DETAILED ACTION
This office action is in response to communication filed on 6/23/2021.
Claims 1-28 are being considered on the merits.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
The amendment filed 6/23/2021 has been entered. Claims 1-28 remain pending in the application. Applicant’s amendments to the Claims have overcome the 112(b) rejection previously set forth in the Non-Final Office Action of 12/23/2020, but raise a new issue.
Response to Arguments
Regarding the rejection of claim 1 under 35 USC 103:
The Applicant submits on pages 9-10 that neither Visbal (US 8832832 B1) nor Hovor (US 20160065599 A1) “discloses or suggests providing malicious activity detection subsystems that extract meaning information and analyze the extracted meaning information to derive different threat levels that correspond to at least some addresses on the network and a weighting subsystem that provides weighted threat levels for a plurality of the addresses based on the threat levels derived by two or more of the malicious activity detection subsystems. Visbal instead teaches determining a threat score based on quantity of occurrences and recency of each occurrence of an IP address in network alert datasets, in addition to a weighting factor for each data source indicating the accuracy of the data source. And Hovor discloses a system that identifies intelligence types in advisories or the like, and uses third-party rules to distribute them” and thus fails to meet the limitations of claim 1.
The Examiner respectfully disagrees.
In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Further expanding on the arguments presented in the Non-Final Office Action of 12/23/2020, Visbal as modified by Hovor teaches the limitation in claim 1. Visbal in Fig. 1 and in Col. 5 L. 36-60 discloses different modules (i.e. malicious activity detection subsystems) determining attack/threat levels (i.e. different threat levels), which includes creating a score for individual or groups of IP addresses (i.e. corresponding to some addresses), where the calculation includes weighting the score/information. Hovor in Fig. 6 and in Para. [0126] discloses extracting text and determining patterns (i.e. meaning information) and determining (i.e. analyzing) the threat type. The Examiner respectfully submits that the reference does provide for malicious activity subsystems extracting meaning information, deriving threat levels, and weighting the threat levels for a plurality of addresses, thus the arguments are not found to be persuasive.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
In this case, Visbal uses unstructured sources to identify threats and Hovor provides a better way of extracting and analyzing data from unstructured sources.
Regarding the rejection of claim 10 under 35 USC 103:

The Examiner respectfully disagrees.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Further expanding on the arguments presented in the Non-Final Office Action of 12/23/2020, Maestas as modified by Xue teaches the limitations of claim 10. Maestas in Para. [0029] discloses using the geographic (i.e. physical) proximity with the weighted threat score to create a risk score (i.e. deriving a score based on physical proximity). Xue in Para. [0017], discloses using extracted features (i.e. logical proximity) of the address to determine whether the address is malicious (i.e. threat). The Examiner respectfully submits that the reference does provide for deriving a threat score based on physical and logical proximity, thus the arguments are not found to be persuasive.
Claim Objections
Claim 10 is objected to because of the following informalities:  
Claim 10 has been amended to state “and that is configured to determine measures of physical proximity between addresses for accessing content network”. The term “content network” is not clear and not defined in the specification; adding back in “on the” so that it reads “content on the network” would increase clarity.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1-3 and 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Visbal (US 8832832 B1) in view of Hovor (US 20160065599 A1).
Regarding claim 1, Visbal teaches A network security system, comprising: a network interface configured to connect the system to a public wide area network that can be accessed with addresses, a first malicious activity detection subsystem operatively connected to the network interface and configured to extract [meaning information] from [the language content of] textual sources accessed using addresses on the network and analyze the extracted meaning information to derive different threat levels in a [first threat category] corresponding to each of at least some addresses for accessing content on the wide area network, one or more further malicious activity detection subsystems operatively connected to the network interface and configured to extract [meaning information] from [the language content of] textual sources accessed using addresses on the network to derive further different threat levels in each of one or more further [threat categories] corresponding to each of at least some addresses for accessing content on the wide area network (Visbal, in Col. 18 lines 50-63, Col. 1 lines 25-52, Col. 3 lines 24-26, Col. 7 L. 14-25, and Col. 9 L. 1-7, discloses a network link (i.e. interface) between the internet (i.e. public wide area network) and the IP reputation system (i.e. activity detection system), where one or more modules (i.e. an activity detection subsystem and one or more further activity detection subsystems) determine network threat events or occurrences (i.e. activity) using (i.e. analyzing) data sources including unstructured (i.e. textual) sources such as e-mail messages, news report or written paper of article, where the threat events and data have different severity or levels)
a weighting subsystem responsive to each of the first and further malicious activity detection subsystems and configured to provide weighted threat levels for each of a plurality of the addresses for accessing content on the wide area network for both the derived threat levels for the first and malicious activity detection subsystem and the derived threat levels for the further malicious activity detection subsystems (Visbal, in Col. 9 L. 20-50, discloses assigning different IP addresses high or low (i.e. levels) weighting, where one or more modules (i.e. an activity detection subsystem and one or more further activity detection subsystems) determine network threat events or occurrences (i.e. activity)) 
and a scoring subsystem responsive to the weighting subsystem and configured to derive an aggregated, weighted threat score for each of the plurality of the addresses for accessing content on the wide area network (Visbal, in Col. 10 L. 39-49, discloses calculating threat reputation scores (i.e. weighted threat score) for IP addresses (i.e. each network address) taking into account the weights).
