DETAILED ACTION
The following is a final office action in response to applicant’s amendments filed on 02/16/2021 in response to the office action mailed on 01/15/2021. Claims 1, 4-6, 11 and 21 have been amended. No claim is cancelled. Claim 22 has been added. Therefore claims 1-22 are now pending.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s amendment to the specification, filed on 02/16/2021, with respect to the objection on the specification has been fully considered. The amendment overcame the objection, therefore the objection has been withdrawn.
Applicant’s amendments to claims 4-6, filed on 02/16/2021, with respect to the claim objections have been fully considered. The amendments overcame the objections, therefore the claim objections have been withdrawn.
Applicant’s amendments to claim 1, filed on 02/16/2021, with respect to the claim rejection under 35 U.S.C. 101 have been fully considered. The amendments overcame the rejection. Therefore the rejection has been withdrawn.
Applicant’s amendments to the claims 1, 11 and 21, filed on 02/16/2021, with respect to the claim rejection under 35 U.S.C 103 have been fully considered.
As provided in further detail below, applicant’s arguments that the references fail to show certain features are unpersuasive in view of the grounds of rejection discussed in detail. Please note that during patent examination, the pending claims even when interpreted in view of the specification must be “given their broadest reasonable interpretation.” Phillips v. AWH Corp., 415 F.3d 1303, 1316, 75 USPQ2d 1321, 1329 (Fed. Cir. 2005), In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, 1364, 70 USPQ2d 1827, 1830 (Fed. Cir. 2004). As such, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.
Regarding the arguments on independent claim 1 on page 11, applicant simply states that the prior art, the combined teachings of Mahaffey and Khalid, alone or in combination, does not describe or suggest each and every recitation set forth in independent claims 1 and 11 as well as those claims dependent thereon. In particular, applicant states meta-information associated with a prior evaluated artifact is inconsistent with the subject application. Examiner carefully reviewed applicant’s arguments but respectfully disagrees. First, the combination of Mahaffey and Khalid teaches independent claim 1 as detailed in the following section. Second, Mahaffey teaches how to classify/assess the application/object for a mobile device by analyzing stored meta information regarding the application/object. Khalid also teaches how to detect a malicious attack for a client device based on both 
Applicant presents no further arguments.
For the above reasons, it is believed that the rejections should be sustained. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3-11, 13-20, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey et al. (US20110047594, hereinafter Mahaffey) in view of Khalid et al. (US9432389, hereinafter Khalid).
Regarding claim 1 and 22, Mahaffey teaches a system for detecting artifacts associated with a cyber-attack (Mahaffey: Abstract: A server gathers data about mobile applications, analyzes the applications, and produces an assessment;  Para. 0035: an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe), comprising: a first network device corresponding to physical electronic device featuring network connection functionality (Mahaffey: Fig. 1: client (101); Para. 0025: mobile communication device 101 may also be referred to as a “mobile client device,” “client device,” “device,” or “client,”); and a second network device remotely located from and communicatively coupled over a network to the first network device (Mahaffey: Fig. 1: Server (151); Para. 0025: one or more servers 151 communicate with one or more mobile communication devices 101 over a cellular, wireless Internet or other network 121), the second network device comprises a data store including stored meta-information associated with each corresponds to meta- information associated with a previously analyzed object and includes a verdict classifying the prior evaluated artifact as a malicious classification or a benign classification (Mahaffey: Fig. 1: Data storage (111); Para. 0025: The one or more servers 151 may have access to a data storage 111 that stores security information for the one or more mobile communication devices 101. Data, assessment information, information about the mobile communication devices 101. Data, assessment information, information about the mobile communication devices 101, or other objects for storage may be stored on servers 151 and/or data storage 111; Para. 0031: Application data includes both data objects and information about data objects, such as behavioral data or metadata; Para. 0032: Application data includes data objects that are malware or spyware; Para. 
0033: Application data includes metadata about data objects; Para. 0058:  server 151 chooses which devices to request additional from by analyzing device information and application data previously stored by server; Para. 0075: application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object…..In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis. Server 151 may contain known good component 903, known bad component 905; Para. 0046: some or all of the received data is stored on server 151 or data storage 111; Para. 0075: FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, assesses the data object to produce assessment information, and transmits the assessment information; Para. 0035: an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe; Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111),  analyze the stored meta-information associated with the prior evaluated artifact (Mahaffey: Fig. 4: receive identification+data object information (405); store data object information (407); analyze data object if necessary (409); Wait for change in data object (417); Para. 
