Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 10/26/2021 have been fully considered but they are not persuasive. 
Examiner has withdrawn the 101 rejection from the previous office action.
Applicant argues that the combination of Bosco and Laswell does not specifically disclose “based at least in part on the determination that the unknown software object does not have a reliable global reputation, share the local reputation for the unknown software object with the global security cache”, as recited in independent claims.
In response to Applicant's arguments, the Examiner respectfully disagrees with the applicant and would like to show that Bosco in view of Laswell discloses based at least in part on the determination that the unknown software object does not have a reliable global reputation, share the local reputation for the unknown software object with the global security cache. The Examiner points out that Bosco discloses the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC, and both tier 1 SCCs can maintain duplicate copies of the reputation database (Col 12, lines 25-35). Further Laswell discloses the determination can be via a query and response to a server, from information stored at the device in memory 132, by processing events to determine the reputations, etc. In one example, 
Examiner asserts that the processing events to determine the reputations and a global reputation database is germane to the determination that the unknown software object does not have a reliable global reputation, as described in Applicant’s invention. 
As such the Examiner maintains the rejection.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 9, 11-13 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bosco (US Patent 10735378) in view of Laswell (US Patent Pub. 20160269430).

As per claim 1:  Bosco discloses a computing apparatus, the computing apparatus being an endpoint device, and comprising: a processor and a memory; a network interface; and a security agent comprising instructions encoded within the memory to instruct the processor to (See abstract):
identify an unknown software object on the endpoint device (Col 3, lines 49-52; identify threats and can also identify new threats using, for example, a counter associated with one or more properties of network packets);
receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation (Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC);
compute, on the endpoint device,  a local reputation for the unknown software object (Col 12, lines 25-35; local reputation data); and
based at least in part on the determination that the unknown software object does not have a reliable global reputation, share the local reputation for the unknown software object with the global security cache (Col 12, lines 25-35; the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC, and both tier 1 SCCs can maintain duplicate copies of the reputation database).
See Laswell; Paragraph 22; The determination can be via a query and response to a server, from information stored at the device in memory 132, by processing events to determine the reputations, etc. In one example, the information for the determination can come from a security intelligence feed from a global reputation database, such as a malware repository, open source black lists, 3rd party commercial sources, etc.).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC by adopting Laswell's teaching for determination coming from a security intelligence feed from a global reputation database. The motivation would have been to improve software license management.
As per claim 2:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, wherein sharing the local reputation for the unknown software object comprises uploading a hash of the unknown software object (See Laswell; Paragraph 23; The known information can be stored in a database and fingerprinting/hashing can be used to determine the code/patterns of activity).
As per claim 3:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, wherein sharing the local reputation for the unknown software See Laswell; Paragraph 28; Metadata about the type of malware can be used in the associations).
As per claim 4:  The combination of Bosco and Laswell discloses the computing apparatus of claim 3, wherein the metadata comprise multi-dimensional metadata (See Laswell; Paragraph 28; Metadata about the type of malware can be used in the associations).
As per claim 6:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, wherein computing a local reputation for the unknown software object comprises performing local deep static analysis on the unknown software object (See Laswell; Paragraph 13; Deep inspection filters are augmented through the use of reputation information).
As per claim 9:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, wherein the security agent further comprises instructions to receive from the global reputation store a not-reliable reputation based at least in part on analysis by other endpoints (See Laswell; Paragraph 47; The computing device 500 can be placed in-line between two endpoints).
As per claim 11:  Bosco discloses one or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to instruct a processor to:
detect on an endpoint device a security object, and determine that the security object does not have a locally-cached security reputation (Col 3, lines 49-52; identify threats and can also identify new threats using, for example, a counter associated with one or more properties of network packets);
receive from the non-local reputation store a response that the security object lacks a reliable reputation  (Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC);
