Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a Final Office action in response to communications received February 19, 2021.  Claims 1, 3-15 have been amended.  Claims 16-20 have been added.  Therefore, claims 1-20 are pending and addressed below. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Alperovitvh et al. (US2015/0326614 A1, publish date 11/12/2015) (on applicants IDS filed 08/07/2018) in view of Walsh et al. (US7886334 B1, patent date 02/08/2011). 

Claim 1:
With respect to claim 1, Alperovitvh et al. discloses a method (client entities of for generating security information based on execution activities, for acting upon the generated information or policies, and for sharing the generated information or policies with other client entities belonging to a same group, 0075) (Figures 1b and 6) comprising:
identifying, in a security information sharing platform (member client entities 104 of the group 108 may then have their security information automatically shared 110 with other member client entities 104 of the group 108, 0021, Figure 1b), a security indicator that is originated from a first source entity, the security indicator comprising (The agents may observe and act on execution activities of their respective computing devices and may generate security information based on the observed execution activities, 0014) (the security agent 216 may be a kernel-level security agent that observes and acts upon execution activities of its corresponding computing device/mobile device 208, 0033) (generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075),
wherein the security indicator provides a warning of a potential security threat, and the observable is an address or name of the potential security threat (security information may include one or more of threat information, … attack data,  vulnerability information, …  victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies, 0014);
determining a total count of sighting of the observable observed by source entities in the security information sharing platform (the security service 102 may determine the occurrence of a threat based on the security information, 0046) (the rating module 244 may be any one or more applications, processes, threads, algorithms or modules capable of being executed by a processor to associate a client entity 104 with one or both of a rating or a point currency.  The rating module 244 may provide the rating or point currency to the web server 228 for display to other client entities 104, enabling the other client entities 104 to affect the rating or point currency for the client entity 104.  For example, if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234 … the rating module 244 may increase a rating or point currency responsive to a client entity 104, 0057);
determining a reliability level of the first source entity based on the total count of sightings on the observable (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).



However, Walsh et al. teaches a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1), determining a score of the security indicator based on the reliability level of the first source entity: and comparing the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level” (Column 3, lines 12-16).  

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Walsh et al. in Alperovitvh et al. for determining a score of the security indicator based on the reliability level of the first source entity: and comparing the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat as claimed for purposes of enhancing 

Claim 2:
With respect to claim 2, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: determining an authenticity level of the first source entity based on a type of the first source entity, wherein the type of the first source entity comprises: a non-trusted source type or a trusted source type (group information 232 may also include a view of security information 234 that is associated with a group of client entities 104, The group settings may also specify a member client entity 104 or member client entities 104 as a trusted moderator or group of moderators that has the power to control admission to the group, 0044).

Walsh et al. teaches determining an authenticity level of the first source entity based on a type of the first source entity, wherein the type of the first source entity comprises: a non-trusted source type or a trusted source type (If the trust assessment result data indicates that second user 22 is not sufficiently trusted by target user 20, Column 9, lines 61-Column 10, line 6) (trust level range, classify: Trusted Friend, column 21, line 64-Coumn 22, line 2).

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 1.

Claim 3:
With respect to claim 3, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 2, as addressed.  

Alperovitvh et al. discloses the authenticity level of the first source entity (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches wherein determining the score of the security indicator (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level, Column 3, lines 12-16) is further based on the authenticity level of the first source entity (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35).

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claims 1, 13.

Claim 4:
With respect to claim 4, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: identifying, in an external resource that is external to the security information sharing platform, a set of user feedback information about the security indicator (The process 600 includes, at 602a and 602b, agents implemented on computing devices of multiple client entities generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075, Figure 6); and 
determining the reliability level of the first source entity based on the total count of sightings of the observable (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches determining the reliability level of the first source entity based on the set of user feedback Information and the total count of sightings of the observable (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35) (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level, Column 3, lines 12-16).  

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 1.

Claim 5:
With respect to claim 5, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses determining the reliability level of the first source entity based on the total count of sightings of the observable (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches further comprising: providing a survey to collect, a set of user feedback information on the security indicator from users of the security information sharing platform; and determining the reliability level of the first source entity based on the set of user feedback information  (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, the target user may be able to guide the selection of questions, scoring of questions, calculation of trust level, and other aspects of the interrogation and overall trust assessment process,  Column 9, lines 11-35).

