Notice of Pre-AIA or AIA Status
The present application, filed on or after April 12, 2019, is being examined under the first inventor to file provisions of the AIA.

Detailed action
Claims 1-20 are pending and are being considered.
Claims 1, 10, 17 and 20 have been amended.

Response to 112f
Applicant's arguments filed on 12/30/2021 have been fully considered and are persuasive. The examiner acknowledges that the applicant agrees with the examiner's interpretation of claim 20 as invoking 112f.
Response to 103
Applicant's arguments filed on 12/30/2021 have been fully considered and are persuasive but are moot in view of new grounds of rejection. The arguments do not apply to the current art being used.
In response to applicant's argument on page 11 2nd last para of remarks that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e. determining an enterprise risk level for sharing security information….) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

	

CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: security system in claim 20.

Claim limitation “security system” of claim 20 is given its broadest reasonable interpretation of the claim elements with a limited description in the specification. The examiner notes that the security system lies within a threat management facility, and that the threat management facility has a memory as hardware structure; see [0204-0205]. Accordingly, claim 20 invokes 35 U.S.C. 112(f) or sixth paragraph, but the corresponding structure is described.

Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ray et al (hereinafter Ray) (US 20160173509) in view of Mahaffey et al (US 20160099963) and further in view of Fang et al (hereinafter Fang) (US 20180211292).


