DETAILED ACTION
The present office action is responsive to communications received on 02/24/2021.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/24/2021 has been entered.

Status of Claims
Claims 1-3, 5-10, and 12-20 were amended.
Claim 21 is new.
Claims 1-21 are pending.

Response to arguments
With respect to the 35 USC § 103 rejection, applicant’s arguments are moot in light of new grounds of rejection. The prior art Singla et al. (US 20160212165 A1) used in this rejection is different from Singla et al. (US 20170142147 A1) used in the previous office action.

Claim Objections
Claims 1 line 17, claim 8 line 20, and claim 15 line 17 are objected to because of the following informalities:  they recite “an reliability of the association” wherein “a reliability of the association” seems more appropriate grammatically.  Appropriate correction is required.

Claim 18 is objected to because of the following informalities:  the claim recites “the at least one one second entity”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.


Claims 1-5, 8-12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Singla et al. (US 20160212165 A1) hereinafter referred to as Singla in view of Neumann (US 9654485 B1) hereinafter referred to as Neumann.

With respect to claim 1, Singla discloses: A computer implemented method for curating threat intelligence data, (Singla [0030] refers to the modules illustrated in Fig. 1 that could perform curating of threat intelligence data as will be mapped below).
comprising: receiving, from each of multiple data sources, at least a portion of threat intelligence data, (Singla [0031] discloses Fig. 2 that illustrates “system capable of determining threat scores based on threat scores of other entities” wherein the system receives as illustrated in Fig. 2 from each of multiple data sources 210a-210c).
wherein the threat intelligence data comprises: a first list of entities of a first type, and for at least one first entity of the entities of the first type, a first reputation score, where the first reputation score indicates a relative threat of the at least one first entity in posing security threat, (Singla [0033] discloses generating “threat scores” through queries that include “various resources 210a, 210b, 210c, 210n like session lists, active lists, assets etc. in a way that it only returns one numeric field”; wherein the numeric field can be used to calculate a final score according to Singla [0034-0035]. In this case, 210a could be mapped to a first list of a first type having a threat score).
a second list of entities of a second type, and for at least one second entity of the entities of the second type, a second reputation score, where the second reputation score indicates a relative threat of the at least one second entity in posing security threat, (Singla [0033] discloses generating 
and an association between the at least one first entity and the at least one second entity; (The first and second entities are associated by the mathematical formula 204 shown in Fig. 2 to form a top level threat score associated with a common entity, see paragraph [0049]).
determining a second updated reputation score for the at least one second entity; (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to determining an update to the any of the reputation scores which implicitly includes a second reputation score, or any number of reputation scores).
determining an updated reputation score for the at least one first entity and updating, in the threat intelligence data, the reputation score of the at least one first entity to the updated reputation score. (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to updating a threat score of a first entity. Wherein Singla claim 1 discloses “A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a device for providing hierarchical threat intelligence” which is mapped to the threat intelligence data which is to be updated).
Singla does not explicitly disclose: a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity
However, Neumann in an analogous art in light of applicant specs paragraph [0014 and 0019] discloses: receiving a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity; (Neumann column 15 lines 20-46 disclose “correlation module 218 may use one or more functions, such as a higher order function, a heuristic function, a schedule, a profile, and/or a probability distribution function, either singularly or in combination to determine correlations among multiple behavioral characteristics … behavioral characteristics in the normalized data are observed (e.g., detected) with a relatively high degree of relevance to each other as indicated by the behavioral characteristic pattern, they may provide evidence of an attack or at least a portion of an attack. The behavioral pattern of each correlation profile 120 may include any combination of behavioral characteristics that may be related to one another.” The paragraph is interpreted that the correlation module sends a value based on a combination of behavioral characteristics, wherein the characteristics are mapped to the first and second entities to determine an attack, mapped to a threat. Further support is found in column 16 lines 10-45 that disclose “the behavioral characteristic correlation module 218 may generate a score (e.g., a fragment score) for each correlated group of behavioral characteristics forming a fragment that represents the degree of relatedness of the behavioral characteristics to one another, and the attack identification module 219 may generate another score (e.g., an attack score) that represents a likelihood that the behavioral fragment or fragments are attack fragments and indicative of an attack.”).
determining a second updated reputation score for the at least one second entity; (Neumann column 17 lines 37-63 disclose one of many behavioral characteristics mapped to the entities which is a “detect unusual port activity”, mapped to a second entity which is the list of ports detected. Wherein “This detection module 306 may provide the noted activity to the behavioral correlation module 216. In some embodiments, the detection module 306 may generate a score for the activity and pass the behavioral characteristic and the associated score to the correlation module” Therefore the port are monitored and an updated threat score is generated whenever an activity is detected, which is interpreted that the score is updated).
determining an updated reputation score for the at least one first entity based at least in part on the confidence value and based on the determining the second updated reputation score of the at least one second entity; (Neumann column 17 line 35 to column 18 line 29 explain one embodiment wherein there are three monitored entities IP, port, and beaconing. The cited portion discloses “The behavioral correlation module 218, which may have sufficient evidence to associate the unusual port activity with a score of 0.80 (e.g., reflecting an assessment of a combination of its severity and confidence) and the unusual beaconing activity with a score of 0.75 (again, reflecting a combination of its severity and confidence), and an overall score (combining the component scores) of 0.40 confidence of a suspicious callback. Furthering the example, the behavioral correlation module 218 may also receive further evidence from another detection module 306 of a potential attack in the form of a malicious IP address match in a communication from the same network device contained in another event log, and associate an overall score of 0.30 confidence of a "callback" to this single-characteristic fragment. Combining this new behavioral fragment with the prior behavioral fragments, the attack identification module 226 may use an attack profile to classify these observed IOCs as an attack in which an adversary is involved in a campaign to steal data. In arriving at this classification, the attack identification module 226 may associate an overall score of 0.90 with these three fragments, which is, in the example, above a threshold of, say, 0.85 for classifying the observed behavior as an attack.” Therefore, the interpretation is that the unusual port score and confidence score based on the correlation determines an updated score of 0.90 for all the fragments, which refers to the entities, which means that first entity score is updated).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla with a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity as disclosed by Neumann in order to ensure better threat detection, by for example, security monitoring 