While Visbal teaches weighing and generating score from textual sources, Visbal fails to explicitly teach generating meaning from the language content of the text sources.
However, Hovor from the analogous technical field teaches: configured to extract meaning information from the language content of textual sources accessed using addresses on the network and analyze the extracted meaning to derive further different threat levels in each of one or more further threat categories (Hovor, in Para. [0027], discloses parsing unstructured data (i.e. textual sources) using such things as natural language processing (i.e. language content) to identify relevant threat information (i.e. meaning information) and based on that data (i.e. analyzing) assigning intelligence types (i.e. threat categories)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal to incorporate the teachings of Hovor, with a motivation to provide more accurate correlation of threat intelligence information from multiple sources (Hovor, in Para. [0017]).
Regarding claim 2, Visbal as modified by Hovor teaches the system of claim 1.
Visbal further teaches further including a threat level quantizer responsive to the scoring subsystem and configured to quantize the weighted threat score for an address (Visbal, in Col. 8 lines 5-43 and Fig. 4 elements 430, discloses the IP reputation system (i.e. encompasses the quantizer) considering the threat score when representing the risk level (i.e. threat level) as bombs (i.e. discrete)).
Regarding claim 3, Visbal as modified by Hovor teaches the system of claim 2.
Visbal further teaches further including a user interface area responsive to the scoring subsystem and the quantizer and configured to display the quantized weighted threat score in a manner that also conveys one of the threat levels (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the numerical threat score and the risk level (i.e. threat level) as bombs).
Regarding claim 5, Visbal as modified by Hovor teaches the system of claim 1.
Visbal further teaches further including a user interface area responsive to the scoring subsystem and configured to display the weighted threat score (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the threat score).
Regarding claim 6, Visbal as modified by Hovor teaches the system of claim 5.
Visbal further teaches further including a further user interface area that is configured to display at least some of the different threat levels and further different threat levels from which the  (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the risk level (i.e. threat level) as bombs).
Regarding claim 7, Visbal as modified by Hovor teaches the system of claim 1.
As detailed above Visbal further teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with an IP address (Visbal, in Col. 1 lines 25-30, discloses determining a threat score for an IP address).
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Visbal in view of Hovor in further view of Roytman (US 20150237062 A1).
Regarding claim 4, Visbal as modified by Hovor teaches the system of claim 2.
While Visbal as modified by Hovor teaches the elements of claim 1, Visbal as modified by Hovor fails to explicitly teach using color to display the threat score.
However, Roytman from the analogous technical field teaches further including a user interface area responsive to the scoring subsystem and the quantizer and configured to display the quantized weighted threat score in a color that also conveys one of the threat levels (Roytman, in Para. [0082], discloses displaying a color that corresponds to the criticality of the risk score (i.e. threat score)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Hovor to incorporate the teachings of Roytman, with a motivation to indicate the criticality of the risk score (i.e. threat score) to the customer (Roytman, Para. [0081]).
Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Visbal in view of Hovor in further view of Xue (US 20140298460 A1).
Regarding claim 8, Visbal as modified by Hovor teaches the system of claim 10.
While Visbal as modified by Hovor teaches the elements of claim 1, Visbal as modified by Hovor fails to explicitly teach detecting malicious activity associated with URLs.
However, Xue from the analogous technical field teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with a URL (Xue, in Para. [0006], discloses using classification models to detect malicious URLs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Hovor to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Regarding claim 9, Visbal as modified by Hovor teaches the system of claim 1.