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 1.

Claim 6:
With respect to claim 6, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: obtaining an article via a second source entity (the security service may enable a client entity to advertise security information for sharing in exchange for return security information from the receiving client entities, 0068);
determining whether the article includes information related to the security indicator; and
determining a reliability level of the second source entity based on the determination of whether the article includes the information related to of the security indicator (the security service may associate a rating with a client entity, the rating indicative of the client entity's participation in a group of client entities, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070).


Claim 7:
With respect to claim 7, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses wherein the information related to the security indicator comprises at least one of: a threat actor, a campaign, a technique/tactic/procedure (TIP), an organization, an industry sector, a community, a domain name, a timestamp, or a level of severity of the security indicator (The security information may include one or more of threat information, remediation information, attack data, vulnerability information, reverse engineering information, packet data, network flow data, protocol descriptions, victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies., 0014).

Claims 8, 13:
With respect to claims 8, 13, Alperovitvh et al. discloses a non-transitory machine-readable storage medium storing instructions executable by a processor of a computing device (client entities of for generating security information based on execution activities, for acting upon the generated information or policies, and for sharing the generated information or policies with other client entities belonging to a same group, 0075) (Figures 1b and 6), to cause the processor to: 
a processor (Each client entity 104 may have one or more computing devices/mobile devices 208, and each computing device may have processor(s) 210, 0024) that:
identify, in a security information sharing platform (member client entities 104 of the group 108 may then have their security information automatically shared 110 with other member client entities 104 of the group 108, 0021, Figure 1b), a first security indicator that Is originated from a first source entity, the first security indicator comprising a first observable (The agents may observe and act on execution activities of their respective computing devices and may generate security information based on the observed execution activities, 0014) (the security agent 216 may be a kernel-level security agent that observes and acts upon execution activities of its corresponding computing device/mobile device 208, 0033) (generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075);
wherein the security indicator provides a warning of a potential security threat, and the observable is an address or name of the potential security threat (security information may include one or more of threat information, … attack data,  vulnerability information, …  victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies, 0014);
determining a total count of sighting of the observable observed by source entities in the security information sharing platform  (the security service 102 may determine the occurrence of a threat based on the security information, 0046) (the rating module 244 may be any one or more applications, processes, threads, algorithms or modules capable of being executed by a processor to associate a client entity 104 with one or both of a rating or a point currency.  The rating module 244 may provide the rating or point currency to the web server 228 for display to other client entities 104, enabling the other client entities 104 to affect the rating or point currency for the client entity 104.  For example, if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234 … the rating module 244 may increase a rating or point currency responsive to a client entity 104, 0057);
determining a reliability level of the first source entity based on the total count of sightings on the observable (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057);
determine an authenticity level of the first source entity based on a type of the first source entity (group information 232 may also include a view of security information 234 that is associated with a group of client entities 104, The group settings may also specify a member client entity 104 or member client entities 104 as a trusted moderator or group of moderators that has the power to control admission to the group, 0044).

Alperovitvh et al. does not disclose determining a score of the security indicator based on the reliability level of the first source entity and the authenticity level of the first source entity; and compare the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat as claimed.  

However, Walsh et al. teaches a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1), determine an authenticity level of the first source entity based on a type of the first source entity (If the trust assessment result data indicates that second user 22 is not sufficiently trusted by target user 20, Column 9, lines 61-Column 10, line 6) (trust level range, classify: Trusted Friend, column 21, line 64-Coumn 22, line 2); 
determining a score of the security indicator based on the reliability level of the first source entity and the authenticity level of the first source entity (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) and compare the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level” (Column 3, lines 12-16).  

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Walsh et al. in Alperovitvh et al. for determining a score of the security indicator based on the reliability level of the first source entity and the authenticity level of the first source entity; and compare the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat as claimed for purposes of enhancing the social sharing system of Alperovitvh et al. by providing trust assessment which allow for a first user's trust level regarding a second user to be determined on a basis specific to both the first and second users, the trust assessments are based (at least in part) on determining the second user's knowledge about the first user (see Walsh et al. Column 2, lines 11-24)

Claims 9, 14:
With respect to claims 9, 14, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claims 8, 13, as addressed.  

