DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The objection to the Specification due to informalities has been withdrawn in light of applicant’s amended Specification received 10/7/2021.
Status of Claims
The amendment filed 10/7/2021 has been entered. Claims 1, 10, 18 are currently amended claims. Claims 1-20 are pending in the application.
The objection of claims 4-8 due to informalities is maintained since these claims have not been amended although applicant indicated applicant has amended these claims in Remark filed 10/7/2021 (page 9). 
The rejection of claims 10-17 due to concerns of indefiniteness under 35 USC 112(b) has been revised. The rejection of claims 10-17 due to limitation “uniquely or nearly-uniquely” has been withdrawn upon reconsideration. The limitation “uniquely or nearly-uniquely” is interpreted as uniquely. However the rejection of claims 13, 14 is maintained since applicant failed to address the issue in the amendment.
Response to Arguments
Applicant’s arguments, see pg. 10-11 of the Remarks filed 10/7/2021 regarding claim rejection under 35 USC 103 over prior arts of record have been fully considered and are moot since the arguments do not apply to the current office action with newly applied prior art Gottieb.

Applicant is suggested to further incorporate innovative features into independent claims to advance the case.
Claim Objections
Claims 1, 4-8 are objected to because of the following informalities:  
Claim 1 line 8 recites “wherein the advertiser identifier string …” which may read “wherein the advertiser identification string …”.
Claims 4-6 each recites “advertiser identifier string” which appears to be “advertiser identification string” as recited in claim 1. Applicant is suggested to recite as “the advertiser identification string” to be consistent with claim 1.
Claims 7, claim 8, each recites “the cache”. It is suggested to recite “the reputation cache” to be consistent with claim 1.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 13-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 13 line 3, claim 14 line 3, each recites “the file”. There is insufficient antecedent basis for this limitation in the claims. There are multiple elements recited “downloaded file” “file system object” that makes the claim scope unclear. Examiner notes independent claim 10 recites downloaded “file system object”, however “file” has not been recited.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 7 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive et al (US 8,990,945B1, hereinafter, "Ranadive"), in view of Gottieb et al (US 9,767,480 B1, hereinafter, “Gottieb”), in further view of Dixon et al (US20060253584A1, hereinafter, “Dixon”) and Brown (US20100251371A1, hereinafter, “Brown”).
	Regarding claim 1, Ranadive teaches:
A computing apparatus, comprising: a processor and a memory; instructions encoded within the memory to instruct the processor (Ranadive, discloses system and method for detecting malicious advertising content, see [Abstract]. And Col. 2 lines 53-58, a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor) to: 
(Ranadive, Col. 7 lines 41-47, System 102 will be able to detect the origin of the malicious element as being site 126 and also note what malicious behavior (e.g., initiating a drive-by download) it is responsible for.  In various embodiments, a browser helper object extension is used to track referrer information for every element that is rendered, such as the enclosing page (i.e. downloaded file) for an iframe); 
inspect a metadata object attached to the downloaded file (Ranadive, Col. 11 lines 4-11, Script 602 decodes into an iframe element: <iframe src="http://www.neildaswani.com” width="0 height=“0” frameborder="Old K/iframe>. As with iframe 402, this iframe, when loaded by a client, could download additional malicious code that will cause a driveby download. Using the techniques described herein, system 102 is able to detect (i.e. inspect) Script 602 as being a malicious element (and, specifically, the source of a driveby download)); 
parse the metadata object to extract an advertiser identification string [from a GET code portion] of a uniform resource locator (URL) (Ranadive, Col. 16 lines 23-30, For each URL provided to it by crawler 1310, content extraction engine 1302 fetches content (e.g., by making an HTTP request) and performs content extraction (i.e. parse the metadata object)…  In the case of shallow content extraction, the extraction engine performs a static analysis of the downloaded content to identify various elements in the content such as JavaScript and iframe elements. And Col. 22 lines 1-3, risk analysis feature extractor 1304 is configured to recognize the names (i.e. string) (or other identifiable features) of JavaScripts that correspond to the serving of advertisements (i.e. advertiser identification string)), [wherein the advertiser identifier string identifies a third-party advertiser different from a vendor of the downloaded file]; (See Gottlieb for teaching of limitation(s) in bracket; Also see Brown below for teaching of limitation “GET code”)
and take a remedial action against the downloaded file (Ranadive, See Fig. 9 step 902 Receive indication that page (i.e. downloaded file) includes malicious element and step 906 Send quarantine instruction (i.e. remedial action)).  
