Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This communication is a Non-Final Office Action in response to communications received on 1/4/21.
Claim 8 has been previously cancelled.
Claims 1-7, 9-21 have been amended.
Therefore, Claims 1-7, 9-21 are now pending and have been addressed below.


Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/4/21 has been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 6, 13 and 18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was mapping the one or more of the IP address and e-mail address to a set of physical locations comprising the physical location; wherein first and second one of email address have different regions..”. The specification at [002] provides support for mapping an IP address of the source of the indicator to a physical location. However, the specification is silent regarding mapping an e-mail address to a set of physical locations. The test for sufficiency is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. For example, the claims recite "mapping e-mail address to a set of physical locations comprising the physical location." Thus the claims merely recite a description of the end desired result ("problem to be solved") and the scope of claims encompasses all techniques to attain that result ("all solutions") without describing how the terms are functionally related. A description that merely renders the invention obvious does not satisfy the requirement, Lockwood v. Am. Airlines, 107 F.3d 1565, 1571-72 (Fed. Cir. 1997). Appropriate correction is required.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-6, 9, 11-18, 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Balderas (US 2015/0180892 A1) in view of Reybok et al. (US 2015/0207813 A1)
Regarding Claims 1, 9 and 15,    Balderas discloses the method/medium ([0031]  DNS server 102, via threat assessment module 103, accesses a variety of services 104-106 to provide security intelligence and determine a threat level of the client device), comprising:
Balderas discloses receiving a security indicator by a system comprising a hardware processor in a security information sharing platform ([0027] The security characteristics (security indicator) of the requesting client, e.g., obtained from an IP reputation service built into or otherwise available to the DNS server, are preferably used to decide whether to provide a "real" or "default" answer--that is, internet protocol (IP) addresses or aliases that will point the client to content servers providing content under the given domain name--or a "misleading" or "false" answer--for example, an answer that points to slower content servers, or servers that are equipped with additional security mechanisms, tar pits, honeypots, or the like, and which may or may not have  DNS server 102, via threat assessment module 103, accesses a variety of services 104-106 to provide security intelligence and determine a threat level of the client device, Fig 4 # 400, 402 receive request), [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service, and the like. [0052]); 
Balderas discloses the geolocation information comprising a physical location associated with a security threat and/or vulnerability ([0013] determine a threat level based on the IP address of the requesting client and factors such as location (country or network) etc. (physical location), [0032]-[0033] the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address, Fig 4 # 408 geolocation service and [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module)
Balderas discloses determining, by the system geolocation information associated with the security indicator (Fig 2 # 204, 208 geolocation service, Fig 4 # 402 originating client IP address, [0013] determine a threat level based on the IP address of the requesting client and factors such as location (country or network) etc., [0032]-[0033] the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), [0037] the DNS server 102 may leverage an IP reputation service 206, a geo-location service 208, and/or invoke a process that examines the request in more detail (e.g., applying firewall rules and regular expression matches, and the like) as indicated by box 210. [0049] The DNS server 312 checks the request to see if client IP address information is included (e.g., the EDNS0 extension field value indicating network portion and client subnet portion of IP of the client that originated the request), [0049]);
Balderas discloses determining, by the system an indicator score associated with the security indicator based on the determined geolocation information ([0033] The reputation service 104 typically returns a threat score (an indicator score) and a confidence number of the given score.  ); the determining of the indicator score comprising:
Balderas discloses accessing a repository storing a plurality of threat level associations, each respective threat level association of the plurality of threat level associations comprising a respective geolocation location, a respective threat level associated with the respective geolocation information and information of a destination location ([0031]-[0032] IP reputation service 102 is used to look up the reputation of the requesting client device 101 based on its IP address. A variety of commercial IP reputation databases (repository) are available from various vendors, including for example Symantec, CommTouch, Webroot, and others.  Moreover, open source IP reputation projects such as Honeypot and dshield.org can be leveraged.,[0033]location of client, [0035], [0037] the DNS server 102 may leverage an IP reputation service 206, a geo-location service 208, and/or invoke a process that examines the request in more detail (e.g., applying firewall rules and regular expression matches, and the like) as indicated by box 210. [0038]-[0039] the DNS server 102 (repository) may maintain several different threat level categories (threat level), bracketed by threat level scores, and may take a different, configurable action in response to a client falling in each category., [0045]-[0046], [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service, and the like.  [0013] )
Balderas discloses  setting the indicator score based on the respective threat level included in a matched threat level association of the plurality of threat level associations ([0033] The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), request history of the client known to the DNS server 102 (e.g., the rate at  the DNS server 102 may maintain several different threat level categories, bracketed by threat level scores, and may take a different, configurable action in response to a client falling in each category (setting client score based on category). [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service, and the like.   ); and
Balderas does not specifically teach comparing the determined geolocation information to the respective geolocation information in the plurality of threat level associations; setting the indicator score based on the threat level included the geolocation information in the matching threat level association matching the determined geolocation information. Balderas however teaches comparing information in the plurality of threat level associations ([0036], [0038] At step 212 the threat level score compared with a configured threshold below which all clients are considered "good".)
