DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
	This office action responds to the amendments filed on May 18, 2021 for application 15/345,710.  Claims 1, 7-8, 10-12, and 17-19 were amended, and claims 1-4, 6-15, and 17-21 remain pending in the application.
Response to Arguments
	The Applicant’s arguments filed on May 18, 2021 have been fully considered, and the Examiner responds as provided below.
	Regarding the Applicant’s response at pages 7-14 of the Remarks that concerns the § 103 rejection of claim 1, the Applicant’s arguments only consider the portion of the references as cited within the Office Action of March 25, 2021.  More specifically, the argument states, “DiValentin as cited discloses…,” Remarks p. 9, “Baker as cited discloses…,” Remarks p. 11, and “Miliefsky as cited discloses…,” Remarks p. 12.  Accordingly, the arguments are moot because the § 103 rejection presented below relies upon other portions of the references, such as DiValentin ¶ [0056] and Miliefsky ¶ [0076].  Together, these references teach or suggest the limitations incorporated via the claim amendments as presented in the arguments, see Remarks pp. 7-8, 9-10, 12, and 13, such as an “endpoint agent” and a “check and extraction” process.
	Notwithstanding the Applicant’s aforementioned arguments for patentability, the Applicant suggests “Such vulnerability management systems have traditionally been too 
	Regarding the Applicant’s response at page 14 of the Remarks that concerns the § 103 rejection of the remaining claims, the argument is based upon the patentability of claim 1, and because claim 1 is not allowable over the prior art of record, the remaining claims are similarly not allowable.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, the numbered material is addressed first and the lettered material last.)
	Claims 1-4, 6-15, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over DiValentin et al. (US 2019/0132358, “DiValentin”) in view of Baker (US 6,775,657, “Baker”), and further in view of Miliefsky (US 2007/0192867, “Miliefsky”) and Kulaga et al. (US 8,209,740, “Kulaga”).
Regarding Claim 1
DiValentin discloses
A method of local-network threat response (Fig. 2, ¶¶ [0037]-[0038]), the method comprising: 
detecting, by a local network backend entity (Fig. 2, ¶¶ [0035]-[0037], i.e., the “threat intelligence server 202” and/or the “analytics server 208” are separate from the “production environment 210” and behind the “networking switch 214,” and thus either or both in combination act as a local backend entity that detect[s] … a security threat upon attack information being supplied via the “honeypot environment 212”), 
a security threat initiated by a local-network host (¶¶ [0026]-[0027], “the threat intelligence server 202 can contextualize and store information associated with … internal security threats” that are initiated by a local-network host, and ¶ [0029], a local-network host is represented by “production environment 210 (e.g., a network endpoint…)”) at a local-network honeypot entity (¶ [0034], i.e., after the “networking switch 214 redirects flow to the honeypot environment 212,” the “honeypot environment” detect[ed] … at a local-network honeypot entity) of a local network (Fig. 2, ¶ [0025], i.e., the local network is depicted, while the external network is connected to the local network via a “wired and/or wireless network” that is not depicted (i.e., the network to the left of “state A”)), 
wherein initiating the security threat is using host information received from the local-network honeypot entity identifying a network address of the local-network host (¶ [0034], “honeypot environment 212 … can use process tracing techniques to identify and provide [host] information [to initiat[e] the security threat] associated with an attack,” and ¶ [0018], “…the threat intelligence component 102 can identify key indicators and observables associated with each of the threats.  Indicators and observables [that identify and provide host information associated with an attack] may include, for example, names, identifiers, and/or hashes of processes, objects, files, applications, or services, Internet Protocol (IP) addresses of devices,…,” with the IP address acting as host information that identif[ies] a network address of the local network host and thereby initiat[es] the security threat) of the local network (Fig. 2, ¶ [0025]);
based on receipt of the trigger (¶¶ [0018], [0034], i.e., the IP address as host information is identified with a threat), determining the local-network host (¶ [0029]) initiating the detected security threat (¶ [0034]) …1; and 
2 …, 
one of triggering a threat response (¶ [0042], “For example, endpoint management software can be used to take a snapshot of a system,” e.g., the honeypot threat response that was trigger[ed]) 
or (noting that only one limitation need be met, but in the interest of compact prosecution, the Examiner will examine the remainder of the claim) 
3 … 
d …extraction… (¶ [0056], “In some implementations, capture of host-based forensics [that requires an extraction of data for analysis] may be automated,” noting that an extraction is disclosed as “an extraction of artifacts for forensic investigation” at ¶ [0051] of the Applicant’s disclosure/specification in PG-PUB US 2017/0142155)
and a vulnerability scan …4 between the local network backend entity and the local-network host (Figs. 2 & 3, ¶¶ [0039]-[0040], “For example, the management and process orchestration server 204 [acting as part of the local network backend entity] can identify a compromise to the system 200 via network traffic analysis,” i.e., the “traffic analysis” and the other “indicators of compromise” teach or suggest employing a vulnerability scan to detect the compromise such as at “production environment 210” that acts as the local-network host) for the security threat initiated by the local-network host…5.