0027: server 151 will analyze this data and provide a security related assessment, response and/or other action; Para. 0045: Server 151 can analyze the new application and provide a security assessment whereby actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results) and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence (Mahaffey: Para. 0123: In order to respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown. In an embodiment, server 151 stores information about data objects encountered by mobile communication device 101 so that if a data object encountered by the device was assessed to be good or unknown but was subsequently determined to be undesirable, server 151 may determine all of the devices that have encountered the data object and transmits a notification indicating that the data object is undesirable; Para. 0091: server 151 establishes the reputation or level of trust for the data object…. trust data is stored by server 151 on the server or in data storage 111 so it may be subsequently used directly or as part of producing an assessment; Para. 
0098: assessment data includes the output from an analysis system, such as characterization data, categorization data, trust data, and distribution data. …..One will appreciate that the above assessment data may be provided as an input into to server 151…. server 151 combines assessment data received from multiple sources to produce an aggregated assessment. For example, if a malware author attempts to transmit an assessment to server 151 indicating that a malicious application is safe in the hopes of causing server 151 to produce a false assessment, the server may utilize the number of unique sources providing assessments and the trustworthiness of those sources to produce the aggregated assessment. If one hundred assessments are received from different, reliable sources such as network operators and enterprises that indicate the application to be malicious, but ten thousand assessments from a particular unverified source indicate the application to be safe, the server produces an aggregated assessment indicating the application to be malicious) or (b) identify inconsistent verdicts for the same prior evaluated artifact (Mahaffey: Para.0045: a security system installed on mobile communication device 101 may report application data for a data object to server 151 for purposes of receiving an assessment of the data object. ……a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results; Para. 0048: the assessment for the data object may change. For example, a data object that may previously have been assessed as safe or unknown may later be identified as malicious; Para. 
0129: the system…can recall the previous assessment; Para. 0152: decision component 907 may operate as an additional security component to compensate for any weaknesses from known good component 903 or known bad component 905 and to identify new threats that have not been previously identified; Para. 0040: the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable). 
Yet, Mahaffey does not explicitly teach retroactive reclassification logic.
However, in the same field of endeavor, Khalid teaches retroactive reclassification logic (Khalid: Fig. 2A: classification engine (160); Claim 22: the results of the second analysis including one or more of (i) a score based on anomalous characteristics detected during the second analysis of the multi-flow object, (ii) the anomalous characteristics, or (iii) an updated score different than the score if (a) the first analysis of the multi-flow object produced a first score used by the classification engine to classify the multi-flow object as malicious or benign and (b) the second analysis is directed to the multi-flow object that includes additional information that was not analyzed during the first analysis).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Mahaffey to include retroactive reclassification logic as disclosed by Khalid. One of ordinary skill in the art would have been motivated to make this modification in order to detect a malicious attack as suggested by Khalid (Khalid: Col. 1, line 10-12).
Regarding claim 3 and 13, combination of Mahaffey and Khalid teaches the system of claim 1. In addition, Mahaffey further teaches wherein the retroactive reclassification logic of the second network device being configured to identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence including identifying the stored meta-information includes a source address of a malicious website as detected by the trusted cybersecurity intelligence (Mahaffey: Para. 0059: application data for a data object that is gathered and transmitted by mobile communication device 101 to server 151 may include behavioral data about the data object. Usage of such data by server 151, such as during analysis, is discussed more in depth below. Behavioral data may include information about what the data object did when it ran on the device. Examples of behavioral data include information about network connections caused by the data object (e.g., server names, source/destination addresses and ports, duration of connection, connection protocols, amount of data transmitted and received, total number of connections, frequency of connections, and network interface information for the connection, DNS requests made); Para. 0085: server 151 determines whether a data object causes a mobile communication device 101 to access malicious Internet or other public or private networks. For example, a data object that causes a mobile communication device to access a malicious website may subject the device to exploitation. An embodiment of this disclosure allows for resolution of transmitted Inter- or Intranet addresses (e.g., URLs) to determine whether the address will direct the mobile communication device to a safe website, rather than a nefarious website or phishing scam. This information can be stored as it relates to a particular data object). 