Alperovitvh et al. discloses wherein instructions are executed to cause the processor to: to identify, in the security Information sharing platform, a second security indicator that is originated from a second source entity, the second security indicator comprising a second observable (The agents may observe and act on execution activities of their respective computing devices and may generate security information based on the observed execution activities, 0014) (the security agent 216 may be a kernel-level security agent that observes and acts upon execution activities of its corresponding computing device/mobile device 208, 0033) (generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075);
determine an authenticity level of the second source entity based on a type of the second source entity (group information 232 may also include a view of security information 234 that is associated with a group of client entities 104, The group settings may also specify a member client entity 104 or member client entities 104 as a trusted moderator or group of moderators that has the power to control admission to the group, 0044); and
determine an indicator score of the second security indicator based on the reliability level of the second source entity and the authenticity level of the second source entity (the security service may enable at least one client entity in  the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1), (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35);
determine a reliability level of the second source entity based on a total count of sightings of the second observable observed by the source entities in the security information sharing platform (If the trust assessment result data indicates that second user 22 is not sufficiently trusted by target user 20, Column 9, lines 61-Column 10, line 6) (trust level range, classify: Trusted Friend, column 21, line 64-Coumn 22, line 2); 
determine an indicator score of the security indicator based on the reliability level of the first source entity and the authenticity level of the first source entity (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level” (Column 3, lines 12-16).  

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claims 8, 13.

Claim 10:
With respect to claim 10, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 8, as addressed.  

Alperovitvh et al. discloses wherein the instructions are executable to cause the processor to: determine a number of security events that are created in the security information sharing platform, wherein the security events include the first security Indicator (Based on the observed execution activities, the security agents 216 may generate security information which the security agent 216 may act upon and provide to other security agents 216 of the same client entity 104 and of other client entities 104 in a group with the client entity 104 of the security agent 216, 0033); and
determine the reliability level of the first source entity based on the number of security events (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches determining the reliability level of the first source entity based on the number of security events and the total count of sightings of the observable (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35) (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level, Column 3, lines 12-16).  

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 8.

Claim 11:
With respect to claim 11, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 8, as addressed.  

Alperovitvh et al. discloses wherein the instructions are executable to cause the processor to: obtain, from a second source entity, a first sighting of the first observable, the first sighting of file first observable indicating that the first observable has been observed by the second source entity; obtain, from a third source entity, a second sighting of the first observable, the second sighting of the first observable indicating that the first observable has been observed by the third source entity; instructions to determine a number of sightings of the first observable, the sightings of the first, observable including the first and second sightings of the first observable; and instructions to determine the reliability level of the first source entity based on the number of sightings (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Claim 12:
With respect to claim 12, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 8, as addressed.  

Walsh et al. teaches further comprising: comparing the first set of user feedback information and the second set of user feedback information; and adjusting the reliability level of the first source entity based on the comparison (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35).

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 8.

Claim 15:
With respect to claim 15, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claim 13, as addressed.  

Alperovitvh et al. discloses wherein the instructions are executable to cause the processor to: obtain a set of votes regarding the security indicator from users of the security information sharing platform, individual votes of the set of votes indicating whether the security indicator is accurate (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Walsh et al. teaches including the set of votes in a first set of user feedback information (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35) and determining the reliability level of the first source entity based on the total count of sightings of the observable and the first set of user feedback information (a plurality of users 18, 20, and 22 and their interactions with an exemplary trust assessment system 10 (Column 7, lines 20-25) (Figure 1) (Connection 52 may also represent feedback provided to a target user 20 while the interrogation of second user 22 is in progress, The degree of involvement can vary from observation, calculation of trust level, Column 9, lines 11-35) (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level, Column 3, lines 12-16).  
 
Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claim 13.

Claims 16, 17, 19:
With respect to claims 16, 17, 19, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claims 13, 8, and 1, as addressed.  

