Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.	Claims 1-21 are pending.


Response to Arguments
2.	Applicant presents arguments pertaining to the amendments as follows:
Without acceding to the propriety of these rejections, Applicant is making various amendments in the hopes of advancing prosecution. Claim 1, for example, now further recites “responsive to detecting a malicious action associated with traffic of the connection, updating the reputation cache such that a signer of an executable program used by the client to establish the connection is categorized as suspicious.” Applicant submits that this feature is not taught or suggested by the art of record.
Although Oliver does mention the use of a “digital signature,” see Oliver at [0024], this appears to be used only to identify a specific file. There is no suggestion of categorizing the signer of a program as suspicious in a reputation cache. None of the other cited references appear to be relevant as to this element.
Thus claim 1 and all claims depending therefrom are believed to be allowable over the cited art (even assuming arguendo a motivation to combine). At least similar arguments apply with equal force to the other independent claims and their respective dependents (although they are of different scope). Reconsideration and withdrawal of the § 103 rejections is thus requested.

Applicant’s arguments have been fully considered, but are moot in view of the new grounds of rejection further encompassing Colvin et al. USPGPUB 2013/0042294 and Cockerill et al. USPGPUB 20180359244. Although Colvin et al. was previously cited in reference to claim 7, Applicant has presented no arguments relating to Colvin et al. 



Claim Rejections - 35 USC § 103
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Howard et al. USPGPUB 20170310693 in view of Oliver et al. USPGPUB 2012/0192275 in further view of Colvin et al. USPGPUB 20130042294 in further view of Cockerill et al. USPGPUB 20180359244.

In reference to claim 1:
Howard et al. teaches the computer-implementable method for managing network communication, comprising:
responsive to an attempted connection from a client to a server, wherein an attempted connection from a client endpoint to a server is viewed as potentially malicious.  Howard et al. [0216] (see also [0263], where the remote endpoint may be a server)
receiving information regarding the connection from the client, where the information regarding the connection is received and may include whether a network request is directed to a remote resource, a pattern of connections, destination addresses, other network activity, and other information which may later be used to determine if the connection is suspect. Howard et al. [0215]


Howard et al. fails to explicitly teach the method
determining if the information regarding the connection matches an entry of a reputation cache; 
responsive to determining that the information regarding the connection matches an entry of the reputation cache, undertaking a remedial action in accordance with a security policy.  

Howard et al. does not teach the method in which the determination of the information regarding the connection performs a check with a reputation cache entry.  Oliver et al. however teaches a method in which a reputation cache concerning a particular program is determined by first checking a local reputation cache.  

Oliver et al. teaches a method of

determining if the information regarding a program execution attempt matches an entry of a reputation cache, where a determination is made to check the reputation cache locally first.  Oliver et al. [0020] see also [0016], such program execution including programs that themselves initiate connections.    
responsive to determining that the information regarding a program execution attempt matches an entry of the reputation cache, undertaking a remedial action in accordance with a security policy, where a remedial action may be quarantine action.  Oliver et al. [0020] in accordance with a policy.  Oliver et al. Figure 2  see also [0016], such program execution including programs that themselves initiate connections.    

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the connection checking method of Howard et al. with the reputation cache checking of Oliver et al. because it would be beneficial to check a local reputation cache first if it can be determined locally whether or not the connection attempt is malicious.  Doing so would provide a benefit of reducing the computational and network burden on a server or service which might be queried to perform such check, as well as increasing the speed of determining whether a connection should be treated as malicious because the check can be performed locally.


Howard et al. USPGPUB 20170310693 in view of Oliver et al. USPGPUB 2012/0192275 does not explicitly teach however the method further comprising the step of:

responsive to detecting a malicious action associated with traffic of the connection, updating the reputation cache such that a signer of an executable program used by the client to establish the connection is categorized as suspicious.

USPGPUB 20130042294 Colvin et al. [0038] teaches a method of updating a reputation service when an application has performed a malicious action, said updating including the updating of the application reputation.  Colvin et al. expressly teaches that one advantage of performing this updating is that it avoids the “considerable delay” which may occur by waiting for a human expert to update such information manually.

Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the step of updating the reputation data in response to detecting a malicious action, in order to provide the benefit of keeping the cache information fresh in a timely manner so as to avoid delays in deploying responses to malware (Colvin et al. [0038]) and to avoid relying on inaccurate reputation assessments due to stale information.


Howard et al. USPGPUB 20170310693 in view of Oliver et al. USPGPUB 2012/0192275 in further view of Colvin et al. USPGPUB 20130042294 however fails to explicitly teach the method where the step of updating the reputation cache is performed such that a signer of an executable program used by the client to establish the connection is categorized as suspicious. 