Regarding claim 4 and 14, combination of Mahaffey and Khalid teaches the system of claim 11. In addition, Mahaffey teaches wherein the retroactive reclassification logic of the second network device being configured to conduct an analysis of the stored meta-information associated with the inconsistent verdicts for the same prior evaluated verdict by at least analyzing differences in an operating environment utilized in assigning a first verdict of the same prior evaluated artifact and an operating environment utilized in assigning a second verdict to the same prior evaluated artifact differing from the first verdict (Mahaffey: Para. 0123: server 151 only transmits a notification to device 101 if the data object that is the subject of the notification can operate on the device's operating system. For example, if a device runs Blackberry and has encountered an Android spyware application, server 151 would not transmit a notification to the device; however, if the device encountered a Blackberry spyware application, server 151 would transmit a notification
Regarding claim 5 and 15, combination of Mahaffey and Khalid teaches the system of claim 1. 
Yet, the combination does not teach wherein the retroactive reclassification logic of the second network device being configured to conduct an analysis of the stored meta-information associated with the inconsistent verdicts for the same prior evaluated verdict by at least analyzing differences a type of the cybersecurity analysis conducted to render the first verdict and a type of cybersecurity analysis conducted to render the second verdict.
However, in the same field of endeavor, Khalid teaches wherein the retroactive reclassification logic of the second network device being configured to conduct an analysis of the stored meta-information associated with the inconsistent verdicts for the same prior evaluated verdict by at least analyzing differences a type of the cybersecurity analysis conducted to render the first verdict and a type of cybersecurity analysis conducted to render the second verdict (Khalid: Fig. 4B: conduct static analysis (430); conduct dynamic (VM-based) analysis (445); aggregate VM based results (450); col. 18, line 12-23: dynamic (VM-based) analysis is scheduled and performed on information associated with the suspect multi-flow object to produce VM-based results (blocks 445 and 450). Based on both the multi-flow analysis results and the VM-based results, a determination is made as to whether the multi-flow object should be classified as being part of a malicious attack as set forth in block 455. If so, information associated with the malicious attack is stored and an alert and/or report may be generated to identify that the multi-flow object is associated with a malicious attack (block 460). Otherwise, the suspect multi-flow object is concluded as being benign). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the retroactive reclassification logic of the second network device being configured to conduct an analysis of the stored meta-information associated with the inconsistent verdicts for the same prior evaluated verdict by at least analyzing differences a type of the cybersecurity analysis conducted to 
Regarding claim 6 and 16, combination of Mahaffey and Khalid teaches the system of claim 1. In addition, Mahaffey teaches wherein the retroactive reclassification logic of the second network device being configured to conduct an analysis of the stored meta-information associated with the inconsistent verdicts for the same prior evaluated verdict by at least analyzing differences a source of the prior evaluated artifact associated with the first verdict and a source of the prior evaluated artifact associated with the second verdict (Mahaffey: Para. 0037: metadata, such as a package name, application name, file name, file size, permissions requested, cryptographic signer, download source, a unique identifier such as a UUID, and other information may be sufficient as identifying information for a data object; thus, if server 151 receives appropriate identifying information, it can determine if the data object is undesirable. One skilled in the art will appreciate that there are a variety of methods by which a data object can be identified in such a way that can allow server 151 to determine if a data object installed on device 101 is malicious without having to transmit the entire data object to server 151). 
Regarding claim 7 and 17, combination of Mahaffey and Khalid teaches the system of claim 1. In addition, Mahaffey teaches wherein the retroactive reclassification logic of the second network device being configured to tag one or more of the inconsistent verdicts that are determined to correspond to one or more incorrect verdicts on subsequent cybersecurity analyses of the stored meta-information associated with the inconsistent verdicts (Mahaffey: Para. 0040: server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101. In an embodiment, the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable; Para. 0088: add tags for a data object; Para. 0097: Such information can be in the form of readable text, a machine readable format, or may include a “score,” a badge, an icon or other symbolic rating). 
Regarding claim 8 and 18, combination of Mahaffey and Khalid teaches the system of claim 7. In addition, Mahaffey teaches wherein the second network device further comprises a reclassification notification plug-in, the reclassification notification plug-in to notify affected customers pertaining to the one or more incorrect verdicts (Mahaffey: Para. 0040: server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101. In an embodiment, the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable). 