Regarding claim 1, Ray teaches a computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on a threat management facility for an enterprise network, performs the steps of: (Ray on [0007-0008 and 0012] teaches a computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, such as threat management facility for enterprise network);
providing a first interface of the threat management facility for monitoring activity on a plurality of compute instances of the enterprise network (Ray Fig 1 and text on [0059] teaches threat management facility 100 includes the detection techniques facility 130 (i.e. first interface) for monitoring the enterprise facility 102 network (i.e. enterprise network) or end-point devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. The detection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on server facilities 142 (i.e. plurality of computing instance in enterprise network 102), desktop computers, laptop computers, other mobile computing devices);
providing a second interface of the threat management facility for communications with local security agents on the plurality of compute instances that provide local security to the plurality of compute instances against malicious network activity (Ray on [0037-0038] teaches the enterprise facility 102 may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D (i.e. compute instance) such as protected by computer security facilities 152 (i.e. local security agents). See on [0062-0063] teaches security facility 152, located on a computer's desktop, which may provide threat protection to a user, and associated enterprise facility 102. The end-point computer security facility 152 may be an application loaded onto the computer platform, the threat management facility 100, and associated end-point computer security facility 152, may provide seamless threat protection to the plurality of clients 144, and client facility types, across the enterprise facility 102. See on [0070-0071] teaches the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility (e.g., the clients 144 D-F) that has an embedded end-point computer security facility 152, such as by providing URI filtering in personal routers, using a web appliance as a DNS proxy (i.e. interaction using second interface). The threat management facility interacts with network enterprise 102 through security facility 152. See on [0040-0042] teaches the security management facility 122 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like);
providing a third interface of the threat management facility for providing programmatic access to the threat management facility by one or more resources outside the enterprise network (Ray on [0085] teaches the analysis facility 212 (i.e. third interface) may provide a remote processing resource for analyzing malicious activities and creating rules suitable for detecting drifts 210 or threats based on information received from the servers 202 (i.e. which is outside of enterprise network 102). The analysis facility 212 may be part of the threat management facility 204 as shown. The analysis facility 212 may include a variety of analysis tools such as machine interface for receiving information. See [0108-0111] teaches the analysis facility 506 (i.e. third interface) may also receive threat information from a third-party source 508 (i.e. outside of enterprise network) such as MITRE Corporation or any other public, private, educational or other organization that gathers information on network threats and provides analysis and threat detection information for use by others);
 providing a security system for managing use of third party security resources within the enterprise network, (Ray Fig 1 block 100, 122 and text on [0038 and 0040-0041] teaches the security management facility 122 (i.e. security system) of threat management facility 11 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest (i.e. managing third party security resources)).
Although Ray teaches data available through first interface and second interface of threat management system (Ray Fig 1 and text on [0037-0038 and 0059-0063]), but fails to explicitly teach the security system configured to controllably expose security data for the enterprise network available through the first interface to the third party security resources accessing the threat management facility through the third interface, controllably expose configuration of the local security agents accessible through the second interface to the third party security resources through the third interface, and configure one or more of the plurality of compute instances of the enterprise network in response to the third party security resources based on the security data available through the first interface; receiving event vectors from the plurality of compute instances at the threat management facility (Mahaffey on [0340] teaches Assessments may result from collecting and/or processing data by server 3551 (i.e. security system in instant case) and may be exposed by server 3551 to users or other systems via an API, user interfaces. See on [0470] teaches server exposes trust data to third-parties via an API. See on [0571] teaches assessments for a group of devices are exposed by server 3551 in the form of an API for use by external services such as management consoles. For example, server 3551 may expose risk ratings for the group of devices to a centralized security reporting system via an HTTP API. See on [0153] teaches the server 111 can also transmit the security data to a remote client computer 233 through a client computer widget, a web site 235 or via e-mail 237);
[[controllably expose a programmatic interface for configuration of the local security agents by the third-party security resources using the programmatic interface ]] and configure one or more of the plurality of compute instances of the enterprise network to use the third party security resources for enforcement of security policies for the enterprise network based on the security data available through (Mahaffey on [0552-0553] teaches this assessment information (i.e. equivalent to security data) can be used to guide decisions regarding whether to download and install different types of data objects (i.e. third party resource). Such information can be useful to an individual user trying to decide whether to install a certain application (i.e. third-party resource) on his mobile communications device (i.e. configuration of compute instance). Such information can also be useful to an IT administrator trying to decide whether to deploy a certain application to a plurality of mobile communications devices. In an embodiment, a user or IT administrator can use this assessment information for application policy enforcement. See on [0481] teaches an assessment indicates whether a data object is allowed to run on a device given policy set by an administrator. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 3551 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application. See on [0586] teaches a mobile device deployment may already have a device management server or service in place, it may be desirable for server 3551 to supply data to a device management server that actually performs the policy enforcement. In an embodiment, server 3551 interfaces with a device management server to configure application policy on the device management server);
receiving event vectors from the plurality of compute instances at the threat management facility through the first interface (Mahaffey on [0144-0146] teaches the local security component 105 sends the security event information to the information gathering component 107 that quantifies the security events and the severity of the security events. For example, the information gathering component 107 processes the detected security events and produces security state assessment results for the mobile device 101. See on [0156] teaches the remote security component may receive information about both security event and non-security-event data received by the mobile device (i.e. receiving event from plurality of compute instance e.g. local security component and mobile device));
 storing the event vectors in an event store for the threat management facility, wherein the security data controllably exposed to the third party security resources includes at least a portion of the stored event vectors (Mahaffey on [0148] teaches the security component produces an event log that is stored and updated as new events (i.e. event vector interpreted as group of events in view of [00163] of instant application). See also on [0189] teaches Server 911 may also store a database of security events. Further teaches the local security component analyzes the cumulative security events and the non-security event data to determine an overall security status for the mobile device 219. This security assessment is based upon the type, severity and quantity of the security events, their associated data, and the non-security events and data that are received and processed by the mobile device 101 (i.e. exposing stored event vector)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Mahaffey into the teaching of Ray by exposing data and configuration information to a remote user. One would be motivated to do so in order to maintain security of the device based on configuration information by granting or denying access (Mahaffey on [0009-0011]).
	Although the combination teaches receiving event vector, storing the event vector in a database and charging fee for service (i.e. metering facility), but the combination fails to teach providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store, and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the (Fang on [0093-0094] teaches the dispute interface module 850 (i.e. programmatic interface interpreted in view of [00145] of instant application as an interface for submitting updates) may provide a portal and/or user interface to the RU record tracking component 220 via which a client may select to dispute one or more RUs. Further teaches when an RU is disputed (e.g., by a client via the dispute interface module 850), the RU record status updating module 860 may update the RU status (i.e. configuration of local security agent). See also on [0081] teaches the RU record tracking component 220 may and/or modify status codes in stored within an RU record);
providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).
and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the compute instances (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Fang into the combined teaching of Ray and Mahaffey by having metered access for third-party resources. One would be motivated to do so in order to manage third party security resources (Fang on [0004-0005]).

