DETAILED ACTION
This is a non-final Office action in response to communications received on 1/30/2020 and a preliminary amendment received 3/18/2020.  Claims 1-20 were cancelled.  New claims 21-40 were added.  Claims 21-40 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Drawings
The drawings filed 1/30/2020 are acknowledged.
Foreign Priority/Provisional
Provisional priority is acknowledged to 7/27/2017.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 21-31, 33-37 and 39-40 are rejected under 35 U.S.C. 103 as being unpatentable over Lynn (US 2008/0201763) in view of El-Moussa (US 2020/0053104) and Shay (US 2004/0098620).
Regarding claim 21, Lynn discloses the limitations substantially as follows:
An apparatus comprising: 
a memory configured to store multiple copies of network profile data (paras. [0132], [0136]: storing in a database transmission profiles and MAC addresses of access points); 
a processing device, operatively coupled with the memory, configured to: 
receive network profile data from an electronic device that is communicating with the apparatus, wherein the network profile data indicates a set of network parameters detected by the electronic device and wherein the network profile data provides an indication of whether the electronic device is compromised (paras. [0031]-[0034], [0047]-[0048], [0056], [0102], [0124], [0139]-[0140], [0146]: receiving a MAC address, Extended Service Set name, manufacturer, authentication modes and an indicator (i.e. network profile data) from an access point that is communicating with the system/server (i.e. apparatus), wherein indicator indicates whether the access point/network/apparatus has been compromised); 
determine whether the electronic device is compromised based on the network profile data and previous network profile data received from the electronic device (paras. [0124], [0132], [0139]-[0140]: determining whether the access point is compromised based on comparing the MAC address and transmission profile of the access point with an internal database of stored (previous) address and known transmission profile of the access point (i.e. received from the electronic device)); 
in response to determining that the electronic device is compromised, perform one or more security measures (paras. [0031]-[0034], [0133]-[0138]: in response to determining that access point/workstation is compromised, performing active defenses (i.e. security measures)); and 
in response to determining that the electronic device is not compromised, allow the electronic device to communicate with the apparatus (paras. [0031]-[0034], [0072]-[0073, [0133], [0136]: in response to determining that the access point/workstation is not compromised/has not triggered an alarm, allowing the workstation/access point access to communicate with the system/apparatus).
Lynn does not explicitly disclose the remaining limitations of claim 21 as follows:
a memory configured to store multiple copies of encrypted network profile data;
receive encrypted network profile data from an electronic device that is communicating with the apparatus, wherein the encrypted network profile data indicates a set of network parameters detected by the electronic device and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised;
determine whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data received from the electronic device, without decrypting the encrypted network profile data; 
However, in the same field of endeavor El-Moussa discloses the remaining limitations of claim 21 as follows:
	receive encrypted network profile data from an electronic device that is communicating with the apparatus, wherein the encrypted network profile data indicates a set of network parameters detected by the electronic device and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised (El-Moussa, paras. [0009], [0052]-[0053], [0059], [0067], [0069]-[0070], [0076], [0086]: receiving at a traffic detector encrypted network traffic for a connection setup (i.e. encrypted network profile data) from a computer system/electronic device that is communicating with the apparatus, wherein the encrypted network connection setup traffic indicates connection setup segments for parameter configuration (i.e. network parameters) received/detected by the computer system, wherein the encrypted network connection setup traffic is analyzed for high entropy to provide an indicator of malicious network traffic from the computer system) (i.e. indicating the electronic device is compromised); 
	determine whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data, without decrypting the encrypted network profile data (El-Moussa, paras. [0009], [0054], [0056], [0061], [0069], [0078]: determining whether a computer system is the source of a malicious traffic event (i.e. is compromised) based comparing on the measure of the entropy from encrypted network connection setup traffic for a connection setup (i.e. encrypted network profile data) with a reference measure of entropy from previous encrypted network traffic for the connection setup (i.e. previous encrypted network profile data) without decrypting the encrypted network traffic);
in response to determining that the electronic device is compromised, perform one or more security measures (El-Moussa, [0059], [0070]: in response to determining that a computer system/electronic device is the source of a malicious traffic event (i.e. is compromised), perform an action such as terminate network connection or increase security or perform virus scan or a shutdown of a computer system); and 
in response to determining that the electronic device is not compromised, allow the electronic device to communicate with the apparatus (El-Moussa, paras. [0053], [0059]: in response to authenticating a computer system is not the source of a malicious traffic event (i.e. is not compromised), allow the computer system to continue communications with the apparatus client (i.e. determining that the electronic device is not compromised, allowing secure communication between the client and the apparatus).
El-Moussa is combinable with Lynn because both are from the same field of endeavor of monitoring network traffic and identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate El-Moussa’s method of determining whether the electronic device is compromised based on the encrypted network profile data without decrypting the encrypted network profile data with the system of Lynn in order to identify exploitations that “take[] place over an encrypted network connection” (El-Moussa, para. [0068]) while conserving system resources that would be spent by decrypting the encrypted network profile data.  
Neither El-Moussa or Lynn disclose the remaining limitations of claim 21:
a memory configured to store multiple copies of encrypted network profile data;
determine whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data received from the electronic device; 
However, in the same field of endeavor Shay discloses the remaining limitations of claim 21 as follows:
a memory configured to store multiple copies of encrypted network profile data (paras. [0011], [0083], [0085]-[0086], [0095], [0099], [0101]: storing access profiles (i.e. multiple copies) as well as hashed/encrypted SID and UID; 
receive encrypted network profile data from an electronic device that is communicating with the apparatus, and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised (paras. [0043]-[0046], [0054], [0058]-[0059], [0062]-[0063], [0083]-[0087], [0096], [0099]-[0102], Figs. 5-7: receiving encrypted system identifier (SID) and user identifiers (UID) (i.e. network profile data) from X that is transmitted/communicated to a destination, gatekeeper enabled appliance or firewall (i.e. apparatus), wherein the encrypted system and user identifiers indicate that the source node/electronic device has been compromised when the encrypted system and user identifiers do not equal stored encrypted SID and UID values); 
determine whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data received from the electronic device (paras. [0059], [0096], [0099]-[0102], Figs. 5-7: determining whether the source node/electronic device has been compromised based comparing extracted encrypted values SID and UID (i.e. encrypted network profile data) with stored values for SID and UID (i.e. previous network profile data) received from the source node/apparatus); 
Shay is combinable with Lynn and El-Moussa because all three are from the same field of endeavor of monitoring network traffic and identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of determining whether the electronic device is compromised based on comparing the encrypted network profile data with previously encrypted network profile data from the electronic device with the system of Lynn and El-Moussa in order to increase the security of the system by comparing network profile data directly received from the electronic device as well as any calculations derived thereof.  

