DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant's submission filed on 11/7/2020 has been entered. Claims 1-3, 5-12 and 14 are pending.
Response to Arguments
Applicant's arguments filed on 11/7/2020 have been fully considered but they are not persuasive.
On pages of the Remarks, the Applicants argue “First, the presently claimed invention recites reconciliation of a good address list with a bad address list in order to determine a block list. In other words, both good addresses and bad addresses are used to determine a black list. Conversely, Mashevsky discloses reconciling a white list and black list in order to update the white list. Thus, Mashevsky fails to disclose or suggest using a good address or bad address list, and updates the white list instead of determining a block list. Second, in Mashevsky the white list is updated, whereas, in the presently claimed invention, a block list is determined using the reconciliation. As such, Mashevsky fails to disclose or suggest determining a block list. In fact, Mashevsky actually teaches away from determining a block list. The entirety of the Background in Mashevsky is dedicated to explaining the problems with white lists and false positives, with the rest of Mashevsky disclosing methods for improving the creation of white lists and reduction of false positives. As such, Mashevsky is directed to updating white lists and thus teaches away from determining a block list, as recited in the present claims.”
In response, the Examiner respectfully disagrees and submits that Mashevsky at least discloses a method comprising creating a new white list of clean objects and comparing the new white list with a black list of malicious objects, wherein the objects can be IP addresses; detecting a collision between the white list and the black list due to an object being assigned to the wrong list; and correcting these lists based on the detected collisions, in which the white list is corrected if the collision is a false positive event and the black list is corrected if the collision is a false negative event (FIG. 7B). Mashevsky clearly discloses “the detection and correction of the false positives is implemented in two phases--before creation of new anti-virus databases (i.e., malware black lists) and after the anti-virus database is created and new false positives are detected. The system calculates a probability of detection of a certain potential malware object. Based on this probability, the system decides to either correct a white list (i.e., a collection of known clean objects) or update a black list (i.e., a collection of known malware objects).” (col. 4, lines 30-40). Thus, Mashevsky discloses reconciliation of a good address list with a bad address list in order to update not only white lists but also black lists.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/8/2021 is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-6, 9, 11 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Saurel et al. (US 8,621,065 hereinafter “Saurel”) in view of Afek et al. (US 2006/0212572 hereinafter “Afek”) further in view of Mashevsky et al. (US 7,640,589 hereinafter Mashevsky).
Regarding claim 1, Saurel discloses a method comprising:
receiving, at a mitigation system, a plurality of requests for one or more network resources to which the mitigation system is providing a mitigation service (FIG. 1-4, col. 2, lines 13-26; i.e. receiving at a monitoring manager or device several requests for the services or resources);
identifying a first request of the plurality of requests as occurring within the first observation cycle (FIG. 1-4, col. 2, lines 13-26; i.e.  monitoring the incoming traffic over a period of time such as examining a request or query log);

adding a first address associated with the first request to a bad address list of the first observation cycle (col. 7, lines 56-58, col. 8, lines 29-35; i.e. adding the dimension value or IP address to a temporary block list);
adding a first address associated with the first request to a block list for blocking requests from each address in the block list, including the first address, for a specified time period (FIG. 1-4, col. 2, lines 22-38, 49-53; i.e. blocking requests originating from the IP address for a specified period of time);
identifying a second request of the plurality of requests as being transmitted from the first address and as occurring within a second observation cycle, the second request occurring within the specified time period (FIG. 4, col. 2, lines 38-57; i.e. monitoring additional requests from the IP address during the specified period of time);
classifying the second request as a good request based on one or more properties of the second request (FIG. 4, col. 2, lines 38-57; i.e. determining that the additional request(s) from the IP address during the specified period of time are below threshold); and
removing the first address from the block list, thereby allowing a future request from the first address to be transmitted to the one or more network resources (FIG. 4, col. 2, lines 38-57, col. 6, lines 16-29, col. 8, lines 25-28; i.e. unblocking the request(s) and/or the dimension value such as IP address).