Regarding claim 9 and 19, combination of Mahaffey and Khalid teaches the system of claim 7. In addition, Mahaffey teaches wherein the second network device further comprises a reclassification notification plug-in, the reclassification notification plug-in retains tags associated with the one or more incorrect verdicts and notifies a customer of the one or more incorrect pertaining to the customer in response to a message initiated by the customer via a portal (Mahaffey: Para. 0040: server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101. In an embodiment, the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable. In block 207, mobile communication device 101 receives the notification, and in block 209, the mobile communication device 101 takes action based upon the notification; Para. 0035: Assessments may result from collecting and/or processing data by server 151 and may be exposed by server 151 to users or other systems via an API, user interfaces; Para. 00128: mobile communication device transmits a request to server 151 to provide assessments for multiple data objects and server 151 transmits assessments for those multiple data objects to the device; Para. 0088: one or more users can sign in to a community voting system provided as a web application where they can search and browse all applications known to server 151). 
Regarding claim 10 and 20, combination of Mahaffey and Khalid teaches the system of claim 1. 
Yet, the combination does not teach wherein the retroactive reclassification logic of the second network device being invoked in response to a triggering event, the triggering event includes a scheduled event that is conducted internally within the second network device.
However, in the same field of endeavor, Khalid teaches wherein the retroactive reclassification logic of the second network device being invoked in response to a triggering event, the triggering event includes a scheduled event that is conducted internally within the second network device (Khalid: Col. 4, line 52-55: in response to a triggering event, the classification engine issues multi-flow feedback signaling to the network-traffic static analysis logic; Col. 4, line 65 to Col. 5, line 5: Upon receipt of the multi-flow feedback signaling, the classification engine receives results of a Subsequent static analysis from the network-traffic static analysis logic. For instance, as described above, the network-traffic static analysis logic may be configured, in response to the multi-flow feedback signaling, to conduct the second (in-depth) static analysis and the second static analysis results are returned to the classification engine; Fig. 2A: scheduler (260); Col. 18, line 55-61: dynamic (VM-based) analysis is scheduled and performed on information associated with the suspect multi-flow object to produce the VM-based results (blocks 480 and 482). Based on the VM-based results, a determination is made as to whether the multi-flow object should be classified as being part of a malicious attack (e.g., indicative of an exploit) as set forth in block 490)

Regarding claim 11, Mahaffey teaches A cybersecurity intelligence hub configured for network connectivity to a plurality of cybersecurity sensors to detect whether an artifact is associated with a cyber-attack without execution of the artifact (Mahaffey: Fig. 10, server (151), mobile devices (101), web crawler (1003), application marketplace data gathering system (1005); Para. 0069: that server 151 may receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments. FIG. 10 illustrates an embodiment in which server 151 may receive data from multiple sources and transmit assessment information for multiple uses. One or more servers 151 are illustrated as a “cloud” to emphasize that multiple servers may operate in coordination to provide the functionality disclosed herein. One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 may transmit and receive information to and from server 151; Para. 0070: In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems. Such systems may be separate from server 151 or may be part of server 151. In an embodiment, a data gathering system directly updates a database or other storage on server 151 or data storage 111 with information for one or more data objects. In an embodiment, a data gathering system communicates with server 151 to provide information to server 151. There are many types of systems that may be used as data feeds to server 151. Some examples include web crawlers 1003, application marketplace data gathering systems 1005, honeypots, and other systems that may feed information related to mobile device applications to server 151; Para. 
0107: when mobile communication device 101 assesses a data object, such as an application package or executable, to determine whether the data object is malicious or otherwise undesirable, the device sends a request to server 151 for an assessment of the data object, the request containing identifying information for the data object…. transmitting identifying information such as an application's package name and hash; Para. 0109: mobile communication device 101 may extract features from a data object to assist in server 151 producing an assessment. In an embodiment mobile communication device 101 performs static analysis on the data object to extract application data to transmit to server 151. For example, on Android, the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package); a global data store communicatively coupled to the hardware processor, the global data store comprises stored meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts, each stored meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts corresponds to meta- information associated with a previously analyzed object and includes a verdict classifying the prior evaluated artifact in accordance with a malicious classification or a benign classification (Mahaffey: Fig. 1: Data storage (111); Para. 0025: The one or more servers 151 may have access to a data storage 111 that stores security information for the one or more mobile communication devices 101. Data, assessment information, information about the mobile communication devices 101. 
