DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication filed 05/18/2021. Claims 1, 7, 8, 14 and 15 are amended and claims 1-20 remain pending.

Remarks
35 U.S.C. 101 Rejection (Software per se Analysis)
Per claims 8-14, in response to corrective amendment to claim 8, the 101 rejection of record is withdrawn.

35 U.S.C. 101 (Abstract Idea Analysis for patent eligibility)
Per claims 8-14, in response to corrective amendment to claim 8, the step 1 requirement set forth in PEG2019 is satisfied. As such, claims 8-14 are now determined as “patent eligible”.

Double Patenting Rejection
In response to amendments, the Double Patenting rejection of record is maintained.

Response to Arguments
35 U.S.C. 103 Rejection


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1. Claims 1-2, 5-9, 12-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen, US7949771B1, in view of Kupreev, US2018/0069880A1.

Per claim 1, Chen discloses a method for blocking network connections to network resources of forbidden categories, the method comprising: 
generating clusters of known certificates containing vectors of attributes of the known certificates (In one embodiment, the machine-learning module 220 takes trusted certificates 203 and non-trusted certificates 204 as training data for training the machine-learning module 220 to classify an input digital certificate as trusted or non-trusted.  The trusted certificates 203 and the non-trusted certificates 204 may comprise known trusted and non-trusted SSL digital certificates, respectively – Chen: col. 3, lines 5-27 – Note: a certificate classified as trusted is known to the system); 
(a non-trusted digital certificate is one that cannot be relied on to establish the identity or trustworthiness of a party.  The result of the training, the authentication model 330, may be employed to classify a certificate in the application computer 300 (FIG. 3).  In one embodiment, the machine-learning module 220 comprises a support vector machine (SVM).  Any suitable support vector machine software may be employed to implement the machine-learning module 220 including LIBSVM and Spider SVM software.  Other machine-learning approaches may also be used (e.g., neural networks) without detracting from the merits of the present invention – Chen: col. 3, lines 5-27);
intercepting a certificate when a protected connection is being established between a client and a server (In the preferred embodiment where the authentication model 330 comprises a support vector machine model, the certificate pre-processor 310 converts the incoming certificate 301 into a vector.  Similar to the pre-processor 210 of FIG. 2, the certificate pre-processor 310 may extract the different fields of the incoming digital certificate 301, reduce the fields to an unsigned integer using a hash function, and form the hashes of the different fields into an input vector for input to the authentication model 330.  The authentication model 330 receives and processes the input vector to classify the incoming certificate 301 as either trusted, non-trusted, or unknown digital certificate  – Chen: col. 4, lines 31-42);
determining categories of network resources to which a connection of the client is forbidden (the web server 303 is an unknown party without a trusted certificate authority.  For – Chen: col. 4, lines 62-66 and col. 5, lines 3-12 – Note: an unknown party, i.e., a web server which is not recognized by certificate authorities is not authenticated for connecting to the client, as such connection is forbidden); 
determining a category of the intercepted certificate (The authentication model 330 receives the input vector from the certificate pre-processor 310 and uses the input vector to classify the incoming certificate 301 as either trusted, non-trusted, or unknown – Chen: col. 5, lines 3-12), the determination of the category of the intercepted certificate comprising: 
identifying a network resource to which the intercepted certificate corresponds, determining whether the intercepted certificate is unknown or known, and determining the category of the intercepted certificate based on whether the certificate is known or unknown (The authentication model 330 may be created in the training computer 200 and distributed to various application computers 300 by a computer security vendor (e.g., Trend Micro Inc.) as a stand alone module or library or as part of a firewall, antivirus, web browser or other computer communication product. In an example operation, the application computer 300 may be communicating with the web server 303 over the Internet.  The web server 303 may comprise a web site in communication with the browser 302.  For example, a user of the application computer 300 may be performing an online financial or confidential transaction with the web server 303 over the Internet.  To initiate secure computer communication with the application computer 300 in accordance with the SSL protocol, the web server 303 sends its SSL certificate, referred to herein as incoming certificate 301, to the application computer 300.  The application computer 300 proceeds to authenticate the incoming certificate 301 to determine the trustworthiness or identity of the web server 303 – Chen: col. 4, lines 42-61 – Note: a web server comprising a web site is a network resource. It provides on-line financial or confidential transactions to the user, i.e., a web browser of the application computer); 
extracting attributes from the intercepted certificate (Similar to the pre-processor 210 of FIG. 2, the certificate pre-processor 310 may extract the different fields of the incoming digital certificate 301, reduce the fields to an unsigned integer using a hash function, and form the hashes of the different fields into an input vector for input to the authentication model 330.  The authentication model 330 receives and processes the input vector to classify the incoming certificate 301 as either trusted, non-trusted, or unknown digital certificate – Chen: col. 4, lines 31-42); and 
blocking the network connection when the determined category of the intercepted certificate is a category of the determined categories of the network resources to which the connection of the client is forbidden (The authentication model 330 may be created in the training computer 200 and distributed to various application computers 300 by a computer security vendor (e.g., Trend Micro Inc.) as a stand alone module or library or as part of a web browser or other computer communication product…the web browser 302 may be configured to prevent secure communication with the web server 303 if the authentication model 330 deems the incoming certificate 301 as non-trusted or unknown – Chen: col. 4, lines 42-48 and col. 5, lines 9-12), or 
Chen is not relied on to disclose but Chen in view of Kupreev discloses blocking the network connection… when the attributes extracted from the intercepted certificate are found to be similar to attributes of forbidden certificates, wherein when the intercepted certificate is unknown, the attributes extracted from the intercepted certificate are transformed into an N-dimensional vector of the intercepted certificate and wherein the N-dimensional vector is used to compare the intercepted certificate to the clusters of known and forbidden certificates (In one exemplary aspect, the method further comprises: comparing the at least one N-dimensional vector with clusters and a N-dimensional vector of at least one previously constructed statistical model of the web page; and determining and identifying the at least one element of the web page as being anomalous upon detecting at least one of: a distance between the at least one N-dimensional vector of the at least one element of the web page and centers of clusters of statistical models of the web page, in the N-dimensional space, is greater than a radii of the clusters; or a measure of proximity between the at least one N-dimensional vector of the at least one element of the web page and the centers of clusters of the statistical models of the web page, in the N-dimensional space, is greater than a first selected threshold value; or a measure of proximity between the at least one N-dimensional vector of the at least one element and N-dimensional vectors of the clusters of the statistical models of  the web server is configured to: disable a connection with the client computing device in response to detecting that the at least one element of the web page is anomalous) – Kupreev: par. 0011 and 0013 – Note: Chen in view of Kupreev discloses clusters of known and forbidden (untrusted) certificates based on evaluating elements of a web page (an element of markup language) such as hyperlinks, text blocks, text formatting, lists, objects (e.g., media files, applets, scripts, native code and others), images, image maps, tables, forms, characters, and others in accordance with generating a statistical model of a web page based on one or more clusters and using the statistical model for detecting anomalous elements of the web page).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chen in view of Kupreev to include blocking the network connection… when the attributes extracted from the intercepted certificate are found to be similar to attributes of forbidden certificates, wherein when the intercepted certificate is unknown, the attributes extracted from the intercepted certificate are transformed into an N-dimensional vector of the intercepted certificate and wherein the N-dimensional vector is used to compare the intercepted certificate to the clusters of known and forbidden certificates.
One of ordinary skill in the art would have been motivated because it would allow scanning a detected anomalous element of the web page by an antivirus means to determine if the detected anomalous element may be identified as being safe and therefore a disabled connection/halted transmission may be reestablished – Kupreev: par. 0062.  


Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 15, it recites a non-transitory computer readable medium storing thereon computer executable instructions for blocking network connections to network resources of forbidden categories (Chen: Figures 2-3, pre-processor 210, machine learning module 220 and authentication model 330), including instructions for performing the method steps of claim 1.
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Chen in view of Kupreev discloses features of claims 1, 8 and 15, wherein, when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is based on content of the network resource to which the known certificate corresponds (An N-dimensional vector of an element may include an ordered set of n real numbers, where the numbers may include the coordinates of a vector.  The number of coordinates of the vector is known as the dimensionality of the vector.  The coordinates may determine the position of the corresponding element (such as a script) or group of elements of the same kind (such as the – Kupreev: par. 0034).
The same motivation to modify Chen in view of Kupreev applied to claim 1 above applies here.

Per claims 5, 12 and 19, Chen in view of Kupreev discloses features of claims 1, 8 and 15, wherein, when the intercepted certificate is determined as being an unknown certificate (if the model 330 cannot classify the incoming certificate (e.g., due to insufficient training), the incoming certificate may be deemed as unknown – Chen: col. 4, lines 6-8), the determination of the category of the unknown certificate comprises: 
determining similarities of the unknown certificate to known certificates for which respective categories have been determined (the distance from the vector (1666, 1889) to the center of the cluster is less than the radius of the cluster, and consequently the element or group of elements whose content may be reflected by the vector belongs to the given  An anomalous element of a web page may include an element of the web page whose vector is not assigned to any one of the clusters of the statistical model constructed for the elements of the given type, or it has a statistical significance below the threshold – Kupreev: par. 0035-0036 and 0042); and 
assigning, to the unknown certificate, a category of a certificate of a known certificate found as being similar to the unknown certificate based on the similarity determination (an element may be assigned to a certain cluster if the value of a distance (in FIG. 2, "d'") from the N-dimensional vector of the element to the nearest N-dimensional vector of an element of the given cluster is less than the maximum allowable (threshold value of the distance [d']) or if the value of the distance (in FIG. 2 "d") from the N-dimensional vector of the element to the center of that cluster is less than the radius of this cluster – Kupreev: par. 0035).
The same motivation to modify Chen in view of Kupreev applied to claim 1 above applies here.

Per claims 6, 13 and 20, Chen-Kupreev discloses features of claims 1, 8 and 15, wherein the intercepted certificate is determined as being an unknown certificate when content of the identified network resource is a network resource of an unknown category (In the preferred – Chen: col. 3, lines 57-67 and col. 4, lines 1-8).

Per claims 7 and 14, Chen in view of Kupreev discloses features of claims 1 and 8, when the intercepted certificate is unknown, known certificates are represented by clusters containing vectors of attributes of the known certificates, forbidden certificates are represented by a cluster containing vectors of attributes of the forbidden certificates, the attributes extracted from the intercepted certificate are transformed into an N-dimensional vector of the intercepted certificate, distances between the N-dimensional vector of the intercepted certificate and each cluster of the clusters containing vectors of attributes of the known certificates is determined, and the intercepted certificate is found as being similar to known certificates of a cluster if: the distance between the N-dimensional vector of the intercepted certificate and a center of the (A cluster may include a set of allowable values of the coordinates of vectors for a strictly defined element or group of elements in N-dimensional space.  According to one exemplary aspect, a selected element or group of elements may be assigned to a certain cluster if a distance from the N-dimensional vector of the element to the center of that cluster is less than the radius of the cluster in the direction of the N-dimensional vector.  FIG. 2 shows an example of the cluster 210'.  In an example, an element may be assigned to a certain cluster if the value of a distance (in FIG. 2, "d'") from the N-dimensional vector of the element to the nearest N-dimensional vector of an element of the given cluster is less than the maximum allowable (threshold value of the distance [d']) or if the value of the distance (in FIG. 2 "d") from the N-dimensional vector of the element to the center of that cluster is less than the radius of this cluster.  
For example, the distance from the vector (1666, 1889) to the center of the cluster is less than the radius of the cluster, and consequently the element or group of elements whose content may be reflected by the vector belongs to the given cluster.  On the other hand, the distance from the vector (1686, 1789) to the center of the cluster is greater than the radius of the cluster and the distance to the nearest N-dimensional vector is greater than a threshold value, and therefore the element or group of elements whose content may be reflected by the vector does not belong to that cluster – Kupreev: par. 0035).
The same motivation to modify Chen in view of Kupreev applied to claim 1 above applies here.
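As an added illustration of the two cluster-assignment rules quoted from Kupreev in the claim 7 and 14 analysis (this is not code from the examiner, Chen or Kupreev): an unknown certificate's N-dimensional attribute vector is assigned to a cluster if it lies within the cluster radius of the center, or within a threshold distance d' of the cluster's nearest member vector. The two test vectors (1666, 1889) and (1686, 1789) come from the text; the cluster centers, radii, member vectors and the threshold are constructed assumptions.

```python
"""Cluster-membership test for an unknown certificate's attribute vector.

Rule (a): distance to the cluster center is less than the cluster radius.
Rule (b): distance to the nearest member vector of the cluster is below d'.
A vector matching no cluster is treated as anomalous (category unknown).
"""
from dataclasses import dataclass, field
from math import dist
from typing import List, Optional, Sequence, Tuple

Vector = Tuple[float, ...]


@dataclass
class Cluster:
    category: str                      # e.g. "known_trusted" or "forbidden"
    center: Vector                     # center of the cluster in N-dim space
    radius: float                      # allowable distance from the center
    members: List[Vector] = field(default_factory=list)  # known cert vectors


def belongs_to(vec: Vector, cluster: Cluster, nearest_threshold: float) -> bool:
    """Return True if vec is assigned to cluster by rule (a) or rule (b)."""
    if dist(vec, cluster.center) < cluster.radius:          # rule (a)
        return True
    if cluster.members:
        nearest = min(dist(vec, m) for m in cluster.members)
        if nearest < nearest_threshold:                     # rule (b)
            return True
    return False


def classify(vec: Vector, clusters: Sequence[Cluster],
             nearest_threshold: float) -> Optional[str]:
    """Category of the first cluster vec is assigned to, or None if anomalous."""
    for cluster in clusters:
        if belongs_to(vec, cluster, nearest_threshold):
            return cluster.category
    return None


def decide(vec: Vector, clusters: Sequence[Cluster],
           forbidden: Sequence[str] = ("forbidden",),
           nearest_threshold: float = 12.0) -> str:
    """Map the assigned category to a connection decision."""
    category = classify(vec, clusters, nearest_threshold)
    if category is None:
        return "unknown"          # no cluster matched: treat as anomalous
    return "block" if category in forbidden else "allow"


# Constructed sample geometry (assumption; the page gives only the two
# test vectors, not the cluster centers or radii).
KNOWN = Cluster("known_trusted", center=(1660.0, 1880.0), radius=15.0,
                members=[(1650.0, 1875.0), (1670.0, 1885.0), (1660.0, 1890.0)])
FORBIDDEN = Cluster("forbidden", center=(1900.0, 1700.0), radius=20.0,
                    members=[(1895.0, 1705.0), (1910.0, 1690.0)])
CLUSTERS = [KNOWN, FORBIDDEN]

if __name__ == "__main__":
    for v in [(1666.0, 1889.0), (1686.0, 1789.0),
              (1641.0, 1874.0), (1905.0, 1698.0)]:
        print(v, classify(v, CLUSTERS, 12.0), decide(v, CLUSTERS))
```

With the constructed geometry, (1666, 1889) is inside the known cluster's radius (rule a), (1641, 1874) is outside the radius but within d' of a member vector (rule b), and (1686, 1789) matches no cluster, as in the quoted Kupreev example.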

2. Claims 3-4, 10-11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chen, US7949771B1 in view of Kupreev, US2018/0069880A1 as applied to claims 1, 8 and 15 above, further in view of Gupta, US2020/0028848A1.

Per claims 3, 10 and 17, Chen in view of Kupreev discloses features of claims 1, 8 and 15. Chen in view of Kupreev is not relied on to disclose but further in view of Gupta discloses wherein when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is determined in accordance with a list of certificates (At any moment in time, any number of application authentication certificates are received and stored into a certificate repository (operation 1)… The application authentication certificates are associated with a particular application that a particular entity desires to run securely within the shared computing platform 101.  At some later moment in time, a user that desires to run the application selects it from an application repository 104 (e.g., through browsing actions).  The selection of an application from the application repository causes (1) initiation of a download of the selected application (operation 2) to a storage location on the cluster ( ), (2) initiation of a process to identify a previously-provided application-specific digital certificate (e.g., from the certificate repository) – Gupta: par. 0030), wherein a given certificate of the list of certificates is assigned a category of an address of a network resource to which the given certificate corresponds (the rows of a tabular embodiment of mapping data structure 114 can comprise application digital certificate information 402 from the application digital certificates 108.  The rows of mapping data structure 114 can also comprise instance- – Gupta: par. 0054-0056).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chen-Kupreev further in view of Gupta to include when the intercepted certificate is determined as being a known certificate, the determination of the category of the known certificate is determined in accordance with a list of 
One of ordinary skill in the art would have been motivated because it would allow “efficiently providing a higher degree of security than is afforded by self-signed certificates alone while avoiding wasteful resource usage associated with generating individual digital certificates for each user of each given application” – Gupta: par. 0006.

Per claims 4, 11 and 18, Chen, Kupreev and Gupta disclose features of claims 3, 10 and 17, wherein the list of certificates is established by: 
storing categories of network resources on a list (as illustrated in FIG. 4, the rows of a tabular embodiment of mapping data structure 114 can comprise application digital certificate information 402 from the application digital certificates 108.  The rows of mapping data structure 114 can also comprise instance-specific information 404 corresponding to the instances of containerized applications 1063. [0055] More specifically, for example, each table row might describe a unique combination of a containerized application instance.  Strictly as one example, a table row might comprise an entry that characterizes an application type or name (e.g., appB, or SQL_Server, etc.) such as is shown in the column labeled "appType".  Further, each row might also comprise an application instance identification information such as an "appID" (e.g., appB_1, appB_2, etc.) of the underlying containerized application – Gupta: par. 0054-0055); 
(each row might also comprise an "ipAddress" and "port" of the instance – Gupta: par. 0054-0055); and 
for each category on the list of categories of network resources, storing a list of certificates and addresses of network resources corresponding to the list of certificates (as illustrated in FIG. 4, the rows of a tabular embodiment of mapping data structure 114 can comprise application digital certificate information 402 from the application digital certificates 108.  The rows of mapping data structure 114 can also comprise instance-specific information 404 corresponding to the instances of containerized applications 1063…each row might also comprise an application instance identification information such as an "appID" (e.g., appB_1, appB_2, etc.) of the underlying containerized application.  Still further each row might include, a public key or "pubKey" from the application digital certificate of the containerized application.  In some cases, a row will hold more than one key, where the additional columns of a row hold respective keys from multiple certificates.  Still further, each row might also comprise an "ipAddress" and "port" of the instance – Gupta: par. 0054-0055).
The same motivation to modify Chen-Kupreev further in view of Gupta applied to claim 3 above applies here.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Kupreev (US2018/0103043A1) is directed to obtaining data about elements of a tested web page; generating at least one N-dimensional vector characterizing elements of the tested web page; retrieving a statistical model of known malicious web page elements; comparing the at least one N-dimensional vector with clusters of the statistical model of known malicious web page elements, by measuring the distance of the N-dimensional vector of the element and centers of all clusters of the statistical model; and identifying at least one malicious element of the tested web page based on results of the comparison.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/Examiner, Art Unit 2434