Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner’s Note
Claim 8 recites “at least one processor” in line 2 of the claim. The specification in paragraphs 0008 & 0010 defines processor as “hardware processor” and in paragraph 0065 it is defined as “central processing unit (CPU).”
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-2, 8-9, & 15-16 are rejected under 35 USC 103 as being unpatentable over Joshi (US 20190058714 as mentioned in IDS dated 10-04-2019) in view of Iwanir (US 20180097803).
Regarding claim 1, Joshi teaches a method for blocking network connections, the method comprising: intercepting a certificate from the server when establishing a protected connection between a server and a client; [Fig 4, please see steps 404, 406, 410 & 414 & 416; para 0089: In step 404, the network device receives information about the host server and/or associated traffic flow of the host server. Hence, the network device can intercept diverse information used to establish a connection between endpoint devices. For example, the information intercepted by the network device can be part of a ServerCertificate TLS handshake message, include attributes of the host server and other information indicating a source, destination, protocol, type of device, etc. The received information can be stored and/or compared to information stored in a cache to make determinations about the flow and/or host server.]
determining whether the intercepted certificate is similar to one or more forbidden certificates, the determination of whether the intercepted certificate is similar to one or more forbidden certificates comprising the intercepted certificate in accordance with a method of determining similarities between certificates, [0090] The network device includes one or more policies to identify suspicious or malicious traffic, and can take specified actions on that traffic accordingly. For example, information identifying the host server can be compared against a list of blacklisted host servers in step 406. That is, a policy can be applied to the received information related to the flow or host server to determine whether the host server is on a blacklist of suspicious or malicious host devices. The blacklist may include untrusted certificates or other attributes of flows of host devices that have been deemed suspicious or malicious.]
a method of saving forbidden certificates in a database of forbidden certificates; [0085] In step 310, the network devices can perform an action to mitigate the risk of any malicious session. For example, a network device could be caused to forbid establishing the secured session, terminate an established secured session, and/or block any future sessions related to untrusted certificates, related user devices, or related host devices. For example, the untrusted certificate or host device that presented the untrusted certificate could be added to a blacklist applied against certificates of any future secured sessions. In some embodiments, the blacklisting is a time-based blacklisting that enforces blacklisting untrusted certificate, related user devices, or related host devices for only a limited period of time (e.g., 24 hours). 
blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.  [0095] The network device could act on any suspicious or malicious traffic in accordance with policies. For example, in step 416, the network device can optionally perform actions to mitigate harm to the protected network. For example, the network device can identify SSL flows and associated rogue hosts with a certificate validation process associated with a ServerCertificate TLS handshake message. Attributes of the host server such as an IP address, server address, and server certificate can be used to classify it as a "rogue," and a combination of these attributes can be stored in memory for application to SSL flows that can be similarly deemed as rogue hosts and blocked from accessing the network protected by the network device.] 
Although Joshi teaches determining an untrusted or blacklisted certificate, he does not teach explicitly, however, Iwanir (US20180097803) teaches transforming detected certificate. [0030] Examples of rules provided in the rules library 230 include best practices and malicious use detection rules. One example … environment 130. A first example of a malicious use detection rule, using abnormal certificate usage to detect a potential attack, is … installing intrusive certificates 140. A second example of malicious use detection is detecting a certificate .. suspicious chain of certificate authorities. A third example of a malicious use detection rule is to detect changes to certificate deployment made over time, such as, for example, when certificates 140 are regularly updated every six months, an update made at an earlier time or a delayed update is indicative that a change, which indicates a change in routine that may be the result of a malicious party installing intrusive certificates 140. As will be appreciated, the above examples are non-limiting; in various aspects, the rules library 230 contains more or different sets of rules.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi with the disclosure of Iwanir. The motivation or suggestion would have been to implement a system that will provide efficient techniques for various rules representing best practices and malicious use patterns installed or evolved (e.g., via machine learning) for use by a certificate monitor to provide detection, notifications, and automated remediation, and to efficiently manage the certificates according to the rules to affect the deployment of certificates and the monitoring of various devices and environments. (para 0001-0005, Iwanir)
Regarding claims 2, 9 & 16,  Joshi teaches wherein the method of determining similarities between certificates comprises: obtaining attributes from the intercepted certificate; expressing a rule in a form of a regular expression, wherein the rule is formed from common attributes of the one or more forbidden certificates that are produced as a result of clustering of a set of the one or more forbidden certificates; and applying the rule to strings of the intercepted certificate, wherein the rule is satisfied when a similarity is found.  [0076] In some embodiments, the network devices can include a number of policies arranged as a hierarchy of configurable policies including one or more rules or criteria applied to the secured sessions. A policy's objective can include identifying a suspicious session by comparing a certificate of each secured session to a list of trusted certificates in a centralized trust store of the network devices, in addition to the trust store of the user device. The received certificate is deemed "untrusted" if it is not in the centralized trust stores and its associated secured session is deemed suspicious of malicious activity. On the other hand, the secured session of a trusted certificate has traffic that can pass to the user device without further action. [0077] A policy's objective can include identifying a suspicious session in accordance with a certificate validation process by examining attributes of each certificate of each secured session in order to determine whether the certificate is valid. For example, a policy could include rules or criteria to check whether a certificate has a valid issue date, has not expired, and is signed by a trusted authority from a list of trusted authorities. If so, the certificate is deemed valid or trusted (similarity is satisfied). Otherwise, the certificate is deemed invalid or untrusted. 
Regarding claims 8 & 16, these claims are interpreted to be the same as claim 1 and rejected for the same reasons as set forth for claim 1.

Claims 3-5, 7, 10-12, 14 & 17-19 are rejected under 35 USC 103 as being unpatentable over Joshi in view of  Iwanir and Burriesci (US20180300319)
Regarding claims 3, 10 & 17  although Joshi and Iwanir teach obtaining attributes from the intercepted certificate;  they do not teach explicitly, however, Burriesci teaches constructing an N-dimensional vector based on the obtained  characteristics and comparing the constructed N-dimensional vector to clusters in the database.  [0028] The fingerprints produced by fingerprint server 140 for the sensors of Systems A and B may be represented in a multidimensional space, where each dimension is defined as a separate characteristic of the sensor, such as the periodicity of the functions produced from the processing of the sensor readings data by the fingerprint server or an informative word or phrase in sensor names or descriptions resulting from the processing of the metadata by the fingerprint server. In some embodiments, the portions of the fingerprint corresponding to metadata may be reduced to numerical values. The multidimensional space may then be defined as an n-dimensional space where the sensor fingerprint for each sensor may consist of n numbers, each number corresponding to a characteristic (attribute) of the sensor as determined by the readings data, the metadata, etc. Accordingly, each fingerprint may be represented as a point in n-dimensional space of n sensor characteristics. In some embodiments, the numbers may be real numbers. In other embodiments, the numbers may also be complex numbers.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi and Iwanir with the disclosure of Burriesci. The motivation or suggestion would have been to implement a system that will provide efficient techniques for calculating proximity distance. (para 0001-0006, Burriesci)
Regarding claims 4, 11 & 18, although Joshi and Iwanir teach wherein the intercepted certificate is found to be similar to a forbidden certificate of the one or more forbidden certificates, Burriesci teaches when: a distance between the constructed N-dimensional vector of fingerprint and a center of at least one cluster in the database is less than a radius of the at least one cluster; or a measure of proximity between the constructed N-dimensional vector and the center of the at least one cluster is less than a threshold value. [0084] As new sensors/fingerprints are processed, a proximity value for those fingerprints may be computed by calculating the distance between the fingerprint and the derivative average fingerprint for each cluster. A cluster assignment may be then made if a sensor has a proximity value from the "center" of the cluster that is less than a certain threshold value. In some embodiments, once a proximity value is below the threshold for a certain cluster, the computation of additional proximity values (and the corresponding search for another cluster) may stop.
Regarding claims 5, 12 & 19,  although Joshi and Iwanir teach wherein the intercepted certificate is found to be similar to a forbidden certificate of the one or more forbidden certificates , Burriesci teaches wherein, when constructing the N-dimensional vector based on the obtained characteristics , different weights are used for each characteristics to calculate coordinates of respective characteristics.  [0069] In some embodiments, linear or of higher order transformations may be applied to the fingerprint values. The transformations may be applied, for example, to place the fingerprint values in certain ranges. In some embodiments, the transformations may provide weighting of the fingerprint values to assign certain values in the fingerprint a higher importance compared to other values. ]
Regarding claims 7 & 14, Joshi teaches wherein the attributes of a given certificate comprise one or more of: a date and a time of a start and an end of validity of the given certificate, an owner of the given certificate of a signature key, a public key, a name and details of a certification center, a designation of a cryptographic algorithm, information on a restricted use of a signature, an indication of a country issuing the given certificate, frequency characteristics of symbols of the given certificate, and line offsets in the given certificate and their respective lengths. [0060] The SDP 208 improves on the certificate validation process by selectively passing suspicious connections to the security tool 214 for decryption and inspection to identify malicious connection. The SDP 208 can reduce the load on the security tool 212 by selectively allowing normal flows associated with trusted certificates to forego decryption by the security tool 212. A flow is "normal" when the secured connection of the flow is "trustworthy" because its certificate passed the validation processes of the SDP 208. For example, the certificate may be deemed "valid" if it has a valid issue (start) date, expiration (end) date (e.g., not yet expired), is signed by a trusted authority, etc. ]
Claims 6, 13 & 20 are rejected under 35 USC 103 as being unpatentable over Joshi in view of Iwanir and Burriesci and Jurgenson (US20180069934)
Regarding claims 6, 13 & 20, although Joshi, Iwanir & Burriesci teach certificate attributes, they do not teach explicitly, however, Jurgenson teaches wherein the coordinates of a given identifier are based on frequencies of occurrences of the given identifier. [0030] In various aspects, different weights may be applied to the geolocation values based on the frequency of use of a given identifier, a physical or temporal proximity of one login attempt to another login attempt, a physical proximity to the centralized location (which may be calculated recursively), a given time range at which the located remote login 210 was made (e.g., during business hours,]. [0023] Entities (devices or user accounts) that frequently connect to a given site 120 may be noted and mapped by either the domain controller 124 or the monitor 126 as using the given site 120 as their "home" site 120, whereas entities that infrequently connect to the given site 120 may be noted as connecting to a "guest" site 120. In one aspect, entities are mapped to the one site 120 on which they are most active (locally, remotely, or locally and remotely), while in other aspects a given entity may have "home" status on more than one site 120 or on no sites 120 based on a minimum number of connections to a given site 120. For example, a user based out of Office A and whose account is associated with a first site 120 as a "home," may be transferred to Office B and begin using a second site 120 associated with Office B more frequently. The example user's account may be remapped to the second site 120 as a "home" over the course of several days/weeks/months as the user connects to Office B more frequently than Office A's site 120. Contrarily, if the example user used (and left) a first device at Office A and the user were assigned a new device at Office B, the first device may remain associated with the first site 120 as its "home."
In another example, a salesperson who frequently travels and logs on remotely to a first site 120 and a second site 120 may have each site 120 consider itself the "home" of the user's account due to the frequency at which the salesperson connects to each site 120 and the salesperson exceeding a minimum number of connections to each site 120 during a time period. When the monitor 126 determines the calculated location of the site 120, it may exclude the location information from "guest" entities, provide greater emphasis on the location information from "home" entities, or treat the location information equivalently, regardless of home/guest status. The monitor 126 may also periodically reevaluate whether a given entity has home or guest status on a given site 120. ]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi, Iwanir and Burriesci with the disclosure of Jurgenson. The motivation or suggestion would have been to implement a system that will provide efficient techniques to improve the security of the network and to improve the efficiency of the network and the devices connected to that network. (para 0001-0006, Jurgenson)
 (Alternative Set of Rejection)
Claims 1-2, 8-9, & 15-16 are rejected under 35 USC 103 as being unpatentable over Joshi (US 20190058714 as mentioned in IDS dated 10-04-2019) in view of Iwanir (US 20180097803).

Regarding claim 1, Joshi teaches a method for blocking network connections, the method comprising: intercepting a certificate from the server when establishing a protected connection between a server and a client; [Fig 4, please see steps 404, 406, 410 & 414 & 416; para 0089: In step 404, the network device receives information about the host server and/or associated traffic flow of the host server. Hence, the network device can intercept diverse information used to establish a connection between endpoint devices. For example, the information intercepted by the network device can be part of a ServerCertificate TLS handshake message, include attributes of the host server and other information indicating a source, destination, protocol, type of device, etc. The received information can be stored and/or compared to information stored in a cache to make determinations about the flow and/or host server.]
 determining whether the intercepted certificate is similar to one or more forbidden certificates, the determination of whether the intercepted certificate is similar to one or more forbidden certificates comprising the intercepted certificate in accordance with a method of determining similarities between certificates,  [0090] The network device includes one or more policies to identify suspicious or malicious traffic, and can take specified actions on that traffic accordingly. For example, information identifying the host server can be compared against a list of blacklisted host servers in step 406. That is, a policy can be applied to the received information related to the flow or host server to determine whether the host server is on a blacklist of suspicious or malicious host devices. The blacklist may include untrusted certificates or other attributes of flows of host devices that have been deemed suspicious or malicious.]
a method of saving forbidden certificates in a database of forbidden certificates; [0085] In step 310, the network devices can perform an action to mitigate the risk of any malicious session. For example, a network device could be caused to forbid establishing the secured session, terminate an established secured session, and/or block any future sessions related to untrusted certificates, related user devices, or related host devices. For example, the untrusted certificate or host device that presented the untrusted certificate could be added to a blacklist applied against certificates of any future secured sessions. In some embodiments, the blacklisting is a time-based blacklisting that enforces blacklisting untrusted certificate, related user devices, or related host devices for only a limited period of time (e.g., 24 hours). 
blocking the connection when the intercepted certificate is similar to the one or more forbidden certificates.  [0095] The network device could act on any suspicious or malicious traffic in accordance with policies. For example, in step 416, the network device can optionally perform actions to mitigate harm to the protected network. For example, the network device can identify SSL flows and associated rogue hosts with a certificate validation process associated with a ServerCertificate TLS handshake message. Attributes of the host server such as an IP address, server address, and server certificate can be used to classify it as a "rogue," and a combination of these attributes can be stored in memory for application to SSL flows that can be similarly deemed as rogue hosts and blocked from accessing the network protected by the network device.] 
Although Joshi teaches determining an untrusted or blacklisted certificate, he does not teach explicitly, however, Iwanir (US20180097803) teaches transforming detected certificate. [0030] Examples of rules provided in the rules library 230 include best practices and malicious use detection rules. One example … environment 130. A first example of a malicious use detection rule, using abnormal certificate usage to detect a potential attack, is … installing intrusive certificates 140. A second example of malicious use detection is detecting a certificate .. suspicious chain of certificate authorities. A third example of a malicious use detection rule is to detect changes to certificate deployment made over time, such as, for example, when certificates 140 are regularly updated every six months, an update made at an earlier time or a delayed update is indicative that a change, which indicates a change in routine that may be the result of a malicious party installing intrusive certificates 140. As will be appreciated, the above examples are non-limiting; in various aspects, the rules library 230 contains more or different sets of rules.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi with the disclosure of Iwanir. The motivation or suggestion would have been to implement a system that will provide efficient techniques for various rules representing best practices and malicious use patterns installed or evolved (e.g., via machine learning) for use by a certificate monitor to provide detection, notifications, and automated remediation, and to efficiently manage the certificates according to the rules to affect the deployment of certificates and the monitoring of various devices and environments. (para 0001-0005, Iwanir)
Regarding claims 2, 9 & 16,  Joshi teaches wherein the method of determining similarities between certificates comprises: obtaining attributes from the intercepted certificate; expressing a rule in a form of a regular expression, wherein the rule is formed from common attributes of the one or more forbidden certificates that are produced as a result of clustering of a set of the one or more forbidden certificates; and applying the rule to strings of the intercepted certificate, wherein the rule is satisfied when a similarity is found.  [0076] In some embodiments, the network devices can include a number of policies arranged as a hierarchy of configurable policies including one or more rules or criteria applied to the secured sessions. A policy's objective can include identifying a suspicious session by comparing a certificate of each secured session to a list of trusted certificates in a centralized trust store of the network devices, in addition to the trust store of the user device. The received certificate is deemed "untrusted" if it is not in the centralized trust stores and its associated secured session is deemed suspicious of malicious activity. On the other hand, the secured session of a trusted certificate has traffic that can pass to the user device without further action. [0077] A policy's objective can include identifying a suspicious session in accordance with a certificate validation process by examining attributes of each certificate of each secured session in order to determine whether the certificate is valid. For example, a policy could include rules or criteria to check whether a certificate has a valid issue date, has not expired, and is signed by a trusted authority from a list of trusted authorities. If so, the certificate is deemed valid or trusted (similarity is satisfied). Otherwise, the certificate is deemed invalid or untrusted. 
Regarding claims 8 & 16, these claims are interpreted to be the same as claim 1 and rejected for the same reasons as set forth for claim 1.

Claims 3-4, 7, 10-11, 14 & 17-18 are rejected under 35 USC 103 as being unpatentable over Joshi in view of Iwanir and Kupreev (EP 3 306 511 A1 as mentioned in IDS dated 10-04-2019)
Regarding claims 3, 10 & 17, although Joshi and Iwanir teach obtaining attributes from the intercepted certificate; they do not teach explicitly, however, Kupreev teaches constructing an N-dimensional vector based on the obtained characteristics and comparing the constructed N-dimensional vector to clusters in the database. [0022] An N-dimensional vector of an element may include an ordered set of n real numbers, where the numbers may include the coordinates of a vector. The number of coordinates of the vector is known as the dimensionality of the vector. The coordinates may determine the position of the corresponding element (such as a script) or group of elements of the same kind (such as the elements of forms) of a web page (could also be for certificate) in N-dimensional space (Fig. 2 shows an example of two dimensional space). The vector may be obtained by transformation of information about the content of the element or group of elements. The vector may reflect certain information about the content of the element or group of elements. In one example, each coordinate may reflect one of the characteristics of the content of the element, for example, one coordinate may characterize the number of operators in the script, another the number of eval operators.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi and Iwanir with the disclosure of Kupreev. The motivation or suggestion would have been to implement a system that will provide efficient techniques for preventing malicious attack by hackers. (para 0001-0005, Kupreev)
Regarding claims 4, 11 & 18, although Joshi and Iwanir teach wherein the intercepted certificate is found to be similar to a forbidden certificate of the one or more forbidden certificates, Kupreev teaches when: a distance between the constructed N-dimensional vector of webpage and a center of at least one cluster in the database is less than a radius of the at least one cluster; or a measure of proximity between the constructed N-dimensional vector and the center of the at least one cluster is less than a threshold value. [0023] A cluster may include a set of allowable values of the coordinates of vectors for a strictly defined element or group of elements in N-dimensional space. According to one example, a selected element or group of elements may be assigned to a certain cluster if a distance from the N-dimensional vector of the element to the center of that cluster is less than the radius of the cluster in the direction of the N-dimensional vector. Fig. 2 shows an example of the cluster 210'. In an example, an element may be assigned to a certain cluster if the value of a distance (in Fig. 2, "d'") from the N-dimensional vector of the element to the nearest N-dimensional vector of an element of the given cluster is less than the maximum allowable (threshold value of the distance [d']) or if the value of the distance (in Fig. 2 "d") from the N-dimensional vector of the element to the center of that cluster is less than the radius (threshold) of this cluster. For example, the distance from the vector (1666, 1889) to the center of the cluster is less than the radius of the cluster, and consequently the element or group of elements whose content may be reflected by the vector belongs to the given cluster. On the other hand, the distance from the vector (1686, 1789) to the center of the cluster is greater than the radius of the cluster and the distance to the nearest N-dimensional vector is greater than a threshold value, and therefore the element or group of elements whose content may be reflected by the vector does not belong to that cluster. Variants of distances for evaluating proximity may include, but are not limited to the following: linear distance, Euclidean distance, the square of Euclidean distance, generalized Minkowski exponential distance, Chebyshev distance, Manhattan distance and others.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi and Iwanir with the disclosure of Kupreev. The motivation or suggestion would have been to implement a system that will provide efficient techniques for preventing malicious attack by hackers. (para 0001-0005, Kupreev)
Regarding claims 7 & 14, Joshi teaches wherein the attributes of a given certificate comprise one or more of: a date and a time of a start and an end of validity of the given certificate, an owner of the given certificate of a signature key, a public key, a name and details of a certification center, a designation of a cryptographic algorithm, information on a restricted use of a signature, an indication of a country issuing the given certificate, frequency characteristics of symbols of the given certificate, and line offsets in the given certificate and their respective lengths. [0060] The SDP 208 improves on the certificate validation process by selectively passing suspicious connections to the security tool 214 for decryption and inspection to identify malicious connection. The SDP 208 can reduce the load on the security tool 212 by selectively allowing normal flows associated with trusted certificates to forego decryption by the security tool 212. A flow is "normal" when the secured connection of the flow is "trustworthy" because its certificate passed the validation processes of the SDP 208. For example, the certificate may be deemed "valid" if it has a valid issue (start) date, expiration (end) date (e.g., not yet expired), is signed by a trusted authority, etc. ]


Claims 5, 12, & 19 are rejected under 35 USC 103 as being unpatentable over Joshi in view of Iwanir, Kupreev and Burriesci (US20180300319)
Regarding claims 5, 12 & 19,  although Joshi, Iwanir and Kupreev teach wherein the intercepted certificate is found to be similar to a forbidden certificate of the one or more forbidden certificates , Burriesci teaches wherein, when constructing the N-dimensional vector based on the obtained characteristics , different weights are used for each characteristics to calculate coordinates of respective characteristics.  [0069] In some embodiments, linear or of higher order transformations may be applied to the fingerprint values. The transformations may be applied, for example, to place the fingerprint values in certain ranges. In some embodiments, the transformations may provide weighting of the fingerprint values to assign certain values in the fingerprint a higher importance compared to other values. ]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi, Iwanir and Kupreev with the disclosure of Burriesci. The motivation or suggestion would have been to implement a system that will provide efficient techniques for calculating proximity distance. (para 0001-0006, Burriesci)
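Added illustration (not part of the Office action, the application, or any cited reference): a sketch of the similarity test discussed for claims 3-5, in which certificate attributes are mapped to a weighted N-dimensional vector and compared against a cluster of forbidden certificates by center/radius distance and by nearest-member distance. The feature names, weights, threshold and sample certificates are assumptions constructed for this example.

```python
import math
from dataclasses import dataclass

# Assumed features and per-feature weights (hypothetical, not from any cited reference).
WEIGHTS = {
    "validity_days": 0.1,   # length of the validity period
    "subject_len": 1.0,     # length of the subject string
    "san_count": 5.0,       # number of subject alternative names
    "key_bits": 0.01,       # public key size
}


def to_vector(attrs, weights=WEIGHTS):
    """Map certificate attributes to a weighted N-dimensional vector."""
    missing = [name for name in weights if name not in attrs]
    if missing:
        raise ValueError(f"certificate is missing attributes: {missing}")
    return tuple(w * float(attrs[name]) for name, w in weights.items())


@dataclass
class Cluster:
    name: str
    members: list   # weighted vectors of the forbidden certificates
    center: tuple   # mean of the member vectors
    radius: float   # largest member-to-center distance


def build_cluster(name, certs, weights=WEIGHTS):
    """Build one cluster from a set of forbidden certificates."""
    if not certs:
        raise ValueError("a cluster needs at least one certificate")
    vectors = [to_vector(c, weights) for c in certs]
    center = tuple(sum(col) / len(vectors) for col in zip(*vectors))
    radius = max(math.dist(v, center) for v in vectors)
    return Cluster(name, vectors, center, radius)


def classify(attrs, clusters, nearest_threshold=1.5, weights=WEIGHTS):
    """Return (action, cluster_name, reason) for an intercepted certificate.

    A certificate is treated as similar to a forbidden cluster when its
    Euclidean distance to the cluster center is less than the radius, or
    when its distance to the nearest member is less than the threshold.
    """
    v = to_vector(attrs, weights)
    for c in clusters:
        if math.dist(v, c.center) < c.radius:
            return ("block", c.name, "within_radius")
        if min(math.dist(v, m) for m in c.members) < nearest_threshold:
            return ("block", c.name, "near_member")
    return ("allow", None, "no_match")


# Constructed sample data: three forbidden certificates that share a profile.
FORBIDDEN_SAMPLE = [
    {"validity_days": 30, "subject_len": 10, "san_count": 0, "key_bits": 1024},
    {"validity_days": 40, "subject_len": 12, "san_count": 0, "key_bits": 1024},
    {"validity_days": 20, "subject_len": 14, "san_count": 1, "key_bits": 1024},
]

# Constructed probes: close to the center, near one member only, and unrelated.
PROBE_SIMILAR = {"validity_days": 35, "subject_len": 11, "san_count": 0, "key_bits": 1024}
PROBE_EDGE = {"validity_days": 20, "subject_len": 15, "san_count": 1, "key_bits": 1024}
PROBE_BENIGN = {"validity_days": 398, "subject_len": 25, "san_count": 3, "key_bits": 2048}

if __name__ == "__main__":
    cluster = build_cluster("short-lived-1024", FORBIDDEN_SAMPLE)
    for label, probe in [("similar", PROBE_SIMILAR), ("edge", PROBE_EDGE),
                         ("benign", PROBE_BENIGN)]:
        print(label, classify(probe, [cluster]))
```

Because the weights scale each coordinate before the distance is taken, changing them changes which attributes dominate the similarity decision.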

Claims 6, 13 & 20 are rejected under 35 USC 103 as being unpatentable over Joshi in view of Iwanir, Burriesci, Kupreev and Jurgenson (US20180069934).
Regarding claims 6, 13 & 20, although Joshi, Iwanir & Burriesci teach certificate attributes, they do not explicitly teach, however Jurgenson teaches, wherein the coordinates of a given identifier are based on frequencies of occurrences of the given identifier. [para 0030: In various aspects, different weights may be applied to the geolocation values based on the frequency of use of a given identifier, a physical or temporal proximity of one login attempt to another login attempt, a physical proximity to the centralized location (which may be calculated recursively), a given time range at which the located remote login 210 was made (e.g., during business hours,]. [para 0023: Entities (devices or user accounts) that frequently connect to a given site 120 may be noted and mapped by either the domain controller 124 or the monitor 126 as using the given site 120 as their "home" site 120, whereas entities that infrequently connect to the given site 120 may be noted as connecting to a "guest" site 120. In one aspect, entities are mapped to the one site 120 on which they are most active (locally, remotely, or locally and remotely), while in other aspects a given entity may have "home" status on more than one site 120 or on no sites 120 based on a minimum number of connections to a given site 120. For example, a user based out of Office A and whose account is associated with a first site 120 as a "home," may be transferred to Office B and begin using a second site 120 associated with Office B more frequently. The example user's account may be remapped to the second site 120 as a "home" over the course of several days/weeks/months as the user connects to Office B more frequently than Office A's site 120. Contrarily, if the example user used (and left) a first device at Office A and the user were assigned a new device at Office B, the first device may remain associated with the first site 120 as its "home."
In another example, a salesperson who frequently travels and logs on remotely to a first site 120 and a second site 120 may have each site 120 consider itself the "home" of the user's account due to the frequency at which the salesperson connects to each site 120 and the salesperson exceeding a minimum number of connections to each site 120 during a time period. When the monitor 126 determines the calculated location of the site 120, it may exclude the location information from "guest" entities, provide greater emphasis on the location information from "home" entities, or treat the location information equivalently, regardless of home/guest status. The monitor 126 may also periodically reevaluate whether a given entity has home or guest status on a given site 120. ]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Joshi, Iwanir, Burriesci and Kupreev with the disclosure of Jurgenson. The motivation or suggestion would have been to implement a system that will provide efficient techniques to improve the security of the network and to improve the efficiency of the network and the devices connected to that network. (para 0001-0006, Jurgenson)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER KHAN whose telephone number is (571)272-8574. The examiner can normally be reached on Monday-Friday, 8:00am - 5:00pm (EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497