Data, assessment information, information about the mobile communication devices 101, or other objects for storage may be stored on servers 151 and/or data storage 111; Para. 0031: Application data includes both data objects and information about data objects, such as behavioral data or metadata; Para. 0032: Application data includes data objects that are malware or spyware; Para. 0033: Application data includes metadata about data objects; Para. 0058:  server 151 chooses which devices to request additional from by analyzing device information and application data previously stored by server; Para. 0075: application data (e.g., data object content, metadata, behavioral data, marketplace metadata) is gathered for a data object…..In block 1103, application data for the data object is stored on server 151 or data storage 111 so that the data may be used at a different time than when it is gathered; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151. The mobile communications device 101 may be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis. Server 151 may contain known good component 903, known bad component 905; Para. 0046: some or all of the received data is stored on server 151 or data storage 111; Para. 0075: FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, assesses the data object to produce assessment information, and transmits the assessment information; Para. 0035: an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe; Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. 
If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111); analyze the stored meta-information associated with the prior evaluated artifact (Mahaffey: Fig. 4: receive identification+data object information (405); store data object information (407); analyze data object if necessary (409); Wait for change in data object (417); Para. 0027: server 151 will analyze this data and provide a security related assessment, response and/or other action; Para. 0045: Server 151 can analyze the new application and provide a security assessment whereby actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results) and either (a) identify whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence (Mahaffey: Para. 0123: In order to respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown. 
In an embodiment, server 151 stores information about data objects encountered by mobile communication device 101 so that if a data object encountered by the device was assessed to be good or unknown but was subsequently determined to be undesirable, server 151 may determine all of the devices that have encountered the data object and transmits a notification indicating that the data object is undesirable; Para. 0091: server 151 establishes the reputation or level of trust for the data object…. trust data is stored by server 151 on the server or in data storage 111 so it may be subsequently used directly or as part of producing an assessment; Para. 0098: assessment data includes the output from an analysis system, such as characterization data, categorization data, trust data, and distribution data. …..One will appreciate that the above assessment data may be provided as an input into to server 151…. server 151 combines assessment data received from multiple sources to produce an aggregated assessment. For example, if a malware author attempts to transmit an assessment to server 151 indicating that a malicious application is safe in the hopes of causing server 151 to produce a false assessment, the server may utilize the number of unique sources providing assessments and the trustworthiness of those sources to produce the aggregated assessment. 
If one hundred assessments are received from different, reliable sources such as network operators and enterprises that indicate the application to be malicious, but ten thousand assessments from a particular unverified source indicate the application to be safe, the server produces an aggregated assessment indicating the application to be malicious) or (b) identify inconsistent verdicts for the same prior evaluated artifact (Mahaffey: Para.0045: a security system installed on mobile communication device 101 may report application data for a data object to server 151 for purposes of receiving an assessment of the data object. ……a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results; Para. 0048: the assessment for the data object may change. For example, a data object that may previously have been assessed as safe or unknown may later be identified as malicious; Para. 0129: the system…can recall the previous assessment; Para. 0152: decision component 907 may operate as an additional security component to compensate for any weaknesses from known good component 903 or known bad component 905 and to identify new threats that have not been previously identified; Para. 0040: the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable). 
Yet, Mahaffey does not explicitly teach a communication interface; a hardware processor communicatively coupled to the communication interface; a memory communicatively coupled to the hardware processor, the memory including a data management and analytics engine including at least a retroactive reclassification logic.
communication interface logic (310); processor (300); Col. 15, line 9-11: TDP system 210 1 comprises one or more processors 300 that are coupled to communication interface logic 310 via a first transmission medium 320); a memory communicatively coupled to the hardware processor (Khalid: Claim 8: a memory communicatively coupled to the processor), the memory including a data management and analytics engine including at least a retroactive reclassification logic (Khalid: Fig. 2A: management system (220); static analysis engine (120); classification engine (160)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Mahaffey to include a communication interface; a hardware processor communicatively coupled to the communication interface; a memory communicatively coupled to the hardware processor, the memory including a data management and analytics engine including at least a retroactive reclassification logic as disclosed by Khalid. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious attack as suggested by Khalid (Khalid: Col. 1, line 10-12).