DiValentin doesn’t disclose
	1 … is registered in a predetermined database of an endpoint threat management system where at least results of previous vulnerability scans of the local network are registered, wherein registration in the predetermined database of the endpoint threat management system is based on an endpoint agent installed on the local-network host;
	2 based on determining the local-network honeypot entity identifying the network address of the local-network host initiating the detected security threat is registered in the predetermined database of the endpoint threat management system,
3 executing a threat response operation comprising activating …d and extraction by the endpoint agent installed on the local-network host to automatically perform a network-internal vulnerability lookup and…
4 …at the local-network host of known opened ports or services…
5 …to perform the local-network threat response.
Baker, however, discloses
	1 … is registered …a,b  (Col. 4:33-46, “The registry maintained by network node 120 includes entries indicative of host nodes registered as being able to perform intrusion detection services,” where the intrusion detection services collectively make up an endpoint threat management system; see also the endpoint threat management system as disclosed by Kulaga Fig. 1, Col. 15:17-16:32, i.e., the “first PC 103” that hosts an “antivirus application”)…c;
	2 based on determining the local-network honeypot entity (of DiValentin) identifying the network address (of DiValentin) of the local-network host (of DiValentin) initiating the detected security threat (of DiValentin) is registered in the predetermined database (of Kulaga) of the endpoint threat management system, (Col. 4:33-46; Fig. 2, Col. 5:10-29, i.e., step 215 that makes the determination in the affirmative or the negative as it relates to employing an endpoint threat management system; and Miliefsky ¶ [0052], “The Clustering software will enable multiple Anti-Hacker Proactive Network Security system computer-based network appliances” which are within the endpoint threat management system to conserve CPU resources of a large network),
4 …at the local-network host of known opened ports or services… (Col. 5:46-50, “When the network activity is processed [via the scanning as disclosed by Miliefsky] at step 225 of FIG. 2, it looks for patterns of misuse. Patterns can be as simple as an attempt to access a specific port [that is open[ed] and thus vulnerable] on a specific host,”)
Kulaga, however, discloses
a …in a predetermined database of an endpoint threat management system…b (Col. 15:17-16:32, i.e., the “antivirus database” is a database that is associated with an “antivirus application” that acts as an endpoint threat management system, where the “antivirus database” is predetermined so as to remain “updated” or “new”)
Miliefsky, however, discloses
	b …where at least results of previous vulnerability scans of the local network are registered (¶¶ [0055]-[0057], “…automatically scan various computer-based network equipment for a complete and thorough vulnerability assessment through common vulnerabilities and exposures (CVEs) tests,” where the results of the CVE tests can be employed in the “Automated Remediation Clients [that can] be deployed as agents running remotely on each system within the Computer-Based network,” where 
c wherein registration in the predetermined database (of Kulaga) of the endpoint threat management system (of DiValentin) is based on an endpoint agent installed on the local-network host (¶ [0076], “Each micro-appliance may comprise a small, solid state device that runs security software [that acts as an endpoint agent] out of memory, such as random access memory,” where the “micro-appliance” discloses a local-network host as similarly disclosed by DiValentin, and the “security software” discloses an endpoint threat management system as similarly disclosed by DiValentin; and ¶ [0076], “The device may store data locally [in the predetermined database], including assessments, security updates, network or computer asset status, and the like,” i.e., the predetermined database disclosed by Kulaga is similarly disclosed by Miliefsky);
3 executing a threat response operation comprising activating a check and …d by the endpoint agent (¶ [0076]) installed on the local-network host (¶ [0057], “Then, the Administrator can configure various scheduled events [that act within a threat response operation] to enable the system to automatically scan [as a check] various computer-based network equipment for a complete and thorough vulnerability assessment through common vulnerabilities and exposures (CVEs) tests,” noting that a check is disclosed as “a deep scan” at ¶ [0051] of the Applicant’s disclosure/specification in PG-PUB US 2017/0142155) to automatically perform a network-internal vulnerability lookup (¶ [0057], “Automated Remediation Clients may be deployed as agents running remotely [as a threat response operation] on each system within the Computer-Based network. These Automated Remediation Clients will take their remediation instructions automatically, manually or a combination of both.  Each remediated system will no longer contain the CVE that placed the system at risk,” i.e., via the network-internal vulnerability lookup, the vulnerability was identified and lookup[ed] to remedy the risk)… 
5 …to perform the local-network threat response (¶¶ [0057], [0076]).