However, Afek discloses removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period (¶ [0006]; i.e. blocking the source for a period of time; [0089]; but if the packet contents are found to be legitimate, removing the source from the blacklist, which is interpreted as removing the source from the blacklist before the period of time has expired).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Afek’s teaching into Saurel in order to allow legitimate network packets to be processed while preventing malicious traffic (Afek, ¶ [0004]-[005], [0089]).
Mashevsky discloses creating and correcting of white lists, creating and correcting of black lists, detecting collisions between the white lists and the black lists and correcting the black lists or white lists (Abstract, FIG. 7B, col. 4, lines 22-39).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mashevsky’s teaching of comparing or reconciling a white list and a black list to generate an accurate white list or black list into the teaching of Saurel in view of Afek to disclose reconciling a good address list of the first observation cycle with the bad address list to determine a block list in order to resolve or reduce false positives or false negatives occurring during the process of detecting malicious entities (Mashevsky, col. 2, lines 26-67, col. 4, lines 27-39).
Regarding claim 2, Saurel in view of Afek and Mashevsky discloses the method of claim 1, wherein the second request is blocked (Saurel, col. 2, lines 38-57).
Regarding claim 3, Saurel in view of Afek and Mashevsky discloses the method of claim 1, further comprising: transmitting the future request to the one or more network resources, wherein the future request would have been blocked in the specified time period without the removal of the first address from the block list (Saurel, col. 3, lines 1-14, col. 6, lines 29-42).
Regarding claim 5, Saurel in view of Afek and Mashevsky discloses the method of claim 1, wherein adding the first address associated with the first request to a bad address list is based on one or more other requests in the first observation cycle that are from the first address (Saurel, col. 8, lines 29-35).
Regarding claim 6, Saurel in view of Afek and Mashevsky discloses the method of claim 1, wherein analyzing the first request to determine the one or more properties of the first request (Saurel, col. 2, lines 22-38, col. 5, lines 49-60).
Regarding claim 9, Saurel in view of Afek and Mashevsky discloses the method of claim 1, wherein the plurality of requests are received as a set of web server log files, wherein each request comprises a network resource, and a requesting address (Saurel, FIG. 3, col. 2, lines 13-22, col. 5, lines 30-48).
Regarding claim 11, Saurel in view of Afek and Mashevsky discloses the method of claim 10, further comprising: placing each address in the bad address list into a block list if the address is not contained in a whitelisted addresses list (Saurel, col. 8, lines 29-35, col. 9, lines 15-20).
Regarding claim 14, Saurel discloses a system comprising: 

memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the system to perform a method, the method comprising: 
receiving, at a mitigation system, a plurality of requests for one or more network resources to which the mitigation system is providing a mitigation service (FIG. 1-4, col. 2, lines 13-26; i.e.  monitoring the incoming traffic over a period of time such as examining a request or query log); 
identifying a first request of the plurality of requests as occurring within a first observation cycle (FIG. 1-4, col. 2, lines 13-26; i.e.  monitoring the incoming traffic over a period of time such as examining a request or query log); 
classifying the first request as a bad request based on one or more properties of the first request (FIG. 1-4, col. 2, lines 13-26, col. 5, lines 49-56, col. 6, lines 30-50; i.e. determining whether to prevent or block the request from being processed based on dimension values such as IP address);
U.S. Patent Application Serial No. 14/852,519 Reply to Office Action of January 6, 2017
adding a first address associated with the first request to a bad address list of the first observation cycle (col. 7, lines 56-58, col. 8, lines 29-35; i.e. adding the dimension value or IP address to a temporary block list);
adding a first address associated with the first request to a block list for blocking requests from each address in the block list, including the first address, for a specified time period (FIG. 1-4, col. 2, lines 22-38, 49-53; i.e. blocking requests originating from the IP address for a specified period of time); 