Reybok teaches the geolocation information comprising a physical location associated with a security threat and/or vulnerability ([0047] each client network can be associated with one or more market IDs or classifications. corporate address, site address, whether the company operates a secure website, number of employees, financial rating, country of incorporation, and many other types of information can be used., Fig 4A # 403 market ID, demographics, corporate address, site address);  comparing the determined geolocation information to the respective geolocation information in the plurality of threat level associations ([0057] Information is received for different security events (e.g., threats detected from specific files, specific locations (geolocations) or sources on the Internet and threats that are otherwise of concern from a security standpoint) and is exchanged (e.g., with a cloud service) or maintained in a repository in a form that can be readily queried by one or more networks or network security providers., [0061]-[0062] Each event is stored as a discrete record in the repository 609 (or potentially multiple  This information is received and processed by query logic 619, and is run against the (central or distributed) information repository 609.  In this case, the query logic 619 will detect a "hit" because the argument "IP1" will match specific record 613 of the information repository (i.e., that record containing IP address field 613c matching "IP1")., [0067], [0074]); setting the indicator score based on the threat level included in a matched threat level association of the plurality of threat level associations, the geolocation information in the matching threat level association matching the determined geolocation information ([0074] if a central service replies back with a threat ranking that indicates risk (e.g., threat level="high"), the IDS can send a response to a FWS that causes the FWS to block the associated traffic, in real-time.  
If the IDS does not detect a threat, or the client network receives no response to its query (or alternatively, a null response), it might then permit an Internet session (e.g., with the threat source) to proceed on an interim basis.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included comparing the determined geolocation information to the respective geolocation information in the plurality of threat level associations setting the indicator score based on the threat level included in a matched threat level association of the plurality of threat level associations, the geolocation information in the matching threat level association matching the determined geolocation information, as disclosed by Reybok in the system disclosed by Balderas, for the motivation of providing a method for exchange of network security information between similarly situated networks.  Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Balderas discloses displaying security indicator based on determined indicator score ([0047] DNS server 302 can determine a threat level score based on client device's 301 IP address and pass that assessment to the authoritative DNS server 302 with its DNS request 303., [0064]-[0065] The CDN's DNS could return an IP address (preferably a virtual IP) that maps to a  sharing, by the system based on the determined indicator score, the security indicator with a community of entities via the security information sharing platform, the community of entities indicated by the information of the destination location included in the matching threat level association and the sharing of the security indicator via the security information sharing platform to provide protection against an attack of a computing environment.