While Visbal as modified by Hovor teaches the elements of claim 1, Visbal as modified by Hovor fails to explicitly teach detecting malicious activity associated with Internet Domain Names.
However, Xue from the analogous technical field teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with an Internet Domain Name (Xue, in Para. [0017], discloses using domain (i.e. Internet Domain Name) confidence level in detecting malicious features).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Hovor to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Claims 10-14, 16-18 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Maestas (US 20140283085 A1) in view of Xue (US 20140298460 A1).
	Regarding claim 10, Maestas teaches a network security system, comprising: a source of malicious addresses that lists addresses for accessing content on the network associated with malicious activity (Maestas, in Para. [0021 and 0023], discloses acquiring (i.e. receiving) IP threat information (i.e. malicious addresses) from an Internet Risk Intelligence Provider (IRIP) (i.e. source) which includes potentially high risk IP addresses (i.e. network addresses)).
	Maestas further teaches an address proximity engine responsive to the source of malicious activity data that is configured to determine measures of physical proximity between addresses for accessing content on the network (Maestas, in Para. [0029 and claim 9], discloses determining the geographic (i.e. physical) proximity characteristics associated with an IP address (i.e. network address) in relation to one or more other IP addresses (i.e. network addresses)),
	a threat scoring subsystem responsive to the address proximity engine and to the source of malicious addresses that is configured to derive a [logical] proximity score for a particular address for accessing content on the network based on the determined measure of [logical] proximity to at least one of the malicious addresses for accessing content on the network from the source of malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining the proximity of potentially high risk IP address (i.e. a particular network address) to one or a cluster of high risk addresses (i.e. malicious addresses) to determine the risk (i.e. score) for the IP address (i.e. particular network address)).
While Maestas teaches determining physical proximity, Maestas fails to explicitly teach determining proximity not related to physical proximity.
However, Xue from the analogous technical field teaches determine measures of logical proximity between addresses for accessing content on the network (Xue, in Para. [0017 and 0053], discloses determining whether an URL is malicious based on lexical distance of domains and age, confidence level, or rank of the domain (i.e. Internet Domain Name) and determining brand name edit distances for URLs and checking URLs against lists (i.e. several logical non-physical proximities)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
	Regarding claim 11, Maestas as modified by Xue teaches the system of claim 10. 
Maestas further teaches wherein the threat scoring subsystem is configured to derive a threat score based on threats from a plurality of different physically or logically proximate malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining a risk score (i.e. threat score) based on the proximity of the IP addresses to one or more IP addresses (i.e. plurality of different addresses) which are high risk (i.e. threat/malicious)).
Regarding claim 12, Maestas as modified by Xue teaches the system of claim 10. 
Maestas further teaches wherein the threat scoring subsystem includes weighted averaging logic configured to derive a weighted threat score based on a weighted average of threats from a plurality of malicious addresses at different degrees of proximity (Maestas, in Para. [0029], discloses combining the distance to the cluster (i.e. threats) with the weighted threat score of the cluster (i.e. threats) to determine the risk score (i.e. threat score)).
Regarding claim 13, Maestas as modified by Xue teaches the system of claim 10. 
Maestas further teaches wherein the source of malicious addresses and the address proximity engine are configured on IP addresses (Maestas, in Para. [0021 and 0027], discloses providing IP addresses and determining distance based on IP addresses).
Regarding claim 14, Maestas as modified by Xue teaches the system of claim 10. 
Xue further teaches wherein the source of malicious addresses and the address proximity engine are configured on URLs (Xue, in Para. [0053], discloses determining brand name edit distances for URLs and checking URLs against lists).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to further incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Regarding claim 16, Maestas as modified by Xue teaches the system of claim 10. 
While Maestas as modified by Xue teaches the elements of claim 10, Maestas as modified previously by Xue fails to explicitly teach determining proximity based on content on the network.
Xue further teaches wherein the address proximity engine detects proximity at least in part based on associations extracted from content on the network (Xue, in Para. [0017], discloses determining whether an URL is malicious based on site/page information (i.e. content on the network)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to further incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Regarding claim 17, Maestas as modified by Xue teaches the system of claim 10. 
Xue further teaches wherein the source of malicious addresses and the address proximity engine are configured on Internet Domain Names (Xue, in Para. [0017], discloses determining whether an URL is malicious based on lexical distance of domains and age, confidence level, or rank of the domain (i.e. Internet Domain Name)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to further incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Regarding claim 18, Maestas as modified by Xue teaches the system of claim 10. 