analyze the security object to assign the security object a provisional local reputation (Col 12, lines 25-35; local reputation data); and
based at least in part on the response that the security object lacks a reliable reputation, upload the provisional local reputation to the non-local reputation store (Col 12, lines 25-35; the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC, and both tier 1 SCCs can maintain duplicate copies of the reputation database).
However, Bosco does not specifically disclose query a non-local reputation store for a reliable reputation for the security object (See Laswell; Paragraph 22; The determination can be via a query and response to a server, from information stored at the device in memory 132, by processing events to determine the reputations, etc. In one example, the information for the determination can come from a security intelligence feed from a global reputation database, such as a malware repository, open source black lists, 3rd party commercial sources, etc.).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to 
As per claim 12: The combination of Bosco and Laswell discloses the one or more tangible, non-transitory computer-readable mediums of claim 11, wherein instructions are further to receive from the non-local reputation store a not-reliable reputation based at least in part on analysis by other endpoints (See Laswell; Paragraph 47; The computing device 500 can be placed in-line between two endpoints).
As per claim 13:  The combination of Bosco and Laswell discloses the one or more tangible, non-transitory computer-readable mediums of claim 12, wherein the instructions are further to act on the not-reliable reputation (See Laswell; Paragraph 22; The determination can be via a query and response to a server, from information stored at the device in memory 132, by processing events to determine the reputations, etc. In one example, the information for the determination can come from a security intelligence feed from a global reputation database, such as a malware repository, open source black lists, 3rd party commercial sources, etc.).
As per claim 19:  Bosco discloses a computer-implemented method of providing globally cached reputations for unknown security objects on an endpoint device, comprising:
Col 3, lines 49-52; identify threats and can also identify new threats using, for example, a counter associated with one or more properties of network packets);
determining that the security object is not permitted to operate on the endpoint without a sufficiently-positive reputation (Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC);
determining that the non-local security repository has not assigned the security object a global reputation (Col 12, lines 25-35; the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC, and both tier 1 SCCs can maintain duplicate copies of the reputation database);
locally analyzing the security object on the endpoint device to assign the security object a provisional reputation (Col 12, lines 25-35; local reputation data); and
based at least in part upon the determination that the non-local security repository has not assigned the security object a global reputation, uploading the provisional reputation to the non-local security repository (Col 12, lines 25-35; the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC, and both tier 1 SCCs can maintain duplicate copies of the reputation database).
However, Bosco does not specifically disclose querying a non-local security repository for a global reputation for the security object (See Laswell; Paragraph 22; The determination can be via a query and response to a server, from information stored at the device in memory 132, by processing events to determine the reputations, etc. In one example, the information for the determination can come from a security intelligence feed from a global reputation database, such as a malware repository, open source black lists, 3rd party commercial sources, etc.).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC by adopting Laswell's teaching for determination coming from a security intelligence feed from a global reputation database.
As per claim 20:  The combination of Bosco and Laswell discloses the method of claim 19, wherein uploading the provisional reputation comprises uploading a hash of the security object (See Laswell; Paragraph 23; The known information can be stored in a database and fingerprinting/hashing can be used to determine the code/patterns of activity).


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Bosco (US Patent 10735378) in view of Laswell (US Patent Pub. 20160269430) and in view of Friedman (US Patent Pub. 20180191838).

As per claim 5:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation (See Bosco; Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC).
Bosco in view of Laswell do not specifically disclose wherein computing a local reputation for the unknown software object comprises performing local sandbox analysis on the unknown software object (See Friedman Paragraph 40; This may include running the object in a sandbox environment, expert status analysis, or other security techniques. These may help to establish a new reputation for the object).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC by adopting Friedman's teaching for running the object in a sandbox environment, expert status analysis, or other security techniques. The motivation would have been to improve software license management.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bosco (US Patent 10735378) in view of Laswell (US Patent Pub. 20160269430) and in view of Jakobsson (US Patent Pub. 20180091453).