While Ranadive teaches the main concept of detecting malicious element in advertising content on enterprise website as well as content hosted by third party host, but does not explicitly teach the advertiser identifier string identifies a third-party advertiser different from a vendor of the downloaded file, however in the same field of endeavor Gottlieb teaches:
the advertiser identifier string identifies a third-party advertiser different from a vendor of the downloaded file (Gottlieb, Col. 6 lines 46-53, In some situations, advertisements such as advertiser-related images, … are placed on a publishers (i.e. vendor) web page by the publisher itself.  In other situations, a publisher may sell advertising space to third party companies (i.e. third-party advertiser different from a vendor) that sell that advertising space to advertisers and advertisements may be placed on the publisher web page by the third party company. Also see Fig. 9, and Col. 9 lines 64-65, Advertisement block data 102 for each advertisement block may include advertiser name 104 (i.e. advertiser identifier string),…); Examiner notes a web page can be interpreted as downloaded file since it is downloaded by user from the publisher’s website.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious advertisement detection and remediation of Ranadive by having user download web 
While Ranadive-Gottlieb teaches the main concept of detecting malicious element in advertising content based on inspecting URL of malicious web pages with detection engine, but does not explicitly teach detecting malicious content based on advertiser identification string from reputation cache, however in the same field of endeavor Dixon teaches:
query a reputation cache for a reputation for the third-party advertiser based at least in part on the advertiser identification string (Dixon, discloses method of providing user with indication of reputation of an entity associated with content item, see [Abstract]. And [0020] systems and methods involve utilizing Web crawling to determine the reputation of a Web advertisement network or the reputation of an individual advertisement. And [0135] In any case, the Web content analysis facility 122 may access Web content on the third-party Web server 104 and may comprise a computer program that may perform a Web content analysis function . And [0186] A single Web page may consist of numerous objects named by URLs. Each of these URLs may be looked up in a reputation database (i.e. reputation cache) through the reputation service host 112. And [0321] third-party recommendation resources may themselves be analyzed for reputation); 
receive a deceptive reputation for the third-party advertiser (Dixon, [0150] When a website with a bad reputation (i.e. deceptive reputation) is discovered by the analysis facility 122. And [0321] third-party recommendation resources may themselves be analyzed for reputation);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dixon in the malicious advertisement detection and remediation of Ranadive-Gottieb by providing indication of reputation of an entity associated with content item including content from third party advertiser. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine the downloaded pages as deceptive or bad based on the reputation of the entity in an advertising network to allow the advertising network to check the reputation before placing an ad on the web site (Dixon, [Abstract], [0007]).
While the combination of Ranadive-Gottieb-Dixon teaches the main concept of detecting malicious element in advertising content based on inspecting URL of malicious web pages, but does not explicitly teach extract advertiser identification string from a GET code portion of a URL, however in the same field of endeavor Brown teaches:
[parse the metadata object to extract an advertiser identification string] (see Ranadive for teaching of limitation(s) in bracket as shown above) from a GET code portion of a uniform resource locator (URL) (Brown, discloses method for real-time blocking of malicious requests [Abstract]. And Referring to Fig. 3, and [0038] Malicious code inhibitor 11 preferably uses conventional "GET" or "POST" methods found in web development coding languages, …, for retrieving all information sent to and from the URL, form input, text field, or text area. And [0039] FIG. 3 illustrates a preferred sequence of steps for searching the string and removing or blocking malicious code. In step 300, a main string is preferably received containing the Internet protocol ("IP") address of the source, the URL, and the GET/POST values).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Brown in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon by retrieving information from URL using GET method. This would have been obvious because the person having ordinary skill in the art would have been motivated to extract the information containing the IP address of the source GET/POST value since Ranadive-Dixon can use the method of Brown to extract the advertiser identification string information for real time malicious code detection (Brown, [Abstract], [0038-0039]).

