Remarks
Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/29/2021 has been entered.
 
Response to Arguments
Applicant's arguments filed 3/29/2021 have been fully considered but they are not persuasive.
Applicant “believes that the current claims do not merely recite elements at a high level of generality.  Even if the claims are considered to recite an abstract idea, they recite additional features that incorporate any alleged abstract idea into a practical application that can tag received records with client/server identification which is then used to identify potential threats by storing records on respective message queues.”  
Applicant alleges “Rieke fails to teach or suggest that a source/destination of records may be tagged with further information.”  This is not claimed.  The claims include enriching the network reporting information with enrichment data by adding one or more tags of enrichment data to records of the network reporting information comprising, for each of the records of the network reporting information, which is met by Rieke’s disclosure of enriching the data in any fashion, such as by creating a graph, 
Applicant then alleges “The Examiner has alleged that Reike teaches tagging the records, although relies upon Reuff as teaching the records with the particular client/server information.  Applicant notes that Reike merely teaches displaying information in various ways, such as by graphing, highlighting graph portions, etc.  This does not suggest tagging the records with information.”  Yes, it does.  If one is looking at a display that includes a list of information, this certain information may be tagged therein by highlighting that information.  Applicant has provided no reason as to why Applicant believes that this is not the case.  Furthermore, additional examples were provided as to what Rieke discloses with respect to tagging, as previously claimed.  This was quoted in the last paragraph and need not be quoted again.  Therefore, Rieke discloses tagging records with information.  
Applicant alleges “The Examiner has alleged that Reuff teaches identifying each of a source and a destination of the respective record as a client or a server.  Applicant notes that Reuff teaches that ‘the network monitoring system 200 may be configured to implement a set of rules to estimate (i.e., ‘guess’) at the server and client relationship.  The set of rules may be applied in an order that produces the most likely server and client relationship.’  Applicant respectfully submits that estimating the client and server relationship, even when combined with the teachings of Reike, does not suggest tagging records with the client/server information as claimed.”  However, Applicant fails 
Applicant also alleges “Further, there is nothing in either reference that suggests the records, or enhanced records are stored to a respective message queue, or that enhanced records can be processed by applying one or more threat detection modules to the enhanced records and then generating and transmitting alerts.  Applicant respectfully submits that even if combined, the teachings of the prior art fail to teach or suggest the subject matter of the current claims.”  Applicant is attempting to argue at least 4 separate limitations here with no actual argument.  No response can be provided, and Applicant is directed to the below rejections for a full discussion of how this subject matter is being rejected.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 8-10 and 22-24 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 8 includes limitations that appear to be duplicates of subject matter from claim 1.  The application as originally filed does not include basis for 2 separate steps of storing/adding the same information in 2 different message queues, retrieving the information from 2 different message queues, or storing/adding enriched/enhanced information in 2 different message queues.  Claims 9 and 10 are rejected for the same reasons.  Claims 22-24 are rejected for the same reasons.  


(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8-10 and 22-24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 8 includes limitations that appear to be duplicates of subject matter from claim 1.  However, it is unclear just what the difference is between these steps, how they interoperate together, what the scope of the claims is, and how one of ordinary skill in the art would construe these seemingly duplicate steps that do not include basis in the application as originally filed.  Claims 9 and 10 are rejected for the same reasons.  Claims 22-24 are rejected for the same reasons.  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-28 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) receiving and processing data. This judicial exception is not integrated into a practical application because the claims involve abstract ideas similar to FairWarning, Classen, Int. Vent. v. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are rejected under 35 U.S.C. 103 as being unpatentable over Rieke (U.S. Patent Application Publication 2016/0072831) in view of Rueff (U.S. Patent Application Publication 2012/0304130).
Regarding Claim 1,
Rieke discloses a CTI infrastructure comprising:

