DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the application filed 03/21/2019. Claims 1-20 have been filed.

Priority
This application claims foreign priority to RU2018/123693 filed 06/29/2018.
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/21/2019 and 01/31/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Double Patenting
Claims 1-20 of this application are patentably indistinct from claims 1-20 of Application No. 16/359,417. Pursuant to 37 CFR 1.78(f), when two or more applications filed by the same applicant or assignee contain patentably indistinct claims, elimination of such claims from all but one application may be required in the absence of good and sufficient reason for their retention during pendency in more than one application. Applicant is required to either cancel the patentably indistinct claims from all but one application or maintain a clear line of demarcation between the applications. See MPEP § 822.
In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/359,417 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of the reference application anticipate the respective ones of the instant claims 1-20.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Conflicting features of the instant independent claim 1 with respect to corresponding features of claims 1, 3 and 4 in the reference application are shown below.

Instant Application, claim 1:
A method for blocking network connections to network resources of forbidden categories, the method comprising:
intercepting a certificate when a protected connection is being established between a client and a server;
determining categories of network resources to which a connection of the client is forbidden;
determining a category of the intercepted certificate, the determination of the category of the intercepted certificate comprising:
identifying a network resource to which the intercepted certificate corresponds, determining whether the intercepted certificate is unknown or known, and determining the category of the intercepted certificate based on whether the certificate is known or unknown;
extracting attributes from the intercepted certificate; and
blocking the network connection when the determined category of the intercepted certificate is a category of the determined categories of the network resources to which the connection of the client is forbidden, or when the attributes extracted from the intercepted certificate are found to be similar to attributes of forbidden certificates.

Reference Application, claim 1 (corresponding features):
intercepting a certificate from the server when establishing a protected connection between a server and a client;
determining whether the intercepted certificate is similar to one or more forbidden certificates (Note: categories of forbidden certificates are inherently identified/determined here), the determination of whether the intercepted certificate is similar to one or more forbidden certificates (Note: extracting attributes for determining similarity is inherent here) comprising transforming the intercepted certificate in accordance with a
blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.

Reference Application, claim 3:
The method of claim 1, wherein the method of determining similarities between certificates comprises:
obtaining attributes from the intercepted certificate;
constructing an N-dimensional vector based on the obtained attributes; and
comparing the constructed N-dimensional vector to clusters in the database of forbidden certificates.

Reference Application, claim 4:
The method of claim 3, wherein the intercepted certificate is found to be similar to a forbidden certificate of the one or more forbidden certificates when:
a distance between the constructed N-dimensional vector of the certificate and a center of at least one cluster in the database is less than a radius of the at least one cluster (Note: a center of at least one cluster anticipates a known certificate category); or
a measure of proximity between the constructed N-dimensional vector and the center of the at least one cluster is less than a threshold value.

Examiner’s Note on Patent Eligibility Analysis (Abstract Idea)
Per the 2019 PEG:

Step 2A, prong one – claim 1 recites “identifying a network resource to which the intercepted certificate corresponds, determining whether the intercepted certificate is unknown or known, and determining the category of the intercepted certificate based on whether the certificate is known or unknown”, which is construed as being directed to an abstract idea (i.e., the mental processes grouping defined in the 2019 PEG for the electrical arts). Claims 8 and 15 recite a similar limitation.
Step 2A, prong two – claims 1, 8 and 15 recite additional elements and limitations that integrate the indicated abstract idea into a practical application of it.
As such, claims 1-7 and 15-20 are patent “eligible”.
Claims 8-14 are nonetheless patent “ineligible” because they are directed to software per se and therefore fail step 1 of the abstract idea analysis.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because they are directed to software per se. As one option, claims may be amended to explicitly recite a hardware component.

Examiner’s Note:
Per claim 11, “storing” in a list is generating a data structure and is still construed as software. To overcome the rejection, an explicit recitation of a hardware component, e.g., “a memory”, in the claim as part of the claimed invention is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1-2, 5-6, 8-9, 12-13, 16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi, US2019/0058714A1, in view of Anderson, US2018/0139214A1.

Per claim 1, Joshi discloses a method for blocking network connections to network resources of forbidden categories, the method comprising: 
intercepting a certificate when a protected connection is being established between a client and a server (The environment 200 includes a SDP 208 that can apply certificate validation policies to certificates presented to browsers 210 of the user devices 202 by the host devices 204 during handshaking procedures.  The environment 200 also includes a security tool 212 that can aid in detecting malicious activities and can perform actions to mitigate those activities.  For example, the security tool 212 can decrypt suspicious SSL connections by using a trusted man-in-the-middle technique – Joshi: par. 0045 – Note: man-in-the-middle technique intercepts connections);
determining categories of network resources to which a connection of the client is forbidden (The effectiveness of the SDP 208 is limited by its trust model.  For example, a certificate that is signed by a trusted authority could have expired, the signature of a trusted authority could be forged, the issue date of the certificate could be faked…The SDP 208 improves on the certificate validation process by selectively passing suspicious connections to the security tool 214 for decryption and inspection to identify malicious connection.  The SDP 208 can reduce the load on the security tool 212 by selectively allowing normal flows associated with trusted certificates to forego decryption by the security tool 212 – Joshi: par. 0059-0060); 
determining a category of the intercepted certificate (The SDP 208 improves on the certificate validation process by selectively passing suspicious connections to the security tool 214 for decryption and inspection to identify malicious connection.  The SDP 208 can reduce the load on the security tool 212 by selectively allowing normal flows associated with trusted certificates to forego decryption by the security tool 212.  A flow is "normal" when the secured connection of the flow is "trustworthy" because its certificate passed the validation processes of the SDP 208.  For example, the certificate may be deemed "valid" if it has a valid issue date, expiration date (e.g., not yet expired), is signed by a trusted authority, etc. – Joshi: par. 0045 – Note: identifying normal flows versus suspicious connections, wherein suspicious connections are selectively passed to the security tool for decryption and further analysis), the determination of the category of the intercepted certificate comprising: 
identifying a network resource to which the intercepted certificate corresponds, determining whether the intercepted certificate is unknown or known, and determining the category of the intercepted certificate based on whether the certificate is known or unknown (The connections 214-1 and 214-2 are examples of connections that can couple the browsers 210-1 and 210-2 of the user devices 202 and the host devices 204.  The connection 214-1 carries normal traffic associated with a trusted certificate that was validated by the SDP 208.  In contrast, the connection 214-2 carries suspicious traffic associated with an untrusted certificate that was not validated by the SDP 208.  As such, the SDP 208 can reliably identify suspicious activity from the handshake procedure of a connection between endpoint devices – Joshi: par. 0046 – Note: SDP applies certificate validation policies to identify suspicious connections for the browsers requesting content from the host devices based on a (PKI/certificate) trust model and determining untrusted traffic/certificate – Also see par. 0052-0056); 
Joshi is not relied on to explicitly disclose but Joshi in view of Anderson discloses extracting attributes from the intercepted certificate (certificate analysis process 244 may be configured to capture and/or analyze certificate data associated with an encrypted traffic flow.  Such a flow may be, for example, a Transport Layer Security (TLS) or Secure Socket Layer (SSL) traffic flow that uses X.509 certificates or the like.  In turn, certificate analysis process 244 may provide the extracted data feature(s) of the certificate to classifier process 248 for analysis – Anderson: par. 0030 – Note: in the optimization or learning phase, the classifier process uses a model M (that separates data into two classes or labels) to classify new data points, such as information (newly extracted certificates) regarding new traffic flows in the network – par. 0032); and 
blocking the network connection when the determined category of the intercepted certificate is a category of the determined categories of the network resources to which the connection of the client is forbidden (The certificate validation policies of the SDP 208 could be applied to incoming network traffic to identify suspicious traffic, which can be offloaded to the security tool 212 for further inspection to identify malicious traffic and take actions to mitigate the effects of the malicious traffic – Joshi: par. 0050 – Note: the trusted man-in-the-middle technique determines whether traffic is malicious and the security tool can block any malicious connections – see par. 0045), or when the attributes extracted from the intercepted certificate are found to be similar to attributes of forbidden certificates (Classifier process 248 may employ any number of machine learning techniques, to classify the gathered traffic data.  In general, machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., traffic data regarding traffic in the network) and recognize complex patterns in the input data.  For example, some machine learning techniques use an underlying model M, whose parameters are optimized for minimizing the cost function associated to M, given the input data…After this optimization/learning phase, classifier process 244 can use the model M to classify new data points, such as information regarding new traffic flows in the network – Anderson: par. 0032 – Note: an unsupervised model looks to whether there are sudden changes in the behavior of the network traffic.  Semi-supervised learning models take a middle ground approach that uses a greatly reduced set of labeled training data. 
Example machine learning techniques that classifier process 248 can employ may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, mean-shift, etc.) – see par. 0034, wherein the disclosed example models are based on threshold similarity/distance in accordance with known classes/categories).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Joshi in view of Anderson to include extracting attributes from the intercepted certificate; and blocking the network connection when the determined category of the intercepted certificate is a category of the determined categories of the network resources to which the connection of the client is forbidden, or when the attributes extracted from the intercepted certificate are found to be similar to attributes of forbidden certificates.
One of ordinary skill in the art would have been motivated because it would allow performing “a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow” – Anderson: Abstract, such that “the classifier may identify the application as belonging to a particular malware family” – Anderson: par. 0070.  

Per claim 8, it recites a system for blocking network connections to network resources of forbidden categories, comprising: at least one processor (the techniques introduced here can be implemented by, for example, programmable circuitry (e.g., one or more microprocessors), programmed with software and/or firmware, entirely in special-purpose hardwired (i.e., non-programmable) circuitry, or in a combination of such forms – Joshi: par. 0107 and Fig. 5) configured to perform the method steps of claim 1.
Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 15, it recites a non-transitory computer readable medium storing thereon computer executable instructions for blocking network connections to network resources of forbidden categories, including instructions for performing the method steps of claim 1 (the techniques introduced here can be implemented by, for example, programmable circuitry (e.g., one or more microprocessors), programmed with software and/or firmware, entirely in special-purpose hardwired (i.e., non-programmable) circuitry, or in a combination of such forms – Joshi: par. 0107 and Fig. 5).
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Joshi in view of Anderson discloses features of claims 1, 8 and 15, wherein, Joshi discloses when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is based on content of the network resource to which the known certificate corresponds (The user devices 202 can each execute a browser (e.g., browser 210), which is a software application for retrieving, presenting, and traversing information resources on a network.  An information resource is identified by a uniform resource identifier (URI/URL) that may be a webpage, image, video or other content… For example, a user of a user device 202 enters a URL into browser 210-1, which is used to initiate a handshake procedure that fetches a certificate from a host device 204.  The certificate is received by the SDP 208 and processed in accordance with configurable validation policies and the central trust store.  The certificate is also received by the browser 210-1 and processed in accordance with validation policies and the user trust store.  Once validated by the user device 202, the browser 210-1 can render the retrieved content...In another example, a user of another host device 204 enters a URL into browser 210-2, which is used to initiate a handshake procedure that fetches a certificate and content from another host device 204.  The certificate is received by the SDP 208 and processed in accordance with the same configurable validation policies.  In this instance, the certificate fails the configurable validation policies of the SDP 208.  As such, the associated connection is deemed untrusted and is offloaded to the security tool 212, which can decrypt the suspicious connection 214-2 to identify malicious activity – Joshi: par. 0052 and 0056-0057 – Note: a connection associated with a certificate that passes certificate validation policies is construed as a “known” trusted certificate, while a connection associated with a certificate that fails certificate validation policies is construed as a “known” untrusted certificate).
Further, Joshi in view of Anderson discloses when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is based on content of the network resource to which the known certificate corresponds (In one embodiment, classifier process 248 may assess captured traffic data to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.  Example forms of traffic that can be caused by malware may include, but are not limited to, traffic flows reporting exfiltrated data to a remote entity, spyware or ransomware-related flows, command and control (C2) traffic that oversees the operation of the deployed malware, traffic that is part of a network attack, such as a zero day attack or denial of service (DoS) attack, combinations thereof, or the like.  In further embodiments, classifier process 248 may classify the gathered traffic data to detect other anomalous behaviors (e.g., malfunctioning devices, misconfigured devices, etc.), traffic pattern changes (e.g., a group of hosts begin sending significantly more or less traffic), or the like – Anderson: par. 0031 – Note: a particular (known) family of malware such as exfiltration, spyware, ransomware, command and control, zero day attack and DoS is determined by the classifier).
The same motivation to modify Joshi in view of Anderson applied to claim 1 above applies here.

Per claims 5, 12 and 19, Joshi in view of Anderson discloses features of claims 1, 8 and 15, wherein, when the intercepted certificate is determined as being an unknown certificate (classifier process 244 can use the model M to classify new data points, such as information regarding new traffic flows in the network – Anderson: par. 0032), the determination of the category of the unknown certificate comprises: 
determining similarities of the unknown certificate to known certificates for which respective categories have been determined (the certificate features can also be combined with other flow characteristics related to the TLS session (e.g., metrics regarding the traffic flow, the ciphersuite in use or offered, TLS extensions, etc.), to determine whether the application executed by the client and associated with the traffic flow is malware.  If so, the classifier may also be configured to identify the malware family to which the application belongs – Anderson: par. 0046 – Note: Example machine learning techniques that classifier process 248 can employ may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, mean-shift, etc.) – par. 0034); and 
assigning, to the unknown certificate, a category of a certificate of a known certificate found as being similar to the unknown certificate based on the similarity determination (a classifier may, based on the certificate data features of an encrypted flow of interest, classify the application associated with the TLS session.  For example, using the above approach, the classifier may identify the application as belonging to a particular malware family – Anderson: par. 0070).
The same motivation to modify Joshi in view of Anderson applied to claim 1 above applies here.

Per claims 6, 13 and 20, Joshi in view of Anderson discloses features of claims 1, 8 and 15, wherein the intercepted certificate is determined as being an unknown certificate when content of the identified network resource is a network resource of an unknown category (a classifier may, based on the certificate data features of an encrypted flow of interest, classify the application associated with the TLS session.  For example, using the above approach, the classifier may identify the application as belonging to a particular malware family.  In further embodiments, the techniques herein can also be used more generally to identify the application itself, regardless of whether or not the application is malicious… if the classifier is configured to simply identify the application associated with the encrypted traffic flow, the device may cause any number of appropriate quality of service (QoS) parameters to be set in the network regarding the flow – Anderson: par. 0070 and 0072).
The same motivation to modify Joshi in view of Anderson applied to claim 1 above applies here.

2.	Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi, US2019/0058714A1, in view of Anderson, US2018/0139214A1 as applied to claims 1, 8 and 15 above, and further in view of Grebennikov, US2014/0095866A1.

Per claims 3, 10 and 17, Joshi in view of Anderson discloses features of claims 1, 8 and 15, wherein Joshi in view of Anderson is not relied on to explicitly disclose but Joshi in view of Anderson further in view of Grebennikov discloses when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is determined in accordance with a list of certificates (Note: there is a list of certificates, i.e., certificate 1-X and company 1 may be associated with one or more of such certificates – see Fig. 6), wherein a given certificate of the list of certificates is assigned a category of an address of a network resource to which the given certificate corresponds (Abnormalities in existing and new data are detected at 620 using the abnormality detection module 520.  This operation analyzes the certificates stored in the database 505.  An example of records stored in the database 505 is depicted in FIG. 6…it is possible to use preset rules for identifying suspicious certificates of the following type: "if a new certificate appears in the database for the existing URL address, and if there is more than six months left before the expiry of the existing certificate, then the new certificate is considered suspicious".  For example, the following events are considered suspicious: [0075] Occurrence of a new certificate for a known company or a known URL address; [0076] Modification of the certification center and/or Internet service provider for a known company or URL address; [0077] Differences in contact data and/or geographical location between older and newer certificates of a known company or URL address, etc. – Grebennikov: par. 0074-0077).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Joshi in view of Anderson further in view of Grebennikov to include when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is determined in accordance with a list of certificates, wherein a given certificate of the list of certificates is assigned a category of an address of a network resource to which the given certificate corresponds.
One of ordinary skill in the art would have been motivated because it would allow “an analysis of the static data (intrinsic and extrinsic) for existing and new certificates stored in the database 505 to determine a measure of suspiciousness for any of the certificates” – Grebennikov: par. 0043.

3.	Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi, US2019/0058714A1, Anderson, US2018/0139214A1 and Grebennikov, US2014/0095866A1 as applied to claims 3, 10 and 17 above, and further in view of Hubbard, US2008/0133540A1.

Per claims 4, 11 and 18, the combined features of Joshi, Anderson and Grebennikov disclose the features of claims 3, 10 and 17.  Joshi, Anderson and Grebennikov are not relied on to explicitly disclose but further in view of Hubbard disclose wherein the list of certificates is established by: 
storing categories of network resources on a list (In one embodiment, the categorized URLs may be stored in a two-column database table such as the one shown in FIG. 6A.  In one embodiment, the table may include a URL column 172 which may simply store the URL string that has been characterized.  The Category column 174 may store data about how that URL has been characterized by database module 114 (as will be described in detail below).  In one embodiment, the URL field may be indexed so that it may be more quickly searched in real time.  Because the list of categorized URLs may reach well into the millions of URLs, a fast access routine is beneficial – Hubbard: par. 0077); 
for each category on the list of categories of network resources (Note: categorized URLs), storing addresses of network resources assigned to the category (Hubbard: Fig. 6A); and 
Joshi, Anderson and Grebennikov further in view of Hubbard also discloses for each category on the list of categories of network resources, storing a list of certificates and addresses of network resources corresponding to the list of certificates (FIG. 6 illustrates an example of a table data structure representing gathered certificates, as might be stored in the database 505.  In one embodiment, the database 505 contains information received both from the certificate itself and from outside sources.  For instance, as shown in FIG. 6, the table includes the following fields: the company named in the certificate (the owner); the URL address specified in the certificate; the certificate's serial number; the certification center which issued the certificate; the company actually owning the certificate…  In other embodiments, additional fields can be introduced, corresponding to other key parameters of the certificate, as well as the relevant data received from outside agents.  For example, a field can be added that would include information on the actual URL address for the certificate (the URL address from which the certificate was received) – Grebennikov: par. 0089 and Fig. 6).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Joshi, Anderson and Grebennikov further in view of Hubbard to include storing categories of network resources on a list; for each category on the list of categories of network resources, storing addresses of network resources assigned to the category.
One of ordinary skill in the art would have been motivated because it would allow immediately categorizing large numbers of URLs based on stored properties when a new definition of active content is identified – Hubbard: par. 0140.

4.	Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi, US2019/0058714A1, in view of Anderson, US2018/0139214A1 as applied to claims 1 and 8 above, and further in view of Pereira, US10924503B1.

Per claims 7 and 14, Joshi in view of Anderson discloses features of claims 1 and 8, when the intercepted certificate is unknown, known certificates are represented by clusters containing vectors of attributes of the known certificates, forbidden certificates are represented by a cluster containing vectors of attributes of the forbidden certificates, the attributes extracted from the intercepted certificate are transformed into an N-dimensional vector of the intercepted certificate (the remote server may identify a cluster of data objects, such as vectors, that represent a number of IP addresses corresponding to non-malicious network traffic.  The cluster of VPC flow log data vectors or other data objects may be determined using a suitable clustering algorithm, such as a connectivity model, a centroid model, a distribution model, a density model, K means clustering, and the like – Pereira: col. 16, lines 58-60), distances between the N-dimensional vector of the intercepted certificate and each cluster of the clusters containing vectors of attributes of the known certificates are determined, and the intercepted certificate is found as being similar to known certificates of a cluster if: the distance between the N-dimensional vector of the intercepted certificate and a center of the cluster is less than a radius of the cluster, or a measure of proximity between the N-dimensional vector and the center of the cluster is less than a threshold value (the remote server may determine a distance between a vector representing the first VPC flow log data and the cluster of VPC flow log data vectors…The distance may be compared to a threshold value.  For example, if the distance is equal to or less than a threshold value, meaning that the vector is similar to the cluster, the network traffic associated with the first VPC flow log data may be determined to be non-malicious network traffic.  Likewise, if the distance is equal to or greater than the threshold value, meaning relatively more dissimilar, the network traffic may be determined to be malicious network traffic – Pereira: col. 17, lines 12-20 – Note: the disclosed clustering based on feature vectors of non-malicious IP addresses renders obvious clustering based on feature vectors of malicious/forbidden IP addresses because per MPEP 2141 (KSR rationales to support rejections under 35 U.S.C. 103), choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success is “obvious to try”).
The same motivation to modify Joshi in view of Anderson applied to claim 1 above applies here.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Joshi in view of Anderson further in view of Pereira to include when the intercepted certificate is unknown, known certificates are represented by clusters containing vectors of attributes of the known certificates, forbidden certificates are represented by a cluster containing vectors of attributes of the forbidden certificates, the attributes extracted from the intercepted certificate are transformed into an N-dimensional vector of the intercepted certificate, distances between the N-dimensional vector of the intercepted certificate and each cluster of the clusters containing vectors of attributes of the known certificates is determined, and the intercepted certificate is found as being similar to known certificates of a cluster if: the distance between the N-dimensional vector of the intercepted certificate and a center of the cluster is less than a radius of the cluster, or a measure of proximity between the N-dimensional vector and the center of the cluster is less than a threshold value.
One of ordinary skill in the art would have been motivated because it would allow to “determine, using a machine learning model, a probability value indicative of a likelihood an IP address, domain, or other computer system identifier is associated with non-malicious network traffic” wherein, in turn, “the probability value may be determined to satisfy a confidence score threshold value” based on which “a user feedback indication that the first IP address is associated with non-malicious network traffic may be determined and/or received” and “The machine learning model may be retrained using the user feedback indication” in order to “improve subsequent classifications” – Pereira: col. 10, lines 30-45.
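The classification step recited in claims 7 and 14 (attribute vector, distance to each known cluster, membership by radius or by a proximity measure under a threshold, with a separate forbidden cluster) as an added worked example; this is not code from the application or from Joshi, Anderson or Pereira. The attribute names, the per-attribute scaling, the cluster centers and radii, the cosine-distance proximity measure and the 0.05 threshold are all assumed values chosen for illustration.

```python
import math
from dataclasses import dataclass

# Attribute order fixes the layout of the N-dimensional vector (N = 4, assumed).
ATTRIBUTES = ("validity_days", "key_bits", "san_count", "self_signed")
# Per-attribute scale (assumed) so that key size does not dominate the distance.
SCALE = (365.0, 1024.0, 10.0, 1.0)


@dataclass(frozen=True)
class Cluster:
    label: str
    center: tuple   # scaled N-dimensional center of the member vectors
    radius: float   # distance inside which a vector counts as a member (assumed)


def to_vector(cert: dict) -> tuple:
    """Transform parsed certificate attributes into a scaled N-dimensional vector.
    Missing attributes become 0.0 so every vector has exactly N entries."""
    return tuple(float(cert.get(name, 0)) / s for name, s in zip(ATTRIBUTES, SCALE))


def distance(a, b):
    """Euclidean distance, compared against the cluster radius."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def proximity(a, b):
    """Cosine distance (0 = same direction): the second, scale-free measure of proximity."""
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 1.0   # a zero vector has no direction; treat as maximally distant
    return 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb)


def is_similar(v, cluster, threshold):
    """The claim 7 test: inside the cluster radius OR proximity below the threshold."""
    return (distance(v, cluster.center) < cluster.radius
            or proximity(v, cluster.center) < threshold)


def classify(cert, known_clusters, forbidden_cluster, threshold=0.05):
    """Return (verdict, label): 'forbidden', 'known' (nearest similar cluster) or 'unknown'.
    The forbidden cluster is tested first so a match there is never masked by a known one."""
    v = to_vector(cert)
    if is_similar(v, forbidden_cluster, threshold):
        return ("forbidden", forbidden_cluster.label)
    matches = [(distance(v, c.center), c.label)
               for c in known_clusters if is_similar(v, c, threshold)]
    if matches:
        return ("known", min(matches)[1])
    return ("unknown", None)


# Constructed clusters: each center is built from one representative attribute set;
# in practice centers and radii would be fitted from the stored known/forbidden vectors.
KNOWN = [
    Cluster("public_ca_rsa2048",
            to_vector({"validity_days": 398, "key_bits": 2048, "san_count": 3}), 0.5),
    Cluster("public_ca_ec256",
            to_vector({"validity_days": 90, "key_bits": 256, "san_count": 2}), 0.3),
]
FORBIDDEN = Cluster("self_signed_long_lived",
                    to_vector({"validity_days": 3650, "key_bits": 1024,
                               "san_count": 1, "self_signed": 1}), 1.0)

if __name__ == "__main__":
    sample = {"validity_days": 365, "key_bits": 2048, "san_count": 2, "self_signed": 0}
    print(classify(sample, KNOWN, FORBIDDEN))
```

The two branches of the test behave differently: the radius branch catches certificates whose scaled attributes sit close to the cluster center in absolute terms, while the cosine proximity branch is scale-invariant and also accepts a certificate whose attribute profile points in the same direction as the center at a larger magnitude (for example twice the validity, key size and SAN count of the representative certificate). Which branch a deployment relies on, and how tight the threshold is, decides how readily an unseen certificate is treated as "known".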

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Kopp (US2018/0176240A1) discloses parsing out secure session data 406 and certificate validation check data 408 from HTTP access logs 402.  Secure session data 406 may include, for example, data indicative of the clients and domains involved in secure sessions in the network, timing information for the secure sessions (e.g., when a secure sessions was requested or established, etc.), or any other information that can be captured from the HTTP traffic associated with a secure session.
Camp (US2018/0294978A1) discloses a learning certificate authentication system comprising a certificate downloader configured to obtain a certificate, a feature extractor in communication with the certificate downloader that is configured to (i) parse information associated with the certificate and a pattern of use into actionable features and (ii) calculate a value associated with at least one of the actionable features, a classification extractor configured to process the vector with a learning model based on the pattern of use information.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/            Examiner, Art Unit 2434