Regarding claim 4, Ranadive-Gottieb-Dixon-Brown combination further teaches:
The computing apparatus of claim 1, wherein an advertiser identifier string comprises a partner or referrer identifier (Ranadive, Col. 24 lines 11-13, Ad servers typically have their own format for advertisement-related URLs and encode various pieces of information in those URLs such as referrer identifiers…).  

Regarding claim 7, Ranadive-Gottieb-Dixon-Brown combination further teaches:
The computing apparatus of claim 1, wherein the cache is a local cache (Dixon, see Fig. 1 Rep Server with Rep Data (i.e. reputation server with reputation data, reputation repository)).  

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon-Brown combination, further in view of Naef, III (US20090171990, hereinafter, “Naef”).
Regarding claim 2, Ranadive-Gottieb-Dixon-Brown combination teaches:
The computing apparatus of claim 1, 
While the combination of Ranadive-Gottieb-Dixon-Brown does not teach the following limitation(s), however in the similar field of endeavor Naef teaches:
wherein the metadata object comprises a Microsoft New Technology File System (NTFS) alternative data stream (ADS) (Naef, discloses method of identifying similar content using workflow metadata [Abstract]. And [0043] in a group of files including the content, wherein one file includes the metadata and the other files include supporting files or resources, where the group of files includes a linkage, as such the metadata file may be updated as work is performed on the content; attached to the file as an extended attribute, for example, on the Windows NTFS file system the metadata can be attached as an alternative data stream (i.e. ADS) so that it does not modify the actual file but goes along with the file as the file is processed).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Naef in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Brown by using Window NTFS ADS to process workflow metadata. This would have been obvious because the person having ordinary skill in the art would have been motivated to attach metadata as ADS with window NTFS file system (Naef, [Abstract], [0043]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon-Brown-Naef combination as applied above to claim 2, further in view of Mahajan et al (“Design and Development of Improved Stealth Alternate Data Streams”, Thapar Institute of Engineering & Technology, July 2014, hereinafter, “Mahajan”).
Regarding claim 3, Ranadive-Gottieb-Dixon-Brown-Naef combination teaches:
The computing apparatus of claim 2, 
While the combination of Ranadive-Gottieb-Dixon-Brown-Naef does not explicitly teach the following limitation(s), however in the same field of endeavor Mahajan teaches:
wherein the ADS comprises a Zone.Identifier data stream (Mahajan, Section 2.9 Legitimate Use of ADS, Page 23, “Zone Identifiers: When a file is downloaded from internet in an NTFS drive, then an alternate data stream gets attached to the downloaded file. These alternate streams (zone identifiers) stores security information about a file”).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahajan in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Naef by using zone identifier in ADS associated source from where the file is downloaded. This would have been obvious because the person having ordinary skill in the art would have been motivated to improve network security using stealth ADS with NTFS (Mahajan, [Introduction]).

Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon-Brown combination as applied above, further in view of Shiravi Khozani  et al (US20160358209A1, hereinafter, “Shiravi Khozani”).
Regarding claim 5, Ranadive-Gottieb-Dixon-Brown combination teaches:
The computing apparatus of claim 1, 
While the combination of Ranadive-Gottieb-Dixon-Brown does not teach an advertising campaign identifier, however in the same field of endeavor Shiravi Khozani teaches:
wherein the advertiser identifier string comprises an advertising campaign identifier (Shiravi Khozani, discloses method for determining a degree of deceptiveness in online advertisement. And [0070] receiving, at a tracking server, a request for a tracking pixel from a tag comprising code instructions to retrieve at least one online advertisement from an associated advertising server; receiving, at the tracking server, multiple data fields upon requesting the tracking pixel, the data fields comprising a campaign identifier,…).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shiravi Khozani in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Brown by retrieving online advertisement by tracking server using data with data field comprising campaign identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the campaign identifier to extract one or more characteristics associated with online advertisement to determine the deceptiveness of online advertisement (Shiravi Khozani, [Abstract], [0007]).

