DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
	This office action responds to the amendments filed on March 16, 2021 for application 16/167,029.  Claims 1, 4, 6-7, 10 and 15 were amended, claims 2-3 were cancelled, and claims 1 and 4-20 remain pending in the application.
Response to Arguments
	The Applicant’s arguments filed on March 16, 2021 have been fully considered, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 9 of the Remarks that concerns the objection to claim 4, the amendment to claim 4 cures the deficiency and the objection is withdrawn.
	Regarding the Applicant’s response at page 9 of the Remarks that concerns the interpretation of the claims under § 112(f), the claims are afforded their reasonable interpretation during prosecution.  See MPEP § 2111 (stating “Claims must be given their broadest reasonable interpretation in light of the specification”).  In the Remarks, the “Applicant submits that the meaning of the term ‘security management platform’ would be understood by one skilled in the art upon reviewing the present application as a whole, especially the portions related to Figures 5, 20, and 21.”  The Examiner notes, however, that it’s the structure recited within the claim that’s important.  See MPEP § 2181.  

Regarding the Applicant’s response at pages 9-11 of the Remarks that concerns the § 103 rejection of the independent claims 1, 10, and 15, the Applicant’s arguments in conjunction with the claim amendments are persuasive, and consequently the Examiner conducted a new prior art search. The Applicant’s arguments are now moot with respect to the independent claims because the arguments do not apply to some of the references currently used in the rejection of the aforementioned claims as detailed below.
Regarding the Applicant’s response at page 11 of the Remarks that concerns the § 103 rejection of the dependent claims, the argument for patentability rests upon the patentability of the dependent claims.  Because the independent claims are not 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved after the movement of the primary phrase from which it was lifted.  Or more succinctly, move numbered material first, lettered material last.)
A.	Claims 1, 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Gula et al. (US 2014/0007241, “Gula”) in view of  Ho et al. (US 2017/0171221, “Ho”), and further in view of Klein et al. (US 2017/0339180, “Klein”).
Regarding Claim 1
Gula discloses
A system (abstract, Fig. 2) for assessing security threats (abstract, “The observed and enumerated current connections may be used to model [and thus assess] security threats) to an internal network (Fig. 2, i.e., the network behind the “Internal Firewall 280” and the “External Firewall 284” comprises an internal network) associated with an organization (¶ [0006], “More particularly, in an ideal world all vulnerabilities identified in a network would be patched in real-time, but most organizations tend to have limited resources,” i.e., organizations possess networks, and the network shown in Fig. 2 can be taken as an internal network of an organization), the system comprising: 
one or more scanning mechanisms (Fig. 1, i.e., the “Active Scanner 110” directly connected to the “Internet 160,” and more generally the “active scanners” and “passive scanners”) deployed on the Internet (Figs. 1 & 2, ¶¶ [0029]-[0034], most notably ¶ [0034], “Furthermore, in one implementation, one or more of the active scanners 210 may be distributed at a location that provides visibility into portions of a remote network 260. For example, as shown in FIG. 1, one or more of the active scanners 210 may be distributed at a location in communication with a remote network 260, wherein the term ‘remote network’ used herein may refer to the Internet”), 
1 …; and 
a security management platform (Fig. 2, ¶ [0018], ¶ [0078], i.e., the “processors” and “computer-readable storage medium,” noting that under a means-plus-function interpretation, Gula doesn’t teach the narrowing limitations of Applicant’s Fig. 21.  However, such a narrow construction of the claim would afford little protection to  configured to acquire local netflow (Fig. 5, ¶ [0060], “the one or more passive scanners may observe traffic in the network to identify certain internal hosts or other devices within the network that connect to or otherwise access remote networks and have exploitable vulnerabilities”) that includes all traffic that crossed a perimeter of the internal network (Figs. 1 & 2, ¶ [0034], i.e., the “Internet 160” and the “Internet 260,” where the Internet is considered an “external network” that is distinct from the internal network behind the depicted firewalls) during a certain time interval (¶ [0040], “Accordingly, in one implementation, the active scanners 210 may generally interrogate any suitable device 230 in the network to obtain information describing a snapshot of the network at any particular point in time, the passive scanners 220 may continuously or periodically observe traffic traveling in the network to identify vulnerabilities, assets, or other information that further describes the network,” with the timing of different snapshots establishing a time interval; see also Klein Fig. 1, ¶ [0056], “Once engaged, the network scanning appliance 14 may continue this scan to individually identify and harvest information twenty-four hours per day to capture any devices that enter or leave the internal and/or external network environments,” where the firewall defines a perimeter dividing the “internal network 11(1)” from the “external network 11(2)”),
 examine (Fig. 5, ¶ [0061], “one or more passive scanners may observe…”) the local netflow to detect public communication activities (Fig. 5, ¶¶ [0061]-[0062], “For example, the destination address “0.0.0.0” may generally represent connections to the Internet or other remote networks, whereby the queries to identify the observed , 
each public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network (¶¶ [0061]-[0062], i.e., two IP addresses are discussed, one of which resides with an internal host and the other that is a “destination IP address” that is “outside the network;” see also Klein ¶ [0056], “Once engaged, the network scanning appliance 14 may continue this scan to individually identify and harvest information twenty-four hours per day to capture any devices that enter or leave the internal and/or external network environments.”), and 
for each public communication activity (¶¶ [0061]-[0062]),
2 ….