With respect to claim 2, Singla in view of Neumann disclose: The computer implemented method of claim 1, further comprising: receiving, via a user interface, a query for the at least one first entity; retrieving, from the threat intelligence data, the updated reputation score for the at least one first entity; and displaying, via the user interface, the updated reputation score in response to the query. (Singla [0024] “The device can receive a selection input selecting the updated first user interface element. When the user interface element is selected, the presentation module 134 can cause presentation of the calculated threat score of the first subset in response.” The displaying via user interface is shown in Fig. 6 as explained in the paragraph; see also paragraphs [0042, 0044, and 0052-0053]).

With respect to claim 3, Singla in view of Neumann disclose: The computer implemented method of claim 1, further comprising receiving a request to update a third reputation score of at least one third entity of the entities of the first type, (Singla [0031] discloses Fig. 2 which illustrates multiple resources, which could be mapped to any number of other entities such as third or fourth … etc. to calculate threat scores).
wherein determining the updated reputation score of the at least one first entity is further based at least in part on updating the third reputation score. (Singla Fig. 2 illustrates that the top level threat score 202 of first entity is based on other entities 210a-210c, see Singla [0041 and 0049]).

With respect to claim 4, Singla in view of Neumann disclose: The computer implemented method of claim 3, wherein the request is received via a user interface. (Singla [0024] discloses “The device can receive a selection input selecting the updated first user interface element. When the user interface element is selected, the presentation module 134 can cause presentation of the calculated threat score of the first subset in response.” The displaying via user interface is shown in Fig. 6 as explained in the paragraph; see also paragraphs [0042, 0044, and 0052-0053]).