Reybok teaches sharing, by the system based on the determined indicator score, the security indicator with a community of entities via the security information sharing platform, the community of entities indicated by the information of the destination location included in the matching threat level association ([0055] forwarding can be automatic, can be responsive to specific threat levels or trust levels, or can be determined in whole or part according to client-provided rules. For example, the first network can be notified of query results, e.g., in the form of a summary or other data; in one embodiment, query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of "hits," a ranked threat level provided by the central service, [0057] Information is received for different security events (e.g., threats detected from specific files, specific locations or sources on the Internet and threats that are otherwise of concern from a security standpoint) and is exchanged (e.g., with a cloud service) or maintained in a repository in a form that can be readily queried by one or more networks or network security providers. ) and the sharing of the security indicator via the security information sharing platform to provide protection against an attack of a computing environment ([0055] Other actions that can be taken, per numerals 585 and 587 include updated a stored rank and notifying other clients (community) of any updated threat level (585) or notifying other clients of query results or the results of correlation or detected threat (587).  For other clients that utilize an ACP as has been described above, results can optionally be displayed via their respective ACPs' dashboards (589)., Fig 5 B # 583, 587 notify other clients. Other information can also be provided (e.g., a suggested remedial measure) or this can be provided responsive to separate query.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included sharing, by the system based on the determined indicator score, the security indicator with a community of entities via the security information sharing platform, the community of entities indicated by the information of the destination location included in the matching threat level association and the sharing of the security indicator via the security information sharing platform to provide protection against an attack of a computing environment, as disclosed by Magee in the system disclosed by Balderas, for the motivation of providing a method for exchange of network security information between similarly situated networks. Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Claim 15,    Balderas discloses the system for considering geolocation information in a security information sharing platform ([0031]  DNS server 102, via threat assessment module 103, accesses a variety of services 104-106 to provide security intelligence and determine a threat level of the client device) comprising: Balderas teaches a physical processor ([0071] microprocessor, Fig 6 # 600) 

Regarding claims 4, 11 and 16,    Balderas as modified by Reybok teaches the method of claim 1 and medium of claim 9, wherein the determining of the indicator score further comprising:
Balderas teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address ([0013] determine a threat level based on the IP address of the requesting client and factors such as location (county or network) etc., [0032]-[0033] the location of the client from location services, Fig 4 # 402, [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service), domain name, e-mail address, Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability, and wherein the determining of the indicator score comprises:
Balderas teaches obtaining information relating to plural pieces of threat intelligence, each piece of threat intelligence of the plural pieces of threat intelligence comprising information relating to an incident, attack, indicator sighting, or attacker ([0009], [0039] the DNS server 102 may 
Balderas teaches determining a geolocation for each piece of threat intelligence of the plural pieces threat intelligence (Fig 2 # 204, 208 geolocation service, Fig 4 # 402 originating client IP address, [0013] determine a threat level based on the IP address of the requesting client and factors such as location (county or network) etc., [0032]-[0033] the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), [0037] the DNS server 102 may leverage an IP reputation service 206, a geo-location service 208, and/or invoke a process that examines the request in more detail (e.g., applying firewall rules and regular expression matches, and the like) as indicated by box 210. [0049] The DNS server 312 checks the request to see if client IP address information is included (e.g., the EDNS0 extension field value indicating network portion and client subnet portion of IP of the client that originated the request);
Balderas teaches computing correlations between the determined geolocation for the plural pieces of threat information in the set of threat intelligence ([0064]-[0065] The CDN's DNS could return an IP address (preferably a virtual IP) that maps to a particular CDN content server(s), referred to as a `red flag` address); and 
Balderas teaches setting the indicator score based on the computed correlations ([0033] The reputation service 104 typically returns a threat score and a confidence number of the given score.  The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), [0036] some answers may be marked as valid only for "no-threat" or "low-threat" clients that have a threat score below a defined threshold.  (A common scoring system can be agreed upon.) Other answers can be marked as valid to return for "medium-threat" clients, "high-threat" clients, and so on.); wherein the setting of the indicator score depends on timing information associated with each of the plural pieces of threat intelligence ([0033] The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on 