Gula doesn’t disclose
1 wherein each scanning mechanism is configured to probe at least one Internet 
Protocol (IP) address by transmitting a query designed to elicit a response, and create probe data from responses received from the at least one IP address;
	2 evaluate a risk to the internal network based on an analysis of (i) the local netflow related to the corresponding internal IP address, (ii) the probe data related to the corresponding internal IP address, and (iii) the probe data related to the correspondinq external IP address.
Ho, however, discloses
1 wherein each scanning mechanism is configured to probe at least one Internet 
Protocol (IP) address by transmitting a query designed to elicit a response (Fig. 3, ¶¶ [0039]-[0040], i.e., “In aspects, a real-time IP scanning system, such as exemplary system 200, may receive [elicit[ed]] responses to the communication requests [that acts as a probe to an Internet Protocol (IP) address] transmitted to the computing devices”), and
create probe data from responses received from the at least one IP address (Fig. 3, ¶¶ [0039]-[0040], “In such examples, information identifying the computing devices (e.g., IP address, hostname, URL, etc.) may be identified and extracted from the response [to create probe data],” and “device data (e.g., IP address, hostname, URL, etc.) [that acts as probe data] may be selected by or provided to one or more protocol analyzers…”);
Klein, however, discloses
	2 evaluate a risk to the internal network based on an analysis of (Figs. 10-11, ¶¶ [0071]-[0073], “a screenshot of an example of a graphical user interface showing a representation of node health including vulnerabilities found is shown in FIG. 10, and a screenshot of an example of a graphical user interface showing a representation of node health with a risk level of an identified vulnerability is shown in FIG. 11,” and “In step 144, the network assessment computing device 12 may generate [for analysis] one or more scores and/or other assessments based on the parsed vulnerability data obtained for each of the identified systems, devices, and/or other hosts as completed,” i.e., the “parsed vulnerability data” is obtained for evaluat[ion] from the scanning conducted via the “network scanning appliance 14” and the “network assessment computing device 12;” see also ¶ [0051], “An example of method for assessing in near  
(i) the local netflow related to the corresponding internal IP address (Fig. 1, ¶ [0056], “the network scanning appliance 14 with the network assessment computing device 12 may begin to scan to individually identify and harvest information on any systems, devices or other hosts, such as computers, phones, televisions or any device that accept an Internet Protocol (IP) address by way of example only, currently on the internal network 11(1) in this example” that produces local netflow that is used to obtain the “parsed vulnerability data,” see ¶¶ [0071]-[0073]), 
(ii) the probe data related to the corresponding internal IP address (¶¶ [0056]-[0058], “In this particular example of process 110, in step 112 the network scanning appliance 14 with the network assessment computing device 12 may transmit address resolution protocol (ARP) packets [to yield probe data] to all addresses for systems, devices, and/or other hosts in for example a subnet or other defined network, such as for a particular organization or other entity on the internal network 11(1), although the ARP packets could be sent to systems, devices, and/or other hosts for another defined network which includes … the internal … networks 11(1) … [possessing internal IP addresses;” and ¶¶ [0059]-[0060], i.e., the probe data collected is “transmit[ted]” to the , and 
(iii) the probe data related to the correspondinq external IP address (¶¶ [0056]-[0058], “In this particular example of process 110, in step 112 the network scanning appliance 14 with the network assessment computing device 12 may transmit address resolution protocol (ARP) packets [to yield probe data] to all addresses for systems, devices, and/or other hosts in for example a subnet or other defined network, such as for a particular organization or other entity on the internal network 11(1), although the ARP packets could be sent to systems, devices, and/or other hosts for another defined network which includes … the … external networks … 11(2) [possessing external IP addresses];” and ¶¶ [0059]-[0060], i.e., the probe data collected is “transmit[ted]” to the “host database 40” to be stored where it can then be extracted from a “table” to obtain the “parsed vulnerability data,” see ¶¶ [0071]-[0073]).
	Regarding the combination of Gula and Ho, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula to have included the scanning request feature of Ho. One of ordinary skill in the art would have been motivated to incorporate the scanning request feature of Ho because Ho discusses the problem of detecting botnets through scanning technologies, see Ho ¶ [0001], and Ho teaches a system that provides real-time scanning of IP addresses, see Ho ¶ [0004].
	Regarding the combination of Gula-Ho and Klein, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho to have included the scanning data 
Regarding Claim 4
Gula-Ho-Klein disclose the system of claim 1, and Gula further discloses 
wherein each scanning mechanism (Figs. 1 & 2, ¶¶ [0029]-[0034], e.g., the “active scanners” and “passive scanners”) is further configured to: 
examine traffic originating from, or directed to, each external IP address involved in a public communication activity (Fig. 5, ¶¶ [0061]-[0062]) to determine which services are running on each external IP address (¶ [0063], “the passive scanners may have capabilities to identify specific Internet activities or services (e.g., Skype, YouTube, Pandora, Facebook, Netflix, etc.), which may be leveraged in operation 520 to list IP addresses that perform certain Internet activities, access certain Internet services, have certain client types, or match other suitable criteria.”).
Regarding Claim 5
Gula-Ho-Klein disclose the system of claim 4, and Gula further discloses
wherein said examining (Fig. 5, ¶¶ [0061]-[0064], ) includes…1 
Ho further discloses
1…analyzing content of a header of a data packet included in the traffic (¶ [0039], “In such examples, information identifying the computing devices (e.g., IP address, hostname, URL, etc.) may be identified and extracted from the response,” where analyzing [the] content of a header of a data packet, as that is where the IP address is located within a data packet).
