Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 01/26/2022; Claims 1, 10, and 19 have been amended; and claims 1, 10, and 19 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant amendment, filed on 01/26/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
a. Applicants argue: The references of Zakas and Glass in combination do not teach that communications between the processing nodes and the external system are via a proxy, a tunnel, and redirection (Applicant Remarks/Arguments, pages 7-8, filed 01/26/2022).
         The Examiner disagrees with the Applicants. The Examiner respectfully submits that does disclose the amended limitations as the following:
Zakas discloses communications between the processing nodes and the external system are via one of a proxy, a tunnel, and redirection (Zakas: par. 0030, Traffic sensors may be implemented as computer program embedded within equipment having a programmed digital computer or processor anywhere within the flow of traffic. Types of equipment may include, but are not limited to, client machines (e.g., network interfaces, I/O ports), routers, switches, firewalls, proxy servers, gateways, and/or a standalone sensor, par. 0031, proxy servers, par. 0035, open network tunnels; See also, fig. 1, pars. 0033, 0039).  It is clear that Zakas does disclose the amended limitation.
Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims 1, 4-10, and 13-19 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Zakas (“Zakas,” US 2006/0026669, published Feb. 2, 2006) in view of Glass et al. (“Glass,” US 2005/0060643, published Mar. 17, 2005) further in view of Werner et al. (“Werner,” US 2006/0031373, published Feb. 9, 2006).
Regarding claim 1, Zakas discloses a distributed security system comprising: 
a plurality of content processing nodes that are located external on the Internet to a network edge of an enterprise (Zakas: fig. 1, par. 0039, plurality of traffic sensors 8; par. 0033, FIG. 1 also shows the system implemented within and between various network configurations including, but not limited to, Internet, Virtual Private Network (VPN), Gateway, DMZ, LAN, and Server Networks) and located external on the Internet (Zakas: fig. 1, par. 0033, In general, a VPN gateway allows remote employees 30, remote office 40, and partner extranet 20 access to internal LAN 50 or server network 80…; par. 0033, FIG. 1 also shows the system implemented within and between various network configurations including, but not limited to, Internet, Virtual Private Network (VPN), Gateway, DMZ, LAN, and Server Networks.), wherein an external system is any of the enterprise, the computer device, and the mobile device, and wherein a content processing node includes hardware configured to 
monitor a content item including a web page, a file, or an e-mail message that is sent from or requested by the external system (Zakas: par. 0012, Unauthorized messages exchanged over authorized channels are extremely difficult to detect, and sometimes impossible to block without impacting the delivery of authorized messages; par. 0043,  Mechanisms for outputting this information to the external network entities may include, real-time messages, e-mail, telephone call, text message, etc.; par. 0014, The present invention monitors and dynamically manages all user traffic not only at point of log-in but through out a user's network experience; par. 0047, Application traffic may include all common network applications such as web, file transfer, email, instant messaging, remote access, file sharing applications, streaming and all of the major application used by enterprise; fig. 3, pars. 0050-0051, monitoring message traffic to suspect target and/or monitoring message traffic from suspect source; par. 0036, At the internal network a traffic sensor may offer virtual network segmentation at the application and data layers for a server and user network in order to continuously monitor the network for security violations and malicious code and implement role based controls; also see, abstract, pars. 0016, 0032, 0035, 0038, 0044-0045, 0066), wherein communications between the processing nodes and the external system are via one of a proxy, a tunnel, and redirection (Zakas: par. 0030, Traffic sensors may be implemented as computer program embedded within equipment having a programmed digital computer or processor anywhere within the flow of traffic. Types of equipment may include, but are not limited to, client machines (e.g., network interfaces, I/O ports), routers, switches, firewalls, proxy servers, gateways, and/or a standalone sensor, par. 0031, proxy servers, par. 0035, open network tunnels; See also, fig. 1, pars. 0033, 0039);
classify the content item via a plurality of data inspection engines that utilize policy data and threat data (Zakas: par. 0038, Traffic sensors automatically identify, classify and track network traffic, instantly providing the system administrator with previously unknown information about network and application usage, data movement and potential policy violations.  Since the approach combines network and security analysis, the administrator has all the tools necessary to ensure the network is optimized to support critical services and is secured against threats; pars. 0044, 0046, 0048); 
      an authority node communicatively coupled to the plurality of content processing nodes and configured to provide the policy data for the external system (Zakas: fig. 1, pars. 0038-0039, An administrator 6 may be provided a means to interface via a workstation or console having a user interface in order to manage components of the central manger 2.  Linked to the central manager 2 are a plurality of traffic sensors 8 which transmit captured packet data and receive rules, policies and watch list objects from the central manager 2) and the threat data for threat classification (Zakas: par. 0038, Traffic sensors automatically identify, classify and track network traffic, instantly providing the system administrator with previously unknown information about network and application usage, data movement and potential policy violations; par. 0014, 0017, 0030, 0031, 0040, 0044-0045). 