Regarding claims 5, 12 and 17,    Balderas as modified by Reybok teaches the method of claim 4, further comprising:
Balderas teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address, domain name, e-mail address, Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability ([0013] determine a threat level based on the IP address of the requesting client and factors such as location (county or network) etc., [0032]-[0033] the location of the client from location services, Fig 4 # 402 [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service),
Balderas discloses the setting of the indicator score based on the computed correlations based on physical location ([0033] The reputation service 104 typically returns a threat score and a confidence number of the given score.  The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), [0036] some answers may be marked as valid only for "no-threat" or "low-threat" clients that have a threat score below a defined threshold.  (A common scoring system can be agreed upon.) Other answers can be marked as valid to return for "medium-threat" clients, "high-threat" clients, and so on., [0033] The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP 
Balderas teaches adjusting the indicator score in response to determining that a proportion of the plurality pieces of threat intelligence are linked to a physical location ([0033] The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), request history of the client known to the DNS server 102 (e.g., the rate at which that client has been sending requests in some time period))


Regarding claims 14, 20 and 21,   Balderas as modified by Reybok teaches the method of claim 9, further comprising:
Balderas teaches wherein multiple threat level associations of the plurality of threat level associations match the determined geolocation information ([0030]-[0031] DNS server 102, via threat assessment module 103, accesses a variety of services 104-106 to provide security intelligence and determine a threat level of the client device, Fig 4 # 400, 402 receive request), and the determining of the indicator score comprises: selecting a highest threat level of threat levels included in the multiple threat level associations ([0053]), and setting the indicator score based on the highest threat level ([0011] "high-threat" clients, the client may be directed to machines equipped to deal with the perceived threat in a desired way, by virtue of them running particular security software, their capacity, their location, their configuration or other feature., [0039] the DNS server 102 may maintain several different threat level categories, bracketed by threat level scores, and may take a different, configurable action in response to a client falling in each category.)


Claims 2-3, 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Balderas (US 2015/0180892 A1) in view of Reybok et al. (US 2015/0207813 A1) as applied to claims 1 and 9, further in view of Magee et al. (US 2014/0007238 A1)

Regarding Claims 2, 10 and 19,    Balderas as modified by Reybok teaches the method of claim 1 and medium of claim 9, further comprising:
Balderas teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address, domain name, e-mail address, Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability ([0013] a given DNS server leverages an IP reputation service to score a client and thereby determine a threat level based on the IP address of the requesting client. [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service, Fig 4 # 403, [0049]), wherein the security indicator comprises an observable and/or a security measure to be performed upon detection of the security indicator (Fig 4 # 403-418 and [0050] If the level exceeds the minimum threshold, then flow moves to box 414 where the DNS server 312 determines what alternative action to take., [0051] where the threat level score for the requesting DNS server is very high. It is desired to block traffic from a certain geography or certain network/ISP associated with the DNS server and/or otherwise treat such traffic in a special manner., [0052] Assuming a threat is detected, the content server can mitigate the threat itself or respond to the client's request with a redirect (e.g., HTTP 302 redirect) sending the client to a different domain name that has been reserved for threats)
Balderas teaches wherein the geolocation information of multiple threat level associations of the plurality of threat level associations match the determined geolocation information ([0046] the DNS server 312 leverages a client IP reputation service and uses the client IP address information provided by the downstream DNS server 302 to make a threat level assessment., [0049] the DNS server 312 determines a threat level using the given client IP address information); and
Balderas teaches the determining of the indicator score ([0033] The reputation service 104 typically returns a threat score and a confidence number of the given score.  The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address), [0038]-[0039], [0047] DNS server 302 can determine a threat level score based on client device's 301 IP address.) comprising aggregating threat levels included in the multiple threat level associations, to produce an aggregated threat level ([0038] The characteristics/score returned from the service is used to calculate a threat level score.  If more than one service is used, then the various characteristics/scores returned from the services 206-210 are combined into an aggregate threat level score.), and setting the indicator score based on the aggregated threat level ([0038] If more than one service is used, then the various characteristics/scores returned from the services 206-210 are combined into an aggregate threat level score)
Balderas, however does not teach averaging the respective threat levels included in the multiple threat level associations, to produce an averaged threat level and setting the indicator score based on the average threat level.