Regarding claim 10, Ray teaches a method comprising (Ray on [0005] teaches a method);
monitoring activity on a plurality of compute instances of an enterprise network through a first interface of a threat management facility (Ray Fig 1 and text on [0059] teaches threat management facility 100 includes the detection techniques facility 130 (i.e. first interface) for monitoring the enterprise facility 102 network (i.e. enterprise network) or end-point devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. The detection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on server facilities 142 (i.e. plurality of computing instance in enterprise network 102), desktop computers, laptop computers, other mobile computing devices);
communicating with local security agents on the compute instances through a second interface of the threat management facility (Ray on [0037-0038] teaches the enterprise facility 102 may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D (i.e. compute instance) such as protected by computer security facilities 152 (i.e. local security agents). See on [0062-0063] teaches security facility 152, located on a computer's desktop, which may provide threat protection to a user, and associated enterprise facility 102. The end-point computer security facility 152 may be an application loaded onto the computer platform, the threat management facility 100, and associated end-point computer security facility 152, may provide seamless threat protection to the plurality of clients 144, and client facility types, across the enterprise facility 102. See on [0070-0071] teaches the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility (e.g., the clients 144 D-F) that has an embedded end-point computer security facility 152, such as by providing URI filtering in personal routers, using a web appliance as a DNS proxy (i.e. interaction using second interface). The threat management facility interacts with network enterprise 102 through security facility 152. See on [0040-0042] teaches the security management facility 122 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like);
 providing programmatic access to the threat management facility by one or more resources outside the enterprise network through a third interface of the threat management facility (Ray on [0085] teaches the analysis facility 212 (i.e. third interface) may provide a remote processing resource for analyzing malicious activities and creating rules suitable for detecting drifts 210 or threats based on information received from the servers 202 (i.e. which is outside of enterprise network 102). The analysis facility 212 may be part of the threat management facility 204 as shown. The analysis facility 212 may include a variety of analysis tools such as machine interface for receiving information. See [0108-0111] teaches the analysis facility 506 (i.e. third interface) may also receive threat information from a third-party source 508 (i.e. outside of enterprise network) such as MITRE Corporation or any other public, private, educational or other organization that gathers information on network threats and provides analysis and threat detection information for use by others);
operating a security system on the threat management facility (Ray Fig 1 block 100, 122 and text on [0038 and 0040-0041] teaches the security management facility 122 (i.e. security system) of threat management facility 11 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources).
Although Ray teaches data available through first interface and second interface of threat management system (Ray Fig 1 and text on [0037-0038 and 0059-0063]), but fails to explicitly teach the security system configured to; controllably expose security data for the enterprise network available through the first interface to (Mahaffey on [0340] teaches Assessments may result from collecting and/or processing data by server 3551 (i.e. security system) and may be exposed by server 3551 to users (i.e. remote user as per para 0167 ) or other systems via an API, user interfaces. See on [0470] teaches server exposes trust data to third-parties via an API. See on [0571] teaches assessments for a group of devices are exposed by server 3551 in the form of an API for use by external services such as management consoles. For example, server 3551 may expose risk ratings for the group of devices to a centralized security reporting system via an HTTP API. See on [0153] teaches the server 111 can also transmit the security data to a remote client computer 233 through a client computer widget, a web site 235 or via e-mail 237);
controllably expose configuration of the local security agents accessible through the second interface to the one or more resources outside the enterprise network through the third interface (Mahaffey on [0402 and 0404- 0405] teaches device configuration information 3678 is generated at the server and is transmitted from the server (i.e. security system) to one or more client such as client device 3501, a client device 3680, or both (i.e. remotely connected see para 0167), a configuration profile, configuration file, or configuration settings. See on [0427] teaches server 3551 sends configuration to mobile communications device 3501 requesting that the device send specific types of behavioral data at a specific frequency. See on [0584] teaches the policy configuration user interface on mobile communications device 3501 or server 3551 includes an interface for viewing applications that would be blocked or allowed as part of a configuration change. If the configuration change interface is displayed on mobile communications device 3501, the device may send requests for data to server 3551 to populate the interface).
and configure one or more of the plurality of compute instances of the enterprise network to use the one or more resources outside the enterprise network for enforcement of security policies of the enterprise network, wherein to configure is based on the security data available through the first interface that is controllably exposed to the one or more resources outside the enterprise network (Mahaffey on [0552-0553] teaches this assessment information (i.e. equivalent to security data) can be used to guide decisions regarding whether to download and install different types of data objects (i.e. third party resource). Such information can be useful to an individual user trying to decide whether to install a certain application (i.e. third-party resource) on his mobile communications device. Such information can also be useful to an IT administrator trying to decide whether to deploy a certain application to a plurality of mobile communications devices. In an embodiment, a user or IT administrator can use this assessment information for application policy enforcement. See on [0481] teaches an assessment indicates whether a data object is allowed to run on a device given policy set by an administrator. If multiple policies are configured on server 3551 and data storage 3511 stores which policy is to be applied to a device 3501, then a given data object may have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 3551 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application. 
See on [0586] teaches a mobile device deployment may already have a device management server or service in place, it may be desirable for server 3551 to supply data to a device management server that actually performs the policy enforcement. In an embodiment, server 3551 interfaces with a device management server to configure application policy on the device management server);
Page 4 of 12 EFS-Web PATENTS USSN 16/383,439 SPHS-0132-P05
receiving event vectors from the plurality of compute instances at the threat management facility through the first interface (Mahaffey on [0144-0146] teaches the local security component 105 sends the security event information to the information gathering component 107 that quantifies the security events and the severity of the security events. For example, the information gathering component 107 processes the detected security events and produces security state assessment results for the mobile device 101. See on [0156] teaches the remote security component may receive information about both security event and non-security-event data received by the mobile device (i.e. receiving event from plurality of compute instance e.g. local security component and mobile device));
storing the event vectors in an event store for the threat management facility, wherein the security data controllably exposed to the one or more resources outside the enterprise network through the third (Mahaffey on [0148] teaches the security component produces an event log that is stored and updated as new events (i.e. event vector interpreted as group of events in view of [00163] of instant application). See also on [0189] teaches Server 911 may also store a database of security events. Further teaches the local security component analyzes the cumulative security events and the non-security event data to determine an overall security status for the mobile device 219. This security assessment is based upon the type, severity and quantity of the security events, their associated data, and the non-security events and data that are received and processed by the mobile device 101 (i.e. exposing stored event vector)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Mahaffey into the teaching of Ray by exposing data and configuration information to a remote user. One would be motivated to do so in order to maintain security of device based on configuration information by granting or denying access (Mahaffey on [0009-0011]).
Although the combination teaches receiving event vector, storing the event vector in a database and charging fee for service (i.e. metering facility), but the combination fails to teach providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store, and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the compute instances, however Fang from analogous art teaches controllably expose a programmatic interface for configuration of the local security agents by the one or more resources outside the enterprise network using the programmatic interface (Fang on [0093-0094] teaches the dispute interface module 850 (i.e. programmatic interface interpreted in view of [00145] of instant application as an interface for submitting updates) may provide a portal and/or user interface to the RU record tracking component 220 via which a client may select to dispute one or more RUs. Further teaches when an RU is disputed (e.g., by a client via the dispute interface module 850), the RU record status updating module 860 may update the RU status (i.e. configuration of local security agent). See also on [0081] teaches the RU record tracking component 220 may and/or modify status codes in stored within an RU record);
providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).
and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Fang into the combined teaching of Ray and Mahaffey by having metered access for third-party resources. One would be motivated to do so in order to manage third party security resources (Fang on [0004-0005]).