Regarding claim 6, Ranadive-Gottieb-Dixon-Brown combination teaches:
The computing apparatus of claim 1, wherein the advertiser identifier string comprises a union of a partner or referrer identifier (Ranadive, Col. 24 lines 11-13, Ad servers typically have their own format for advertisement-related URLs and encode various pieces of information in those URLs such as referrer identifiers…) and 
While the combination of Ranadive-Gottieb-Dixon-Brown does not teach an advertising campaign identifier, however in the same field of endeavor Shiravi Khozani teaches:
an advertising campaign identifier string (Shiravi Khozani, discloses method for determining a degree of deceptiveness in online advertisement. And [0070] receiving, at a tracking server, a request for a tracking pixel from a tag comprising code instructions to retrieve at least one online advertisement from an associated advertising server; receiving, at the tracking server, multiple data fields upon requesting the tracking pixel, the data fields comprising a campaign identifier,…).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shiravi Khozani in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Brown by retrieving online advertisement by tracking server using data with data field comprising campaign identifier. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the campaign identifier to extract one or more characteristics associated with online advertisement to determine the deceptiveness of online advertisement (Shiravi Khozani, [Abstract], [0007]).  

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon-Brown combination, further in view of Falkowitz  et al (US20160134588A1, hereinafter, “Falkowitz”).
Regarding claim 8, Ranadive-Gottieb-Dixon-Brown combination teaches:
The computing apparatus of claim 1, 
While the combination of Ranadive-Gottieb-Dixon-Brown does not explicitly teach the following limitation, however in the same field of endeavor Falkowitz teaches:
wherein the cache is a remote global or enterprise cache (Falkowitz, discloses identifying security threats and remediation measure in an enterprise network. And [0035] enrichment logic 124: querying one or more enrichment data sources 150 (i.e. reputation cache) to obtain other information about web pages for the purpose of assisting the identification of threats and the determination of a reputation for the web pages).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Falkowitz in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Brown by using reputation data from enrichment data sources to obtain information about wen pages to identify threats. This would have been obvious because the person having ordinary skill in the art would have been motivated to use reputation data in an enterprise network to identify security threats in order to provide specific remediation measure (Falkowitz, [Abstract]).  

Regarding claim 9, Ranadive-Gottieb-Dixon-Brown-Falkowitz combination further teaches:
The computing apparatus of claim 8, wherein the instructions are further to cache the reputation locally (Dixon, see Fig. 1 Rep Server with Rep Data (i.e. reputation server with reputation data, reputation repository)).  