Magee teaches averaging threat levels included in the multiple threat level associations, to produce an averaged threat level and setting the indicator score based on the average threat level (Claim 9 the threat information scoring engine applies a weighted mathematical average to the threat module scores, based on a plurality of weights assigned to each of the plurality of scoring modules. [0050] If the address in the intelligence record does not appear in the blacklist, it may be either filtered or designated for a lower priority or lower threat level.  If the address does appear in the blacklist filter, the record may be designated for a higher priority or higher threat level.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included averaging threat levels included in the multiple threat level associations, to produce an averaged threat level and setting the indicator score based on the average threat level, as disclosed by Magee in the system disclosed by Balderas, for the motivation of providing a method for collective threat intelligence gathering and processing includes a data collector, which interfaces with a plurality of intelligence information sources ([0015] Magee) and providing threat alerts to consumers ([0040] Magee)


Regarding Claim 3,    Balderas as modified by Reybok teaches the method of claim 1 and medium of claim 9, wherein the determining of the indicator score based on the determined geolocation information comprises:
Balderas teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address, domain name, e-mail address, Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability ([0013] a given DNS server leverages an IP reputation service to score a client and thereby determine a threat level based on the IP address of the requesting client. [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service, Fig 4 # 403, [0049]),
Balderas teaches determining the indicator score responsive to determining that the determined geolocation information indicates a threat associated with the security indicator ([0009] the domain name system is sometimes the target of attack, or, just as maliciously, used by attackers to find machines that they wish to attack, such as those hosting a particular website or web application., [0039]) 
Balderas does not teach wherein the security indicator comprises a level of relevance associated with the security indicator, the level of relevance being a level of relevance of the security indicator to the community of entities, a level of severity associated with the security indicator, and a type of security indicator; 
Reybok teaches wherein the security indicator comprises a level of relevance associated with the security indicator, the level of relevance being a level of relevance of the security indicator to the community of entities ([0005] relevancy function i.e. threats can be prioritized based on severity), a level of severity associated with the security indicator ([0044] any type of score or indicator can be used to express threat severity (e.g., H/M/L for high, medium low, a numerical score such as 0-99, or some other type of indicator), [0076] the threat level is gauged at a specific level, e.g., "low," "medium" or "high." [0078] threat severity level), and a type of security indicator ([0073] a threat detected by the intrusion monitoring or detection service (IDS) can be converted to a template or object with specific fields or attributes, and these fields or attributes, [0074] DS has a record matching a specified identifier with a specific threat indication (type)); Reybok teaches wherein the setting of the indicator score comprises scaling one or more of the determined geolocation information ([0082] a "high" threat level associated with IP Address (identifier) 123.123.123.123 [0084] the IP address can represent a destination IP address or other identifier (e.g., associated with inbound or outbound traffic), and the threat level field can be configured to query whether the IPS is aware of any vulnerability associated with the destination, [0076]), the respective threat level association corresponding to the determined geolocation information ([0082] threat level for IP address), and a level of relevance of the security indicator to the community of entities by a weight ([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank (weight) events for relevance), the weight indicating the weight or influence the one or more of the determined geolocation information ([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank (weight) events for relevance, [0047]), the respective threat level association corresponding to the determined geolocation information ([0082] threat level for IP address), and a level of relevance of the security indicator has on the indicator score ([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank events for relevance).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included wherein the security indicator comprises a level of relevance associated with the security indicator, the level of relevance being a level of relevance of the security indicator to the community of entities, a level of severity associated with the security indicator, and a type of security indicator; wherein the setting of the indicator score comprises scaling one or more of the determined geolocation information, the respective threat level association corresponding to the determined geolocation information, and a level of relevance of the security indicator to the community of entities by a weight, the weight indicating the weight or influence the one or more of the determined geolocation information, the respective threat level association corresponding to the determined geolocation information, and a level of relevance of the security indicator has on the indicator score, as disclosed by Reybok in the system disclosed by Balderas/Reybok, for the motivation of providing a method for exchange of network security information between similarly situated networks.  Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Balderas/Reybok do not specifically teach determining the indicator score indicates that the community is a target of a threat;
Magee teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address, domain name e-mail address. Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability ([0047] a threat information record is considered unique if both the relevant address or other identifier for the record (i.e. domain name, IP address, ASN address, e-mail address, file hash, URL) and the categorization for that record is unique in the database 30 (or data warehouse 40).);  determining the indicator score indicates that the community is a target of a threat ([0092]-[0093] Once the threat intelligence information received from the information sources 20 is fully processed and scored, then at step 208 of FIG. 2, the threat intelligence information is prepared for distribution to the consumers., [0095]-[0099], [0004] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included determining the indicator score indicates the community is a target of a threat, as disclosed by Magee in the system disclosed by Balderas, for the motivation of providing a method for collective threat intelligence gathering and processing includes a data collector, which interfaces with a plurality of intelligence information sources ([0015] Magee) and providing threat alerts to consumers ([0040] Magee)

Claims 6, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Balderas (US 2015/0180892 A1) in view of Reybok et al. (US 2015/0207813 A1) as applied to claims 1 and 9, further in view of Albertson (US 9,009,827 B1).