As per claim 7:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation (See Bosco; Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC).
Bosco in view of Laswell do not specifically disclose wherein computing a local reputation for the unknown software object comprises performing local behavioral analysis on the unknown software object (See Jakobsson; Paragraph 27; analysis server 102 receives information about one or more messages sent by a user of message server 106 (e.g., receives the message or a portion of the message, a recipient identifier included in the message, etc.). This information may be utilized by analysis server 102 to identify message behavior and/or message contacts of the user).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC by adopting Jakobsson’s teaching for identify message behavior and/or message contacts of the user. The motivation would have been to improve software license management.


Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Bosco (US Patent 10735378) in view of Laswell (US Patent Pub. 20160269430) and in view of Dreyfus (US Patent 9990511).

As per claim 8:  The combination of Bosco and Laswell discloses the computing apparatus of claim 1, receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation (See Bosco; Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC).
Bosco in view of Laswell do not specifically disclose wherein computing a local reputation for the unknown software object comprises performing local heuristic analysis of a user reaction to the unknown software object (See Dreyfus; Col 9, lines 50-55; the endpoint system can detect file encryption by a malicious application based on heuristics data or analysis as the application executes on the endpoint system).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation data in its instance of a reputation database with the second tier 1 SCC by adopting Dreyfus's teaching for detect file encryption by a malicious application based on heuristics data or analysis as the application executes on the endpoint system. The motivation would have been to improve software license management.

Claims 10 and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bosco (US Patent 10735378) in view of Laswell (US Patent Pub. 20160269430) and in view of Rajagopal (US Patent 10686783).

As per claim 10:  The combination of Bosco and Laswell discloses the computing apparatus of claim 9, receive a response from the global reputation store and determine that the unknown software object does not have a reliable global reputation (See Bosco; Col 12, lines 25-35; each tier 2 SCC could share some of the reputation data (e.g., global reputation data) with the associated tier 1 SCC).
Bosco in view of Laswell do not specifically disclose wherein the security agent further comprises instructions to assign a weight to the not-reliable reputation (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation 
As per claim 14:  The combination of Bosco and Laswell discloses the one or more tangible, non-transitory computer-readable mediums of claim 12, wherein instructions are further to receive from the non-local reputation store a not-reliable reputation based at least in part on analysis by other endpoints (See Laswell; Paragraph 47; The computing device 500 can be placed in-line between two endpoints).
Bosco in view of Laswell do not specifically disclose wherein the instructions are further to assign a weight to the not-reliable reputation (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Bosco in view of Laswell in its entirety, to modify the technique of Bosco for the first tier 1 SCC could share all of the reputation 
As per claim 15:  The combination of Bosco, Laswell and Rajagopal discloses the one or more tangible, non-transitory computer-readable mediums of claim 14, wherein assigning the weight comprises assessing a prevalence of the security object (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).
As per claim 16:  The combination of Bosco, Laswell and Rajagopal discloses the one or more tangible, non-transitory computer-readable mediums of claim 14, wherein assigning the weight comprises assessing a type of analysis performed by one or more other endpoints to derive the not-reliable reputation (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).
As per claim 17:  The combination of Bosco, Laswell and Rajagopal discloses the one or more tangible, non-transitory computer-readable mediums of claim 14, wherein assigning the weight comprises assessing a time since last encounter for the security object (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).
As per claim 18:  The combination of Bosco, Laswell and Rajagopal discloses the one or more tangible, non-transitory computer-readable mediums of claim 14, wherein assigning the weight comprises comparing an operating environment of one or more endpoints that contributed to the not-reliable reputation to an operating environment of a local host (See Rajagopal; claim 1; A local reputation score associated with the access point is dynamically determined (306) by the connection manager based on a set of parameters and pre-defined weights assigned to each of the set of parameters. The secure access connection is established (314) between the host device and the electronic device through the access point by the connection manager, based on comparison of an updated global reputation score with a pre-defined threshold).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472.  The examiner can normally be reached on 730-330pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ANTHONY D BROWN/Primary Examiner, Art Unit 2433