Claims 10, 12-14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive et al (US 8,990,945B1, hereinafter, "Ranadive"), in view of Gottieb et al (US 9,767,480 B1, hereinafter, “Gottieb”), in further view of Dixon et al (US20060253584A1, hereinafter, “Dixon”).
	Regarding claim 10, Ranadive teaches:
One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions (Ranadive, discloses system and method for detecting malicious advertising content, see [Abstract]. And Col. 2 lines 53-58, a computer program product embodied on a computer readable storage medium) to: 
detect a user interaction with a downloaded file system object (Ranadive, Col. 3 lines 23-26, clients such as clients 104-108 access content (i.e. interaction with file system object) served by sites 114-118 via one or more networks represented herein as a single network cloud 150. Col. 3 lines 65-67, Examples of content that can be used in conjunction with the techniques described herein include HTML pages (including JavaScript), PDF documents, and executables (i.e. downloaded file system object). And Col. 26 lines 33-37, module 110 can be configured to check the URLs requested by the user's browser against the information stored in database 202 and to block any suspicious or malicious advertisements from being rendered); 
inspect a metadata object associated with the downloaded file system object (Ranadive, Col. 11 lines 4-11, Script 602 decodes into an iframe element: <iframe src="http:// www.neildaswani.com” width="0 height=“0” frameborder="Old K/iframe>. As with iframe 402, this iframe (i.e. metadata), when loaded by a client, could download additional malicious code that will cause a driveby download. Using the techniques described herein, system 102 is able to detect (i.e. inspect) Script 602 as being a malicious element (and, specifically, the source of a driveby download)); 
parse the metadata object to extract an identification string that uniquely or nearly-uniquely identifies a third-party advertiser as having referred the file system object (Ranadive, Col 3 lines 62-65, System 102 is configured to perform a variety of analyses on the content served by sites such as site 114, detect suspicious elements present in that content (or loaded from third party sources (i.e. third-party advertiser) when the content is accessed). And Col 24 lines 62-65, As explained above, it is also possible that the advertisement is being served by a third party, such as is illustrated in FIG. 26 where ad network 2602 is responsible for serving (via malicious server 2612) a malicious advertisement. See also Fig. 28, and Col 25 lines 40-42, Forensic information is also provided (i.e. identification string that uniquely or nearly-uniquely identifies), in region 2808, about the malicious advertisement) [for download from a vendor different from the third-party advertiser]; (See Gottlieb for teaching of limitation(s) in bracket)
and act on the reputation (Ranadive, See Fig. 9 step 902 Receive indication that page includes malicious element and step 906 Send quarantine instruction (i.e. action)).  
While Ranadive teaches the main concept of detecting malicious element in advertising content on enterprise website as well as content hosted by third party hoster, but does not explicitly teach for download from a vendor different from the third-party advertiser, however in the same field of endeavor Gottlieb teaches:
[parse the metadata object to extract an identification string that uniquely or nearly-uniquely identifies a third-party advertiser as having referred the file system object] (see Ranadive above) for download from a vendor different from the third-party advertiser (Gottlieb, Col. 6 lines 46-53, In some situations, advertisements such as advertiser-related images, … are placed on a publishers (i.e. vendor) web page by the publisher itself.  In other situations, a publisher may sell advertising space to third party companies (i.e. third-party advertiser different from a vendor) that sell that advertising space to advertisers and advertisements may be placed on the publisher web page by the third party company. Also see Fig. 9, and Col. 9 lines 64-65, Advertisement block data 102 for each advertisement block may include advertiser name 104 (i.e. advertiser identifier string),…); Examiner notes in this case publisher is different from the third party companies.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious advertisement detection and remediation of Ranadive by having user download web content from third-party and identify third-party name from downloaded content. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify advertiser identification string as advertiser name to associate the advertiser name to the advertising content for tracking and discovery of advertisements on publisher web pages (Gottlieb, [Abstract]).
While Ranadive-Gottlieb teaches the main concept of the invention, but does not explicitly teach the following limitation(s), however in the same field of endeavor Dixon teaches:
(Dixon, [0020] systems and methods involve utilizing Web crawling to determine the reputation of a Web advertisement network or the reputation of an individual advertisement (i.e. third party advertiser). And [150] When a website with a bad reputation (i.e. deceptive reputation) is discovered by the analysis facility 122. And [0321] third-party recommendation resources may themselves be analyzed for reputation);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dixon in the malicious advertisement detection and remediation of Ranadive-Gottieb by providing indication of reputation of an entity associated with content item. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine the downloaded pages as deceptive or bad based on the reputation of the entity in an advertising network to allow the advertising network to check the reputation before placing an ad on the web site (Dixon, [Abstract], [0007]).