Regarding claims 6, 13 and 18,    Balderas as modified by Reybok teaches the method of claim 1 and medium of claim 9, wherein the method further comprises:
Balderas teaches wherein the security indicator comprises one or more of an Internet Protocol (IP) address, domain name, e-mail address, Uniform Resource Locator (URL), and a software file hash associated with the security threat and/or vulnerability ([0013] determine a threat level based on the IP address of the requesting client and factors such as location (country or network) etc., [0032]-[0033] the location of the client from location services, Fig 4 # 402 [0049] the DNS server 312 determines a threat level using the given client IP address information and leveraging various services such as an IP reputation module, geo-location module, request analyzer service),
Balderas teaches determining the indicator score for the first piece of threat information based on geolocation information/physical location ([0033] The reputation service 104 typically returns a threat score and a confidence number of the given score.  The DNS server may combine this score with other factors, such as the location of the client from location service 105 (e.g., which could be geographic location based on IP address or network location based on IP address); wherein the adjusting of the indicator score comprises increasing the indicator score in response to determining that a majority of the pieces of threat intelligence are linked to the physical location ([0033] The DNS server may combine this score with other factors, such as the location of the .
Balderas does not teach wherein the community of entities comprises a vertical-based community, wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities; 
Reybok teaches wherein the community of entities comprises a vertical-based community ([0004] open community forum for sharing potential threat information), wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank events for relevance, [0043] pooling security event information from respective, diverse networks and filtering that information for relevance., [0076] the threat level is gauged at a specific level, e.g., "low," "medium" or "high. [0078]threat severity level).,),  and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities ([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank events for relevance [0044] any type of score or indicator can be used to express threat severity (e.g., H/M/L for high, medium low, a numerical score such as 0-99, or some other type of indicator).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included wherein the community of entities comprises a vertical-based community, wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities
Balderas does not specifically teach increasing the indicator score in response to determining that a majority of the pieces of threat intelligence are linked to the physical location
Reybok teaches increasing the indicator score in response to determining that a majority of the pieces of threat intelligence are linked to the physical location ([0006] pool security events (e.g., possible network threats) and that then filter and/or rank those events for relevance., [0031] the ranking of the possible threat is increased in severity [0044] rank of the detected threat is upgraded (311); nearly any type of score or indicator can be used to express threat severity (e.g., H/M/L for high, medium low, a numerical score such as 0-99, or some other type of indicator, [0045] particular security event may later become correlated with other events and have an increased threat ranking, Fig 3 #307, 309, 311)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included increasing the indicator score in response to determining that a majority of the pieces of threat intelligence are linked to the physical location, as disclosed by Reybok in the system disclosed by Balderas/Reybok, for the motivation of providing a method for exchange of network security information between similarly situated networks.  Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Balderas teaches determine a threat level based on the IP address of the requesting client and factors such as location (country or network) etc. (physical location) ([0013]). However,  Balderas does not teach mapping the one or more of the IP address and e-mail address to a set of physical locations comprising the physical location, 