	Regarding the combination of Gula and Ho, the rationale to combine Gula and Ho is the same as provided for claim 1, as the subject matter of claim 4 relates to the subject matter of claim 1.
B. 	Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gula in view of Ho and Klein, and further in view of Nakae et al. (US 2004/0172557, “Nakae”) and Ranum et al. (US 2014/0013434, “Ranum”).
Regarding Claim 6
Gula-Ho-Klein disclose the system of claim 4, and Gula further discloses 
further comprising:
1 …; and 
a firewall deployed along the perimeter of the internal network (Figs. 1 & 2, ¶ [0034], i.e., the “internal firewalls 280” and the “external firewalls 284” that separate the “internal network” from the “Internet,” which acts as the internal network, with the boundary between the two defining a permimeter), 
2 …, 
3 …, and 
4 ….
Gula-Ho-Klein doesn’t disclose
	1 a honeypot server configured to isolate an attempt to gain unauthorized access to a cyber asset residing on the internal network;
	2 wherein the firewall is configured to receive a communication from a particular external IP address,
	3 determine that the communication represents an incoming scanning attack, and
	4 prevent a breach of the internal network by deflecting the communication to the honeypot server.
Nakae, however, discloses
	1 a honeypot server configured to isolate an attempt …a (Fig. 1, ¶¶ [0004], [0025], “the input IP packet forwarded to the decoy device” that isolates an attempt to attack the system);
2 wherein the firewall is configured to receive a communication from a particular external IP address (¶ [0025], “, the firewall device includes: a packet filter for determining whether the input IP packet [as a communication] inputted from the external network is to be accepted, based on header information of the input IP packet [, which is a particular external IP address,] and a filtering condition corresponding to the input IP packet”),
	3 determine that the communication represents an incoming …b attack (¶¶ [0025], [0029], “a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether the attack detector detects an attack based on the input IP packet,” and “The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address”), and
	4 prevent a breach of the internal network by deflecting the communication to the honeypot server (¶¶ [0025]-[0027], “a filtering condition manager for managing the .
Ranum, however, discloses
	a … to gain unauthorized access to a cyber asset residing on the internal network (Fig. 3, ¶¶ [0052]-[0053], “operation 340 may further include the passive scanners and the log aggregator monitoring the real-time traffic and system processes in the network to further assist the active scanners in detecting botnet participation in the network,” and “an internal host that has inbound … connections [that comprises an attempt to gain unauthorized access] from other systems that participate in a known botnet;” and ¶ [0036], i.e., a cyber asset included within “vulnerabilities” are “sensitive data such as credit card information” and “passwords for users associated with the assets”);
	b … scanning attack, …(¶¶ [0052]-[0053], i.e., the generic “attack” of Nakae is specifically disclosed by “an active botnet” that is “participating” in “content scanning”)
	Regarding the combination of Gula-Ho-Klein and Nakae, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho-Klein to have included the honeypot feature of Nakae. One of ordinary skill in the art would have been motivated to incorporate the honeypot feature of Nakae because Nakae teaches the advantages of a honeypot or decoy device as known in the art, such as “By processing as above, all the packets determined to be unauthorized can be shut up on the decoy server,” see Nakae ¶ [0008], which thereby improves security.

Regarding Claim 16
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 15, and Nakae further discloses
wherein the honeypot server is configured to isolate attempts…1 (Fig. 1, ¶¶ [0004], [0025], “the input IP packet forwarded to the decoy device” that isolates an attempt to attack the system)
Gula-Ho-Klein-Nakae doesn’t disclose 
1 …to gain unauthorized access to a cyber asset residing on the internal network.
Ranum, however, discloses
1 …to gain unauthorized access to a cyber asset residing on the internal network (Fig. 3, ¶¶ [0052]-[0053], “operation 340 may further include the passive scanners and the log aggregator monitoring the real-time traffic and system processes in the network an attempt to gain unauthorized access] from other systems that participate in a known botnet;” and ¶ [0036], i.e., a cyber asset included within “vulnerabilities” are “sensitive data such as credit card information” and “passwords for users associated with the assets”).
Regarding the combination of Gula-Ho-Klein-Nakae and Ranum, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho-Klein-Nakae to have included the technique to protect against botnet scanning attacks. One of ordinary skill in the art would have been motivated to incorporate the technique to prevent against botnet scanning attacks because Ranum discusses the problem that “any system that operates or otherwise participates in a botnet should be considered fully compromised and a serious threat to an organization (e.g., because botnets can be exploited to introduce viruses or other malware into the network),” see Ranum ¶ [0008], and Nakae discloses a system to “detect botnet participation in [a] network,” see Ranum ¶¶ [0052]-[0053].
C.	Claims 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Gula in view of Ho and Klein, and further in view of Nakae, Ranum, and Ranjan et al. (US 8,762,298, “Ranjan”).