With respect to claim 5, Singla in view of Neumann disclose: The computer implemented method of claim 1, wherein the determining the second updated reputation score comprises receiving a request to update the second reputation score of the at least one second entity to the second updated reputation score. (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to update threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc. as long as the user is submitting queries. Further support for the updating is also disclosed by Singla [0036] that recites, “Each time a threat score changes, it can notify the score change listener component. In some examples, the score change listener component will be responsible for notifying other threat scores using the changed threat score to re-calculate their score based on the new value.”).

With respect to claim 8, Singla discloses: A device for curating threat intelligence data, comprising: a memory for storing threat intelligence data and one or more parameters or instructions for curating the threat intelligence data; (Singla [0030] refers to the modules illustrated in Fig. 1 that could perform curating of threat intelligence data as will be mapped below).
and at least one processor coupled to the memory, wherein the at least one processor is configured to: receive, from each of multiple data sources, at least a portion of the threat intelligence data, (Singla [0031] discloses Fig. 2 that illustrates “system capable of determining threat scores based on threat scores of other entities” wherein the system receives as illustrated in Fig. 2 from each of multiple data sources 210a-210c).
wherein the threat intelligence data comprises: a first list of entities of a first type, and for at least one first entity of the entities of the first type, a first reputation score, where the first reputation score indicates a relative threat of the at least one first entity in posing security threat, (Singla [0033] discloses generating “threat scores” through queries that include “various resources 210a, 210b, 210c, 210n like session lists, active lists, assets etc. in a way that it only returns one numeric field”; wherein the numeric field can be used to calculate a final score according to Singla [0034-0035]. In this case, 210a could be mapped to a first list of a first type having a threat score).
a second list of entities of a second type, and for at least one second entity of the entities of the second type, a second reputation score, where the second reputation score indicates a relative threat of the at least one second entity in posting security threat, (Singla [0033] discloses generating “threat scores” through queries that include “various resources 210a, 210b, 210c, 210n like session lists, active lists, assets etc. in a way that it only returns one numeric field” wherein the numeric field can be used to calculate a final score according to Singla [0034]. 210b could be mapped to the second list of a second type for example).
and an association between the at least one first entity and the at least one second entity; (The first and second entities are associated by the mathematical formula 204 shown in Fig. 2 to form a top level threat score associated with a common entity, see paragraph [0049]).
determine a second updated reputation score for the at least one second entity; (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to determining an update to the any of the reputation scores which implicitly includes a second reputation score, or any number of reputation scores).
determine an updated reputation score for the at least one first entity; and update, in the threat intelligence data, the reputation score of the at least one of first entity to the updated reputation score. (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to updating a threat score of a first entity. Wherein Singla claim 1 discloses “A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a device for providing hierarchical threat intelligence” which is mapped to the threat intelligence data which is to be updated).
Singla does not explicitly disclose: a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity.
However, Neumann in an analogous art in light of applicant specs paragraph [0014 and 0019] discloses: receive a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity; (Neumann column 15 lines 20-46 disclose “correlation module 218 may use one or more functions, such as a higher order function, a heuristic 
determine a second updated reputation score for the at least one second entity; (Neumann column 17 lines 37-63 disclose one of many behavioral characteristics mapped to the entities which is a “detect unusual port activity”, mapped to a second entity which is the list of ports detected. Wherein “This detection module 306 may provide the noted activity to the behavioral correlation module 216. In some embodiments, the detection module 306 may generate a score for the activity and pass the behavioral characteristic and the associated score to the correlation module” Therefore the port are monitored and an updated threat score is generated whenever an activity is detected, which is interpreted that the score is updated).
determine an updated reputation score for the at least one first entity based at least in part on the confidence value and based on the determining the second updated reputation score of the at least one second entity; (Neumann column 17 line 35 to column 18 line 29 explain one embodiment wherein there are three monitored entities IP, port, and beaconing. The cited portion discloses “The behavioral correlation module 218, which may have sufficient evidence to associate the unusual port activity with a score of 0.80 (e.g., reflecting an assessment of a combination of its severity and confidence) and the unusual beaconing activity with a score of 0.75 (again, reflecting a combination of its severity and confidence), and an overall score (combining the component scores) of 0.40 confidence of a suspicious callback. Furthering the example, the behavioral correlation module 218 may also receive further evidence from another detection module 306 of a potential attack in the form of a malicious IP address match in a communication from the same network device contained in another event log, and associate an overall score of 0.30 confidence of a "callback" to this single-characteristic fragment. Combining this new behavioral fragment with the prior behavioral fragments, the attack identification module 226 may use an attack profile to classify these observed IOCs as an attack in which an adversary is involved in a campaign to steal data. In arriving at this classification, the attack identification module 226 may associate an overall score of 0.90 with these three fragments, which is, in the example, above a threshold of, say, 0.85 for classifying the observed behavior as an attack.” Therefore, the interpretation is that the unusual port score and confidence score based on the correlation determines an updated score of 0.90 for all the fragments, which refers to the entities, which means that first entity score is updated).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla with a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity as disclosed by Neumann in order to ensure better threat detection, by for example, security monitoring 