While Maestas as modified by Xue teaches the elements of claim 10, Maestas as previously modified by Xue fails to explicitly teach operating on an autonomous system level.
Xue further teaches wherein the source of malicious addresses and the address proximity engine are configured on an autonomous system level (Xue, in Para. [0006], discloses training classification models using machine learning algorithms (i.e. autonomous system level)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to further incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Regarding claim 28, Maestas as modified by Xue teaches the system of claim 10. 
	Maestas further teaches an address proximity is further configured to determine a measure of physical proximity between network addresses (Maestas, in Para. [0029 and claim 9], discloses determining the geographic (i.e. physical) proximity characteristics associated with an IP address (i.e. network address) in relation to one or more other IP addresses (i.e. network addresses)),
	wherein the threat scoring subsystem is further configured to derive a score for a particular network address based on its proximity to at least one of the malicious addresses from the source of malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining the geographic proximity of potentially high risk IP address (i.e. a particular network address) to one or a cluster of high risk addresses (i.e. malicious addresses) to determine the risk (i.e. score) for the IP address (i.e. particular network address)).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Maestas in view of Xue, in further view of Coskun (US 20150163235 A1).
Regarding claim 15, Maestas as modified by Xue teaches the system of claim 10. 
While Maestas as modified by Xue teaches the elements of claim 10, Maestas as modified by Xue fails to explicitly teach determining proximity based on subnets.
However, Coskun from the analogous technical field teaches wherein the address proximity engine detects proximity at least in part based on membership in subnets (Coskun, in Para. [0013-0014], discloses determining proximity based on netblocks (i.e. groups of IP addresses) and portions thereof referred to as sub-netblocks (i.e. subnets)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to incorporate the teachings of Coskun, with a motivation to improve network safety through reducing ambiguity in malicious IP addresses identification (Coskun, Para. [0050]).
Claims 19, 21, and 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Bingham (US 20150215334 A1) in view of Hovor.
Regarding claim 19, Bingham teaches and a threat prediction subsystem responsive to each of the first and further activity detection subsystems and configured to predict future threat levels for each of a plurality of addresses on the public wide area network based on the application of a trained predictive model to the extracted and analyzed information from the first and further activity detection subsystems (Bingham, in Para. [0031-0032 and 0034-0035], discloses a processing cluster (i.e. threat prediction subsystem) which uses a machine learning system (i.e. trained predictive model) to process security data (i.e. analyzed, extracted information) to generate a reputation score for each IP address which represents a confidence level (i.e. threat level)).
While Bingham teaches detecting activity, Bingham fails to explicitly teach extracting information from textual sources on the public network.
However, Hovor from the analogous technical field teaches A network security system, comprising: a network interface configured to connect the system to a public wide area network, a first and analyze meaning information from the language content of textual sources accessed using addresses on the public wide area network over a period of time, one or more further activity detection subsystems operatively connected to the network interface and configured to extract and analyze meaning information from the language content of textual sources accessed using addresses on the public wide area network over a period of time (Hovor, in Fig. 1 and in Para. [0027-0028], discloses receiving unstructured data (i.e. text) from a variety of sources connected to the web (i.e. public wide area network) and then parsing the unstructured data (i.e. text) to identify relevant threat information (i.e. analyzed, meaning information) using such things as natural language processing (i.e. from language content)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham to incorporate the teachings of Hovor, with a motivation to provide more accurate correlation of threat intelligence information from multiple sources (Hovor, in Para. [0017]).
Regarding claim 21, Bingham as modified by Hovor teaches the system of claim 19.
Bingham further teaches wherein the prediction subsystem is responsive to an address proximity engine that is configured to determine a measure of physical or logical proximity between network addresses (Bingham, in Para. [0025 and 0051], discloses including in the security data geographical location of an IP address and determining proximity between IP addresses).
Regarding claim 26, Bingham as modified by Hovor teaches the system of claim 19.
Bingham further teaches wherein the threat prediction subsystem is configured to classify information according to ontologies (Bingham, in Para. [0017], discloses identifying threat attributes and creating a behavior profile (i.e. ontology)).
Regarding claim 27, Bingham as modified by Hovor teaches the system of claim 19.
As detailed above Bingham further teaches wherein the threat prediction subsystem is configured to calculate a risk score (Bingham, in Para. [0017], discloses generating a reputation score (i.e. risk score) for an IP address).
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Hovor in further view of Xue.