Regarding Claim 7
Gula in view of Ho and Klein, and further in view of Nakae and Ranum (“Gula-Ho-Klein-Nakae-Ranum”) disclose the system of claim 6, and Gula further discloses
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured to: 
acquire global netflow (Fig. 5, ¶ [0076] “an operation 535 may then analyze the network configurations obtained in operation 510, the active inbound and outbound connections [to acquire global netflow] enumerated in operation 520, and the external network addresses and hosted content identified in the web application scan conducted in operation 530 to determine whether any scanning targets associated therewith may be participating in active botnet;” see also ¶¶ [0071]-[0075] for additional context on remediating botnet participation, that also relates to Fig. 3 and monitoring network activity) that includes all traffic having a certain characteristic (For example, in one implementation, operation 535 may determine that a particular scanning target may be participating in active botnet if the scanning target has an IP address that matches any IP addresses in a database that lists known botnet IP addresses, which may indicate that the scanning target has been infected,” i.e., the certain characteristic comprises an IP address that can be associated with a bot) that traversed the Internet (¶ [0076], i.e., the “outbound connections” comprise traffic that traverses the Internet) during the certain time interval (¶ [0081], “Those skilled in the art will appreciate that the techniques described above in relation to FIG. 5 may be performed at any suitable time [to establish time intervals] to detect potential botnet participation in the network.”), 
filter the global netflow to obtain traffic involving one or more IP addresses…1 (Fig. 3, ¶¶ [0052]-[0053], “operation 330 may detect that a particular host participates in an active botnet if the host has a network address that appears in a database that lists known botnet addresses or visited an external network address that matches a DNS filter[ing] comprises the act of finding an IP address in a database, which serves to filter safe IP addresses from malicious IP addresses), and 
determine that the traffic includes an attempted scan by a bot (¶ [0052], “a host that participates in an active botnet,” and “…if the host has inbound or outbound connections from other systems…,” i.e., active botnet conduct scan[s] via connections to infect other hosts, see also ¶ [0071], “…to allow a botnet operator to command and control the infected host, spread the malicious modules…”).
Gula-Ho-Klein-Nakae-Ranum doesn’t disclose
	1 filter … one or more IP addresses associated with the honeypot server,
Ranjan, however, discloses
	1 filter … one or more IP addresses associated with the honeypot server (Col. 15:29-51, “the BotWatch system (300) includes a list of IP addresses of known bots and C&C servers in the external IP blacklists (403) that may be (i) an external website that tracks botnets, (ii) output from a IPS/IDS that uses signature-based detection, or (iii) output from a honeypot designed to capture bot behaviors,” i.e., the IP address in the database of Ranum I relates back to IP address of the honeypot),
	Regarding the combination of Gula-Ho-Klein-Nakae-Ranum and Ranjan, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho-Klein-Nakae-Ranum to have included the honeypot feature of Ranjan. One of ordinary skill in the art 
Regarding Claim 8
Gula in view of Ho and Klein, and further in view of Nakae, Ranum, and Ranjan (“Gula-Ho-Klein-Nakae-Ranum-Ranjan”) disclose the system of claim 7, and Gula further discloses
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured to: 
1 …, and
2 ….
Ranum further discloses
1 examine the attempted scan to identify a characteristic of the bot (¶ [0052], “operation 330 may detect that a particular host participates in an active botnet [, which attempt[s] scan[s],] if the host has a network address that appears in a database that lists known botnet addresses or visited an external network address that matches [and thus identif[ies]] a DNS name or website [that is a characteristic of the bot and thus] associated with known botnet activity”), and 
2 identify all internal IP addresses presently involved in communicating with the bot (¶ [0076], “in one implementation, operation 535 may determine that a particular scanning target may be participating in active botnet if the scanning target has an IP address that matches any IP addresses in a database that lists known botnet IP identify those local hosts that are communicating with the bot; see also ¶ [0072] of Gula, “As such, operations 630 through 670 may be iteratively performed until all IP addresses in the ConnectedServers data structure have been processed to update the corresponding trust relationship counters and lists.”).
Regarding the combination of Gula and Ranum, the rationale to combine Gula and Ranum is the same as provided for claim 6, as the subject matter of claim 8 relates to the subject matter of claim 6.
Regarding Claim 9
Gula-Ho-Klein-Nakae-Ranum-Ranjan disclose the system of claim 7, and Gula further discloses 
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured: 
1 …, and
2 ….
Ranum further discloses
1 examine the attempted scan to identify a characteristic of the bot (¶ [0052], “operation 330 may detect that a particular host participates in an active botnet [, which attempt[s] scan[s],] if the host has a network address that appears in a database that lists known botnet addresses or visited an external network address that matches [and thus identif[ies]] a DNS name or website [that is a characteristic of the bot and thus] associated with known botnet activity”), and 
2 identify a public communication activity (¶ [0074], i.e., “inbound and outbound connections”) involving the bot and a command-and-control center based on the characteristic (¶ [0071], “The executed malicious software then typically installs one or more modules to allow a botnet operator to command and control [via a command-and-control center] the infected host”).
Regarding the combination of Gula and Ranum, the rationale to combine Gula and Ranum is the same as provided for claim 6, as the subject matter of claim 9 relates to the subject matter of claim 6.
D.	Claims 10-15, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gula in view of Ho and Klein, and further in view of Nakae.