With respect to claim 9, Singla in view of Neumann disclose: The device of claim 8, wherein the at least one processor is further configured to: receive, via a user interface, a query for the at least one first entity; retrieve, from the threat intelligence data, the updated reputation score for the at least one first entity; and display, via the user interface, the updated reputation score in response to the query. (Singla [0024] “The device can receive a selection input selecting the updated first user interface element. When the user interface element is selected, the presentation module 134 can cause presentation of the calculated threat score of the first subset in response.” The displaying via user interface is shown in Fig. 6 as explained in the paragraph; see also paragraphs [0042, 0044, and 0052-0053]).

With respect to claim 10, Singla in view of Neumann disclose: The device of claim 8, wherein the at least one processor is further configured to receive a request to update a third reputation score of at least one third entity of the entities of the first type, (Singla [0031] discloses Fig. 2 which illustrates multiple resources, which could be mapped to any number of other entities such as third or fourth … etc. to calculate threat scores).
wherein the at least one processor is configured to determine the updated reputation score of the at least one first entity further based at least in part on updating the third reputation score. (Singla Fig. 2 illustrates that the top level threat score 202 of first entity is based on other entities 210a-210c, see Singla [0041 and 0049]).

With respect to claim 11, Singla in view of Neumann disclose: The device of claim 10, wherein the request is received via a user interface. (Singla [0024] discloses “The device can receive a selection input selecting the updated first user interface element. When the user interface element is selected, the presentation module 134 can cause presentation of the calculated threat score of the first subset in response.” The displaying via user interface is shown in Fig. 6 as explained in the paragraph; see also paragraphs [0042, 0044, and 0052-0053]).

With respect to claim 12, Singla in view of Neumann disclose: The device of claim 8, wherein the at least one processor is configured to determine the second updated reputation score at least in part by receiving a request to update the second reputation score of the at least one second entity to the second updated reputation score. (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to update threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc. as long as the user is submitting queries. Further support for the updating is also disclosed by Singla [0036] that recites, “Each time a threat score changes, it can notify the score change listener component. In some 