	Regarding the combination of DiValentin and Baker, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security system of DiValentin to have included the registration database feature of Baker. One of ordinary skill in the art would have been motivated to incorporate the registration database feature of Baker because DiValentin discusses “contextualiz[ing] internal threat intelligence” and an “analytics server 208 [that] can identify one or more indicators that are potentially actionable,” see DiValentin ¶¶ [0014] and [0036], respectively, and Baker teaches “registry information [having] entries indicative of host nodes registered as being able to perform intrusion detection services,” see Baker Col. 4:33-46.  The teaching of the registry of Baker suggests a further “actionable” means for the “analytics server 208” to employ in order to increase the effectiveness of the security system of DiValentin. 
	Regarding the combination of DiValentin-Baker and Miliefsky, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security system of DiValentin-Baker to have included the vulnerability system feature of Miliefsky. One of ordinary skill in the art would have been motivated to incorporate the vulnerability system feature of Miliefsky because Miliefsky 
	Regarding the combination of DiValentin-Baker-Miliefsky and Kulaga, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security system of DiValentin-Baker-Miliefsky to have included the antivirus database feature of Kulaga. One of ordinary skill in the art would have been motivated to incorporate the antivirus database feature of Kulaga because Kulaga teaches that downloading antivirus databases to a computer is a means to maintain “updated” virus protection.  See Kulaga Col. 16:14.
Regarding Claim 2
DiValentin in view of Baker, and further in view of Miliefsky and Kulaga (“DiValentin-Baker-Miliefsky-Kulaga”) disclose the method of claim 1, and DiValentin further discloses 
wherein said detecting comprises: 
identifying an abnormal local-network activity (¶ [0027], “In the present example, one or more threat indicators” that serve to identify an abnormal local-network activity), and 
identifying the IP address of the local-network host initiating the identified abnormal local-network activity (¶ [0027], “In the present example, one or more threat indicators (e.g., an IP block of addresses) may be associated with a particular security threat”).

Regarding Claim 3
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 2, and DiValentin further discloses 
said abnormal local-network activity including at least one of predefined connection establishment (¶ [0026], “a peer organization can share (e.g., via the peer exchange 112, shown in FIG. 1), information associated with an IP block of addresses targeting a particular type of resource (e.g., a database server)”), predefined authentication attempt and malware upload or installation (noting only one limitation need be met with the limitation of “at least one of”).
Regarding Claim 4
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses 
wherein said triggering comprises: 
transferring information on at least the IP address of the local-network host initiating the detected security threat (¶ [0018], “Indicators and observables [of the detected security threat] may include, for example, names, identifiers, and/or hashes of processes, objects, files, applications, or services, Internet Protocol (IP) addresses of devices, registry keys to be accessed or modified, user accounts, or other suitable indicators and observables of a security threat.”) from the local-network honeypot entity to the local-network backend entity (¶¶ [0034]-[0035], “The honeypot environment 212, for example, can use process tracing techniques to identify and provide information associated with an attack,” and “During stage (I), information is provided by the honeypot environment 212 to the indicator analytics server 208.”).
Regarding Claim 6
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses
detecting the security threat is based on at least one of a request for a secure shell connection with the local-network honeypot entity or a determined actual network address of the local-network honeypot entity identifying the network address of the local-network host (¶ [0027], “In the present example, one or more threat indicators (e.g., an IP block of addresses) may be associated with a particular security threat (e.g., a secure shell (SSH) brute force attack)”).
Regarding Claim 7
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Baker further discloses 
wherein said operation of the endpoint threat management system (Col. 4:33-46; and see also Kulaga Fig. 1, Col. 15:17-16:32) comprises: …1
DiValentin further discloses
1 …retrieving information for the local-network host by activating the check (¶ [0042], “The snapshot [that serves as an activat[ed] … check], for example, may provide one or more potential indicators of compromise [that comprise retriev[ed] information], based on a list of currently running processes, recently (e.g., within a predetermined timeframe, such as a minute, ten seconds, a second, or another suitable timeframe) ended processes, and/or recently modified objects in a similar timeframe;” see also Kulaga ¶ [0057], “Then, the Administrator can configure various scheduled events [that act within a threat response operation] to enable the system to automatically scan [as a check] various computer-based network equipment for a complete and thorough vulnerability assessment through common vulnerabilities and exposures (CVEs) tests,” noting that a check is a broad limitation that can be multi-dimensional and have many associated processes) and extraction by the endpoint agent (of Miliefsky ¶ [0076]) installed on the local-network-host (¶ [0056], “In some implementations, capture of host-based forensics [that requires an extraction of data for analysis] may be automated”).
Regarding the combination of DiValentin and Baker, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 7.