Regarding Claim 10
Gula discloses
A computer-implemented method (abstract, Figs. 3 & 5) for estimating risk posed by a public communication activity (Fig. 5, ¶¶ [0061]-[0062], “For example, the destination address “0.0.0.0” may generally represent connections to the Internet or other remote networks, whereby the queries to identify the observed outbound connections may include a filter to identify connections from devices within the network to external hosts…”) involving an internal Internet Protocol (IP) address that resides on an internal network and an external IP address that does not reside on the internal network (¶¶ [0061]-[0062], i.e., two IP addresses are discussed, one of which resides with an internal host and the other that is a “destination IP address” that is “outside the network”), 
the method comprising: acquiring, by a security management platform (Figs. 1 & 2, ¶¶ [0029]-[0034], i.e., the “management console 150,” with each of the scanners providing probe data to the “management console” to enable the acquiring of the data), probe data from one or more scanning mechanisms deployed on the Internet (Figs. 1 & 2, ¶¶ [0029]-[0034], most notably ¶ [0034], “Furthermore, in one implementation, one or more of the active scanners 210 may be distributed at a location that provides visibility into portions of a remote network 260,” and Fig. 5, ¶ [0060], “the one or more passive scanners may observe traffic in the network to identify certain internal hosts or other devices within the network that connect to or otherwise access remote networks and have exploitable vulnerabilities”), 
1 …, and 
2 …; 
evaluating, by the security management platform, a risk posed by the public communication activity based on …3  the probe data (Fig. 5, ¶¶ [0063]-[0064], “an operation 530 may then list one or more IP addresses [(which comprise the probe data])] having exploitable client-side vulnerabilities in order to correlate [and thus evaluate] Internet browsing with client-side attacks distinctly from all possible network vulnerabilities. For example, two different systems may both have vulnerable web browsers, but if one never accesses the Internet while the other regularly does so, the one accessing the Internet may pose a substantially greater exploitation risk [by the public communication activities] in the network.”); 
	4 …; and
	5 …,
6 ….
Gula doesn’t disclose
1 wherein each scanning mechanism is configured to probe at least one Internet Protocol (IP) address by transmitting a query designed to elicit a response from a certain service, and 
2 wherein the probe data includes a first response provided by the internal IP address and a second response provided by the external IP address;
3 …an analysis of the first and second responses included…
4 determining, by the security management platform, that the risk exceeds a certain threshold; and 
5 transmitting, by the security management platform, an instruction to a firewall deployed on a perimeter of the internal network, 
6 wherein the instruction instructs the firewall to prevent a future breach of the internal network by deflecting an incoming communication from the external IP address to a honeypot server.
Ho, however, discloses
1 wherein each scanning mechanism is configured to probe at least one Internet Protocol (IP) address by transmitting a query designed to elicit a response from a certain service (Fig. 3, ¶¶ [0039]-[0040], i.e., “In aspects, a real-time IP scanning system, such as exemplary system 200, may receive [elicit[ed]] responses to the communication requests [that acts as a probe to an Internet Protocol (IP) address] transmitted to the computing devices”), and 
2 wherein the probe data includes a first response provided by the internal IP address (¶¶ [0038]-[0039], i.e., the “ping request” originates from an “active scanner” of Gula that has an internal IP address) and a second response provided by the external IP address (¶ [0039], the “ping response” that is sent over the Internet of Gula and has an external IP address);
Klein, however, discloses
	3 …an analysis of the first and second responses included… (Figs. 10-11, ¶¶ [0071]-[0073], “a screenshot of an example of a graphical user interface showing a representation of node health including vulnerabilities found is shown in FIG. 10, and a screenshot of an example of a graphical user interface showing a representation of node health with a risk level of an identified vulnerability is shown in FIG. 11,” and “In step 144, the network assessment computing device 12 may generate [for analysis] one or more scores and/or other assessments based on the parsed vulnerability data obtained for each of the identified systems, devices, and/or other hosts as completed,” i.e., the “parsed vulnerability data” is obtained from the scanning conducted via the “network scanning appliance 14” and the “network assessment computing device 12;” see also ¶ [0051], “An example of method for assessing in near real time or in real time internal and/or external security protection and/or health of internal and/or external network environments will now be described with reference to FIGS. 1-11,” “… the network scanning appliance 14 into the internal network 11(1),…,” and “Additionally, in this particular example the network assessment computing device 12 is located in a secure cloud hosting provider 20 in a cloud environment in the external network 11(2), acts as an external scanner,” with the first response corresponding to the probe data IP addresses associated with “internal network 11(1)” and the second response corresponding to the probe data collected for the IP addresses associated with the “external network 11(2)”)
Nakae, however, discloses
4 determining, by the security management platform (of Gula that includes a firewall), that the risk exceeds a certain threshold (¶¶ [0025], [0028], “A firewall device manages the server by assigning at least one requisite confidence level to each of the plurality of decoy devices in the decoy cluster. When an IP packet is inputted, the firewall device obtains a confidence level of the input IP packet [, which possesses a certain threshold that defines the difference between confidence and no-confidence,] from the confidence manager and determines a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet;” i.e., if the risk exceeds a certain threshold, the input IP packet is forwarded to the decoy device); and 
5 transmitting, by the security management platform (of Gula that includes the “confidence manager” of Nakae), an instruction to a firewall (¶ [0029], “the firewall device obtains a confidence level [as a transmit[ed] instruction] of the input IP packet from the confidence manager and determines a decoy device having a requisite confidence level,”) deployed on a perimeter of the internal network (Gula, Figs. 1 & 2, ¶ [0034], i.e., the “internal firewalls 280” and the “external firewalls 284” that separate the “internal network” from the “Internet,” with the boundary between the two defining a permimeter), 
6 wherein the instruction instructs the firewall to prevent a future breach of the internal network by deflecting an incoming communication from the external IP address to a honeypot server (¶¶ [0025], [0029], “a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device [to prevent a future breach of the internal network] depending on whether the attack detector detects an attack based on the input IP packet.”).