Zakas does not explicitly disclose “perform threat detection on the content item when the content is classified as unknown”.
However, in an analogous art, Glass discloses “perform threat detection on the content item when the content is classified as unknown” (Glass: par. 0019, The ability of a document classification system to accurately determine the classification of an unknown document, such as an email message, can be measured by the relative quantity of errors it makes).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Glass with the method and system of Zakas to include “perform threat detection on the content item when the content is classified as unknown”. One would have been motivated to provide the set of potentially duplicated and significant unclassified document features to each of sample document feature sets with annotation values, and values are compared to determine which of sample sets shares in common with unclassified set, for setting largest weighted quantity of features classified and annotated as significant. The significant similarity measurement and classification values are output based on weighted ratio (Glass: abstract).

However, in an analogous art, Werner discloses “distribute the content item when the content is classified as clean or after a cleaning process” (Werner: par. 0008,… the sender is classified as "friendly" and the email message is classified as "not spam" and delivered to its ultimate destination ); and
 preclude distribute of the content item when the content item is classified as violating (Werner: par. 0008, …the sender is classified as "not friendly", the sender's  reliability value is decreased, and the email message is classified as spam and prevented from being delivered.);
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Werner with the method and system of Zakas and Glass to include “distribute the content item when the content is classified as clean or after a cleaning process; and preclude distribute of the content item when the content item is classified as violating.” One would have been motivated to reduce the frequency of false positive and over blocking when monitoring incoming messages, thereby improving the reliability of spam detection (Werner: pars. 0005-0006).
Regarding claim 4, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein the plurality of content processing nodes are distributed through a geographic region (Zakas: fig. 1, pars. 0030, 0031, 0033, 0039).
Regarding claim 5, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein all data destined for or received from the Internet, from the external system, is processed through the content processing node (Zakas: fig. 1, pars. 0030, 0031, 0033, 0039).
Regarding claim 6, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein specific data specified for the external system is processed through the content processing node (Zakas: fig. 1, pars.  0030, 0031, 0033, 0039). 
Regarding claim 7, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein the content item is precluded if any one of the plurality of data inspection engines has a violation (Zakas: par. 0046, FIG. 2 shows analysis tool 36 at each traffic sensor 8 designed to identify and classify all network traffic using data present in OSI layers 2-7 of every network frame, thereby linking traffic to applications, users, and network hosts to enable detailed identification and prevention of vulnerabilities, threats and policy violations.).
Regarding claim 8, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein the content item includes one or more parts C=[c1, c2, . . . , cm], and the content item is violating if any of the plurality of data inspection engines generates an output that is violating for any part C=[c1, c2, . . . , cm] (Zakas: pars. 0036, 0038, Traffic sensors integrate transparently into a network and instantly provide real-time information about all network traffic activity… Traffic sensors automatically identify, classify and track network traffic, instantly providing the system administrator with previously unknown information about network and application usage, data movement and potential policy violations; par. 0044 traffic sensor 8 allow network traffic to be dynamic managed, classified and monitored; par. 0046, … FIG. 2 shows analysis tool 36 at each traffic sensor 8 designed to identify and classify all network traffic using data present in OSI layers 2-7 of every network frame, thereby linking traffic to applications, users, and network hosts to enable detailed identification and prevention of vulnerabilities, threats and policy violations… ). 
Regarding claim 9, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein the plurality of data inspection engines include a detection processing filter that is used as a front end to looking at the threat data, to reduce processing time thereof (Zakas: fig. 1, pars.  0030, 0031, 0033, 0039). 