It would have been obvious to one of ordinary skill in the art before the effective filing date to implement the reputation cache by means of a reputation of signers, categorizing or updating such signers as suspicious, thereby providing the benefit of allowing applications attested to by a particular signer to be flagged as malicious based on reputation, without expending the resources to analyze such applications directly.


In reference to claim 2:
Howard et al. in view of Oliver et al. in further view of Colvin et al. in further view of Cockerill et al. teaches the method of Claim 1, wherein the remedial action comprises at least one of increasing inspection of the traffic of the connection and prevention of communication of the traffic, where the remedial action may comprise further inspection of the connection, such as whether the user is present or by flagging a popup regarding the connection.  Howard et al. [0217] or perform further analysis of the connection [0218-0220], or prevention of the communication of the traffic occurs when  Howard et al. [0223]


In reference to claim 3:
Howard et al. in view of Oliver et al. in further view of Colvin et al. in further view of Cockerill et al. teaches the method of Claim 1, wherein the information regarding the connection comprises information regarding the client and information regarding an executable program used by the client to establish the connection, where the information regarding the connection may comprise the program information which initiated the connection.   Oliver et al. [0020] through the 103 combination.


In reference to claim 4:
Howard et al. in view of Oliver et al. in further view of Colvin et al. in further view of Cockerill et al. teaches the method of Claim 1, wherein the information regarding the connection comprises information regarding the server, where the information regarding the connection may comprise information regarding the request being directed to a source of malware, or whether such remote location (0263) is an unusual destination address.  Howard et al. [0215] 

In reference to claim 5:
where the information concerning the connection may comprise a digital signature of the program used by the reputation service to check reputation of the program.  Oliver et al. [0024, 0020] via 103 combination see also Oliver Figure 4


In reference to claim 6:
Howard et al. in view of Oliver et al. in further view of Colvin et al. in further view of Cockerill et al. teaches the method of Claim 1, further comprising building the reputation cache by correlating malicious actions to execution of particular executable programs on particular clients, where the reputation cache is built up via correlating the malicious actions to particular executables on clients, where the actions of the program, broadly construed to include lack of actions, are used to build the reputation profile of a particular executable.  Oliver et al. [0029-0030], see also [0036], Table 1, indicating a situation where a program is known to cause the malicious action of poor performance.


In reference to claim 7:
Howard et al. in view of Oliver et al. in further view of Colvin et al. in further view of Cockerill et al. teaches the method of Claim 1, further comprising responsive to determining that the information regarding the connection does not match an entry of the reputation cache: 
allowing the traffic, inspecting the traffic, undertaking a remedial action in response to detecting the malicious action, where responsive to determining that the information concerning the connection does not match an entry in the reputation cache Oliver et al. [0020] may prompt the user to allow the traffic or further inspect the traffic via a cloud service or perform a remedial action such as a quarantine.
updating the reputation cache in response to detecting a malicious action associated with the traffic, where the reputation cache is updated in response to detecting a malicious action, Colvin et al. [0038], as combined with Howard et al. in view of Oliver et al. (the updating of the cache of Oliver et al. in response to detecting a malicious action)



Claim 8 is substantially similar to claim 1 and is rejected for the same reasons.
Claim 9 is substantially similar to claim 2 and is rejected for the same reasons.
Claim 10 is substantially similar to claim 3 and is rejected for the same reasons.
Claim 11 is substantially similar to claim 4 and is rejected for the same reasons.
Claim 12 is substantially similar to claim 5 and is rejected for the same reasons.
Claim 13 is substantially similar to claim 6 and is rejected for the same reasons.
Claim 14 is substantially similar to claim 7 and is rejected for the same reasons.

Claim 15 is substantially similar to claim 1 and is rejected for the same reasons.
Claim 16 is substantially similar to claim 2 and is rejected for the same reasons.
Claim 17 is substantially similar to claim 3 and is rejected for the same reasons.

Claim 19 is substantially similar to claim 5 and is rejected for the same reasons.
Claim 20 is substantially similar to claim 6 and is rejected for the same reasons.
Claim 21 is substantially similar to claim 7 and is rejected for the same reasons.



Conclusion
5.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


6.       The following art not relied upon is made of record:
US 20140173723 teaches a method of updating the reputations of specific addresses when it detects malicious network traffic from said address.
US 20150096018 teaches a method of using a reputation indicator to detect for malware.
US 20100005291 teaches the use of a reputation service.
US 20120023583 teaches a proactive method of detecting malware infected devices.
US 9430646 teaches a method of detecting unknown bots and botnets.


7.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS M HO whose telephone number is (571)270-7862.  The examiner can normally be reached on 11-7:30PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/THOMAS  HO/
Examiner, Art Unit 2494

/JUNG W KIM/
Supervisory Patent Examiner, Art Unit 2494