A collection of at least one CTI server, the collection configured for (Exemplary Citations: for example, Paragraphs 109-132 and associated figures):
Receiving the network reporting information collected by the plurality of network devices, the network reporting information comprising a plurality of records each comprising an indication of a source and destination of network traffic (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; receiving/collecting data , source and destination IP addresses and ports, flow directions are identified, for example);
Storing the received plurality of records in a record message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; received/collected information and flows, record list, database, listing on an interface, or the like, as examples);
Enriching the network reporting information with enrichment data by adding one or more tags of enrichment data to records of the network reporting information comprising, for each of the records of the network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; enriching 
Identifying each of a source and a destination of the respective record retrieved from the message queue based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; source and destination IP addresses and ports, for example);
Tagging the source and destination of the respective record (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; as above, for example); and
Storing the enhanced record with the tagged source and destination in an enhanced message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; creating graph or other data structure using the above, updating the above described queue with additional 
Processing the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged to identify potential security vulnerabilities by applying one or more threat detection models to at least the enhanced records (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; detecting vulnerabilities using models, such as graphs, lists, or other data structures, for example); and
Transmitting one or more alerts based on at least one identified potential security vulnerability (Exemplary Citations: for example, Paragraphs 109-133 and associated figures; alert or report, for example);
But does not explicitly disclose that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a client or a server, that the tagging the source and destination of the respective record tags 
Rueff, however, discloses that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a client or a server (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example); 
That the tagging the source and destination of the respective record tags them as the identified client or server (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example); and
That the sources and destinations are tagged as either clients or servers (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client 
That the enhanced record includes the tagged client or server information (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the endpoint identification techniques of Rueff into the network analysis and reporting system of Rieke in order to allow the system to determine whether a source or destination is a client or server, to provide for better reporting and endpoint type estimation, to facilitate around-the-clock data collection regardless of maintenance cycles, to provide administrators with all relevant information, and/or to increase security in the system.  
Regarding Claim 15,
Claim 15 is a method claim that corresponds to infrastructure claim 1 and is rejected for the same reasons.  
Regarding Claim 4,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that adding one or more tags of the enrichment data further comprises:

Adding the determined informational data to the network reporting information as the one or more tags (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 18,
Claim 18 is a method claim that corresponds to infrastructure claim 4 and is rejected for the same reasons.  
Regarding Claim 5,
Rieke as modified by Rueff discloses the infrastructure of claim 4, in addition, Rieke discloses that one or more of the source IP address, and the destination IP address is determined dynamically (Exemplary Citations: for example, Paragraphs 80, 95, 109-132 and associated figures; changing IP addresses, and/or IP addresses set via DHCP, for example).  
Regarding Claim 19,
Claim 19 is a method claim that corresponds to infrastructure claim 5 and is rejected for the same reasons.  
Regarding Claim 8,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for:

Retrieving network reporting information from the first message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; analyzing the above, for example); and
Adding the enriched network reporting information to a second message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; creating graph or other data structure using the above, for example).  
Regarding Claim 22,
Claim 22 is a method claim that corresponds to infrastructure claim 8 and is rejected for the same reasons.  
Regarding Claim 9,
Rieke as modified by Rueff discloses the infrastructure of claim 8, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for:
Retrieving the enriched network reporting information from the second message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; retrieving the graph or other data structure, for example);

Adding the further enriched network reporting information to a third message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; updated graph or other data structure, for example).  
Regarding Claim 23,
Claim 23 is a method claim that corresponds to infrastructure claim 9 and is rejected for the same reasons.  
Regarding Claim 10,
Rieke as modified by Rueff discloses the infrastructure of claim 9, in addition, Rieke discloses that the further enriching comprises one or more of informational data tagging, and dynamic information tagging (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 24,
Claim 24 is a method claim that corresponds to infrastructure claim 10 and is rejected for the same reasons.  
Regarding Claim 11,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for summarizing the enriched network 
Regarding Claim 25,
Claim 25 is a method claim that corresponds to infrastructure claim 11 and is rejected for the same reasons.  
Regarding Claim 12,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the enriched network reporting information is processed by threat analysis components (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 26,
Claim 26 is a method claim that corresponds to infrastructure claim 12 and is rejected for the same reasons.  
Regarding Claim 13,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that one or more potential security vulnerabilities is retrieved by an alerts component that generates one or more alerts (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; alert generating component, for example).  
Regarding Claim 27,
Claim 27 is a method claim that corresponds to infrastructure claim 13 and is rejected for the same reasons.  

Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the network reporting information comprises one or more of NetFlow data, firewall information, IPFIX data, and DNS data (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 28,
Claim 28 is a method claim that corresponds to infrastructure claim 14 and is rejected for the same reasons.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/Jeffrey D. Popham/Primary Examiner, Art Unit 2432