	Regarding claim 18, Ranadive teaches:
An enterprise security function, comprising: a processor; a memory; 61Attorney Docket No.:Patent Application04796-1338 (P200110)Mitigation of Deceptive Advertisementsa network interface; and instructions encoded within the memory (Ranadive, discloses system and method for detecting malicious advertising content, see [Abstract]. And Col. 2 lines 53-58, a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. And Col. 3 lines 44-47, System 102, site 114, and site 118 respectively comprise standard commercially available server hardware (e.g., having multi-core processors, 4+ Gigabytes of RAM, and Giga bit network interface adapters)) to: 
receive an incoming data stream via the network interface (Ranadive, Col. 5 lines 45-47, Crawler 204 is configured to enumerate the URLs of the pages hosted by a given site such as site 114 and to provide them to detection engine 206. And Referring to Fig. 3, Col. 9 lines 26-27, The process begins at 302 when the page is crawled. Examiner notes the communication between crawler and detection engine is through network interface); 
identify the incoming data stream for analysis (Ranadive, Col. 6 lines 18-23, In the first phase of analysis, content analyzer 208 performs static and dynamic analysis of the content.  Static analysis module 214 is configured to parse pages' content and recognize patterns of information, such as signatures of known malware, the presence of script tags and iframes and their content, etc. Also see Fig. 3 step 304 Analyze Page); 
determine that the incoming data stream includes an advertisement (Ranadive, Col. 4 lines 37-42, search provider 112 (which may also be in control of one or more ad servers such as ad server 120) can be configured to provide malicious advertisement detection and remediation services with respect to the advertisements that are placed on its search pages and/or any advertisements that are served by ad network 138. And Col. 7 lines 30-32, The instrumented browser can also be used to keep track of redirections. For example, when an advertisement needs to be served on behalf of site 114, ad server 120 is contacted); 
identify an advertisement source of the identifier, the advertisement source comprising an identification string (Ranadive, Col 3 lines 62-65, System 102 is configured to perform a variety of analyses on the content served by sites such as site 114, detect suspicious elements present in that content (or loaded from third party sources (i.e. third-party advertiser) when the content is accessed). And Col 24 lines 62-65, As explained above, it is also possible that the advertisement is being served by a third party, such as is illustrated in FIG. 26 where ad network 2602 is responsible for serving (via malicious server 2612) a malicious advertisement. See also Fig. 28, and Col 25 lines 40-42, Forensic information is also provided (i.e. identification string that uniquely or nearly-uniquely identifies), in region 2808, about the malicious advertisement) [that identifies a third-party advertiser that provided a referral to download an object from a vendor different from the third-party advertiser]; (See Gottlieb for teaching of limitation(s) in bracket)
and apply a remedial action to the incoming data stream (Ranadive, See Fig. 9 step 902 Receive indication that page (i.e. downloaded file) includes malicious element and step 906 Send quarantine instruction (i.e. remedial action)).  
While Ranadive teaches the main concept of detecting malicious element in advertising content on enterprise website as well as content hosted by third party hoster, but does not explicitly teach for download from a vendor different from the third-party advertiser, however in the same field of endeavor Gottlieb teaches:
[identify an advertisement source of the identifier, the advertisement source comprising an identification string] (see Ranadiveabove) that identifies a third-party advertiser that provided a referral to download an object from a vendor different from the third-party advertiser (Gottlieb, Col. 6 lines 46-53, In some situations, advertisements such as advertiser-related images, … are placed on a publishers (i.e. vendor) web page by the publisher itself.  In other situations, a publisher may sell advertising space to third party companies (i.e. third-party advertiser different from a vendor) that sell that advertising space to advertisers and advertisements may be placed on the publisher web page by the third party company. Also see Fig. 9, and Col. 9 lines 64-65, Advertisement block data 102 for each advertisement block may include advertiser name 104 (i.e. advertiser identifier string),…); Examiner notes in this case publisher is different from the third party companies.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious advertisement detection and remediation of Ranadive by having user download web content from third-party and identify third-party name from downloaded content. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify advertiser identification string as advertiser name to associate the advertiser name to the advertising content for tracking and discovery of advertisements on publisher web pages (Gottlieb, [Abstract]);
While Ranadive-Gottieb teaches the main concept of the invention, but does not explicitly teach the following limitation(s), however in the same field of endeavor Dixon teaches:
query a reputation cache for a reputation for the third-party advertiser (Dixon, [0020] In embodiments, systems and methods involve utilizing Web crawling to determine the reputation of a Web advertisement network or the reputation of an individual advertisement); 
receive a deceptive reputation for the third-party advertiser (Dixon, [150] When a website with a bad reputation (i.e. deceptive reputation) is discovered by the analysis facility 122. And [0321] third-party recommendation resources may themselves be analyzed for reputation);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dixon in the malicious advertisement detection and remediation of Ranadive-Gottieb by providing indication of reputation of an entity associated with content item. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine the downloaded pages as deceptive or bad based on the reputation of the entity in an advertising network to allow the advertising network to check the reputation before placing an ad on the web site (Dixon, [Abstract], [0007]).