	Regarding claim 22, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
El-Moussa discloses the limitations of claim 22 as follows:
	The apparatus of Claim 21, wherein to perform the one or more security measures, the processing device is further configured to: 
	drop one or more packets received from the electronic device (El-Moussa, paras. [0059]: terminating a connection or shutting down the electronic device); (see also Shay, Fig. 3, 240, paras. [0035], [0059], [0063], [0087]: dropping packets).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate El-Moussa’s method of dropping packets with the system of Lynn and Shay in order to increase the security of the system by preventing packets from being received from electronic devices that have been determined to be compromised.

	Regarding claim 23, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Shay discloses the limitations of claim 23 as follows:
	The apparatus of Claim 21, wherein to perform the one or more security measures, the processing device is further configured to: 
	request authentication credentials from the electronic device (paras. [0035], [0087], [0092], [0102]: upon determining that the requesting device/electronic device is not known/authenticated (i.e. may be compromised), requesting further identification (i.e. authentication credentials) from the device to determine whether a policy applies that still permits the request to be granted).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of requesting additional identification from the user device after a determination of untrust/compromise has been made with the system of Lynn and El-Moussa in order to provide the system with more flexibility by enabling the user/administrator to configure specific policy exceptions in which indicators of compromise would not cause a request to be dropped.  

