Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

             DETAILED ACTION (Corrected)

1. 	This action is response to the amendment filed on 27 October 2021. 
	
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant’s representative Eric P. Jensen on 12 November 2021.

The application has been amended by the examiner as follows: 
               IN THE CLAIM
1.	(Currently Amended) A method comprising:
	generating, at a behavior analysis engine, an entity analysis model by determining connections between a set of known malicious entities and a set of known non-malicious entities, wherein a connection between entities represents that the entities are associated with one another;
receiving, at the behavior analysis engine, an entity from a network traffic hub in a local network, the entity comprising one of a domain and a network address that is 
identifying, by using the entity analysis model, a set of connected entities associated with the received entity; 
determining relationship information for the received entity by applying a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities; 
determining whether the received entity is malicious based on the determined relationship information; and 
transmitting, by the behavior analysis engine, processing instructions to the network traffic hub based on the determination of whether the received entity is malicious. 

2.	(Cancelled)

3.	(Previously Presented) The method of claim 1, wherein the set of connected entities are identified based on Whois lookups, reverse Domain Name Server (DNS) lookups, or via OpenSSL handshakes with domains.

4.	(Cancelled)



6.	(Previously Presented) The method of claim 1, wherein the relationship information identifies which entities of the set of connected entities are malicious.

7-9.	(Cancelled)

10.	(Previously Presented) The method of claim 1, wherein the entity analysis model is trained by determining relationship information for each entity of the set of connected entities.

11.	(Previously Presented) The method of claim 1, further comprising, responsive to determining that the received entity is malicious, transmitting the processing instructions to the network traffic hub to block network traffic associated with the received entity.

12.	(Previously Presented) The method of claim 1, further comprising, responsive to determining that the received entity is not malicious, transmitting the processing instructions to the network traffic hub to allow the received entity to communicate with networked devices in the local network. 

13.	(Currently Amended) A non-transitory computer-readable medium comprising instructions that, when executed by a processor, cause the processor to:

receive, at the behavior analysis engine, an entity from a network traffic hub in a local network, the entity comprising one of a domain and a network address that is associated with a network communication that is sent from a source device outside of the local network to a networked device in the local network;
identify, by using the entity analysis model, a set of connected entities associated with the received entity;
determine relationship information for the received entity by applying a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities;
determine whether the received entity is malicious based on the determined relationship information; and
transmit processing instructions to the network traffic hub based on the determination of whether the received entity is malicious.

14-18.	(Cancelled)

19.	(Previously Presented) The computer-readable medium of claim 13, further comprising instructions that cause the processor to, responsive to determining that the 

20.	(Previously Presented) The computer-readable medium of claim 13, further comprising instructions that cause the processor to, responsive to determining that the received entity is not malicious, transmit the processing instructions to the network traffic hub to allow the received entity to communicate with networked devices in the local network.

21.	(Cancelled)

22.	(Currently Amended) A computing device comprising:
	a memory; and
	a processor device coupled to the memory and configured to:
	generate, at a behavior analysis engine, an entity analysis model by determining connections between a set of known malicious entities and a set of known non-malicious entities, wherein a connection between entities represents that the entities are associated with one another;
receive, at the behavior analysis engine, an entity from a network traffic hub in a local network, the entity comprising one of a domain and a network address that is associated with a network communication that is sent from a source device outside of the local network to a networked device in the local network;

determine relationship information for the received entity by applying a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities;
determine whether the received entity is malicious based on the determined relationship information; and
transmit processing instructions to the network traffic hub based on the determination of whether the received entity is malicious.

                                                           Allowable Subject Matter

2.	Claims 1, 3, 5-6, 10-13, 19-20 and 22 are allowable in light of the Applicant’s argument and in light of the prior art made of record.

                          Reasons for Allowance

3.	The following is an examiner's statement of reasons for allowance: 
Upon searching variety of databases, the examiner considering Applicant’s provided prior-art and examiner research of prior-art with are mention in form-892 and with the respect of Applicant’s arguments clarify the difference and uniqueness of invention. It still hold the novelty even if the closest prior art US Publication No. 20160337389 and the Applicant’s provided IDS, 20160162779 combined. 
Claims 1, 13 and 22 in conjunction with all other limitations of the dependent claims, “determining relationship information for the received entity by applying a recursive process to each entity of the set of connected entities to determine a maliciousness of each entity of the set of connected entities." and independent claims are not taught nor suggested by the prior art of record (PTO-892). 
Therefore, Claims 1, 3, 5-6, 10-13, 19-20 and 22 are hereby allowed in view of applicant’s persuasive arguments and in the light of amendments to the claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

        Conclusion

4. 	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure (see form “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjour Rahim whose telephone number is (571)270-3890. The examiner can normally be reached on 7:00 AM -5:00 PM (Mo-Th).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-2419.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


 /Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890