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Khalid, and further in view of Stransky-Heilkron (US20170180395, hereinafter SH).
Regarding claims 2 and 12, the combination of Mahaffey and Khalid teaches the system of claim 1. 
In addition Mahaffey further teaches process and return one or more response messages to a request message operating as a query to via an administrative portal or a customer portal (Mahaffey: Para. 0035: Assessments may result from collecting and/or processing data by server 151 and may be exposed by server 151 to users or other systems via an API, user interfaces; Para. 0037: To prevent taxing network 121 and server 151 with network traffic, various methods may be used to reduce the amount of data requested by and transmitted to server 151. For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid. If the server 151 has not yet performed an assessment for the data object, the server 151 may return a response indicating that the assessment is unknown and/or request additional data from the mobile communication device 101; Para. 0073: server 151 provides a user interface by which someone may provide information to server 151 about a specific data object, a group of data objects; Para. 00128: mobile communication device transmits a request to server 151 to provide assessments for multiple data objects and server 151 transmits assessments for those multiple data objects to the device; Para. 0088: one or more users can sign in to a community voting system provided as a web application where they can search and browse; Para. 
0097: server may publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a given data object is known good or known bad, and transmit a response to an API call querying for the assessment of the data object. Such information can be in the form of readable text, a machine readable format, or may include a “score,” a badge, an icon or other symbolic rating).
In addition, Khalid further teaches wherein the retroactive reclassification logic of the second network device operates as a software module in communication with analytics logic deployed within the second network device and analytics logic (Khalid: Fig. 2A: static analysis engine (120); network-traffic static analysis logic (125); classification engine (160); Col. 7, line 17-26: the network-traffic static analysis logic 125 is configured to aggregate multiple related flows as a multi-flow object and analyze characteristics of the multi-flow object for use in classifying the multi-flow object as either benign or malicious. According to one embodiment of the disclosure, multi-flow analysis results 175 may be provided to classification engine 160 for classification of the multi-flow object; Col. 5, line 29-34: Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions).
Yet, the combination does not explicitly teach the logic is a plug-in software module.
However, in the same field of endeavor, SH teaches a logic is a plug-in software (SH: Para. 0019: The malware detection logic 104, 110, 126, 130 and the security clients 120a-120n may be implemented in either hardware as an external device or in software as a plug-in, installed, or downloaded module).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include the logic is a plug-in software module as disclosed by SH. One of ordinary skill in the art would have been motivated to make this modification in order to detect the presence of malware as suggested by SH (SH: Para. 0016). 
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Zaitsev (US8056136, hereinafter Zaitsev). 
Regarding claim 21, Mahaffey teaches a computerized method for detecting artifacts associated with a cyber-attack, comprising: storing meta-information associated with each prior evaluated artifact of a plurality of prior evaluated artifacts, each meta-information associated with a prior evaluated artifact of the plurality of prior evaluated artifacts includes a verdict classifying the prior evaluated artifact, the verdict being one of a plurality of classifications including a malicious classification or a benign classification (Mahaffey: Fig. 1: data storage (111); Para. 0025: Data, assessment information, information about the mobile communication devices 101, or other objects for storage may be stored on servers 151 and/or data storage 111; Para. 0031: Application data includes both data objects and information about data objects, such as behavioral data or metadata; Para. 0032: Application data includes data objects that are malware or spyware; Para. 0033: Application data includes metadata about data objects; Para. 0058: server 151 chooses which devices to request additional from by analyzing device information and application data previously stored by server; Para. 0075: FIG. 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, assesses the data object to produce assessment information, and transmits the assessment information; Para. 0035: an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe; Para. 0046: server 151 stores the results of the assessment on the server or on data storage 111. If, when an assessment for a data object is required 309 and a previous assessment for the data object exists and is considered valid, server 151 retrieves the previous assessment from data storage 111; Para. 