Regarding claim 10, Zakas teaches a content processing node comprising: 
 a processor for performing instructions and one or more memory devices (Zakas: fig. 1, pars. 0016, 0030, 0039) for storing instructions and data, wherein the content processing node is part of a distributed security system (Zakas: fig. 1,  par. 0039, plurality of traffic sensors 8) and is located external on the Internet  to a network edge of an enterprise and located external on the Internet from one of a computer device and a mobile device associated with a user (Zakas: fig. 1, par. 0033, In general, a VPN gateway allows remote employees 30, remote office 40, and partner extranet 20 access to internal LAN 50 or server network 80…; par. 0033, FIG. 1 also shows the system implemented within and between various network configurations including, but not limited to, Internet, Virtual Private Network (VPN), Gateway, DMZ, LAN, and Server Networks), wherein an external system is any of the enterprise, the computer device, and the mobile device,
wherein the instructions cause the processor to perform steps of receive policy data for the external system and threat data for threat classification from an authority node in the distributed security system (Zakas: fig. 1, pars. 0038-0039, An administrator 6 may be provided a means to interface via a workstation or console having a user interface in order to manage components of the central manger 2.  Linked to the central manager 2 are a plurality of traffic sensors 8 which transmit captured packet data and receive rules, policies and watch list objects from the central manager; par. 0038, Traffic sensors automatically identify, classify and track network traffic, instantly providing the system administrator with previously unknown information about network and application usage, data movement and potential policy violations; par. 0014, 0017, 0030, 0031, 0040, 0044-0045),
monitor a content item including a web page, a file, or an e-mail message that is sent from or requested by the external system (Zakas: par. 0012, Unauthorized messages exchanged over authorized channels are extremely difficult to detect, and sometimes impossible to block without impacting the delivery of authorized messages; par. 0043, Mechanisms for outputting this information to the external network entities may include, real-time messages, e-mail, telephone call, text message, etc.; par. 0014, The present invention monitors and dynamically manages all user traffic not only at point of log-in but through out a user's network experience; par. 0047, Application traffic may include all common network applications such as web, file transfer, email, instant messaging, remote access, file sharing applications, streaming and all of the major application used by enterprise; fig. 3, pars. 0050-0051, monitoring message traffic to suspect target and/or monitoring message traffic from suspect source; par. 0036, At the internal network a traffic sensor may offer virtual network segmentation at the application and data layers for a server and user network in order to continuously monitor the network for security violations and malicious code and implement role based controls; also see, abstract, pars. 0016, 0032, 0035, 0038, 0044-0045, 0066), wherein communications between the processing nodes and the external system are via one of a proxy, a tunnel, and redirection (Zakas: par. 0030, Traffic sensors may be implemented as computer program embedded within equipment having a programmed digital computer or processor anywhere within the flow of traffic. Types of equipment may include, but are not limited to, client machines (e.g., network interfaces, I/O ports), routers, switches, firewalls, proxy servers, gateways, and/or a standalone sensor, par. 0031, proxy servers, par. 0035, open network tunnels; See also, fig. 1, pars. 0033, 0039),
classify the content item via a plurality of data inspection engines that utilize the policy data and the threat data (Zakas: par. 0038, Traffic sensors automatically identify, classify and track network traffic, instantly providing the system administrator with previously unknown information about network and application usage, data movement and potential policy violations.  Since the approach combines network and security analysis, the administrator has all the tools necessary to ensure the network is optimized to support critical services and is secured against threats; pars. 0044, 0046, 0048), 
However, in an analogous art, Glass discloses “perform threat detection on the content item when the content is classified as unknown” (Glass: par. 0019, The ability of a document classification system to accurately determine the classification of an unknown document, such as an email message, can be measured by the relative quantity of errors it makes).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Glass with the method and system of Zakas to include “perform threat detection on the content item when the content is classified as unknown.” One would have been motivated to provide the set of potentially duplicated and significant unclassified document features to each of sample document feature sets with annotation values, and values are compared to determine which of sample sets shares in common with unclassified set, for setting largest weighted quantity of features classified and annotated as significant. The significant similarity measurement and classification values are output based on weighted ratio (Glass: abstract).
Zakas and Glass do not explicitly disclose distribute the content item when the content is classified as clean or after a cleaning process; and preclude distribute of the content item when the content item is classified as violating;
However, in an analogous art, Werner discloses “distribute the content item when the content is classified as clean or after a cleaning process” (Werner: par. 0008,… the sender is classified as "friendly" and the email message is classified as "not spam" and delivered to its ultimate destination); and
 preclude distribute of the content item when the content item is classified as violating (Werner: par. 0008, …the sender is classified as "not friendly", the sender's reliability value is decreased, and the email message is classified as spam and prevented from being delivered.);
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Werner with the method and system of Zakas and Glass to include “distribute the content item when the content is classified as clean or after a cleaning process; and preclude distribute of the content item when the content item is classified as violating.” One would have been motivated to reduce the frequency of false positive and over blocking when monitoring incoming messages, thereby improving the reliability of spam detection (Werner: pars. 0005-0006).
Regarding claim 13, claim 13 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Regarding claim 14, claim 14 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 16
Regarding claim 17, claim 17 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is directed to a non-transitory computer readable medium comprising instructions that, when executed, cause a processor to associated with the method claimed in claim 10; claim 19 is similar in scope to claim 10, and is therefore rejected under similar rationale.