	Regarding claim 24, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Shay discloses the limitations of claim 24 as follows:
	The apparatus of Claim 21, wherein the processing device is further configured to: 
	determine whether the encrypted network profile data has been received from the electronic device; and in response to determining that the encrypted network profile data has not been received, prevent the electronic device from communicating with the apparatus (paras. [0054], [0058]-[0059], [0062]-[0063]: determining from the initial sequence number (ISN) and request whether the user has been authenticated and session established (i.e. indicating that the system and user identifiers (network profile data) have not yet been transmitted to a destination, gatekeeper enabled apparatus or firewall to establish session)), and in response to determining that the user needs to be authenticated, preventing a session from being established with destination, gatekeeper enabled appliance or firewall until the user is authenticated).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of preventing the electronic device from communicating with the apparatus upon determining that the encrypted network profile data and authentication of the user have not yet occurred with the system of Lynn and El-Moussa in order to increase the security of the system by ensuring that communication with the appliance is not permitted until the user of the electronic device is authenticated.  

	Regarding claim 25, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Lynn discloses the limitations of claim 25 as follows:
	The apparatus of Claim 21, wherein the apparatus is one of a router and a server (Lynn, paras. [0018], [0048]-[0049], [0057]: system/apparatus is a server) (see also El-Moussa, paras. [0052]-[0053]: apparatus is router or hardware or software components of a network).

	Regarding claim 26, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Lynn discloses the limitations of claim 26 as follows:
	The apparatus of Claim 21, wherein the apparatus is configured as a first-hop router coupled to a local area network (LAN) and a wide area network (WAN) (Figs. 2A-2E, paras. [0018], [0048]-[0049]: access points, such as a router, are coupled to  WLAN (LAN + Wireless networks).

	Regarding claim 27, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
El-Moussa discloses the limitations of claim 27 as follows:
	The apparatus of Claim 21, wherein the encrypted network profile data is received in existing traffic transmitted to the apparatus (El-Moussa, paras. [0052]-[0053], [0086]: encrypted network connection setup traffic (i.e. network profile data) is received in existing encrypted network traffic transmitted to an apparatus).
The same motivation to combine utilized in claim 21 is equally applicable in the instant claim.

	Regarding claim 28, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
El Moussa discloses the limitations of claim 28 as follows:
	The apparatus of Claim 21, wherein the encrypted network profile data is received in one or more packets addressed to the apparatus (El-Moussa, paras. [0052]-[0053], [0086]: encrypted network connection setup traffic (i.e. network profile data) is received in packets addressed to an apparatus as a connection endpoint in the network).
The same motivation to combine utilized in claim 21 is equally applicable in the instant claim.

	Regarding claim 29, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Lynn discloses the limitations of claim 29 as follows:
	The apparatus of Claim 21, wherein the set of network parameters comprises a network address of the apparatus (paras. [0102]: obtained network parameters include MAC addresses for each of the system components workstations and access points).

	Regarding claim 30, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Lynn discloses the limitations of claim 30 as follows:
	The apparatus of Claim 21, wherein the set of network parameters comprises a network identifier of a network detected by the apparatus (paras. [0070]-[0071], [0102]: network parameters include Extended Service Set names for each of the access points detected).

	Regarding claim 31, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Lynn discloses the limitations of claim 31 as follows:
	The apparatus of Claim 21, wherein the set of network parameters comprises one or more device identifiers of one or more electronic devices detected by the apparatus (para. [0102]: network parameters include MAC addresses of the workstations detected by the system).