Regarding claim 12, Ranadive-Gottieb-Dixon combination further teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 10, wherein the reputation is a reputation for deceptivity (Dixon, [0016] systems and methods involve providing a reference to alternative Web content with a good reputation when requested Web content has a bad reputation. Examiner notes a bad reputation is a reputation for deceptivity for one of ordinary skilled in the art).  

Regarding claim 13, Ranadive-Gottieb-Dixon combination further teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 10, wherein acting on the reputation comprises blocking execution of the file if the third-party advertiser has a reputation for being deceptive (Dixon, [0295] FIG. 13 illustrates a transaction alert 1300 produced by a warning/alert facility 114 for downloads.  The transaction alert 1300 may be produced, for example, in connection with a download that carries a poor reputation or from a source that contains a poor reputation (i.e. deceptive reputation). And [0364] reputation data for the third parties involved in an attention brokering process (ad creator, ad sponsor, broker, etc.) may be employed to block certain advertisements).

Regarding claim 14, Ranadive-Gottieb-Dixon combination further teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 10, wherein acting on the reputation comprises removing the file if the third-party advertiser has a reputation for being deceptive (Dixon, [0366] poor reputation sponsored content may not be provided to the user. It may be filtered or otherwise removed by the reputation service host 112).  

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon combination as applied above, further in view of Yun (US10,116,688B1, hereinafter, “Yun”).
Regarding claim 11, Ranadive-Gottieb-Dixon combination teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 10, 
While the combination of Ranadive-Gottieb-Dixon does not expressly teach the following limitation, in the same field of endeavor Yun teaches:
wherein the user interaction comprises executing the file system object as an installer (Yun, discloses method for detecting potential malicious files [Abstract]. And Col. 6 lines 3-6, when a user directs file 208 to open or execute, file 208 may launch an application (e.g., an installer application or an application that executes files of the same type as file 208) that facilitates executing file 208).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Yun in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon by detecting a potential malicious file before computing device executes the file. This would have been obvious because the person having ordinary skill in the art would have been motivated to allow computing system to determine the computing device is attempting to execute file in order to prevent the computing device from executing the potential malicious file (Yun, [Abstract]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon combination as applied above, further in view of Naef, III (US20090171990, hereinafter, “Naef”).
Regarding claim 15, Ranadive-Gottieb-Dixon combination teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 10, 
While the combination of Ranadive-Gottieb-Dixon does not teach the following limitation(s), however in the similar field of endeavor Naef teaches:
wherein the metadata object comprises a Microsoft New Technology File System (NTFS) alternative data stream (ADS) (Naef, discloses method of identifying similar content using workflow metadata [Abstract]. And [0043] in a group of files including the content, wherein one file includes the metadata and the other files include supporting files or resources, where the group of files includes a linkage, as such the metadata file may be updated as work is performed on the content; attached to the file as an extended attribute, for example, on the Windows NTFS file system the metadata can be attached as an alternative data stream (i.e. ADS) so that it does not modify the actual file but goes along with the file as the file is processed).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Naef in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon by using Window NTFS ADS to process workflow metadata. This would have been obvious because the person having ordinary skill in the art would have been motivated to attach metadata as ADS with window NTFS file system so that it does not modify the actual file but goes along with the file as the file is processed (Naef, [Abstract], [0043]).  