With respect to claim 15, Singla discloses: A non-transitory computer-readable medium, comprising code executable by one or more processors for curating threat intelligence data, (Singla [0030] refers to the modules illustrated in Fig. 1 that could perform curating of threat intelligence data as will be mapped below).
the code comprising code for: receiving, from each of multiple data sources, at least a portion of threat intelligence data, (Singla [0031] discloses Fig. 2 that illustrates “system capable of determining threat scores based on threat scores of other entities” wherein the system receives as illustrated in Fig. 2 from each of multiple data sources 210a-210c).
wherein the threat intelligence data comprises: a first list of entities of a first type, and for at least one first entity of the entities of the first type, a first reputation score, where the first reputation score indicates a relative threat of the at least one first entity in posing security threat, (Singla [0033] discloses generating “threat scores” through queries that include “various resources 210a, 210b, 210c, 210n like session lists, active lists, assets etc. in a way that it only returns one numeric field”; wherein the numeric field can be used to calculate a final score according to Singla [0034-0035]. In this case, 210a could be mapped to a first list of a first type having a threat score).
a second list of entities of a second type, and for at least one second entity of the entities of the second type, a second reputation score, where the second reputation score indicates a relative threat of the at least one second entity in posing security threat, (Singla [0033] discloses generating “threat scores” through queries that include “various resources 210a, 210b, 210c, 210n like session lists, 
and an association between the at least one first entity and the at least one second entity; (The first and second entities are associated by the mathematical formula 204 shown in Fig. 2 to form a top level threat score associated with a common entity, see paragraph [0049]).
determining a second updated reputation score for the at least one second entity; (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to determining an update to the any of the reputation scores which implicitly includes a second reputation score, or any number of reputation scores).
determining an updated reputation score for the at least one first entity; and updating, in the threat intelligence data, the reputation score of the at least one first entity to the updated reputation score.  (Singla [0041] discloses “receive an update notification of one or more of the calculated threat scores from a listener. The listener can receive updates to the calculated threat scores” which is mapped to updating a threat score of a first entity. Wherein Singla claim 1 discloses “A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a device for providing hierarchical threat intelligence” which is mapped to the threat intelligence data which is to be updated).
Singla does not explicitly disclose: a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity.
However, Neumann in an analogous art in light of applicant specs paragraph [0014 and 0019] discloses: receiving a confidence value corresponding to an reliability of the association between the at least one first entity and the at least one second entity; (Neumann column 15 lines 20-46 disclose “correlation module 218 may use one or more functions, such as a higher order function, a heuristic function, a schedule, a profile, and/or a probability distribution function, either singularly or in combination to determine correlations among multiple behavioral characteristics … behavioral characteristics in the normalized data are observed (e.g., detected) with a relatively high degree of relevance to each other as indicated by the behavioral characteristic pattern, they may provide evidence of an attack or at least a portion of an attack. The behavioral pattern of each correlation profile 120 may include any combination of behavioral characteristics that may be related to one another.” The paragraph is interpreted that the correlation module sends a value based on a combination of behavioral characteristics, wherein the characteristics are mapped to the first and second entities to determine an attack, mapped to a threat. Further support is found in column 16 lines 10-45 that disclose “the behavioral characteristic correlation module 218 may generate a score (e.g., a fragment score) for each correlated group of behavioral characteristics forming a fragment that represents the degree of relatedness of the behavioral characteristics to one another, and the attack identification module 219 may generate another score (e.g., an attack score) that represents a likelihood that the behavioral fragment or fragments are attack fragments and indicative of an attack.”).
determining a second updated reputation score for the at least one second entity; (Neumann column 17 lines 37-63 disclose one of many behavioral characteristics mapped to the entities which is a “detect unusual port activity”, mapped to a second entity which is the list of ports detected. Wherein “This detection module 306 may provide the noted activity to the behavioral correlation module 216. In some embodiments, the detection module 306 may generate a score for the activity and pass the behavioral characteristic and the associated score to the correlation module” Therefore the port are 
determining an updated reputation score for the at least one first entity based at least in part on the confidence value and based on determining the second updated reputation score of the at least one second entity; (Neumann column 17 line 35 to column 18 line 29 explain one embodiment wherein there are three monitored entities IP, port, and beaconing. The cited portion discloses “The behavioral correlation module 218, which may have sufficient evidence to associate the unusual port activity with a score of 0.80 (e.g., reflecting an assessment of a combination of its severity and confidence) and the unusual beaconing activity with a score of 0.75 (again, reflecting a combination of its severity and confidence), and an overall score (combining the component scores) of 0.40 confidence of a suspicious callback. Furthering the example, the behavioral correlation module 218 may also receive further evidence from another detection module 306 of a potential attack in the form of a malicious IP address match in a communication from the same network device contained in another event log, and associate an overall score of 0.30 confidence of a "callback" to this single-characteristic fragment. Combining this new behavioral fragment with the prior behavioral fragments, the attack identification module 226 may use an attack profile to classify these observed IOCs as an attack in which an adversary is involved in a campaign to steal data. In arriving at this classification, the attack identification module 226 may associate an overall score of 0.90 with these three fragments, which is, in the example, above a threshold of, say, 0.85 for classifying the observed behavior as an attack.” Therefore, the interpretation is that the unusual port score and confidence score based on the correlation determines an updated score of 0.90 for all the fragments, which refers to the entities, which means that first entity score is updated).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla with a confidence value corresponding to an 