0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151); analyzing the stored meta-information associated with the prior evaluated artifact (Mahaffey: Fig. 4: receive identification+data object information (405); store data object information (407); analyze data object if necessary (409); Wait for change in data object (417); Para. 0027: server 151 will analyze this data and provide a security related assessment, response and/or other action; Para. 0045: Server 151 can analyze the new application and provide a security assessment whereby actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognize this update as different from the first version of the application so that it will produce a new assessment of the second version and not just report the first assessment. Server 151 can analyze the updated application and provide a security assessment whereby actions can be taken based on the results); responsive to identifying whether the verdict associated with the prior evaluated artifact is in conflict with trusted cybersecurity intelligence, modifying a classification of the verdict to be consistent with a classification supported by the trusted cybersecurity intelligence (Mahaffey: Para. 0070: In addition to gathering data from mobile communication devices, server 151 can receive information pertaining to data objects from a variety of data gathering systems; Para. 0091: server 151 establishes the reputation or level of trust for the data object…. trust data is stored by server 151 on the server or in data storage 111 so it may be subsequently used directly or as part of producing an assessment; Para. 
0123: In order to respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown. In an embodiment, server 151 stores information about data objects encountered by mobile communication device 101 so that if a data object encountered by the device was assessed to be good or unknown but was subsequently determined to be undesirable, server 151 may determine all of the devices that have encountered the data object and transmits a notification indicating that the data object is undesirable; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151); notifying one or more customers that received the incorrect classification to modify one or more entries within a local data store including meta-information associated with the prior evaluated artifact corresponds to meta-information associated with a previously analyzed object and to alter the incorrect classification for the prior evaluated artifact to the correct classification (Mahaffey: Para. 0040: server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to mobile communication device 101. In an embodiment, the notification is due to the device previously having sent application data corresponding to a data object that was not initially assessed by the server 151 to be undesirable but was subsequently determined by the server 151 to be undesirable; Para. 0137: data store 111 may contain malware definitions that are continuously updated and accessible by server 151). 
Yet, Mahaffey does not explicitly teach responsive to identifying inconsistent verdicts for the same prior evaluated artifact, analyzing the meta-information associated with the inconsistent verdicts to select one of the inconsistent verdicts as a correct classification for the prior evaluated artifact and at least one of the inconsistent verdicts as an incorrect classification.
However, in the same field of endeavor, Zaitsev teaches responsive to identifying inconsistent verdicts for the same prior evaluated artifact, analyzing the meta-information associated with the inconsistent verdicts to select one of the inconsistent verdicts as a correct classification for the prior evaluated artifact and at least one of the inconsistent verdicts as an incorrect classification (SH: Col. 9, line 65 to Col. 10, line 44: FIG. 5 illustrates one example embodiment of statistical analysis algorithm performed by the interpreter module 240 for identifying correlations between inconsistent analysis results received from two or more analytical modules. In step 510, the interpreter module receives inconsistent analysis results from two or more analytical modules. The results are inconsistent when some analytical modules identify the suspicious object as malicious while other analytical modules as non-malicious. ….. the interpreter module may use statistical analysis to identify correlations between various parameters of the suspicious object and similar parameters of other malicious and non-malicious objects stored in the central database 230. ….. At step 530, the interpreter module performs the statistical analysis by searching the central database 230 for other objects having substantially similar file path parameters (e.g., objects downloaded from the same website as the suspicious object). 
If, in step 540, the interpretation module determines that the total number of identified malicious objects having substantially similar file path parameter exceeds the total number of non-malicious objects having substantially similar file path by a certain percentage (e.g., at least 25%) or other criteria, then the interpretation module may conclude that the suspicious object is malicious… If in steps 550 all parameters have been used, but the statistical analysis have not rendered a conclusive answer as to whether the object is malicious or not, all analysis results may be sent to a human expert for review in step 560. Next, in step 570, the interpreter module stores/updates results of the statistical analysis or results of the human expert review in the central database, and in step 580, reports results of the analysis to the security application 215 that originated the information query). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Mahaffey to include responsive to identifying inconsistent verdicts for the same prior evaluated artifact, analyzing the meta-information associated with the inconsistent verdicts to select one of the inconsistent verdicts as a correct classification for the prior evaluated artifact and at least one of the inconsistent verdicts as an incorrect classification as disclosed by Zaitsev. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious activity and classify the threat as suggested by Zaitsev (Zaitsev: Col. 5, line 54-62). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
 can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./Examiner, Art Unit 2438
/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438