Claims 2, 11, and 20 are rejected under 35 U.S.C. 103(a)  as being unpatentable over Zakas (“Zakas,” US 2006/0026669, published Feb. 2, 2006) in view of Glass et al. (“Glass,” US 2005/0060643, published Mar. 17, 2005) further in view of Werner et al. (“Werner,” US 2006/0031373, published Feb. 9, 2006), and Zhang et al. (“Zhang,” US 2009/0165081, filed  Dec. 21, 2007), and Morss et al. (“Morss,” US 2009/0006569, filed Jun. 28, 2007).
Regarding claim 2, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas further discloses wherein the policy data defines access privileges, content allowability (Zakas: pars. 0038, 0064, Administrators grant rights and permission by assigning role or group to the users; par. 0010, Access control systems are generally designed to force users to authenticate themselves before they are granted access to a restricted system or network, usually by forcing a user to present a username and password, a token-based authentication credential and/or other access control techniques.  Access control can be embedded within a system or can be part of an external authentication system to request and inspect the credentials of users.), and wherein the threat includes spam email domains (Glass: pars. 0007, 0019; Werner: par. 0008).
Zakas, Glass, and Werner do not explicitly disclose wherein the policy data defines restricted domains.
However, in an analogous art, Zhang discloses “the policy data defines restricted domains” (Zhang: fig. 2, par. 0021,… At 204, a first access policy may be defined for the first domain.  This access policy may act to limit access to the first domain to certain trusted domains.  Embodiments are possible where the access policy does not allow users or resources corresponding to any other domain to access resources of the first domain...).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Zhang with the method and system of Zakas, Glass, and Werner to include “the policy data defines restricted domains.” One would have been motivated to reduce or eliminate the security threat of malicious software or individuals gaining access to the resources controlled by the domains (Zhang: abstract, pars. 0005, 0015, 0043).
Zakas, Glass, Werner, and Zhang do not explicitly disclose wherein the threat data includes known viruses and malware sites.
However, in an analogous art, Morss teaches wherein the threat data includes known viruses and malware sites (Morss: par. 0026, the various message features include but is not limited to an information regarding web site content; a number of web sites hosting malware, spyware or SPAM …, email, spam, and/or virus volume being sent from the domain or the host IP address based on customer field statistics; pars. 0005, 0015).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Morss with the method and system of Zakas, Glass, Werner, and Zhang to include wherein the threat data includes known viruses, malware sites, and spam email domains.  One would have been motivated to provide the filter protects the hardware, software, and the data of the recipient from damage.  The transmission or reception of the unwanted messages is prevented by the filter (Morss: pars. 0005-0007).
Regarding claim 11, claim 11 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is similar in scope to claim 11, and is therefore rejected under similar rationale.
Claims 3 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Zakas (“Zakas,” US 2006/0026669, published Feb. 2, 2006) in view of Glass et al. (“Glass,” US 2005/0060643, published Mar. 17, 2005) further in view of Werner et al. (“Werner,” US 2006/0031373, published Feb. 9, 2006), and Mualem et al. (“Mualem,” US 2005/0018618, published Jan. 27, 2005).
Regarding claim 3, the combination of Zakas, Glass, and Werner discloses the distributed security system of claim 1. Zakas, Glass, and Werner do not explicitly disclose 
However, in an analogous art, Mualem teaches wherein the content processing node is configured to update the authority node based on the threat detection, and wherein the authority node is configured update the threat data based on the update and to provide updated threat data to the plurality of content processing nodes (Mualem: figs. 2-3, threat detection system 100, threat Management System 200; par. 0092, Threat detection system 100  includes network interface portion 120, processor portion 140, memory portion 160, and management and administration portion 180  …; par. 0093 Processor portion 140 controls the flow of network traffic through the threat detection device 100.  Processor portion 140 analyzes the data collected from the network, determines what action must be taken with respect to each network packet examined, and generates output to the threat management system 200.  Threat detection system 100 further includes a memory portion 160.  In operation, processor portion 140 retrieves data from and stores data for use by the threat detection system 100 in memory portion 160.  Management and administration portion 180 communicates with threat management system 200 through communication link 199.  Through management and administration portion 180, alerts and other data may be forwarded to the threat management system 200 for display to an administrator, and updates to the configuration of the threat detection may be delivered to threat detection system 100; fig. 7, pars. 0056, 0112).
(Mualem: par. 0006).
Regarding claim 12, claim 12 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

February 16th, 2022 


/JAHANGIR KABIR/
Primary Examiner, Art Unit 2439