Claims 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon-Naef combination as applied above to claim 15, further in view of Mahajan et al (“Design and Development of Improved Stealth Alternate Data Streams”, Thapar Institute of Engineering & Technology, July 2014, hereinafter, “Mahajan”).
Regarding claim 16, Ranadive-Gottieb-Dixon-Naef combination teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 15, 
While the combination of Ranadive-Gottieb-Dixon-Naef does not explicitly teach the following limitation(s), however in the same field of endeavor Mahajan teaches:
(Mahajan, Section 2.9 Legitimate Use of ADS, Page 23, “Zone Identifiers: When a file is downloaded from internet in an NTFS drive, then an alternate data stream gets attached to the downloaded file. These alternate streams (zone identifiers) stores security information about a file”).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahajan in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon-Naef by using zone identifier in ADS associated source from where the file is downloaded. This would have been obvious because the person having ordinary skill in the art would have been motivated to improve network security using stealth ADS with NTFS (Mahajan, [Introduction]).

Regarding claim 17, Ranadive-Gottieb-Dixon-Naef-Mahajan combination further teaches:
The one or more tangible, non-transitory computer-readable storage media of claim 16, 
wherein acting on the reputation comprises altering the Zone.Identifier data stream to remove the identification stream if the third-party advertiser has a reputation for being deceptive (Mahajan, Fig. 2.13 (page 24) shows capability of deleting Zone.Identifier attached to a downloaded file. And section 4.1.3 Deletion of ADS, “After the detection of the presence of ADS, the next step is to get rid of unnecessary hidden files which are either not required or which are malicious in nature”).  

Claims 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon combination as applied above to claim 18, further in view of Gukal et al (US20170093910A1, hereinafter, “Gukal”).
Regarding claim 19, Ranadive-Gottieb-Dixon combination teaches:
The enterprise security function of claim 18, 
While the combination of Ranadive-Gottieb-Dixon does not teach the following limitation(s), however in the same field of endeavor Gukal teaches:
wherein identifying the incoming data stream for analysis comprises inspecting a network protocol of the incoming data stream (Gukal, discloses method to dynamically deploy deception mechanisms to detect threats to a network [Abstract]. And [0352] the network protocol engine 1942 may produce indicators that the describe the source and destination of HTTP-based packets, a description of the webpages associated with the packets, as well as any malicious content downloaded as a result of the HTTP packets. And [0359] the network protocol analysis engine 2044 includes sub-modules for Simple Mail Transfer Protocol (SMTP) traffic 2072 (e.g., email), Server Message Block (SMB) traffic 2074 (e.g. resource sharing packets), and FTP traffic 2076). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gukal in the malicious advertisement detection and remediation of Ranadive-Gottieb-Dixon by using network protocol engine to analyze network traffic such as content downloaded as result of HTTP packets. This would have been obvious because the person having ordinary skill in the art .

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Ranadive-Gottieb-Dixon combination as applied above to claim 18, further in view of Sood et al (US20160226913A1, hereinafter, “Sood”).
Regarding claim 20, Ranadive-Gottieb-Dixon combination teaches:
The enterprise security function of claim 18, 
While the combination of Ranadive-Gottieb-Dixon does not teach the following limitation(s), however in the similar field of endeavor Sood teaches:
wherein the enterprise security function is a virtual network function (Sood, discloses NFV infrastructure performing security monitoring services. And [0023] the NFV infrastructure 108 includes one or more computing nodes 110 capable of managing (e.g., creating, moving, destroying, etc.) a number of virtual machines (VMs) that are configured to operate as virtualized network function (VNF) instances. And [0049] the NFV security services controller 102 is configured to enforce any updates to the security monitoring policy based on the remediation policy, such as by a remedial action that may be taken to address the threat or validate the anomaly.  For example, the remedial action may include blocking certain network traffic (i.e., certain network packets), streaming certain network traffic to a deep packet inspection (DPI) VNF instance, rate limiting or throttling the network traffic, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Sood in the 
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Watkins et al (US20150281258A1). Discloses detecting malicious ad content by processing the ad content and automatically determining whether the ad content is associated with a malicious app.
Le Chevalier et al (US 10,699,295 B1). Discloses determining a fraudulent content in an advertisement including a digital image which is extracted for identification information and supplemental information to calculate a scam score for advertisement.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436