With respect to claim 16, Singla in view of Neumann disclose: The non-transitory computer-readable medium of claim 15, further comprising code for: receiving, via a user interface, a query for the at least one first entity; retrieving, from the threat intelligence data, the updated reputation score for the at least one first entity; and displaying, via the user interface, the updated reputation score in response to the query. (Singla [0024] “The device can receive a selection input selecting the updated first user interface element. When the user interface element is selected, the presentation module 134 can cause presentation of the calculated threat score of the first subset in response.” The displaying via user interface is shown in Fig. 6 as explained in the paragraph; see also paragraphs [0042, 0044, and 0052-0053]).

With respect to claim 17, Singla in view of Neumann disclose: The non-transitory computer-readable medium of claim 15, further comprising code for receiving a request to update a third reputation score of at least one third entity of the entities of the first type, (Singla [0031] discloses Fig. 
wherein the code for determining determines the updated reputation score of the at least one first entity further based at least in part on updating the third reputation score. (Singla Fig. 2 illustrates that the top level threat score 202 of first entity is based on other entities 210a-210c, see Singla [0041 and 0049]).

With respect to claim 18, Singla in view of Neumann disclose: The non-transitory computer-readable medium of claim 15, wherein the code for determining the second updated reputation score comprises code for receiving a request to update the second reputation score of the at least one one second entity to the second updated reputation score. (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to update threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc. as long as the user is submitting queries. Further support for the updating is also disclosed by Singla [0036] that recites, “Each time a threat score changes, it can notify the score change listener component. In some examples, the score change listener component will be responsible for notifying other threat scores using the changed threat score to re-calculate their score based on the new value.”).

Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Singla in view of Neumann as applied to claims 1-5, 8-12, and 15-18 above, and further in view of Kirsch (US 20090037469 A1) hereinafter referred to as Kirsch.

With respect to claim 7, Singla in view of Neumann disclose: The computer implemented method of claim 1, 
They do not explicitly disclose “second type comprises file hash”.
However, Kirsch in an analogous art discloses: wherein the first type comprises internet protocol (IP) addresses, and wherein the second type comprises file hashes. (Kirsch [0050] discloses “Network reputation is defined as a ratio of the number of unique good to bad IP addresses within this network sending unsolicited email messages.” Additionally, Kirsch [0051] discloses “Content attributes are defined as individual content elements comprising the email message such as URLs, body text hashes”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla  and Neumann as combined above wherein the first type comprises internet protocol (IP) addresses, and wherein the second type comprises file hashes as disclosed by Kirsch to give the claimed method the capability of determining if an email is a threat or not (see Kirsch [0018-0019]).

With respect to claim 14, Singla in view of Neumann disclose: The device of claim 8, 
They do not explicitly disclose “second type comprises file hash”.
However, Kirsch in an analogous art discloses: wherein the first type of entity comprises internet protocol (IP) addresses, and wherein the second type of entity comprises file hashes. (Kirsch [0050] discloses “Network reputation is defined as a ratio of the number of unique good to bad IP addresses within this network sending unsolicited email messages.” Additionally, Kirsch [0051] discloses “Content attributes are defined as individual content elements comprising the email message such as URLs, body text hashes”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla  and Neumann as combined above wherein the first type comprises internet protocol (IP) addresses, and wherein the second type comprises file hashes as disclosed by Kirsch to give the claimed method the capability of determining if an email is a threat or not (see Kirsch [0018-0019]).