Regarding claims 2 and 11 the combination of Ray, Mahaffey and Fang teaches all the limitations of claims 1 and 10 respectively, Ray further teaches wherein the third party security resources include a cloud service (Ray on [0177] teaches a remote user, a remote processing resource (e.g., a server or cloud computer)).
Regarding claims 3 and 12 the combination of Ray, Mahaffey and Fang teaches all the limitations of claims 2 and 11 respectively, Mahaffey further teaches wherein the cloud service includes a human resources system provider for the enterprise network (Mahaffey on [00492] teaches information provided by human analysis of the data object, trust data associated with the data object, information about the geographic distribution of the data object. See on [0521] teaches human analysis system for assessment).
Regarding claims 4 and 13 the combination of Ray, Mahaffey and Fang teaches all the limitations of claims 1 and 10 respectively, Ray further teaches wherein the threat management facility includes an authentication facility for controlling access to the enterprise network by a remote user (Ray on [0037] teaches the threat management facility 100 may provide policy management (i.e. authentication facility) that may be able to control legitimate applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the like, that may undermine productivity and network performance within the enterprise facility 102).

Regarding claims 5 and 14 the combination of Ray, Mahaffey and Fang teaches all the limitations of claims 4 and 13 respectively, Mahaffey further teaches wherein the authentication facility is a multifactor authentication facility requiring two or more factors for authentication of the remote user (Mahaffey on [0899] teaches performing second factor authentication in a multi-factor authentication).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Mahaffey into the teaching of Ray by using multi-factor authentication for authenticating. One would be motivated to do so in order to maintain security of device based on configuration information by granting or denying access (Mahaffey on [0009-0011]).

Regarding claim 6 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 1 above, Mahaffey further teaches wherein the threat management facility includes a metering facility (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 7 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 6 above, Mahaffey further teaches wherein the metering facility supports payments by the third party security resources to the threat management facility for access to the enterprise network (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 8 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 6 above, Mahaffey further teaches wherein the metering facility supports payments by the threat management facility to the  third party security resources for access to services of  the third party (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 9 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 1 above, Ray further teaches wherein the threat management facility includes an event collection facility accessible to the third party security resources through the third interface (Ray on [0056-0057] teaches the network access rules 124 may provide an information store to be accessed by the network access control. The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. The network access rule facility 124 may provide updated rules and policies to the enterprise facility 102).

