bipartite graph, then for each of the plurality of domains, rescoring the reputation score for the domain based upon one or more respective reputation scores of a subset of the plurality of host computers that are connected to the domain in the bipartite graph; determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains are exhibiting malicious behavior; calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers, calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on 
an aggregation of the respective reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph; after the predefined condition is satisfied, determining, based upon the new reputation scores for each of the plurality of host computers and the new reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains are exhibiting malicious behavior.
However, in an analogous art, Horne discloses generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains (Horne, paragraph 0013, “A DNS resolution graph can be constructed that takes into account the DNS information. The graph can include client nodes and domain nodes.  As used herein, a client node is a representation of a device on a network that is being examined that provides requests to the DNS server. The DNS server can respond to the DNS query. Further, as used herein, a domain node is a node representing a domain name used in a query to resolve to an IP address. The domain node can be represented in the form of a domain name in the request. When a client c requests a DNS resolution to domain d, an edge <c,d> is added to the graph.”; paragraph 0014, “DNS resolution graph can be a bipartite graph”; paragraph 0012, DNS information stored in a log; paragraph 0041, whitelisted, blacklisted, unlabeled);
setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories (Horne, paragraph 0052-0053, labelling of hosts is based on their connections to suspicious domains; paragraph 0010, whitelist and blacklist; paragraph 0025, whitelist of hosts, whitelists of domains; paragraph 0041, whitelisted, blacklisted, unlabeled);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated);
calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the respective reputation scores (Horne, FIG. 4, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious) of the plurality of domains that are connected to the host computer in the bipartite graph, then  (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing); 
after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers (Horne, FIG. 4 and FIG. 5, paragraph 0043, domain node because of its relationship with suspicious client nodes 510, 512, is labeled as suspicious), calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on an aggregation of the respective reputation scores (Horne, paragraph 0043, client nodes 510, 512 map to domain node 520) of the plurality of host computers that are connected to the domain in the bipartite graph (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing);
after the predefined condition is satisfied, determining, based upon the new reputation scores for each of the plurality of host computers and the new reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains are exhibiting malicious behavior (Horne, paragraph 0035, “The analysis engine 114 can, in certain examples, further mark suspicious client nodes as to be blacklisted to a service. In this scenario, an indication of to be blacklisted means that the nodes should be included on a blacklist at the service. In one example, the service can include an Intrusion Prevention System (IPS) protecting the network 260. In another example, the service can be a blacklist or reputation service”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Horne with the method/ system/ computer-readable storage device of Oprea, to include, rescoring the reputation scores for each of the plurality of host computers based upon the reputation scores of the plurality of domains, and rescoring the reputation scores for each of the plurality of domains based upon the reputation scores of the plurality of host computers; and determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, whether one or more domains amongst the plurality of domains are exhibiting malicious behavior.
One would have been motivated to provide users with a means for protecting networks from malware (Horne: paragraph 0001).
Regarding claim 14, Oprea and Horne disclose the system of claim 13.  Horne discloses wherein rescoring the prior reputation score for the domain comprises (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated): transmitting, from each of the plurality of domains, the reputation score for the domain to each host computer connected to the domain in the bipartite graph; receiving, by each of the plurality of domains, a reputation score for each host computer connected to the domain in the bipartite graph; and rescoring, for each of the plurality of domains, the reputation score for the domain based on a summation of the received reputation scores for each host computer connected to the domain in the bipartite graph (Horne, paragraph 0040, “By way of example, the clients 220, devices 230, and DNS server 240 communicate with each other and/or other components with access to the network 260 via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the network 260 interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages.”).  Oprea discloses rescoring, for each of the plurality of domains, the reputation score for the domain based on a summation of the received reputation scores for each host computer connected to the domain (Oprea, col. 4, lines 5-13, “The graph inference algorithm 116 is illustratively applied to analyze the contacts between the host devices 102 and the external domains 111 in order to characterize one or more of the external domains as suspicious domains.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 16, Oprea and Horne disclose the system of claim 14.  Horne discloses wherein the operations further comprise, before transmitting the reputation score, bounding a reputation score for a domain associated with a number of connections in the bipartite graph being above a maximum threshold or a number of connections in the bipartite graph being below a minimum (Horne, paragraph 0030, “The sub graph engine 112 determines at least one biclique of the bipartite graph. In the biclique, the client nodes of the biclique map to the same domain nodes. The sub graph engine 112 can use various processes for finding bicliques. For example, a matrix factorization technique may be used, the BronKerbosch technique to find maximal bicliques, a greedy process that builds a biclique cover by identifying and including one biclique at a time in the cover until all edges are covered, etc. In one example, given a node n, the set of its neighbors can be considered An. Consider the set Bn = n Am where m is an element of An. This can be used to show that BiCliquen = <An, Bn> is a clique. Further, find a node x that is not yet assigned to a biclique, with the largest number of neighbors not yet assigned to bicliques. Compute BiC/iquex. Repeat until each of the nodes are assigned to bicliques. This is one approach that may be used to determine bicliques from bipartite graphs.”; paragraph 0031, “The output of the biclique detection approach used is a set of bicliques. Domains in a biclique may have a high likelihood of being related (e.g., being infected with the same malware or use a same executable). This can be used to analyze the graphs to determine additional suspicious or infected client nodes and/or suspicious and/or malware associated domain nodes.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 17, Oprea and Horne disclose the system of claim 13.  Horne discloses wherein rescoring the prior reputation score for the host computer comprises (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated):  transmitting, from each of the plurality of host computers, the reputation score for the host computer to each domain to which the host computer is connected in the bipartite graph: receiving, by each of the plurality of host computers, a reputation score for each domain to which the host computer is connected in the bipartite graph: and rescoring, for each of the plurality of host computers, the reputation score for the host computer based on a in the bipartite graph (Horne, paragraph 0040, “By way of example, the clients 220, devices 230, and DNS server 240 communicate with each other and/or other components with access to the network 260 via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the network 260 interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages.”); and rescoring, for each of the plurality of host computers, the reputation score for the host computer based on a summation of the received reputation scores for each domain to which the host computer is connected (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 20, Oprea discloses a computer-readable storage device storing instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising (Oprea, col. 4, line 64, through col. 5, line 5, “The network security system 105 in the FIG. 1 embodiment is assumed to be implemented using at least one processing device.  Each such processing device generally comprises at least one processor and an associated memory, and implements one or more functional modules for controlling certain features of the network security system 105.  More particularly, the network security system 105 in this embodiment comprises a processor 120 coupled to a memory 122 and a network interface 124.”);
setting an initial reputation score for each of the plurality of host computers and each of a plurality of domains accessed by the plurality of host computers (Oprea, col. 10, lines 9-22, “In this embodiment, the network security system 400 is configured to detect communities of suspicious domains with similar features that are likely part of the same campaign.  The belief propagation algorithm may be initiated in the above-noted hint mode using seeds corresponding to known suspicious domains.  The host devices that have initiated communications with those domains are considered known compromised hosts.”);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Oprea, col. 6, lines 58-64, “The algorithm may be based on iterative message-passing between a vertex and its neighbors until convergence or a specified stopping condition is achieved.”);
performing one or more corrective actions, upon determining that one or more domains amongst the plurality of domains are exhibiting malicious behavior, wherein the one or more corrective actions comprise [a Markush group]: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored reputation scores for each of the plurality of domains respectively (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”); and redirecting network traffic attempting to access the one or more domains (Oprea, col. 7, lines 33-37, “the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores.”).
a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains; setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories; until a predefined condition is satisfied, iteratively: for each of the plurality of host computers, rescoring the reputation score for the host computer based upon one or more respective reputation scores of a subset of the plurality of domains that are connected to the host computer in the bipartite graph, then for each of the plurality of domains, calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the respective reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers, calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on an aggregation of the respective reputation scores of the plurality of host 
However, in an analogous art, Horne discloses generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains (Horne, paragraph 0013, “A DNS resolution graph can be constructed that takes into account the DNS information. The graph can include client nodes and domain nodes.  As used herein, a client node is a representation of a device on a network that is  being examined that provides requests to the DNS server. The DNS server can respond to the DNS query. Further, as used herein, a domain node is a node representing a domain name used in a query to resolve to an IP address. The domain node can be represented in the form of a domain name in the request. When a client c requests a DNS resolution to domain d, an edge <c,d> is added to the graph.”; paragraph 0014, “DNS resolution graph can be a bipartite graph” paragraph 0012, DNS information stored in a log; paragraph 0041, whitelisted, blacklisted, unlabeled);
setting an initial reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in using a classification category from two or more second classification categories (Horne, paragraph 0052-0053, labelling of hosts is based on their connections to suspicious domains; paragraph 0010, whitelist and blacklist; paragraph 0025, whitelist of hosts, whitelists of domains; paragraph 0041, whitelisted, blacklisted, unlabeled);
until a predefined condition is satisfied, iteratively, for a plurality of iterations (Horne, paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated);
calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring, the prior reputation score for the host computer based on an aggregation of the respective reputation scores (Horne, FIG. 4, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious) of the plurality of domains that are connected to the host computer in the bipartite graph, then  (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing); 
after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers (Horne, FIG. 4 and FIG. 5, paragraph 0043, domain node because of its relationship with suspicious client nodes 510, 512, is labeled as suspicious), calculating a new reputation score for each of the domains in the plurality of domains by rescoring, the prior reputation score for the domain based on an aggregation of the respective reputation scores (Horne, paragraph 0043, client nodes 510, 512 map to domain node 520) of the plurality of host computers that are connected to the domain in the bipartite graph (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing);
after the predefined condition is satisfied, determining, based upon the new reputation scores for each of the plurality of host computers and the new reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains are exhibiting malicious behavior (Horne, paragraph 0035, “The analysis engine 114 can, in certain examples, further mark suspicious client nodes as to be blacklisted to a service. In this scenario, an indication of to be blacklisted means that the nodes should be included on a blacklist at the service. In one example, the service can include an Intrusion Prevention System (IPS) protecting the network 260. In another example, the service can be a blacklist or reputation service”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Horne with the method/ system/ computer-readable storage device of Oprea, to include, rescoring the reputation scores for each of the plurality of host computers based upon the reputation scores of the plurality of domains, and rescoring the reputation scores for each of the plurality of domains based upon the reputation scores of the plurality of host computers; and determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, whether one or more domains amongst the plurality of domains are exhibiting malicious behavior.
One would have been motivated to provide users with a means for protecting networks from malware (Horne: paragraph 0001).
Regarding claim 21, Oprea and Horne disclose the method of claim 21.  Oprea discloses calculating, for the second iteration of the iterations, a third reputation score for each of the domains in the plurality of domains based on a summation of all of the respective reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph (Oprea, column 10, lines 41-49, “The final domain score for a given domain is more particularly computed as a weighted sum of features with the weights being determined through a supervised learning approach illustratively based on linear regression”).  Horne discloses wherein calculating, for the iteration, a new reputation score for each of the host computers in the plurality of host computers by rescoring the prior reputation score for the host computer based on an aggregation of the (Horne, FIG. 4, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious) of the plurality of domains that are connected to the host computer in the bipartite graph (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing), wherein after calculating, for the iteration, the new reputation scores for each of the host computers in the plurality of host computers (Horne, FIG. 4 and FIG. 5, paragraph 0043, domain node because of its relationship with suspicious client nodes 510, 512, is labeled as suspicious), calculating a new reputation score for each of the domains in the plurality of domains by rescoring the prior reputation score for the domain based on an aggregation of the respective reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph (Horne, paragraph 0043, client nodes 510, 512 map to domain node 520) of the plurality of host computers that are connected to the domain in the bipartite graph (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated; new reputation score encompasses identify potentially infected clients and periodic processing); comprises.
Claims 3, 6, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable  over Oprea (US9635049), filed March 31, 2015 in view of  Horne (WO2016/118153), international filing date 1/23/2015, and further in view of Tsou (US20180189667), filed 12/29/2016.
Regarding claim 3, Oprea and Horne disclose the method of claim 2.   
Oprea and Horne do not explicitly disclose wherein the summation of the received reputation scores for each host computer connected to the domain is adjusted based on a sigmoid function including a specified learning rate.
However, in an analogous art, Tsou discloses wherein the summation of the received reputation scores for each host computer connected to the domain is adjusted based on a sigmoid function including a specified learning rate (Tsou, paragraph 0089, “entropy uses the sigmoid function”  “parameter that controls the learning rate”)
(Tsou: paragraph 0089).
Regarding claim 6, Oprea and Horne disclose the method of claim 5.   
Oprea and Horne do not explicitly disclose wherein the summation of the received reputation scores for each domain to which the host computer is connected is adjusted based on a sigmoid function including a specified learning rate.
However, in an analogous art, Tsou discloses wherein the summation of the received reputation scores for each domain to which the host computer is connected is adjusted based on a sigmoid function including a specified learning rate (Tsou, paragraph 0089, “entropy uses the sigmoid function”  “parameter that controls the learning rate”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tsou with the method of Oprea and Horne, to include, wherein the summation of the received reputation scores for each domain to which the host computer is connected is adjusted based on a sigmoid function including a specified learning rate, to provide users with a means for dynamic and heterogeneous environments (Tsou: paragraph 0089).


Regarding claim 15, Oprea and Horne disclose the system of claim 14.   

However, in an analogous art, Tsou discloses wherein the summation of the received reputation scores for each host computer connected to the domain is adjusted based on a sigmoid function including a specified learning rate (Tsou, paragraph 0089, “entropy uses the sigmoid function” “parameter that controls the learning rate”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tsou with the system of Oprea and Horne, to include, wherein the summation of the received reputation scores for each host computer connected to the domain is adjusted based on a sigmoid function including a specified learning rate, to provide users with a means for dynamic and heterogeneous environments (Tsou: paragraph 0089).
Regarding claim 18, Oprea and Horne disclose the system of claim 17.   
Oprea and Horne do not explicitly disclose wherein the summation of the received reputation scores for each domain to which the host computer is connected is adjusted based on a sigmoid function including a specified learning rate.
However, in an analogous art, Tsou discloses wherein the summation of the received reputation scores for each domain to which the host computer is connected is adjusted based on a sigmoid function including a specified learning rate (Tsou, paragraph 0089, “entropy uses the sigmoid function”  “parameter that controls the learning rate”).
(Tsou: paragraph 0089).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable  over Oprea (US9635049), filed March 31, 2015 in view of  Horne (WO2016/118153), international filing date 1/23/2015, and further in view of Kalle (US8826444), filed 7/9/2010.
Regarding claim 9, Oprea and Horne disclose the method of claim 1.  
Horne discloses wherein: setting the initial reputation scores for each of a plurality of domains using a classification category from the two or more second classification categories comprises setting the initial reputation scores for each of a plurality of domains using one or more of (Oprea, col. 10, lines 9-22, “In this embodiment, the network security system 400 is configured to detect communities of suspicious domains with similar features that are likely part of the same campaign.  The belief propagation algorithm may be initiated in the above-noted hint mode using seeds corresponding to known suspicious domains.  The host devices that have initiated communications with those domains are considered known compromised hosts.”);
rescoring, for each of the plurality of domains, the prior reputation score for the domain comprises rescoring, for each of the plurality of domains and for a first iteration in the plurality of iterations and using the one or more respective reputation scores of the subset of the plurality of host computers that are connected to the domain in the bipartite graph, the initial reputation score for the domain that comprises one or more of (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; paragraph 0012, a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated).
Oprea and Horne do not explicitly disclose a positive value indicating a known good domain; a first negative value indicating a known malicious domain; and a second negative value indicating a known suspicious domain, wherein the second negative value is less than the first negative value; the positive value indicating a known good domain; the first negative value indicating a known malicious domain; and the second negative value indicating a known suspicious domain, wherein the second negative value is less than the first negative value.
However, in an analogous art, Kalle discloses a positive value indicating a known good domain; a first negative value indicating a known malicious domain; and a second negative value indicating a known suspicious domain, wherein the second negative value is less than the first negative value; the positive value indicating a known good domain; the first negative value indicating a known malicious domain; and the second negative value indicating a known suspicious domain, wherein the second negative value is less than the first negative value (Kalle, col. 15, line 64, through col. 16, line 11, “In the above examples, positive values (e.g., addition) are used for the first and second SHASTA factors associated with "bad" and "warn" web domain reputations.  Conversely, negative values (e.g., subtraction) are used for the third and fourth SHASTA factors associated with web domain reputations categorized as "secure" or "good." However, in FIG. 8 and elsewhere herein, the systems and methods described herein are not limited to using positive values for more malicious domains and negative values for less malicious domains.  Rather, the relationships may be inverted so that positive values are associated with less malicious domains, and negative values are associated with more malicious domains.  In that case, domains may be classified as malicious if the web domain reputation score is less than or equal to (or merely less than) the maliciousness threshold.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use articulated reasoning with some rational underpinning to support a legal conclusion of obviousness.  More specifically, use of exemplary rationales that may support a conclusion of obviousness include: "Obvious to try" - choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; and/ or known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.
Kalle is concerned with a comparison between four types of scores: bad, warn, secure, and good.  The scoring and rescoring in col. 15, line 64, through col. 16, line 11, and FIG. 8, is not the only way to make such a comparison.  Cases where a positive value indicates a good domain, a first negative value indicates a known malicious domain, and a second negative value indicates a known suspicious domain are predictable to one of ordinary skill in the art.
the positive value indicating a known good domain; the first negative value indicating a known malicious domain; and the second negative value indicating a known suspicious domain, wherein the second negative value is less than the first negative value.
One would have been motivated to provide users with the benefits of using client reputation data to classify web domains (Kalle: col. 1, lines 41-51).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable  over Oprea (US9635049), filed March 31, 2015 in view of  Horne (WO2016/118153), international filing date 1/23/2015, and further in view of Kalle (US8826444), filed 7/9/2010, and further in view of Hotchkiss (US20150288715), filed 4/2/2015.
Regarding claim 10, Oprea, Horne, and Havelka disclose the method of claim 9.  
Horne discloses rescoring, for each of the plurality of domains, the prior reputation score for the domain comprises rescoring, for each of the plurality of domains other than any domains that are included in the blacklist of known malicious domains or the whitelist of good domains, the prior reputation score for the domain (Horne, paragraph 0041, “In this example, domain nodes 320, 322, 324, 326 can be whitelisted, while domain nodes 332, 334 are blacklisted or otherwise labeled as suspicious (e.g., relating to a non-existent domain, relating to a domain generation algorithm based on syntax, etc.), and domain nodes 340, 342, 344 can be unlabeled nodes (e.g., not yet associated with a whitelist, a blacklist, or other type of label).”; a plurality of iterations encompasses DNS information stored in a log, logs over a time period can be processed; paragraph 0030, processing is repeated).
Oprea, Horne, and Kalle do not explicitly disclose wherein the initial reputation score for a domain included in a blacklist of known malicious domains or a whitelist of good domains is precluded from rescoring.
However, in an analogous art, Hotchkiss discloses wherein the initial reputation score for a domain included in a blacklist of known malicious domains or a whitelist of good domains is precluded from rescoring (Hotchkiss, paragraph 0058, “the IP address may be permanently or temporarily added to the blacklist depending upon a wide variety of factors and considerations”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hotchkiss with the method of Oprea, Horne, and Kalle, to include, wherein the initial reputation score for a domain included in a blacklist of known malicious domains or a whitelist of good domains is precluded from rescoring, to provide users with a means for preventing unauthorized login attempts (Hotchkiss: paragraph 0002).
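The limitations discussed above (signed initial scores, hosts rescored from a summation of connected domain scores, then domains rescored from the new host scores, listed domains precluded from rescoring, and ranking of flagged domains) can be traced in a short sketch. This is an added illustration, not code from the application, this Office Action, or the cited references; the sample log, all names, the sigmoid form, the tolerance, and the threshold are assumptions.

```python
import math
from collections import defaultdict

# Assumed signed scale: positive = known good, negative = known malicious.
GOOD, MALICIOUS, UNKNOWN = 1.0, -1.0, 0.0

# Constructed sample log of (host, domain) connections; not real data.
LOG = [
    ("host-a", "cdn.example"), ("host-a", "bad.example"), ("host-a", "odd.example"),
    ("host-b", "bad.example"), ("host-b", "odd.example"),
    ("host-c", "cdn.example"), ("host-c", "news.example"),
]
# Constructed whitelist/blacklist entries; these scores are never rescored.
SEEDS = {"cdn.example": GOOD, "bad.example": MALICIOUS}


def build_graph(log):
    """Bipartite graph: hosts on one side, domains on the other, one edge per connection."""
    host_to_domains, domain_to_hosts = defaultdict(set), defaultdict(set)
    for host, domain in log:
        host_to_domains[host].add(domain)
        domain_to_hosts[domain].add(host)
    return host_to_domains, domain_to_hosts


def squash(total, rate):
    """Adjust a summed score with a sigmoid scaled by a learning rate (assumed form).

    2*sigmoid(rate*total) - 1, written as tanh so large sums cannot overflow.
    The result stays in (-1, 1), so one busy node cannot dominate its neighbours.
    """
    return math.tanh(rate * total / 2.0)


def propagate(log, seeds, rate=1.0, tol=1e-6, max_iter=100):
    """Alternate host and domain rescoring until scores stop moving or max_iter is hit."""
    host_to_domains, domain_to_hosts = build_graph(log)
    hosts = {h: UNKNOWN for h in host_to_domains}
    domains = {d: seeds.get(d, UNKNOWN) for d in domain_to_hosts}

    for rounds in range(1, max_iter + 1):
        # Step 1: every host is rescored from the sum of its domains' current scores.
        new_hosts = {
            h: squash(sum(domains[d] for d in ds), rate)
            for h, ds in host_to_domains.items()
        }
        # Step 2: only after all hosts are done, rescore domains from the NEW host
        # scores. Seeded (listed) domains keep their initial score.
        new_domains = {
            d: domains[d] if d in seeds
            else squash(sum(new_hosts[h] for h in hs), rate)
            for d, hs in domain_to_hosts.items()
        }
        # Predefined stopping condition (assumed): largest score change below tol.
        delta = max(
            [abs(new_hosts[h] - hosts[h]) for h in hosts]
            + [abs(new_domains[d] - domains[d]) for d in domains]
        )
        hosts, domains = new_hosts, new_domains
        if delta < tol:
            break
    return hosts, domains, rounds


def rank_suspicious(domains, threshold=-0.2):
    """Domains at or below the (assumed) threshold, most negative score first."""
    flagged = [d for d, score in domains.items() if score <= threshold]
    return sorted(flagged, key=lambda d: domains[d])


if __name__ == "__main__":
    hosts, domains, rounds = propagate(LOG, SEEDS)
    print("rounds:", rounds)
    for name, score in sorted({**hosts, **domains}.items()):
        print(f"{name:14s} {score:+.3f}")
    print("flagged:", rank_suspicious(domains))
```

The unlabeled domain contacted only by hosts that also reach the blacklisted domain drifts negative, while the one contacted by a host with otherwise good traffic drifts positive; the two seeded domains keep their initial scores throughout.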

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Oprea (US9635049), filed March 31, 2015 in view of Horne (WO2016/118153), international filing date 1/23/2015, and further in view of Nachenberg (US8904520), filed 3/19/2009.
Regarding claim 11, Oprea and Horne disclose the method of claim 1.  
Oprea discloses wherein setting the initial reputation scores for each of a plurality of host computers using a classification category from the two or more first classification categories comprises setting the initial reputation scores for each of a plurality of host computers using one or more of (Oprea, col. 10, lines 9-22, “In this embodiment, the network security system 400 is configured to detect communities of suspicious domains with similar features that are likely part of the same campaign.  The belief propagation algorithm may be initiated in the above-noted hint mode using seeds corresponding to known suspicious domains.  The host devices that have initiated communications with those domains are considered known compromised hosts.”).
Horne discloses rescoring, for each of the plurality of host computers, the prior reputation score for the host computer comprises rescoring, for each of the plurality of host computers and for a first iteration in the plurality of iterations and using the one or more respective reputation scores of the subset of the plurality of domains that are connected to the host computer in the bipartite graph, the initial reputation score for the host computer that comprises one or more of (Horne, paragraph 0042, “The bipartite graph 400 can be used at to identify potentially infected clients. In one example, client node 410 can be considered potentially infected because it is related to a threshold number of domain nodes 420, 422, 424 that are labeled as suspicious. For illustrative purposes, in this example, the threshold number is three. In practice the threshold can be larger.”).
Oprea and Horne do not explicitly disclose a positive value indicating a host computer known not associated with known malicious behavior; and a negative value indicating a host computer associated with known malicious behavior; and the positive value indicating a host computer known not associated with known malicious behavior; and the negative value indicating a host computer associated with known malicious behavior.
However, in an analogous art, Nachenberg discloses a positive value indicating a host computer known not associated with known malicious behavior; and a negative value indicating a host computer associated with known malicious behavior; and the positive value indicating a host computer known not associated with known malicious behavior; and the negative value indicating a host computer associated with known malicious behavior (Nachenberg, col. 9, lines 21-45, “In another embodiment, the host reputation scoring module 442 generates the host reputation score for a host 160 by applying a classifier 460 to the reputation information associated with entities that communicate with the host 160.  In this embodiment, the host reputation scoring module 442 generates a classifier 460 based on a training set of reputation information associated with entities that communicate with hosts 160 that are known to have good reputations and a training set of reputation information associated with entities that communicate with hosts 160 that are known to have bad reputations.  According to the embodiment, the host reputation scoring module 442 may use any type of machine learning algorithm to generate the classifier 460 such as Bayesian algorithms, Support Vector Machine algorithms or regression-based algorithms.  The classification algorithm used by the host reputation scoring module 442 learns a set of values which specify the relative importance of the different types of reputation information and their associated values in determining whether the host is associated with a good reputation or a bad reputation and stores these values as a classifier 460.  The host reputation scoring module 442 applies the values specified in the classifier 460 to reputation information associated with entities that communicate with hosts 160 in order to generate the host reputation score for the host 160.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use articulated reasoning with some rational underpinning to support a legal conclusion of obviousness.  More specifically, use of exemplary rationales that may support a conclusion of obviousness include: "Obvious to try" - choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; and/or known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.
Nachenberg is concerned with applying values to generate a host reputation score for the host based on association with entities that communicate with the host.  The reputation scoring in col. 9, lines 21-45, discloses the host reputation score is based on values.  Cases where a positive value indicates a host not associated with known malicious behavior and a negative value indicates a host associated with known malicious behavior are predictable to one of ordinary skill in the art.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nachenberg with the method/system/computer-readable storage device of Oprea and Horne, to include a positive value indicating a host computer known not associated with known malicious behavior; and a negative value indicating a host computer associated with known malicious behavior; and the positive value indicating a host computer known not associated with known malicious behavior; and the negative value indicating a host computer associated with known malicious behavior.
One would have been motivated to provide users with the benefits of assessing the reputations of software applications installed on clients (Nachenberg: col. 1, lines 47-49).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Oprea (US9635049), filed March 31, 2015 in view of Horne (WO2016/118153), international filing date 1/23/2015, and further in view of Buccella (US20100153354), filed 12/17/2008.
Regarding claim 12, Oprea and Horne disclose the method of claim 1.  
Oprea and Horne do not explicitly disclose further comprising: assigning one or more time periods associated with identified Internet Protocol (IP) addresses for the plurality of host computers; propagating a portion of a reputation score for a host computer associated with an IP address corresponding to a first time period to the same IP address corresponding to one or more additional time periods; and rescoring the reputation scores for each of the plurality of host computers based on the assigned time periods and the propagated portion of a reputation score.
However, in an analogous art, Buccella discloses further comprising: assigning one or more time periods associated with identified Internet Protocol (IP) addresses for the plurality of host computers; propagating a portion of a reputation score for a host computer associated with an IP address corresponding to a first time period to the same IP address corresponding to one or more additional time periods; and rescoring the reputation (Buccella, paragraph 0031, “The method of FIG. 2 also includes calculating (216), by the search engine (126), for the particular search term (104) and for each of the rich media objects (235, 243, 251), in dependence upon the number (106) of tags (240, 248, 256) associated with the rich media objects (235, 243, 251) and the reputation scores (206) of the users (201) that associated the tags (240, 248, 256) with the rich media objects (235, 243, 251), a search result score (218).  Calculating (216) a search result score (218) in dependence upon the number (106) of tags (240, 248, 256) associated with the rich media objects (235, 243, 251) and the reputation scores (206) of the users (201) that associated the tags (240, 248, 256) with the rich media objects (235, 243, 251) may be carried out in various ways including, for example, summing, for each rich media object, the sum of reputation scores of tagging users and the number of tags for the rich media object, or summing a weighted average of the sum of reputation scores of tagging users and the number of tags for the rich media object, or in other ways as will occur to readers of skill in the art.  A `tagging user` of a rich media object as the term is used in this specification is a user that has associated tag with the rich media object.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Buccella with the method of Oprea and Horne, to include, wherein the initial reputation scores for each of a plurality of host computers comprise one or more of: a positive value indicating a host computer known not associated with known malicious behavior; and a negative value indicating a host computer associated with known malicious behavior, to provide users (Buccella: paragraph 0006).


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM, can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/W.J.M/Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439