	Regarding claim 33, Lynn discloses the limitations substantially as follows:
A method comprising:
	receiving, by a network device, network profile data from an electronic device that is communicating with the network device, wherein the network profile data indicates a set of network parameters detected by the electronic device and wherein the network profile data provides an indication of whether the electronic device is compromised (paras. [0031]-[0034], [0047]-[0048], [0056], [0102], [0124], [0139]-[0140], [0146]: receiving a MAC address, Extended Service Set name, manufacturer, authentication modes and an indicator (i.e. network profile data) from an access point that is communicating with the system/server (i.e. apparatus), wherein indicator indicates whether the access point/network/apparatus has been compromised); 
	determining, by the network device, whether the electronic device is compromised based on the network profile data and previous network profile data received from the electronic device (paras. [0124], [0132], [0139]-[0140]: determining whether the access point is compromised based on comparing the MAC address and transmission profile of the access point with an internal database of stored (previous) address and known transmission profile of the access point (i.e. received from the electronic device)); 
	in response to determining that the electronic device is compromised, performing one or more security measures (paras. [0031]-[0034], [0133]-[0138]: in response to determining that access point/workstation is compromised, performing active defenses (i.e. security measures)); and 
	in response to determining that the electronic device is not compromised, allowing the electronic device to communicate with the network device (paras. [0031]-[0034], [0072]-[0073, [0133], [0136]: in response to determining that the access point/workstation is not compromised/has not triggered an alarm, allowing the workstation/access point access to communicate with the system/apparatus).
Lynn does not disclose the remaining limitations of claim 33 as follows:
	receiving, by a network device, encrypted network profile data from an electronic device that is communicating with the network device, wherein the encrypted network profile data indicates a set of network parameters detected by the electronic device and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised;
	determining, by the network device, whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data, without decrypting the encrypted network profile data
However, in the same field of endeavor, El-Moussa discloses the limitations of claim 33 as follows:
	receiving, by a network device, encrypted network profile data from an electronic device that is communicating with the network device, wherein the encrypted network profile data indicates a set of network parameters detected by the electronic device and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised (El-Moussa, paras. [0009], [0052]-[0053], [0059], [0067], [0069]-[0070], [0076], [0086]: receiving at a traffic detector encrypted network traffic for a connection setup (i.e. encrypted network profile data) from a computer system/electronic device that is communicating with the apparatus, wherein the encrypted network connection setup traffic indicates connection setup segments for parameter configuration (i.e. network parameters) received/detected by the computer system, wherein the encrypted network connection setup traffic is analyzed for high entropy to provide an indicator of malicious network traffic from the computer system) (i.e. indicating the electronic device is compromised); 
	determining, by the network device, whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data, without decrypting the encrypted network profile data (El-Moussa, paras. [0009], [0054], [0056], [0061], [0069], [0078]: determining whether a computer system is the source of a malicious traffic event (i.e. is compromised) based comparing on the measure of the entropy from encrypted network connection setup traffic for a connection setup (i.e. encrypted network profile data) with a reference measure of entropy from previous encrypted network traffic for the connection setup (i.e. previous encrypted network profile data) without decrypting the encrypted network traffic); 
in response to determining that the electronic device is compromised, perform one or more security measures (El-Moussa, [0059], [0070]: in response to determining that a computer system/electronic device is the source of a malicious traffic event (i.e. is compromised), perform an action such as terminate network connection or increase security or perform virus scan or a shutdown of a computer system); and 
in response to determining that the electronic device is not compromised, allow the electronic device to communicate with the apparatus (El-Moussa, paras. [0053], [0059]: in response to authenticating a computer system is not the source of a malicious traffic event (i.e. is not compromised), allow the computer system to continue communications with the apparatus client (i.e. determining that the electronic device is not compromised, allowing secure communication between the client and the apparatus).
El-Moussa is combinable with Lynn because both are from the same field of endeavor of monitoring network traffic and identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate El-Moussa’s method of determining whether the electronic device is compromised based on the encrypted network profile data without decrypting the encrypted network profile data with the system of Lynn in order to identify exploitations that “take[] place over an encrypted network connection” (El-Moussa, para. [0068]) while conserving system resources that would be spent by decrypting the encrypted network profile data.  
Neither Lynn or El-Moussa disclose the remaining limitations of claim 33 as follows:
	determining, by the network device, whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data received from the electronic device
However, in the same field of endeavor Shay discloses the remaining limitations of claim 33 as follows:
	receiving, by a network device, encrypted network profile data from an electronic device that is communicating with the network device, and wherein the encrypted network profile data provides an indication of whether the electronic device is compromised (paras. [0043]-[0046], [0054], [0058]-[0059], [0062]-[0063], [0083]-[0087], [0096], [0099]-[0102], Figs. 5-7: receiving encrypted system identifier (SID) and user identifiers (UID) (i.e. network profile data) from X that is transmitted/communicated to a destination, gatekeeper enabled appliance or firewall (i.e. apparatus), wherein the encrypted system and user identifiers indicate that the source node/electronic device has been compromised when the encrypted system and user identifiers do not equal stored encrypted SID and UID values);
	determining, by the network device, whether the electronic device is compromised based on the encrypted network profile data and previous encrypted network profile data received from the electronic device (paras. [0059], [0096], [0099]-[0102], Figs. 5-7: determining whether the source node/electronic device has been compromised based comparing extracted encrypted values SID and UID (i.e. encrypted network profile data) with stored values for SID and UID (i.e. previous network profile data) received from the source node/apparatus);
Shay is combinable with Lynn and El-Moussa because all three are from the same field of endeavor of monitoring network traffic and identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of determining whether the electronic device is compromised based on comparing the encrypted network profile data with previously encrypted network profile data from the electronic device with the system of Lynn and El-Moussa in order to increase the security of the system by comparing network profile data directly received from the electronic device as well as any calculations derived thereof.  