Regarding claim 15 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 10 above, Mahaffey further teaches further comprising charging for services provided through the first interface, the second interface, and the third interface of the threat management facility with a metering facility of the threat management facility (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 16 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 15 above, Mahaffey further teaches wherein the metering facility supports payments by the one or more resources outside the enterprise network to the threat management facility for access to the enterprise network (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 17 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 15 above, Mahaffey further teaches wherein the metering facility supports payments by the threat management facility to the third party security resources for access to services of the third party security resources by the compute instances of the enterprise network (Mahaffey on [0395] teaches the administrator may seek to start charging or impose additional costs for the use of those applications. See on [0661] teaches system charging the user for service. See on [0816] teaches an application developer may host or use an ad network with the application program. This allows the application developer to receive payment through the placement of advertisements in the application program. Typically, the ad network issues an account identifier to the developer which the developer can insert into the application. The account identifier allows the ad network to identify the developer who should receive payment when, for example, a user clicks on, views, or accesses an advertisement that is displayed with the application program).
Regarding claim 18 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 10 above, Mahaffey further teaches further comprising storing an event stream for the enterprise network by an event collection facility of the threat management facility (Ray on [0056-0057] teaches the network access rules 124 may provide an information store to be accessed by the network access control. The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. The network access rule facility 124 may provide updated rules and policies to the enterprise facility 102).
Regarding claim 19 the combination of Ray, Mahaffey and Fang teaches all the limitations of claim 18 above, Mahaffey further teaches further comprising providing access to the event collection facility for remote resources through the third interface (Ray on [0056-0057] teaches the network access rules 124 may provide an information store to be accessed by the network access control. The network access rules facility 124 may include databases such as a block list, a black list, an allowed list, a white list, an unacceptable network site database, an acceptable network site database, a network site reputation database, or the like of network access locations that may or may not be accessed by the client facility. The network access rule facility 124 may provide updated rules and policies to the enterprise facility 102).
Regarding claim 20 Ray teaches A system comprising (Ray on [0008] teaches a system);
a threat management facility for compute instances in an enterprise network (Ray Fig 1 block 100, 102 and text on [0035] teaches a threat management facility 100 for enterprise facility 102 may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D (i.e. compute instance));
a first interface of the threat management facility for monitoring activity on the compute instances (Ray Fig 1 and text on [0059] teaches Threat management facility 100 includes The detection techniques facility 130 (i.e. first interface) for monitoring the enterprise facility 102 network (i.e. enterprise network) or end-point devices, such as by monitoring streaming data through the gateway, across the network, through routers and hubs, and the like. The detection techniques facility 130 may include monitoring activity and stored files on computing facilities, such as on server facilities 142 (i.e. plurality of computing instance in enterprise network 102 ), desktop computers, laptop computers, other mobile computing devices);
a second interface of the threat management facility for communications with local security agents on the compute instances that provide local security to the compute instances against malicious network activity (Ray on [0037-0038] teaches The enterprise facility 102 may include administration 134, a firewall 138A, an appliance 140A, server 142A, network devices 148A-B, clients 144A-D (i.e. compute instance) such as protected by computer security facilities 152 (i.e. local security agents). See on [0062-0063] teaches security facility 152, located on a computer's desktop, which may provide threat protection to a user, and associated enterprise facility 102. The end-point computer security facility 152 may be an application loaded onto the computer platform, the threat management facility 100, and associated end-point computer security facility 152, may provide seamless threat protection to the plurality of clients 144, and client facility types, across the enterprise facility 102. See on [0070-0071] teaches the threat management facility 100 to protect the out-of-enterprise facility 102 mobile client facility (e.g., the clients 144 D-F) that has an embedded end-point computer security facility 152, such as by providing URI filtering in personal routers, using a web appliance as a DNS proxy (i.e. interaction using second interface). The threat management facility interacts with network enterprise 102 through security facility 152. See on [0040-0042] teaches the security management facility 122 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources, including endpoint security and control, email security and control, web security and control, reputation-based filtering, control of unauthorized users, control of guest and non-compliant computers, and the like);