Regarding the combination of Gula and Ho, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula to have included the scanning request feature of Ho. One of ordinary skill in the art would have been motivated to incorporate the scanning request feature of Ho because Ho discusses the problem of detecting botnets through scanning technologies, see Ho ¶ [0001], and Ho teaches a system that provides real-time scanning of IP addresses, see Ho ¶ [0004].
Regarding the combination of Gula-Ho and Klein, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho to have included the scanning data analysis feature of Klein. One of ordinary skill in the art would have been motivated to incorporate the scanning analysis feature of Klein because Klein teaches a “method for assessing in near real time or in real time internal and/or external security protection and/or health of internal and/or external network environments.”  See Klein ¶ [0051].
	Regarding the combination of Gula-Ho-Klein and Nakae, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho-Klein to have included the 
Regarding Claim 11
Gula in view of Ho and Klein, and further in view of Nakae (“Gula-Ho-Klein-Nakae”) disclose the computer-implemented method of claim 10, and Gula further discloses
further comprising: acquiring, by the security management platform (Figs. 1 & 2, ¶¶ [0029]-[0034]), local netflow (Fig. 5, ¶ [0060], “the one or more passive scanners may observe traffic in the network to identify certain internal hosts or other devices within the network that connect to or otherwise access remote networks and have exploitable vulnerabilities”) that includes all traffic that crossed the perimeter of the internal network (Figs. 1 & 2, ¶ [0034], i.e., the “Internet 160” and the “Internet 260,” where the Internet is considered an “external network” that is distinct from the internal network behind the depicted firewalls) during a certain time interval (¶ [0040], “Accordingly, in one implementation, the active scanners 210 may generally interrogate any suitable device 230 in the network to obtain information describing a snapshot of the network at any particular point in time, the passive scanners 220 may continuously or periodically observe traffic traveling in the network to identify vulnerabilities, assets, or other information that further describes the network,” with the timing of different snapshots establishing a time interval).

Regarding Claim 12
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 11, and Gula further discloses 
further comprising: examining (Fig. 5, ¶¶ [00]-[00], “one or more passive scanners may observe…”), by the security management platform (Figs. 1 & 2, ¶¶ [0029]-[0034]), the local netflow to identify all public communication activities involving the external IP address (Fig. 5, ¶¶ [0061]-[0062], “For example, the destination address “0.0.0.0” may generally represent connections to the Internet [that involve[e] the external IP address] or other remote networks, whereby the queries to identify the observed outbound connections may include a filter to identify connections from devices within the network to external hosts…”).
Regarding Claim 13
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 11, and Gula further discloses 
wherein said acquiring comprises: acquiring, by the security management platform (Figs. 1 & 2, ¶¶ [0029]-[0034]), global netflow (Fig. 5, ¶ [0076] “an operation 535 may then analyze the network configurations obtained in operation 510, the active inbound and outbound connections [to acquire global netflow] enumerated in operation 520, and the external network addresses and hosted content identified in the web application scan conducted in operation 530 to determine whether any scanning targets associated therewith may be participating in active botnet;” see also ¶¶ [0071]-[0075] for additional context on remediating botnet participation, that also relates to Fig. 3 and monitoring network activity) that includes all traffic having a certain characteristic (For certain characteristic comprises an IP address that can be associated with a bot) that traversed the Internet (¶ [0076], i.e., the “outbound connections” comprise traffic that traverses the Internet) during the certain time interval (¶ [0081], “Those skilled in the art will appreciate that the techniques described above in relation to FIG. 5 may be performed at any suitable time [to establish time intervals] to detect potential botnet participation in the network.”); and
filtering the global netflow to obtain the local netflow (¶ [0072], i.e., Table 4 illustrates various “clients” that have been filter[ed] to asses “internally exploitable services” (i.e., local netflow) and “exploitable Internet services” (i.e., global netflow).
Regarding Claim 14
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 10, and Gula further discloses
wherein the security management platform (Figs. 1 & 2, ¶¶ [0029]-[0034]) resides on a computer server (¶ [0034], i.e., a computer server such as “computer server 230”) that is communicatively coupled to the internal network (Fig. 2, i.e., the internal network resides behind the “internal firewall” and “external firewall” to which the server is connected).