	Regarding claim 34, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
El-Moussa and Shay disclose the limitations of claim 34 as follows:
The method of Claim 33, wherein performing the one or more security measures comprises one or more of: 
dropping one or more packets received from the electronic device (El-Moussa, paras. [0059]: terminating a connection or shutting down the electronic device); (see also Shay, Fig. 3, 240, paras. [0059], [0087]: dropping packets); and 
	request authentication credentials from the electronic device (paras. [0035], [0087], [0092], [0102]: upon determining that the requesting device/electronic device is not known/authenticated (i.e. may be compromised), requesting further identification (i.e. authentication credentials) from the device to determine whether a policy applies that still permits the request to be granted).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of requesting additional identification from the user device after a determination of untrust/compromise has been made with the system of Lynn and El-Moussa in order to provide the system with more flexibility by enabling the user/administrator to configure specific policy exceptions in which indicators of compromise would not cause a request to be dropped.  

	Regarding claim 35, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Shay discloses the limitations of claim 35 as follows:
The method of Claim 33, further comprising: 
	determining whether the encrypted network profile data has been received from the electronic device; and in response to determining that the encrypted network profile data has not been received, preventing the electronic device from communicating with the network device (paras. [0054], [0058]-[0059], [0062]-[0063]: determining from the initial sequence number (ISN) and request whether the user has been authenticated and session established (i.e. indicating that the system and user identifiers (network profile data) have not yet been transmitted to a destination, gatekeeper enabled apparatus or firewall to establish session)), and in response to determining that the user needs to be authenticated, preventing a session from being established with destination, gatekeeper enabled appliance or firewall until the user is authenticated).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of preventing the electronic device from communicating with the apparatus upon determining that the encrypted network profile data and authentication of the user have not yet occurred with the system of Lynn and El-Moussa in order to increase the security of the system by ensuring that communication with the appliance is not permitted until the user of the electronic device is authenticated.  

	Regarding claim 36, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Shay discloses the limitations of claim 36 as follows:
The method of Claim 33, wherein determining whether the electronic device is compromised further comprises: 
comparing a portion of the encrypted network profile data with a portion of the previous encrypted network profile data, wherein each of the portion of the encrypted network profile data and the portion of the previous encrypted network profile data corresponds to a particular network parameter from the set of network parameters (paras. [0059], [0096], [0099]-[0102], Figs. 5-7: determining whether the source node/electronic device has been compromised based on comparing extracted encrypted values SID and UID (i.e. portions of the encrypted network profile data) with stored values for SID and UID (i.e. previous network profile data) received from the source node/apparatus), where the extracted encrypted values SID and UID (i.e. each portion of the encrypted network profile data) and the previously stored SID and UID (i.e. portions of the previous encrypted network profile data) correspond to parameters of the source node).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shay’s method of comparing portions of the encrypted network profile data with the system of Lynn and El-Moussa in order to strengthen the security of the system by requiring comparison and validation of multiple parts of network profile data prior to determining that the electronic device is compromised.

	Regarding claim 37, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Lynn discloses the limitations of claim 37 as follows:
The method of Claim 36, further comprising detecting that hacking attempts are being performed by the electronic device, after determining that the electronic device is compromised (Lynn, paras. [0020]-[0021], [0079], [0103], [0132], [0140]: after determining that the access point is compromised, determining that the access is participating in hacking attempts using honeytrap).