Reybok teaches mapping the one or more of the IP address and e-mail address to a set of physical locations comprising the physical location, (Fig 8A # 803customer ID, threats, [0061]-[0062] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included mapping the one or more of the IP address and e-mail address to a set of physical locations comprising the physical location, as disclosed by Reybok in the system disclosed by Balderas, for the motivation of providing a method for exchange of network security information between similarly situated networks.  Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Balderas/Reybok do not teach wherein the set of physical locations comprises a region, country, state, city, and/or zip code, wherein first and second ones of the one or more of the IP address and e-mail address have different ones of the region, country, state, city, and/or zip code; and extrapolating the different ones of the region, country, state, city, and/or zip code to a common one of the region, country, state, city, and/or zip code, 
Albertson teaches mapping the one or more of the IP address and email to a set of physical locations comprising the physical location (Fig 8A Col 14 lines 24-40 using the IP addresses and or identity of the person as seeds (see the Cluster references), and an alert may be added to a queue.  For example, if the speed threshold was set to a speed, such as, 2,000 miles per hour, then an alert would appear if there was a login between the United States and Japan within an hour of each other.) , wherein the set of physical locations comprises a region, country, state, city, and/or zip code, wherein first and second ones of the one or more of the IP address and e-mail address have different ones of the region, country, state, city, and/or zip code (Col 14 lines 24-40; and extrapolating the different ones of the region, country, state, city, and/or zip code to a common one of the region, country, state, city, and/or zip code (Col 14 lines 24-40 logins by the same person from the United States and India (different country) within minutes and/or one hour of each other.  Thus, the ruleset 820 includes code instructions that cause an entity's computing device and/or the security sharing system to find all VPN logins for a particular person.),
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included wherein the set of physical locations comprises a region, country, state, city, and/or zip code, wherein first and second ones of the one or more of the IP address and e-mail address have different ones of the region, country, state, city, and/or zip code; and extrapolating the different ones of the region, country, state, city, and/or zip code to a common one of the region, country, state, city, and/or zip code, as disclosed by Albertson in the system disclosed by Balderas/Reybok, for the motivation of providing a method for receiving a plurality of security attack data from one or more entities regarding one or more security attacks detected by respective entities and sharing security information with other entities (Col 1 lines 59-67 Albertson).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Balderas (US 2015/0180892 A1) in view of Reybok et al. (US 2014/0007238 A1) as applied to claim 1, further in view of Chan et al. (US 2016/0134644 A1)
Regarding claim 7, Balderas as modified by Reybok teaches the method of claim 1, wherein the, and wherein the method further comprises:
Balderas does not teach wherein the community of entities comprises a vertical-based community, wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities, and 
Reybok teaches wherein the community of entities comprises a vertical-based community ([0004] open community forum for sharing potential threat information), wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator([0005] relevancy function i.e. threats can be prioritized based on severity, [0006] rank events for relevance, [0043] pooling security event information from respective, diverse networks and filtering that information for relevance., [0076] the threat level is gauged at a specific level, e.g., "low," "medium" or "high. [0078]threat severity level).,),  and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included wherein the community of entities comprises a vertical-based community, wherein the indicator score comprises a severity indicator indicating a level of severity associated with the security indicator and a relevance indicator score indicating a level of relevance of the security indicator to the community of entities, as disclosed by Reybok in the system disclosed by Balderas/Reybok, for the motivation of providing a method for exchange of network security information between similarly situated networks.  Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity ([0005] Reybok).
Balderas/Reybok do not teach wherein the determining of the indicator score comprises: accessing a community threat profile specifying that a security indicator associated with a geolocation in a first country is a greater threat than a security indicator associated with a geolocation in a second country; wherein the indicator score is based on whether the determined geolocation information specifies a geolocation in the first country or a geolocation in the second country.