a third interface of the threat management facility providing programmatic access to the threat management facility by one or more resources outside the enterprise network (Ray on [0085] teaches the analysis facility 212 (i.e. third interface) may provide a remote processing resource for analyzing malicious activities and creating rules suitable for detecting drifts 210 or threats based on information received from the servers 202 (i.e. which is outside of enterprise network 102). The analysis facility 212 may be part of the threat management facility 204 as shown. The analysis facility 212 may include a variety of analysis tools such as machine interface for receiving information. See [0108-0111] teaches the analysis facility 506 (i.e. third interface) may also receive threat information from a third-party source 508 (i.e. outside of enterprise network) such as MITRE Corporation or any other public, private, educational or other organization that gathers information on network threats and provides analysis and threat detection information for use by others);
and a security system within the threat management facility (Ray Fig 1 block 100, 122 and text on [0038 and 0040-0041] teaches the security management facility 122 (i.e. security system) of threat management facility 11 may include a plurality of elements that provide protection from malware to enterprise facility 102 computer resources).
(Mahaffey on [0340] teaches Assessments may result from collecting and/or processing data by server 3551 (i.e. security system) and may be exposed by server 3551 to users (i.e. remote user as per para 0167 ) or other systems via an API, user interfaces. See on [0470] teaches server exposes trust data to third-parties via an API. See on [0571] teaches assessments for a group of devices are exposed by server 3551 in the form of an API for use by external services such as management consoles. For example, server 3551 may expose risk ratings for the group of devices to a centralized security reporting system via an HTTP API. See on [0153] teaches the server 111 can also transmit the security data to a remote client computer 233 through a client computer widget, a web site 235 or via e-mail 237);
and configure one or more of the plurality of compute instances of the enterprise network to use the one or more resources outside the enterprise network for enforcement of security policies of the enterprise network, wherein to configure is based on the security data available through the first interface that is controllably exposed to the remote user (Mahaffey on [0552-0553] teaches this assessment information (i.e. equivalent to security data) can be used to guide decisions regarding whether to download and install different types of data objects (i.e. third party resource). Such information can be useful to an individual user trying to decide whether to install a certain application (i.e. third-party resource) on his mobile communications device. Such information can also be useful to an IT administrator trying to decide whether to deploy a certain application to a plurality of mobile communications devices. In an embodiment, a user or IT administrator can use this assessment information for application policy enforcement. See on [0481] teaches an assessment indicates whether a data object is allowed to run on a device given policy set by an administrator. If multiple policies are configured on server 3551 and data storage 3511 stores which policy is to be applied to a device 3501, then a given data object may have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment for an application that can share a user's location, server 3551 transmits an assessment indicating that the application is disallowed. If a device with a lenient privacy policy requests an assessment for the same application. See on [0586] teaches a mobile device deployment may already have a device management server or service in place, it may be desirable for server 3551 to supply data to a device management server that actually performs the policy enforcement. 
In an embodiment, server 3551 interfaces with a device management server to configure application policy on the device management server);
an event collection facility of the threat management facility, the event collection facility configured to receive event vectors from the plurality of compute instances at the threat management facility through the first interface (Mahaffey on [0144-0146] teaches The local security component 105 sends the security event information to the information gathering component 107 that quantifies the security events and the severity of the security events. For example, the information gathering component 107 processes the detected security events and produces security state assessment results for the mobile device 101. See on [0156] teaches the remote security component may receive information about both security event and non-security -event data received by the mobile device (i.e. receiving event from plurality of compute instance e.g. local security component and mobile device));
(Mahaffey on [0148] teaches the security component produces an event log that is stored and updated as new events (i.e. event vector interpreted as group of events in view of [00163] of instant application). See also on [0189] teaches Server 911 may also store a database of security events. Further teaches the local security component analyzes the cumulative security events and the non-security event data to determine an overall security status for the mobile device 219. This security assessment is based upon the type, severity and quantity of the security events, their associated data, and the non-security events and data that are received and processed by the mobile device 101 (i.e. exposing stored event vector)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Mahaffey into the teaching of Ray by exposing data and configuration information to a remote user. One would be motivated to do so in order to maintain security of device based on configuration information by granting or denying access (Mahaffey on [0009-0011]).