With respect to claim 20, Singla in view of Neumann disclose: The non-transitory computer-readable medium of claim 15, 
They do not explicitly disclose “second type comprises file hash”.
However, Kirsch in an analogous art discloses: wherein the first type comprises internet protocol (IP) addresses, and wherein the second type comprises file hashes. (Kirsch [0050] discloses “Network reputation is defined as a ratio of the number of unique good to bad IP addresses within this network sending unsolicited email messages.” Additionally, Kirsch [0051] discloses “Content attributes are defined as individual content elements comprising the email message such as URLs, body text hashes”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla  and Neumann as combined above wherein the first type comprises internet protocol (IP) addresses, and wherein the second type comprises file hashes as .

Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Singla in view of Neumann as applied to claims 1-5, 8-12, and 15-18 above, and further in view of Rubinstein et al. (US 20140196110 A1) hereinafter referred to as Rubinstein.

With respect to claim 6, Singla in view of Neumann disclose: The computer implemented method of claim 1, further comprising: receiving updated threat intelligence data including a third updated reputation score for the at least one first entity; (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to receive updated threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc.)
They do not explicitly disclose: and updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score.
However, Rubinstein in an analogous art discloses: and updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score. (Rubinstein [0044] discloses “the confidence update module 216 updates the user's confidence score based on the reputation of the user” wherein the reputation is determined based on change in reputation score. The 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla and Neumann as combined above with updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score as disclosed by Rubinstein in order to provide better services within a social networking system, and detect untrustworthy entities (see Rubinstein [0003-0004]).

With respect to claim 13, Singla in view of Neumann disclose: The device of claim 8, wherein the at least one processor is further configured to: receive updated threat intelligence data including a third updated reputation score for the at least one first entity; (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to receive updated threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc.)
They do not explicitly disclose: and update the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score.  
However, Rubinstein in an analogous art discloses: and update the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score. (Rubinstein [0044] 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla and Neumann as combined above with updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score as disclosed by Rubinstein in order to provide better services within a social networking system, and detect untrustworthy entities (see Rubinstein [0003-0004]).

With respect to claim 19, Singla in view of Neumann disclose: The non-transitory computer-readable medium of claim 15, further comprising code for: receiving updated threat intelligence data including a third updated reputation score for the at least one first entity; (Singla [0033] discloses “the numbers that the user can generate from various data sources (e.g., event resources, other threat scores, etc.). The data sources can include data queries or queries to threat scores 208. The data queries can be built on various resources 210a, 210b, 210c, 210n” which is mapped that the data queries are input by user to receive updated threat scores for entities 210a-210c wherein the update could be any number second, third, fourth, etc.)
They do not explicitly disclose: and updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score.
However, Rubinstein in an analogous art discloses: and updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score. (Rubinstein [0044] discloses “the confidence update module 216 updates the user's confidence score based on the reputation of the user” wherein the reputation is determined based on change in reputation score. The change in the reputation score is mapped to third updated reputation score or any number of updated reputation scores results in updating the confidence accordingly).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla and Neumann as combined above with updating the confidence value corresponding to the reliability of the association based at least in part on determining a difference between the updated reputation score and the third updated reputation score as disclosed by Rubinstein in order to provide better services within a social networking system, and detect untrustworthy entities (see Rubinstein [0003-0004]).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Singla in view of Neumann as applied to claims 1-5, 8-12, and 15-18 above, and further in view of Joshi et al. (US 20180374151 A1) hereinafter referred to as Joshi.

With respect to claim 21, Singla in view of Neumann disclose: The computer implemented method of claim 1, 
They do not explicitly disclose “machine learning models”.
However, Joshi in an analogous art discloses: further comprising training one or more machine learning models based on the updated reputation score. (Joshi [0031] discloses “train a machine learning model to generate and dynamically maintain a reputation score for each digital identity … dynamically update the reputation score of the given digital identity as an activity is conducted”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Singla and Neumann as combined above with further comprising training one or more machine learning models based on the updated reputation score as disclosed by Joshi to generate and dynamically maintain a reputation score for each digital identity (see Joshi [0031]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANY S GADALLA whose telephone number is (571)272-2322.  The examiner can normally be reached on Mon to Fri 8:30AM - 5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/H.S.G./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493