DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination (RCE) under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on December 14, 2020 has been entered. 
Response to Amendments
	This office action is responsive to application 15/345,710 and the RCE filed on December 14, 2020.  Claims 1, 6, and 12 were amended, and claims 1-4, 6-15, and 17-21 remain pending in the application.
Response to Arguments
	The Applicant’s arguments filed in association with the RCE have been fully considered, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 8 of the Remarks that concerns the § 112 rejection, the amendments to claims 1 and 12 address the issue of indefiniteness, and the corresponding § 112 rejection is withdrawn.
	Regarding the Applicant’s response at pages 8-15 of the Remarks that concerns the § 103 rejection of independent claims 1 and 12, the Applicant’s arguments in 
	Regarding the Applicant’s response at page 15 of the Remarks that concerns the § 103 rejection of dependent claim 6, the amended claim fails to overcome the prior art as detailed below.
	Regarding the Applicant’s response at page 15 of the Remarks that concerns the § 103 rejection of dependent claims, the argument for patentability rests upon the patentability of the independent claims 1 and 12.  Because independent claims 1 and 12 are not allowable over the prior art of record, the dependent claims are similarly not allowable.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, the numbered and lettered superscripts mark claim language that is supplied by a different reference in the correspondingly superscripted passage; or, more succinctly, move numbered material first, lettered material last.)
	Claims 1-4, 6-15, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over DiValentin et al. (US 2019/0132358, “DiValentin”) in view of Baker (US 6,775,657, “Baker”), and further in view of Miliefsky (US 2007/0192867, “Miliefsky”) and Kulaga et al. (US 8,209,740, “Kulaga”).
Regarding Claim 1
DiValentin discloses
A method of local-network threat response (Fig. 2, ¶¶ [0037]-[0038]), the method comprising: 
detecting, by a local network backend entity (Fig. 2, ¶¶ [0035]-[0037], i.e., the “threat intelligence server 202” and/or the “analytics server 208” are separate from the “production environment 210” and behind the “networking switch 214,” and thus either or both in combination act as a local backend entity that detect[s] … a security threat upon attack information being supplied via the “honeypot environment 212”), 
a security threat initiated by a local-network host (¶¶ [0026]-[0027], “the threat intelligence server 202 can contextualize and store information associated with … internal security threats” that are initiated by a local-network host, and ¶ [0029], a local-network host is represented by “production environment 210 (e.g., a network endpoint…”) at a local-network honeypot entity (¶ [0034], i.e., after the “networking switch 214 redirects flow to the honeypot environment 212,” the “honeypot environment” detect[s] the security threat at a local-network honeypot entity) of a local network (Fig. 2, ¶ [0025], i.e., the local network is depicted, while the external network is connected to the local network via a “wired and/or wireless network” that is not depicted (i.e., the network to the left of “state A”)), 
wherein initiating the security threat is using host information received from the local-network honeypot entity identifying a network address of the local-network host (¶ [0034], “honeypot environment 212 … can use process tracing techniques to identify and provide [host] information [to initiat[e] the security threat] associated with an attack,” and ¶ [0018], “…the threat intelligence component 102 can identify key indicators and observables associated with each of the threats.  Indicators and observables [that identify and provide host information associated with an attack] may include, for example, names, identifiers, and/or hashes of processes, objects, files, applications, or services, Internet Protocol (IP) addresses of devices,…,” with the IP address acting as host information that identif[ies] a network address of the local network host and thereby initiat[es] the security threat) of the local network (Fig. 2, ¶ [0025]);
based on receipt of the trigger (¶¶ [0018], [0034], i.e., the IP address as host information is identified with a threat), determining whether the local-network host (¶ [0029]) initiating the detected security threat (¶ [0034]) …1; and 
2 …, 
one of triggering a threat response (¶ [0042], “For example, endpoint management software can be used to take a snapshot of a system” (e.g., the snapshot being the threat response that was trigger[ed])) 
or (noting that only one limitation need be met, but in the interest of compact prosecution, the Examiner will examine the remainder of the claim) 
3 … and a vulnerability scan between the local network backend entity and the local-network host (Figs. 2 & 3, ¶¶ [0039]-[0040], “For example, the management and process orchestration server 204 [acting as part of the local network backend entity] can identify a compromise to the system 200 via network traffic analysis,” i.e., the “traffic analysis” and the other “indicators of compromise” teach or suggest employing a vulnerability scan to detect the compromise such as at “production environment 210” that acts as the local-network host) for the security threat initiated by the local-network host upon detection of the security threat by the local-network honeypot entity (¶¶ [0025]-[0027], [0034]).
DiValentin doesn’t disclose
	1 … is registered in a predetermined database of an endpoint threat management system where at least results of previous vulnerability scans of the local network are registered;
	2 based on determining whether the local-network honeypot entity identifying the network address of the local-network host initiating the detected security threat is registered in the predetermined database of the endpoint threat management system,
3 executing a threat response operation at the endpoint threat management system to automatically perform a network-internal vulnerability lookup and….
Baker, however, discloses
	1 … is registered …a,b  (Col. 4:33-46, “The registry maintained by network node 120 includes entries indicative of host nodes registered as being able to perform intrusion detection services,” where the intrusion detection services collectively make up an endpoint threat management system; see also the endpoint threat management system as disclosed by Kulaga Fig. 1, Col. 15:17-16:32, i.e., the “first PC 103” that hosts an “antivirus application”);
	2 based on determining whether the local-network honeypot entity (of DiValentin) identifying the network address (of DiValentin) of the local-network host (of DiValentin) initiating the detected security threat (of DiValentin) is registered in the predetermined database (of Kulaga) of the endpoint threat management system, (Col. 4:33-46, Fig. 2, Col. 5:10-29, i.e., step 215 that makes the determination in the affirmative or the negative as it relates to employing an endpoint threat management system; and Miliefsky ¶ [0052], “The Clustering software will enable multiple Anti-Hacker Proactive Network Security system computer-based network appliances which are within the same network to operate as a clustered system to share workload, as necessary for any and all functions which may be clustered such as network scanning, vulnerability assessment through CVE testing, reporting, remediation and other critical functionality that may be too CPU intensive for one system alone in a large network,” i.e., Miliefsky teaches the use of the endpoint threat management system to conserve CPU resources of a large network),
Kulaga, however, discloses
a …in a predetermined database of an endpoint threat management system…b (Col. 15:17-16:32, i.e., the “antivirus database” is a database that is associated with an endpoint threat management system, where the “antivirus database” is predetermined so as to remain “updated” or “new”)
Miliefsky, however, discloses
	b …where at least results of previous vulnerability scans of the local network are registered (¶¶ [0055]-[0057], “…automatically scan various computer-based network equipment for a complete and thorough vulnerability assessment through common vulnerabilities and exposures (CVEs) tests,” where the results of the CVE tests can be employed in the “Automated Remediation Clients [that can] be deployed as agents running remotely on each system within the Computer-Based network,” where the results of the tests correspond to or may be incorporated within the “antivirus database” as disclosed by Kulaga)
3 executing a threat response operation at the endpoint threat management system to automatically perform a network-internal vulnerability lookup (¶ [0057], “Automated Remediation Clients may be deployed as agents running remotely [as a threat response operation] on each system within the Computer-Based network. These Automated Remediation Clients will take their remediation instructions securely from the Anti-Hacker Proactive Network Security system or cluster of systems, under Administrator control either automatically, manually or a combination of both.  Each remediated system will no longer contain the CVE that placed the system at risk,” i.e., via the network-internal vulnerability lookup, the vulnerability was identified and lookup[ed] to remedy the risk)…. 
	Regarding the combination of DiValentin and Baker, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention 
	Regarding the combination of DiValentin-Baker and Miliefsky, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security system of DiValentin-Baker to have included the vulnerability system feature of Miliefsky. One of ordinary skill in the art would have been motivated to incorporate the vulnerability system feature of Miliefsky because Miliefsky teaches a “system [that] detected a rogue or high risk asset and took action, automatically,” with the automation increasing the effectiveness of the DiValentin-Baker system.
Regarding the combination of DiValentin-Baker-Miliefsky and Kulaga, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified security system of DiValentin-Baker-Miliefsky to have included antivirus database feature of Kulaga. One of ordinary skill in the art would have been motivated to incorporate the antivirus database feature of Kulaga because 
Regarding Claim 2
DiValentin in view of Baker, and further in view of Miliefsky and Kulaga (“DiValentin-Baker-Miliefsky-Kulaga”) discloses the method of claim 1, and DiValentin further discloses 
wherein said detecting comprises: 
identifying an abnormal local-network activity (¶ [0027], “In the present example, one or more threat indicators” that serve to identify an abnormal local-network activity), and 
identifying the IP address of the local-network host initiating the identified abnormal local-network activity (¶ [0027], “In the present example, one or more threat indicators (e.g., an IP block of addresses) may be associated with a particular security threat”).
Regarding Claim 3
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 2, and DiValentin further discloses 
said abnormal local-network activity including at least one of predefined connection establishment (¶ [0026], “a peer organization can share (e.g., via the peer exchange 112, shown in FIG. 1), information associated with an IP block of addresses targeting a particular type of resource (e.g., a database server)”), predefined authentication attempt and malware upload or installation (noting only one limitation need be met with the limitation of “at least one of”).
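The claim 1 flow analyzed above (a honeypot detects a threat from a local host, the backend checks whether that host is registered in a database of previous vulnerability scan results, and then either triggers a threat response or performs a network-internal vulnerability lookup and scan), together with the detection step of claims 2 and 3 (identify abnormal activity such as repeated authentication attempts and identify the originating IP address), is modeled in the following added example. This is illustrative code written for this page; it is not code from the application, from the Office action, or from DiValentin, Baker, Miliefsky or Kulaga. The log format, the failed-login threshold, the host inventory, the vulnerability database entries and the assignment of the "registered" branch to the threat response (the claim language quoted above does not fix which branch follows which outcome) are all assumptions made for illustration.

```python
"""Added example of the claimed local-network threat response flow.

Not code from the application, the Office action or any cited reference.
Every name, threshold, log line and data table below is an assumption made
for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed honeypot log lines (assumed "ts event key=value ..." format).
HONEYPOT_LOG = [
    "2021-01-04T10:00:01 ssh-auth src=192.168.1.42 user=root result=fail",
    "2021-01-04T10:00:02 ssh-auth src=192.168.1.42 user=admin result=fail",
    "2021-01-04T10:00:03 ssh-auth src=192.168.1.42 user=test result=fail",
    "2021-01-04T10:00:04 ssh-auth src=192.168.1.42 user=root result=fail",
    "2021-01-04T10:01:10 ssh-auth src=192.168.1.77 user=ops result=fail",
    "2021-01-04T10:02:00 http-get src=203.0.113.9 path=/",
    "2021-01-04T10:03:00 ssh-auth src=203.0.113.9 user=root result=fail",
    "2021-01-04T10:03:01 ssh-auth src=203.0.113.9 user=root result=fail",
    "2021-01-04T10:03:02 ssh-auth src=203.0.113.9 user=root result=fail",
]

# Assumed rule: this many failed SSH logins counts as a predefined
# authentication-attempt pattern (the "abnormal activity" of claims 2-3).
SSH_FAIL_THRESHOLD = 3


@dataclass
class ScanRecord:
    scanned_at: str
    findings: list


# Predetermined database of the endpoint threat management system: results
# of previous vulnerability scans keyed by host address (constructed).
SCAN_REGISTRY = {
    "192.168.1.42": ScanRecord("2020-12-01", ["end-of-life SSH daemon"]),
}

# Local-network vulnerability database: service tag -> weakness (constructed,
# generic labels; no real product versions or advisories are referenced).
VULN_DB = {
    "sshd-legacy": "end-of-life SSH daemon",
    "ftpd-legacy": "cleartext FTP service",
}

# Constructed view of what a scan of each host would observe: port -> service.
HOST_INVENTORY = {
    "192.168.1.42": {"22/tcp": "sshd-legacy", "80/tcp": "httpd-current"},
    "192.168.1.77": {"22/tcp": "sshd-current"},
    "192.168.1.90": {"21/tcp": "ftpd-legacy", "22/tcp": "sshd-legacy"},
}


@dataclass
class Action:
    host: str
    kind: str      # "threat_response", "vulnerability_scan" or "external"
    details: dict


def parse_line(line):
    """Parse one honeypot log line into (timestamp, event, {key: value})."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, event, *kvs = parts
    fields = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
    return ts, event, fields


def detect_abnormal_hosts(lines, threshold=SSH_FAIL_THRESHOLD):
    """Claims 2-3 style detection: count failed SSH logins per source and
    return the IP addresses of the hosts that reach the threshold."""
    fails = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, event, fields = parsed
        if event == "ssh-auth" and fields.get("result") == "fail":
            fails[fields.get("src", "")] += 1
    return sorted(ip for ip, n in fails.items() if ip and n >= threshold)


def vulnerability_scan(host_ip):
    """Network-internal lookup and scan: enumerate the host's open services
    from the (assumed) inventory and match each one against VULN_DB."""
    services = HOST_INVENTORY.get(host_ip, {})
    findings = sorted({VULN_DB[s] for s in services.values() if s in VULN_DB})
    return {"open_ports": sorted(services), "findings": findings}


def respond(host_ip, scan_registry, local_cidr="192.168.1.0/24"):
    """Claim 1 style backend decision for one host reported by the honeypot.

    Branch assignment is an assumption: a host already registered with prior
    scan results gets the threat response; an unregistered host gets the
    vulnerability lookup and scan and is then registered for next time.
    """
    if ipaddress.ip_address(host_ip) not in ipaddress.ip_network(local_cidr):
        return Action(host_ip, "external", {"reason": "not a local-network host"})
    record = scan_registry.get(host_ip)
    if record is not None:
        return Action(host_ip, "threat_response", {
            "isolate": True, "snapshot": True,
            "last_scan": record.scanned_at,
            "prior_findings": list(record.findings)})
    result = vulnerability_scan(host_ip)
    scan_registry[host_ip] = ScanRecord("now", list(result["findings"]))
    return Action(host_ip, "vulnerability_scan", result)


def handle_honeypot_log(lines, scan_registry=None, local_cidr="192.168.1.0/24"):
    """End-to-end flow: honeypot log -> abnormal hosts -> one Action each."""
    registry = dict(SCAN_REGISTRY) if scan_registry is None else scan_registry
    return [respond(ip, registry, local_cidr) for ip in detect_abnormal_hosts(lines)]


if __name__ == "__main__":
    for action in handle_honeypot_log(HONEYPOT_LOG):
        print(action)
```

Running the module prints one Action per flagged host: the registered host 192.168.1.42 gets the threat response with its prior findings attached, while 203.0.113.9 is reported as external because the claimed flow only concerns hosts of the local network. The registry passed to respond is mutated so that a host scanned once is found on the next honeypot event.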
Regarding Claim 4
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses 
wherein said triggering comprises: 
transferring information on at least the IP address of the local-network host initiating the detected security threat (¶ [0018], “Indicators and observables [of the detected security threat] may include, for example, names, identifiers, and/or hashes of processes, objects, files, applications, or services, Internet Protocol (IP) addresses of devices, registry keys to be accessed or modified, user accounts, or other suitable indicators and observables of a security threat.”) from the local-network honeypot entity to the local-network backend entity (¶¶ [0034]-[0035], “The honeypot environment 212, for example, can use process tracing techniques to identify and provide information associated with an attack,” and “During stage (I), information is provided by the honeypot environment 212 to the indicator analytics server 208.”).
Regarding Claim 6
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses
detecting the security threat is based on at least one of a request for a secure shell connection with the local-network honeypot entity or a determined actual network address of the local-network honeypot entity identifying the network address of the local-network host (¶ [0027], “In the present example, one or more threat indicators (e.g., an IP block of addresses) may be associated with a particular security threat (e.g., a secure shell (SSH) brute force attack)”).
Regarding Claim 7
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Baker further discloses 
wherein said operation of the endpoint threat management system (Col. 4:33-46; and see also Kulaga Fig. 1, Col. 15:17-16:32) comprises: …1
DiValentin further discloses
1 …retrieving information for the local-network host by activating a check (¶ [0042], “The snapshot [that serves as an activat[ed] … check], for example, may provide one or more potential indicators of compromise [that comprise retriev[ed] information], based on a list of currently running processes, recently (e.g., within a predetermined timeframe, such as a minute, ten seconds, a second, or another suitable timeframe) ended processes, and/or recently modified objects in a similar timeframe.”) and/or extraction by an endpoint agent installed on the local-network-host (only one limitation need be met with the use of “or”).
Regarding the combination of DiValentin and Baker, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 7.
Regarding Claim 8
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 7, and DiValentin further discloses 
said information including at least one of: information on properties of the local-network host, information on properties of the detected security threat (¶ [0042], “…a list of currently running processes, recently (e.g., within a predetermined timeframe…) ended processes,” which serve as properties of the detected security threat), a memory dump, at least one file hash, at least one meta information on ongoing processes and/or connections, at least one copy of a binary, and at least one network interface data dump (noting only one limitation need be met).
Regarding Claim 9
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
said operation of the local-network vulnerability management system (¶¶ [0086], [0135]) comprising: 
retrieving information for the local-network host by performing a lookup from a local-network vulnerability database (¶ [0131], “It will also retain a database of past audits allowing for differential audits comparing previous audits with older audits as well as incremental audits which test for only the latest known vulnerabilities,” with the “test” requiring the use of the “database” via a lookup that provides information for the local-network host that is potentially vulnerable).
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 9.
Regarding Claim 10
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
wherein said operation of the local-network vulnerability management system (¶¶ [0086], [0135]) comprises: 
retrieving information for the local-network host by performing a scan of the local-network host (¶ [0098], “The vulnerability assessment component is based on a SmartScan engine which scans network assets [to retriev[e] information] for flaws and weaknesses in the systems”), 
said information including at least one of: information on properties of the local-network host and information on properties of the detected security threat, system type, at least one opened port, at least one ongoing service, at least one system version, and at least one security vulnerability (¶¶ [0040]-[0041], “The method will dynamically detect and map changes to LAN and WAN connected equipment including searching for equipment which may be deemed as rogue and creating a network-based assets list, wherein the list contains information as to the location of the network-based assets,” and “The list may contain information as to the Internet Protocol (IP) address of said network-based assets, and the list may contain information as to the open Ports of said network-based assets and related application, session, transport, sockets and other internet protocol (IP) related information.”).
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 10.
Regarding Claim 11
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses 
wherein said operation of the endpoint threat management system comprises: blocking or isolating the local-network host on a local-network level and/or blocking or isolating at least one process of the local-network host relating to the detected security threat (¶ [0038], “Updated threat information, for example, can be provided to the management and process orchestration server 204, where it can be used to generate another predetermined course of action and/or to block future attacks. For example, the threat information can be used to direct network topology changes (e.g., further stages E, F, and G), based on the observed honeypot activity,” with the changes in topology serving to isolate[] and/or block[] threats).
Regarding Claim 21
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
wherein based on executing the operation of a local-network vulnerability management system (¶¶ [0086], [0135]) to perform a vulnerability scan (¶ [0098]), the method comprising: 
automatically generating and issuing a corresponding report comprising information retrieved …1 and the local-network honeypot entity to show that the local-network vulnerability management system has been executed (¶¶ [0086], [0135], the “[countermeasure communication] system will also send an alert through E-mail and SMS paging to an IT Manager or designated end user to let them know that the system detected a rogue or high risk and took action, automatically.”).
DiValentin further discloses
1 …by the endpoint threat management system… (¶ [0054], “In some implementations, one or more notifications may optionally be sent (408)” for the endpoint threat management system as disclosed by DiValentin, and “notifications” being sent in the manner as disclosed by Miliefsky)
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 21.
Regarding Claims 12-15
With respect to claims 12-15, a corresponding reasoning as given earlier for claims 1-4 applies, mutatis mutandis, to the subject matter of claims 12-15, respectively. Therefore, claims 12-15 are rejected, for similar reasons, under the grounds set forth for claims 1-4, respectively.
Regarding Claim 17
With respect to dependent claim 17, a corresponding reasoning as given earlier for dependent claims 7 and 8 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 17 is rejected, for similar reasons, under the grounds set forth for claims 7 and 8.
Regarding Claim 18
With respect to dependent claim 18, a corresponding reasoning as given earlier for dependent claims 9 and 10 applies, mutatis mutandis, to the subject matter of claim 18. Therefore, claim 18 is rejected, for similar reasons, under the grounds set forth for claims 9 and 10.

Regarding Claim 19
With respect to claim 19, a corresponding reasoning as given earlier for claim 11 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claim 11.
Regarding Claim 20
With respect to claim 20, a corresponding reasoning as given earlier for claim 1 applies, mutatis mutandis, to the subject matter of claim 20. Therefore, claim 20 is rejected, for similar reasons, under the grounds set forth for claim 1.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 8:00-5:00 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 



/D'Arcy Winston Straub/Examiner, Art Unit 2491


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491