Walsh et al. teaches wherein the instructions to compare the score of the security indicator to the at least one threshold value (The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level” (Column 3, lines 12-16) include instructions that cause the processor to:
compare the score of the security indicator to a first threshold value and a second threshold value;
in response to a determination that the score of the security indicator is below the first threshold value, continue monitoring the security indicator;
in response to a determination that the score of the security indicator is above the first threshold value but below the second threshold value, generate a recommendation to perform a further investigation on the security indicator; and
in response to a determination that the score of the security indicator is above the 
(The target trust level may comprise a minimum or even maximum level, range of levels, or any other suitable specification of conditions the trust assessment questions may be scored and the collective scores analyzed to determine the degree of trust.  For example, the scores for each question may be added into a lump sum, with different trust levels specified as ranges (e.g. "low": 0-33; "medium": 34-66; "high": 66-100; "highest": 100 and above).  Ranges may overlap, of course, Column 13, lines 13-35).

Alperovitvh et al. and Walsh et al. are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Walsh et al. is recited in claims 1, 8, and 13.

Claims 18, 20:
With respect to claims 18, 20, the combination of Alperovitvh et al. and Walsh et al. discloses the limitations of claims 17 and 8, as addressed.  

Walsh et al. teaches in response to the determination that the security indicator is the actual security threat, blocking any event that matches the security indicator (For example, the exit criteria may specify a minimal trust level.  Once the computed trust level for the second user meets or exceeds the minimal trust level, the session may be discontinued, Column 4, lines 21-24)



Response to Remarks/Arguments
Applicant's arguments filed on February 19, 2021 have been fully considered but they are not persuasive.  In the remarks, Applicant argues that:

Claim 1:
(1) In Alperovitch, the security service does not determine a total count of sightings of an observable observed by the client entities in the group. Alperovitch does not disclose that a total number of sightings of the observable is counted.  Alperovitch does not determine the reliability level of a client entity, let alone determining the reliability level of a client entity based on a total number of sightings of the observable originated from that client entity.  The participation of the client entity does not indicate the reliability level of the client entity. Moreover, the rating of the client entity in Alperovitch is not based on the total count of sightings of an observable of a security indicator.  Accordingly, determining a rating of a client entity, as discussed in Alperovitch, is not the same as determining a reliability level of the source entity, as recited in claim 1.
Therefore, Alperovitch fails to teach or suggest, “determining a total count of sightings of the observable observed by source entities in the security information sharing platform” and “determining a reliability level of the first source entity based on the total count of sightings of the observable,” as recited in independent claim 1.

Claim 3:
(2) Alperovitch discusses the rating of a client entity based on the client entity’s participation in the group. However, the client entity is not the security indicator originated from that client entity. Thus, the rating of the client entity is not the same as a score of a security indicator, as recited in claim 1.  Alperovitch does not determine a score of a security indicator based on the reliability level of the source entity, as recited in claim 1.  Alperovitch does not compare the score of the security indicator to at least one threshold value in order to determine whether the security indicator is an actual security threat.  Alperovitch does not compare the rating of client entity (allegedly equivalent to the “score” of the security indicator recited in the claim) to a threshold value to determine whether a security indicator is an actual security threat. Therefore, Alperovitch fails to teach or suggest, “determining a score of the security indicator based on the reliability level of the first source entity” and “comparing the score of the security indicator to at least one threshold value to determine whether the security indicator is an actual security threat,” as recited in independent claim 1.


In response to applicant arguments (1) and (2), Examiner respectfully disagrees.  Alperovitch et al. discloses “security information may include one or more of threat information … attack data,  vulnerability information, …  victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies” (0014), “the security service 
102 may determine the occurrence of a threat based on the security information” (0046), “the rating module 244 may be any one or more applications, processes, threads, algorithms or modules capable of being executed by a processor to associate a client entity 104 with one or both of a rating or a point currency.  The rating module 244 may provide the rating or point currency to the web server 228 for display to other client entities 104, enabling the other client entities 104 to affect the rating or point currency for the client entity 104.  For example, if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104” (0056), “the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234 … the rating module 244 may increase a rating or point currency responsive to a client entity 104” (0057).  Walsh et al. teaches “The resulting scores may be used in a calculation to determine a trust level.  For example, the scores may be summed, averaged, or otherwise manipulated to determine an aggregate score, which is then cross-referenced to a trust level” (Column 3, lines 12-16).  Therefore, examiner maintains that the combination of Alperovitch et al. and Walsh et al. does teach and suggest this limitation.  


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433