Although the combination teaches receiving event vector, storing the event vector in a database and charging fee for service (i.e. metering facility), but the combination fails to teach providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store, and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the compute instances, however Fang from analogous art teaches controllably expose a programmatic (Fang on [0093-0094] teaches the dispute interface module 850 (i.e. programmatic interface interpreted in view of [00145] of instant application as an interface for submitting updates) may provide a portal and/or user interface to the RU record tracking component 220 via which a client may select to dispute one or more RUs. Further teaches when an RU is disputed (e.g., by a client via the dispute interface module 850), the RU record status updating module 860 may update the RU status (i.e. configuration of local security agent). See also on [0081] teaches the RU record tracking component 220 may and/or modify status codes in stored within an RU record);
providing metered access to the event store by the third party security resources to facilitate security services from the third party security resources for the enterprise network through the third interface, the metered access facilitating payment for access by the third party security resources to the event store (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).
and providing metered access to the third party security resources by the compute instances of the enterprise network to support configuring the one or more of the plurality of compute instances, the metered access facilitating payment for use of the security services from the third party security resources by the compute instances (Fang on [0031] providing access to metered RU record in which consumed service are tracked by computers for services consumed in a computing environment. Further teaches tracking a dispute for charges related to metered resources, wherein metered resource may relate to the consumption of computer resources (e.g., cloud-based resources) such as computing usage, network usage etc. See also Fig 4 and text on [0074-0077] teaches a provider services metering system may meter provider services 205 (step 1.1). For example, the provider services metering system 210 may track and meter provider services 205, such as telephone/remote support services, on-site support services, cloud-based computing services, etc. At step 1.2, a RU record tracking component 220 of a provider billing system 215 may receive meter service records including RU information. Further teaches the RU record tracking component 220 may qualify metered RUs for charging, generate a preliminary invoice with qualified RUs, and track the status of RUs in the billing/dispute lifecycle. For example, the RU record tracking component 220 may mark an RU with codes indicating how to treat the RU at the end of a billing cycle).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Fang into the combined teaching of Ray and Mahaffey by having metered access for third-party resources. One would be motivated to do so in order to manage third party security resources (Fang on [0004-0005]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 






/MOEEN KHAN/ Examiner, Art Unit 2436
/SHEWAYE GELAGAY/ Supervisory Patent Examiner, Art Unit 2436