Regarding Claim 15
Gula discloses
A system (abstract, Fig. 2) comprising: one or more scanning mechanisms (Fig. 1, i.e., the “Active Scanner 110” directly connected to the “Internet 160,” and more generally the “active scanners” and “passive scanners”) deployed on the Internet (Figs. 1 & 2, ¶¶ [0029]-[0034], most notably ¶ [0034], “Furthermore, in one implementation, one or more of the active scanners 210 may be distributed at a location that provides visibility into portions of a remote network 260. For example, as shown in FIG. 1, one or more of the active scanners 210 may be distributed at a location in communication with a remote network 260, wherein the term “remote network” used herein may refer to the Internet”), 
1 …; and 
a security management platform (Fig. 2, ¶ [0018], ¶ [0078], i.e., the “processors” and “computer-readable storage medium,” noting that under a means-plus-function interpretation, Gula doesn’t teach the narrowing limitations of Applicant’s Fig. 21.  However, such a narrow construction of the claim would afford little protection to infringement upon issuing of a patent.  Accordingly, the Examiner awaits the Applicant’s response to the § 112(f) issue presented above) configured to acquire local netflow (Fig. 5, ¶ [0060], “the one or more passive scanners may observe traffic in the network to identify certain internal hosts or other devices within the network that connect to or otherwise access remote networks and have exploitable vulnerabilities”) that includes all traffic that crossed a perimeter of an internal network (Figs. 1 & 2, ¶ [0034], i.e., the “Internet 160” and the “Internet 260,” where the Internet is considered an “external network” that is distinct from the internal network behind the depicted firewalls) during a certain time interval (¶ [0040], “Accordingly, in one implementation, the active scanners time interval), 
examine (Fig. 5, ¶ [0061], “one or more passive scanners may observe…”) the local netflow to detect a public communication activity (Fig. 5, ¶¶ [0061]-[0062], “For example, the destination address “0.0.0.0” may generally represent connections to the Internet or other remote networks, whereby the queries to identify the observed outbound connections may include a filter to identify connections from devices within the network to external hosts…”) involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network (¶¶ [0061]-[0062], i.e., two IP addresses are discussed, one of which resides with an internal host and the other that is a “destination IP address” that is “outside the network”), 
2 …
determine that the risk (of Klein) posed by the public communication activity…3 (Fig. 5, ¶¶ [0063]-[0064], “an operation 530 may then list one or more IP addresses [(which comprise the probe data])] having exploitable client-side vulnerabilities in order to correlate [and thus evaluate] Internet browsing with client-side attacks distinctly from all possible network vulnerabilities. For example, two different systems may both have vulnerable web browsers, but if one never accesses the Internet while the other by the public communication activities] in the network.”), and
4 ….
Gula doesn’t disclose
1 wherein each scanning mechanism is configured to probe at least one Internet Protocol (IP) address by transmitting a query designed to elicit a response, and create probe data from any responses received from the at least one IP address;
2 evaluate a risk posed by the public communication activity based on (i) a first response provided by the internal IP address that is included in the probe data and (ii) a second response provided by the external IP address that is included in the probe data;
3 …exceeds a certain threshold, and 
4 notify a firewall deployed along a perimeter of the internal network that future communications received from the external IP address should be deflected to a honeypot server.
Ho, however, discloses
1 wherein each scanning mechanism is configured to probe at least one Internet 
Protocol (IP) address by transmitting a query designed to elicit a response (Fig. 3, ¶¶ [0039]-[0040], i.e., “In aspects, a real-time IP scanning system, such as exemplary system 200, may receive [elicit[ed]] responses to the communication requests [that acts as a probe to an Internet Protocol (IP) address] transmitted to the computing devices”), and
create probe data from any responses received from the at least one IP address (Fig. 3, ¶¶ [0039]-[0040], “In such examples, information identifying the computing create probe data],” and “device data (e.g., IP address, hostname, URL, etc.) [that acts as probe data] may be selected by or provided to one or more protocol analyzers…”);
Klein, however, discloses
	2 evaluate a risk posed by the public communication activity based on (Figs. 10-11, ¶¶ [0071]-[0073], “a screenshot of an example of a graphical user interface showing a representation of node health including vulnerabilities found is shown in FIG. 10, and a screenshot of an example of a graphical user interface showing a representation of node health with a risk level of an identified vulnerability is shown in FIG. 11,” and “In step 144, the network assessment computing device 12 may generate [for analysis] one or more scores and/or other assessments based on the parsed vulnerability data obtained for each of the identified systems, devices, and/or other hosts as completed,” i.e., the “parsed vulnerability data” is obtained for evaluat[ion] from the scanning conducted via the “network scanning appliance 14” and the “network assessment computing device 12;” see also ¶ [0051], “An example of method for assessing in near real time or in real time internal and/or external security protection and/or health of internal and/or external network environments will now be described with reference to FIGS. 1-11,” “… the network scanning appliance 14 into the internal network 11(1),…,” and “Additionally, in this particular example the network assessment computing device 12 is located in a secure cloud hosting provider 20 in a cloud environment in the external network 11(2), acts as an external scanner…”)
(i) a first response provided by the internal IP address that is included in the probe data (¶¶ [0056]-[0058], “In this particular example of process 110, in step 112 the network scanning appliance 14 with the network assessment computing device 12 may transmit address resolution protocol (ARP) packets [to yield probe data as a first response] to all addresses for systems, devices, and/or other hosts in for example a subnet or other defined network, such as for a particular organization or other entity on the internal network 11(1), although the ARP packets could be sent to systems, devices, and/or other hosts for another defined network which includes … the internal … networks 11(1) … [possessing internal IP addresses;” and ¶¶ [0059]-[0060], i.e., the probe data as a first response is collected and “transmit[ted]” to the “host database 40” to be stored where it can then be extracted from a “table” to obtain the “parsed vulnerability data,” see ¶¶ [0071]-[0073]) and 
(ii) a second response provided by the external IP address that is included in the probe data (¶¶ [0056]-[0058], “In this particular example of process 110, in step 112 the network scanning appliance 14 with the network assessment computing device 12 may transmit address resolution protocol (ARP) packets [to yield probe data as a second response] to all addresses for systems, devices, and/or other hosts in for example a subnet or other defined network, such as for a particular organization or other entity on the internal network 11(1), although the ARP packets could be sent to systems, devices, and/or other hosts for another defined network which includes … the … external networks … 11(2) [possessing external IP addresses];” and ¶¶ [0059]-[0060], i.e., the probe data as a second response is collected and “transmit[ted]” to the “host database ;
Nakae, however, discloses
3 …exceeds a certain threshold (¶¶ [0025], [0028], “A firewall device manages the server by assigning at least one requisite confidence level to each of the plurality of decoy devices in the decoy cluster. When an IP packet is inputted, the firewall device obtains a confidence level of the input IP packet [, which possesses a certain threshold that defines the difference between confidence and no-confidence,] from the confidence manager and determines a decoy device having a requisite confidence level, which is not greater than the obtained confidence level, as a destination of the input IP packet;” i.e., if the risk exceeds a certain threshold, the input IP packet is forwarded to the decoy device), and 
4 notify a firewall (¶ [0029], “The firewall device receives an attack detection alert…”) deployed along a perimeter of the internal network (Gula, Figs. 1 & 2, ¶ [0034], i.e., the “internal firewalls 280” and the “external firewalls 284” that separate the “internal network” from the “Internet,” with the boundary between the two defining a permimeter) that future communications received from the external IP address should be deflected to a honeypot server (¶¶ [0025]-[0027], “a filtering condition manager for managing the filtering condition corresponding to the input IP packet forwarded to the decoy device depending on whether the attack detector detects an attack based on the input IP packet”).