	Regarding claim 39, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Lynn discloses the limitations of claim 39 as follows:
The method of Claim 36, further comprising detecting that denial of service attacks is being performed by the electronic device, after determining that the electronic device is compromised (Lynn, paras. [0023], [0132]-[0134], [0140]: after determining that the access point is compromised, determining that the access point is part of denial-of-service attacks using honeytrap).

	Regarding claim 40, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Lynn discloses the limitations of claim 40 as follows:
	The method of Claim 33, wherein the network device is one of a router and a server coupled to the electronic device through one or more networks (Lynn, paras. [0018], [0048]-[0049]: system/network device comprises routers and a server coupled to the access points through a wireless network) (see also El-Moussa, paras. [0052]-[0053]: apparatus is router or hardware or software components of a network).

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Lynn (US 2008/0201763) in view of El-Moussa (US 2020/0053104) and Shay (US 2004/0098620), as applied to claim 21, further in view of Sorenson III (US 2014/0310391, hereafter “Sorenson”).
	Regarding claim 32, Lynn, El-Moussa, and Shay disclose the limitations of claim 21.
Neither Lynn, Shay or El-Moussa discloses the limitations of claim 32 as follows:
The apparatus of Claim 21, wherein the set of network parameters comprises one or more of: 
	a list of rejected incoming connection requests; and 
	a list of rejected outgoing connection requests.
However, in the same field of endeavor Sorenson discloses the remaining limitations of claim 32 as follows:
The apparatus of Claim 21, wherein the set of network parameters comprises one or more of: 
	a list of rejected incoming connection requests (para. [0065]: nodes/apparatus receive network data comprising indicating/listing number of times connection requests (i.e. incoming and outgoing) have been rejected); and 
	a list of rejected outgoing connection requests (para. [0065]: nodes/apparatus receive network data comprising indicating/listing number of times connection requests (i.e. incoming and outgoing) have been rejected).
Sorenson is combinable with Lynn, El-Moussa and Shay because all four are from the same field of endeavor of identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Sorenson’s method of indicating a number of times incoming connection requests have been rejected with the system of Lynn, El-Moussa and Shay in order to enable the nodes to reject connection requests at different probabilities at two or more different levels of utilizations and accept an incoming connection request if it has been rejected over a threshold number of times (Sorenson, paras. [0064]-[0065]).  

Claim 38 is rejected under 35 U.S.C. 103 as being unpatentable over Lynn (US 2008/0201763) in view of El-Moussa (US 2020/0053104) and Shay (US 2004/0098620), as applied to claim 21, further in view of Singh (US 2006/0098585).
	Regarding claim 38, Lynn, El-Moussa, and Shay disclose the limitations of claim 33.
Neither Lynn, El-Moussa, or Shay disclose the limitations of claim 38 as follows:
The method of Claim 36, further comprising detecting port scanning at the electronic device or port scanning by the electronic device, after determining that the electronic device is compromised.
However, in the same field of endeavor Singh discloses the limitations of claim 38 as follows:
The method of Claim 36, further comprising detecting port scanning at the electronic device or port scanning by the electronic device, after determining that the electronic device is compromised (para. [0053]: after identifying destinations (i.e. electronic device) that are suspicious (i.e. are compromised), identifying that the suspicious source is port scanning).
Singh is combinable with Lynn, El-Moussa and Shay because all four are from the same field of endeavor of identifying threats to a network.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Singh’s method of detecting compromised/suspicious devices that are port scanning with the system of Lynn, El-Moussa and Shay in order to be increase the security of the system by enabling the system to better determine what type of countermeasures to take against an attack by determining the type of attack that is being made against the system.

Conclusion
For the above-stated reasons, claims 21-40 are rejected.
Prior art considered but not relied upon includes:
1) Skuratovich has enabling the message to be authenticated without decrypting it and applying hash function to payload once encrypted, where the request also comprises integrity check data for detecting alterations/tampering before decrypting it (see paras. [0128] and [0270]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/SHARON S LYNCH/Primary Examiner, Art Unit 2438                                                                                                                                                                                                        


.