classifying the second request as a good request based on one or more properties of the second request (FIG. 4, col. 2, lines 38-57; i.e. determining that the additional request(s) from the IP address during the specified period of time are below threshold); and 
removing the first address from the block list, thereby allowing a future request from the first address to be transmitted to the one or more network resources (FIG. 4, col. 2, lines 38-57, col. 6, lines 16-29, col. 8, lines 25-28; i.e. unblocking the request(s) and/or the dimension value such as IP address).
Saurel does not explicitly disclose removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period; reconciling a good address list of the first observation cycle with the bad address list to determine a block list.
However, Afek discloses removing based on classifying the second request as a good request, the first address from the block list prior to expiration of the specified time period (¶ [0006]; i.e. blocking the source for a period of time; [0089]; but if the packet contents are found to be legitimate, removing the source from the blacklist, which is interpreted as removing the source from the blacklist before the period of time has expired).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Afek’s teaching into Saurel in 
Mashevsky discloses creating and correcting of white lists, creating and correcting of black lists, detecting collisions between the white lists and the black lists and correcting the black lists or white lists (Abstract, FIG. 7B, col. 4, lines 22-39).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mashevsky’s teaching of comparing or reconciling a white list and a black list to generate an accurate white list or black list into the teaching of Saurel in view of Afek to disclose reconciling a good address list of the first observation cycle with the bad address list to determine a block list in order to resolve or reduce false positives or false negatives occurring during the process of detecting malicious entities (Mashevsky, col. 2, lines 26-67, col. 4, lines 27-39).
Claims 7-8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Saurel in view of Afek and Mashevsky and further in view of Chebolu et al. (US 2005/0060412 hereinafter “Chebolu”).
Regarding claim 7, Saurel in view of Afek and Mashevsky discloses the method of claim 1.
Saurel in view of Afek and Mashevsky does not explicitly disclose wherein the one or more properties of the first request indicate a request for network resource that is on a list of prohibited network resources.
However, Chebolu discloses wherein the one or more properties of the first request indicate a request for network resource that is on a list of prohibited network resources (¶ [0079]-[0080]).

Regarding claim 8, Saurel in view of Afek and Mashevsky discloses the method of claim 1.
Saurel in view of Afek and Mashevsky does not explicitly disclose wherein the one or more properties of the second request indicate a request for network resource that is on a list of allowed network resources.
However, Chebolu discloses wherein the one or more properties of the second request indicate a request for network resource that is on a list of allowed network resources (¶ [0078]-[0080]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Chebolu’s teaching into Saurel in view of Afek and Mashevsky in order to consult or make a lookup request to a server for additional information to determine whether to authorize a request (Chebolu, ¶ [0080]).
Regarding claim 10, Saurel in view of Afek and Mashevsky discloses the method of claim 9, further comprising: analyzing each request from the set and placing each requesting address into the bad address list, and otherwise placing the requesting address in a good address list (Saurel, col. 8, lines 29-35, col. 9, lines 15-20, 39-47).

However, Chebolu discloses if the request is not a member of the allowed network resource list and the request is a member of the prohibited network resource list, and otherwise placing the requesting address in a good address list (¶ [0078]-[0080]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Chebolu’s teaching into Saurel in view of Afek and Mashevsky in order to consult or make a lookup request to a server for additional information to determine whether to authorize a request (Chebolu, ¶ [0080]).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Saurel in view of Afek and Mashevsky and further in view of Weiser et al. (US 2013/0152153 hereinafter “Weiser”).
Regarding claim 12, Saurel in view of Afek and Mashevsky discloses the method of claim 11.
Saurel in view of Afek and Mashevsky does not explicitly disclose further comprising: sending the block list to a firewall system.
However, Weiser discloses sending the block list to a firewall system (¶ [0114]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Weiser’s teaching into Saurel in view of Afek and Mashevsky in order to provide network security (Weiser, ¶ [0114]).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311.  The examiner can normally be reached on Monday-Friday 9-5 PT.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-8311.






/C. N./
Examiner, Art Unit 2435

/JOSEPH P HIRL/
Supervisory Patent Examiner, Art Unit 2435