Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

             DETAILED ACTION
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4 May 2021 has been entered.	
2.	Claims 1, 10 and 13 have been amended.
3.	Claims 2, 4, 8-9, 16-18 and 21 have been cancelled.
4.	Claim 22 is newly added.
5.	Claims 1, 3, 5-7, 10-15, 19-20 and 22 are currently pending and remain rejected.
              
             Responses to the Argument

6.	The applicant’s arguments filed on 4 May 2021 are moot in view of the new ground of rejection rendered.
Claim Rejections - 35 USC § 103
	
7.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at 
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 5-7, 10-15, 19-20 and 22 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Letal et al. (US Publication No. 20160337389), hereinafter Letal, in view of Engel et al. (US Publication No. 20140165207), hereinafter Engel.
	
In regard to claim 1: 
generating, at a behavior analysis engine, an entity analysis model by determining connections between a set of known malicious entities and a set of known non-malicious entities, wherein a connection between entities represents that the entities are associated with one another (Letal, ¶15, 18, 59).
Letal does not explicitly suggest receiving, at the behavior analysis engine, an entity from a network traffic hub in a local network, the entity comprising one of a domain and a network address that is associated with a network communication that is sent from a source device outside of the local network to a networked device in the local network; however, in the same field of endeavor, Engel discloses this limitation (Engel, ¶82, 88, Abstract).
identifying, by using the entity analysis model, a set of connected entities associated with the received entity (Letal, ¶27).
determining relationship information for the received entity by determining whether each entity of the set of connected entities is malicious (Letal, ¶33).

and transmitting, by the behavior analysis engine, processing instructions to the network traffic hub based on the determination of whether the received entity is malicious (Letal, ¶26, 56-57).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of analyzing known and unknown network entities to determine maliciousness of Letal with the method of monitoring internal and external network anomalies disclosed in Engel, in order to capture the login information and IP addresses of users who are connecting to a particular organization from the external network, as stated by Engel at para. 88.

In regard to claim 3:
wherein the set of connected entities are identified based on Whois lookups, reverse Domain Name Server (DNS) lookups, or via OpenSSL handshakes with domains (Letal, ¶14).

In regard to claim 5:
wherein the relationship information describes the set of connected entities and characteristics of connections between the set of connected entities (Letal, ¶16).

In regard to claim 6:
wherein the relationship information identifies which entities of the set of connected entities are malicious (Letal, ¶19).

In regard to claim 7:
wherein determining the relationship information comprises applying a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities (Letal, ¶54, 34).
  
In regard to claim 10:
wherein the entity analysis model is trained by determining relationship information for each entity of the set of connected entities (Letal, ¶33).

In regard to claim 11:
further comprising, responsive to determining that the received entity is malicious, transmitting the processing instructions to the network traffic hub to block network traffic associated with the received entity (Letal, ¶26).

In regard to claim 12:
further comprising, responsive to determining that the received entity is not malicious, transmitting the processing instructions to the network traffic hub to allow the received entity to communicate with networked devices in the local network (Letal, ¶17).

In regard to claim 13:
A computer-readable medium comprising instructions that, when executed by a processor, cause the processor to: generate, at a behavior analysis engine, an entity analysis model by determining connections between a set of known malicious entities and a set of known non-malicious entities, wherein a connection between entities represents that the entities are associated with one another (Letal, ¶15, 18, 59).

Letal does not explicitly suggest receive, at the behavior analysis engine, an entity from a network traffic hub in a local network, the entity comprising one of a domain and a network address that is associated with a network communication that is sent from a source device outside of the local network to a networked device in the local network; however, in the same field of endeavor, Engel discloses this limitation (Engel, ¶82, 88, Abstract).
identify, by using the entity analysis model, a set of connected entities associated with the received entity (Letal, ¶27).
determine relationship information for the received entity by determining whether each entity of the set of connected entities is malicious (Letal, ¶33).
determine whether the received entity is malicious based on the determined relationship information (Letal, ¶7, 18, 25).
and transmit processing instructions to the network traffic hub based on the determination of whether the received entity is malicious (Letal, ¶26, 56-57).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of analyzing known and unknown network entities to determine maliciousness of Letal with the method of monitoring internal and external network anomalies disclosed in Engel, in order to capture the login information and IP addresses of users who are connecting to a particular organization from the external network, as stated by Engel at para. 88.

In regard to claim 14:
wherein the relationship information identifies which entities of the set of connected entities are malicious (Letal, ¶16).

In regard to claim 15:
wherein to determine the relationship information the instructions further cause the processor to apply a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities (Letal, ¶34, 54).  

In regard to claim 19:
further comprising instructions that cause the processor to, responsive to determining that the received entity is malicious, transmit the processing instructions to the network traffic hub to block network traffic associated with the received entity.  

In regard to claim 20:
further comprising instructions that cause the processor to, responsive to determining that the received entity is not malicious, transmit the processing instructions to the network traffic hub to allow the received entity to communicate with networked devices in the local network (Letal, ¶26).

In regard to claim 22:
a memory (Letal, ¶57).
and a processor device coupled to the memory and configured to: generate, at a behavior analysis engine, an entity analysis model by determining connections between a set of known malicious entities and a set of known non-malicious entities, wherein a connection between entities represents that the entities are associated with one another (Letal, ¶15, 18, 59).

identify, by using the entity analysis model, a set of connected entities associated with the received entity (Letal, ¶27).
determine relationship information for the received entity by determining whether each entity of the set of connected entities is malicious (Letal, ¶33).
determine whether the received entity is malicious based on the determined relationship information (Letal, ¶7, 18, 25).
and transmit processing instructions to the network traffic hub based on the determination of whether the received entity is malicious (Letal, ¶26, 56-57).

                             Conclusion	
	
8.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure (see form “PTO-892 Notice of References Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONJUR RAHIM whose telephone number is (571)270-3890. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890