Regarding the combination of DiValentin-Baker and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 7.
Regarding Claim 8
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 7, and DiValentin further discloses 
said information including at least one of: information on properties of the local-network host, information on properties of the detected security threat (¶ [0042], “…a list of currently running processes, recently (e.g., within a predetermined timeframe, such as a minute, ten seconds, a second, or another suitable timeframe) ended processes, and/or recently modified objects in a similar timeframe,” all of which comprise properties of the detected security threat), a memory dump, at least one file hash, at least one meta information on ongoing processes and connections, at least one copy of a binary, or at least one network interface data dump (noting only one limitation need be met).
Regarding Claim 9
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
said operation of the local-network vulnerability management system (¶¶ [0086], [0135]) comprising: 
retrieving information for the local-network host by performing a lookup from a local-network vulnerability database (¶ [0131], “It will also retain a database of past audits allowing for differential audits comparing previous audits with older audits as well as incremental audits which test for only the latest known vulnerabilities,” with the “test” requiring the use of the “database” via a lookup that provides information for the local-network host that is potentially vulnerable).
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 9.
Regarding Claim 10
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
wherein said operation of the local-network vulnerability management system (¶¶ [0086], [0135]) comprises: 
retrieving information for the local-network host by performing a scan of the local-network host (¶ [0098], “The vulnerability assessment component is based on a SmartScan engine which scans network assets [to retriev[e] information] for flaws and weaknesses in the systems”), 
said information including at least one of: information on properties of the local-network host and information on properties of the detected security threat, system type, at least one opened port, at least one ongoing service, at least one system version, or at least one security vulnerability (¶¶ [0040]-[0041], “The method will dynamically detect and map changes to LAN and WAN connected equipment including searching for equipment which may be deemed as rogue and creating a network-based assets list, wherein the list contains information as to the location of the network-based assets,” and “The list may contain information as to the Internet Protocol (IP) address of said network-based assets, and the list may contain information as to the open Ports of said network-based assets and related application, session, transport, sockets and other internet protocol (IP) related information.”).
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 10.
Regarding Claim 11
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and DiValentin further discloses 
wherein said operation of the endpoint threat management system comprises at least one of: blocking or isolating the local-network host on a local-network level, or blocking or isolating at least one process of the local-network host relating to the detected security threat (¶ [0038], “Updated threat information, for example, can be provided to the management and process orchestration server 204, where it can be used to generate another predetermined course of action and/or to block future attacks,” i.e., to isolate[] or block[] threats).
Regarding Claim 21
DiValentin-Baker-Miliefsky-Kulaga discloses the method of claim 1, and Miliefsky further discloses 
wherein based on executing the operation of a local-network vulnerability management system (¶¶ [0086], [0135]) to perform a vulnerability scan (¶ [0098]), the method comprising: 
automatically generating and issuing a corresponding report comprising information retrieved …1 and the local-network honeypot entity to show that the local-network vulnerability management system has been executed (¶¶ [0086], [0135], the “[countermeasure communication] system will also send an alert through E-mail and SMS paging to an IT Manager or designated end user to let them know that the system detected a rogue or high risk and took action, automatically.”).
DiValentin further discloses
	1 …by the endpoint threat management system… (¶ [0054], “In some implementations, one or more notifications may optionally be sent (408)” for the endpoint threat management system as disclosed by DiValentin, and “notifications” being sent in the manner as disclosed by Miliefsky)
Regarding the combination of DiValentin and Miliefsky, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 21.
Regarding Claims 12-15
With respect to claims 12-15, a corresponding reasoning as given earlier for dependent claims 1-4 applies, mutatis mutandis, to the subject matter of claims 12-15, respectively. Therefore, claims 12-15 are rejected, for similar reasons, under the grounds set forth for claims 1-4, respectively.
Regarding Claim 17
With respect to dependent claim 17, a corresponding reasoning as given earlier for dependent claims 7 and 8 applies, mutatis mutandis, to the subject matter of claim 17. Therefore, claim 17 is rejected, for similar reasons, under the grounds set forth for claims 7 and 8.
Regarding Claim 18
With respect to dependent claim 18, a corresponding reasoning as given earlier for dependent claims 9 and 10 applies, mutatis mutandis, to the subject matter of claim 18. Therefore, claim 18 is rejected, for similar reasons, under the grounds set forth for claims 9 and 10.
Regarding Claim 19
With respect to claim 19, a corresponding reasoning as given earlier for claim 11 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claim 11.
Regarding Claim 20
With respect to claim 20, a corresponding reasoning as given earlier for claim 1 applies, mutatis mutandis, to the subject matter of claim 20. Therefore, claim 20 is rejected, for similar reasons, under the grounds set forth for claim 1.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491