Chan teaches accessing a community threat profile specifying that a security indicator associated with a geolocation in a first country is a greater threat than a security indicator associated with a geolocation in a second country ([0002] a user in a country with continuous civil unrest may, on a day-to-day basis, be more accustomed to gun violence than a user in a country with little-to-no civil unrest and thus the threat threshold for the user in the country with continuous civil unrest may be different than a threat threshold for a user in a country with little-to-no civil unrest., Fig 6A # 606, 612, 614, 616, [0042], [0063] country has a high threat level (e.g., the country is at war with another country, is under threat of military action, and/or under a terrorist threat)]; wherein the indicator score is based on whether the determined geolocation information specifies a geolocation in the first country or a geolocation in the second country ([0056] the threat level 612 may comprise a numerical value score indicative of the probability that the user will experience a threat of a type associated with the threat level while at the location (e.g., or within a defined .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have included accessing a community threat profile specifying that a security indicator associated with a geolocation in a first country is a greater threat than a security indicator associated with a geolocation in a second country; wherein the indicator score is based on whether the determined geolocation information specifies a geolocation in the first country or a geolocation in the second country., as disclosed by Chan in the system disclosed by Balderas/Reybok, for the motivation of providing a method for providing user with threat level associated with a location/country in order to keep user safe ([0001] Chan)

Response to Arguments
Applicant's arguments filed 1/4/21 have been fully considered but they are not persuasive.
Regarding the 101 rejection, the 35 U.S.C. 101 rejection is withdrawn in view of the amendments and applicant's remarks.
Regarding the 103 rejection, Applicant's arguments have been considered but they are not persuasive. Applicant states that Balderas does not teach "accessing a repository storing …threat level associations….". Examiner respectfully disagrees. Balderas teaches accessing a repository storing …threat level associations… ([0036] no threat, low threat, medium or high threat, [0038]-[0039] the DNS server (repository) 102 may maintain several different threat level categories (threat level associations), bracketed by threat level scores, and may take a different, configurable action in response to a client falling in each category). Applicant's arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Chan-Gove et al. (US 2016/0379326 A1) discloses physical and cybersecurity vulnerabilities are analyzed and measured with threats to disclose potential impacts to people, properties, processes, special events, and related critical infrastructures and industries.  Overall risk scores are instantly displayed as color coded icons on a worldwide electronic map/dashboard at any geolocation, Abstract [0002], [0128],
Thomson et al. (US 9,596,256 B1) discloses display, via a user interface, of the security indicator based on the determined indicator score (Abstract lines 9-12 generate a graphical representation of a cyber-threat confidence score for user interface display via the user interactive risk evaluation component, Fig 3B # 340a-d); determining a severity of the determined geolocation information (Fig 2B # 206b and 206c criticality of threat, Fig 3B # 304a, and Col 2 lines 24-37 The TIC can use a combination of the data source, threat indicator classification and severity of the threat indicator into an overall risk score representing a confidence level of the received threat indicator.). Thomson teaches determine, based on geolocation information of a security indicator in the security information sharing platform, a severity indicator score for the security indicator (Col 6 lines 55-67 a TIC score is calculated as a rating of the severity of a threat indicator (e.g., 205).  Such a TIC score can be calculated as associated with an independent threat incident, and/or associated with a network because the threat incident can promulgate through the elements of the network.)
Gong et al. (US 10,095,866 B2) discloses system for threat risk scoring of security threats including severity and relevance scores and reporting data.
Albertson (US 9923925) discloses security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities.
Chan et al (US 20160134644) discloses geolocation safety awareness.
Horne et al. (US 2015/0371044 A1) discloses targeted security alerts
Magee et al. (US 2014/0007238 A1) teaches sharing, by the system based on the determined indicator score, of the security indicator to a first community of entities via the security information sharing platform to provide protection against an attack of a computing environment ([0091] The data about new threats then forms part of the information passed on to the consumers of the  The threat intelligence information is then filtered to improve the quality of the information.  The information is then validated, to further improve the quality of the information and to assign each item of information a threat score.  The information is then re-formatted to integrate with additional tools used by the network administrators to monitor threats to their information networks such as security information and event management (SIEM) tools like ArcSight, enVision or Q1 Radar., [0040], [0048])

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGEETA BAHL whose telephone number is (571)270-7779.  The examiner can normally be reached on 7:30 - 4PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynda Jasmin can be reached on 571-272-6782.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SANGEETA BAHL/Primary Examiner, Art Unit 3629