	Regarding the combination of Gula and Ho, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have 
Regarding the combination of Gula-Ho and Klein, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho to have included the scanning data analysis feature of Klein. One of ordinary skill in the art would have been motivated to incorporate the scanning analysis feature of Klein because Klein teaches a “method for assessing in near real time or in real time internal and/or external security protection and/or health of internal and/or external network environments.”  See Klein ¶ [0051].
Regarding the combination of Gula-Ho-Klein and Nakae, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the scanning system of Gula-Ho-Klein to have included the honeypot feature of Nakae. One of ordinary skill in the art would have been motivated to incorporate the honeypot feature of Nakae because Nakae teaches the advantages of a honeypot or decoy device as known in the art, such as “By processing as above, all the packets determined to be unauthorized can be shut up on the decoy server,” see Nakae ¶ [0008], which thereby improves security.
Regarding Claim 17
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 15, and Nakae further discloses
wherein the firewall is configured to, upon receiving a communication from the external IP address, deflect the communication to the honeypot server to prevent a breach of the internal network (¶¶ [0025], [0029], “a filtering condition manager for managing the filtering condition corresponding to the input IP packet [from the external IP address] forwarded to the decoy device [to prevent a breach of the internal network] depending on whether the attack detector detects an attack based on the input IP packet.”).
Regarding Claim 20
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 15, and Gula further discloses 
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured to: examine traffic originating from, or directed to, the external IP address (Fig. 5, ¶¶ [0061]-[0062]) to determine which services, if any, are running on the external IP address (¶ [0063], “the passive scanners may have capabilities to identify specific Internet activities or services (e.g., Skype, YouTube, Pandora, Facebook, Netflix, etc.), which may be leveraged in operation 520 to list IP addresses that perform certain Internet activities, access certain Internet services, have certain client types, or match other suitable criteria.”).
E.	Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gula in view of Ho and Klein, and further in view of Nakae and Ranjan.
Regarding Claim 18
Gula-Ho-Klein-Nakae disclose the computer-implemented method of claim 15, and Gula further discloses
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured to: 
1 …; and 
monitor botnet activity by identifying all public communication activities involving any external IP address included in the blacklist (Fig. 5, ¶¶ [0061]-[0062], “For example, the destination address “0.0.0.0” may generally represent connections to the Internet [that involve[e] the external IP address] or other remote networks, whereby the queries to identify the observed outbound connections may include a filter to identify connections from devices within the network to external hosts…;” and ¶ [0045], i.e., active scanners being used in an audit to detect botnets; see also Ranum, e.g., ¶ [0023] for detecting potential botnet activity).
Gula-Ho-Klein-Nakae doesn’t disclose
	1 add the external IP address to a blacklist associated with a botnet;
Ranjan, however, discloses
	1 add the external IP address to a blacklist associated with a botnet (Col. 15:29-51, “the BotWatch system (300) includes a list of IP addresses of known bots and C&C servers in the external IP blacklists (403) [that were add[ed] to create the blacklist]] that may be (i) an external website that tracks botnets, (ii) output from a IPS/IDS that uses signature-based detection, or (iii) output from a honeypot designed to capture bot behaviors,” i.e., the IP address in the database of Ranum I relates back to IP address of the honeypot),
	Regarding the combination of Gula-Ho-Klein-Nakae and Ranjan, it would have been obvious for one of ordinary skill in the art before the effective filing date of the 
Regarding Claim 19
Gula in view of Ho and Klein, and further in view of Nakae and Ranjan disclose the system of claim 18, and Gula further discloses
wherein the security management platform (Fig. 2, ¶ [0018], ¶ [0078]) is further configured to: 
Ranjan further discloses
update the blacklist on a periodic basis by removing those external IP addresses that have not been involved in any public communication activities for a certain period of time (Col. 15:29-51, “The IP blacklists (403) is either updated whenever the external source releases a new list, or is queried individually for each new IP address detected in the incoming flows (401). Due to the temporary nature of bots, (e.g., computer users may clean their devices and remove bots) a timestamp is assigned to each entry in the external IP blacklists (403) and stale entries are removed after a pre-determined time interval.”).
Regarding the combination of Gula and Ranjan, the rationale to combine Gula and Ranjan is the same as provided for claim 18, as the subject matter of claim 18 relates to the subject matter of claim 19.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000



/D'Arcy Winston Straub/Examiner, Art Unit 2491                                                                                                                                                                                                        


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491