Regarding claim 20, Bingham as modified by Hovor teaches the system of claim 19.
While Bingham as modified by Hovor teaches the elements of claim 19, Bingham as modified above by Hovor fails to explicitly teach using a Support Vector Machine (SVM).
However, Xue from the analogous technical field teaches wherein the threat prediction subsystem employs a Support Vector Machine supervised learning model (Xue, in Para. [0042], discloses using Support Vector Machine to train classification models (i.e. threat prediction subsystem)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hovor to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Hovor in further view of Visbal.
Regarding claim 22, Bingham as modified by Hovor teaches the system of claim 19.
While Bingham as modified by Hovor teaches the elements of claim 19, Bingham as modified by Hovor above does not explicitly teach detecting non-malicious behavior from known bad actors.
However, Visbal from the analogous technical field teaches wherein the first activity detection subsystem detects non-malicious behavior of known bad actors (Visbal, in Col. 14 lines 51-61, discloses investigating whether an IP address with a high threat reputation score (i.e. known bad actor) is being used in a non-malicious way (i.e. non-malicious behavior)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hovor to incorporate the teachings of Visbal, with a motivation to know if the threat is the IP address or a user account before blacklisting the IP address (Visbal, Col. 14 lines 51-61).
Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Hovor in further view of Shaffer (US 20150170152 A1) and Curcic (US 20150215332 A1).
Regarding claim 23, Bingham as modified by Hovor teaches the system of claim 19.
While Bingham as modified by Hovor teaches the elements of claim 19, Bingham as modified above by Hovor fails to explicitly teach using open web, social media, forums and paste site sources.
However, Shaffer from the analogous technical field teaches wherein the activity detection subsystems are configured to detect activity from sources that include open web, social media, forums, paste sites (Shaffer, in Para. [0017 and 0022], discloses identifying problems (i.e. activity) from sources including social media messages, forums, message history databases (i.e. paste sites) and using web mining systems (i.e. open web)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hovor to incorporate the teachings of Shaffer, with a motivation to better and more efficiently process problems detected on social media (Shaffer, Para. [0001-0002]).
While Bingham as modified by Hovor and Shaffer teaches the elements of claim 19, Bingham as modified above by Hovor and Shaffer fails to explicitly teach using dark net sources.
However, Curcic from the analogous technical field teaches wherein the activity detection subsystems are configured to detect activity from sources that include dark net sites including TOR/Onion sites (Curcic, in Para. [0077], discloses updating a risk score based on information gathered from the darknet).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hover and Shaffer to incorporate the teachings of Curcic, with a motivation to provide the risk score based on the level of security in view of the darknet intelligence data (Curcic, Para. [0077]).
Claims 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Hovor in further view of Kotler (US 9473522 B1).
Regarding claim 24, Bingham as modified by Hovor teaches the system of claim 19.
While Bingham as modified by Hovor teaches the elements of claim 19, Bingham as modified above by Hovor fails to explicitly teach detecting activity associated with hashes, file names, and malware.
However, Kotler from the analogous technical field teaches wherein the activity detection subsystems are configured to detect activity associated with technical entities including hashes, filenames and malware (Kotler, in Col. 10 lines 61-67, Col. 3 lines 3-4, and Col. 3 lines 35-40, discloses actions (i.e. activities) including malware and information including hash of data and filenames).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hovor to incorporate the teachings of Shaffer, with a motivation to protect systems against malicious actions by quantifying risk of malicious actions (Kotler, Col. 3 lines 41-48).
Regarding claim 25, Bingham as modified by Hovor teaches the system of claim 19.
While Bingham as modified by Hovor teaches the elements of claim 19, Bingham as modified above by Hovor fails to explicitly teach detecting activity associated with cyber attacks, exploits, and data leaks.
However, Kotler from the analogous technical field teaches wherein the activity detection subsystems are configured to detect activity associated with events including cyber attacks, exploits, and data leaks (Kotler, in Col. 10 L. 61- Col. 11 L. 3, discloses actions (i.e. activities) including cyber crime (i.e. cyber attack), exploits and data leaks).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Hovor to incorporate the teachings of Shaffer, with a motivation to protect systems against malicious actions by quantifying risk of malicious actions (Kotler, Col. 3 lines 41-48).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208. The examiner can normally be reached M-Th 9:00-18:00 (Flex).

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JESSICA J SOUTH/Examiner, Art Unit 2431
/TRANG T DOAN/Primary Examiner, Art Unit 2431