Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Final Office action in response to communications received January 28, 2022.  Claims 6 and 13 have been canceled.  Claims 1, 7, 8, 14, 15, and 20 have been amended.  Therefore, claims 1-5, 7-12, 14-20 are pending and addressed below. 

Claim Objection
Applicant is advised that should claim 19 be found allowable, claim 20 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. 


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-5, 7-12, 14-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Moore et al. (US 2020/0287888 A1, file date 03/05/2019).

Claims 1, 8, 15:
With respect to claims 1, 8, 15, Moore et al. discloses a computer-implemented method for executing one or more security policies in a secured network/A system/A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer-executable instructions (determining packet filtering data associated with a packet for secured communications, 0017) (the threat data or combined threat data may be used by the packet filtering device to determine either rules to be applied to the packet or whether the packet should be filtered based on a risk score data associated with the packet, 0059) (Figure 3 Determine certificate risk, determine End user, Determine Threat Indicator risk), comprising/configured for:
one or more information handling systems (security policy 240 may include one or more rules specifying that packets having specified information should be forwarded to packet transformation function 226, while all other packets should be forwarded to packet transformation function 228, 0052), wherein the one or more information handling systems include:
a processor (processor 202 Figure2);
a data bus coupled to the processor (Bus 110, Figure 2); and
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium (computer-executable instructions may be stored on a computer-readable medium, 0125) being coupled to the data bus;
wherein the computer program code included in one or more of the information handling systems is executable by the processor of the information handling system so that the information handling system, alone or in combination with other information handling systems, executes operations comprising:
receiving a communication including an Internet protocol (IP) address and a digital certificate at a device within the secured network (packet filtering device may obtain or determine scaled risk scores that may be associated with at least one of a plurality of types of indicators.  The scaled scores may be associated with a plurality of indicators, including Internet Protocol (IP) address, a 5-tuple, a domain name or fully qualified domain name (FQDN), and a Uniform Resource Identifier (URI), a Certificate, a Certificate Authority (CA), and an end-user (identified by, for example, an endpoint address or identity), 0111); 
determining whether the IP address is identified as having a high-security risk level (A security policy 240 may include rules that may filter packets based on IP addresses/5-tuples, domain names/FQDNs, and URIs associated with the packets, on a packet-by-packet basis, 0054);
if the IP address has a high-security risk level, assigning a security risk level to the digital certificate based on the security risk level of the IP address; and using the security risk level for the digital certificate in executing the one or more security policies
(the packet filtering device may combine risk scores for certificate threat indicators and/or risk scores for certificate authority threat indicators with risk scores for conventional cyber threat intelligence (CTI) indicators (e.g. network addresses) to compute a risk score for the associated SSL/TLS-secured communication.  CTI may be assigned a threat risk score associated with each indicator (network addresses in the form of IP addresses, N-tuple, FQDN, URI), which may be used to compute a risk score for a communication that matches the CTI, 0040) (The CRL data may be combined with certificate and CA indicator threat intelligence data.  The CDC 140 may translate the certificates identified based on the CRLs into threat indicators.  The data to be collected may include all high-risk domain names and IP address indicators, associated with a threat, 0070) (may collect certificate information from a plurality of end points such as multiple IP addresses and multiple ports.  If there is an HTTPS service attached to the port 443, the responding server will provide the CDC 140 with a certificate, When sending requests to ports associated with known threats, the certificate and certificate authority associated with that port may also be associated, by the CDC 140, with that threat risk and determine a corresponding threat indicator. 0071); and 
(in step 326, may determine threat data, which may include a risk score, for the certificate authority associated with the packet.  The certificate determinations of steps 314 and 324 and certificate authority determinations of steps 316 and 326 may be repeated for each certificate in the chain of trust, 0057) (the packet filtering device 112 may perform analysis of a trust anchor, which may be a self-signed CA certificate at the beginning/root of the chain of trust. The trust anchor may be compared by the packet filtering device 112 to a set of trusted root CA certificates stored locally by the packet filtering device 112. If a match is not found, then the packet filtering device 112 may report, to a (threat) intelligence collector function such as CDC 140, the entire chain of trust, including WS's server certificate, as well as the identity of WS, and the identity of the endpoint (e.g., the IP address) hosting WB, and appropriate threat context information, 0117).

Claims 2, 9, 16:
With respect to claims 2, 9, 16, Moore et al. discloses wherein the security risk level for the IP address and the security risk level for the digital certificate are used in the execution of the one or more security policies (A packet filtering device 112 may receive, in step 720, threat intelligence in the form of certificate and certificate authority threat indicators supplied by one or more threat intelligence providers/services, including the CDC 140.  The packet filtering device 112 may determine, in step 740, at least one packet filtering rule, The rules may be determined by applying the packet filtering policy to translate the threat indicators and threat risk scores into packet filtering rules. 0094) (the packet filtering device 112 may filter in-transit packets, including tunnel setup messages and/or packets, based on certificate and certificate authority threat indicators. All types of indicators of compromise (IoCs), including certificate and certificate authority threat indicators with other types of threat indicators (e.g. network address, IP, domain name, or URI threat indicators) may be aggregated or combined, 0095).

Claims 3, 10, 17:
With respect to claims 3, 10, 17, Moore et al. discloses the data to be collected may include all high-risk domain names and IP address indicators, associated with a threat, which may be supplied by a plurality of threat intelligence providers, (0070), further comprising: determining whether the IP address has a high-security risk includes determining whether the IP address is on a blacklist of IP addresses; and assigning a high-security risk level to the digital certificate if the IP address is on the blacklist of IP addresses (If any matches are found, then the matching rule's disposition (e.g. block and log/alert, allow and log/capture/alert, etc.) may be applied to the packet(s).  Also, if a match is found, then the identity (e.g., domain name, and/or IP address) of the WS that supplied the server certificate is recorded.  The match may trigger the generation of a message to report packet filtering event data to a threat intelligence collector.  The event data may be used by other network devices to generate new network rules or threat indicators.  That is, the packet filtering device 112 may function as a threat sensor that causes updates to other packet filtering devices within the protected network, 0115).

Claims 4, 11, 18:
With respect to claims 4, 11, 18, Moore et al. discloses further comprising: retrieving a user behavior security risk level corresponding to security risk presented by a user, wherein the user is an intended recipient of the communication; and using the security risk level for the IP address, the security risk level for the digital certificate, and the user behavior security risk level for the user to execute one or more security policies (The packet filtering device 112 or CDC 140 may collect statistics on endpoint actions, determine a risk score for an end user 150, and report a risky behavior to the endpoint, packet filtering device and/or to a system administrator, an end user 150 may be presented an indication that a certificate's risk score was determined to be high.  If the end user 150 chooses to proceed with the communication associated with the risky certificate or risky certificate authority, the packet filtering device 112 or CDC 140 may take remedial action to improve cybersecurity.  For example, the packet filtering device 112 or CDC 140 may increase a risk score associated with the end user, 0048) (packet filtering device 112 may monitor each user or endpoint device for actions associated with each end user 150.  Those actions may be logged in order to develop a model of user or endpoint behavior.  The packet filtering device may determine a risk score to be associated with a user or endpoint based on the monitored behavior, 0049).

Claims 5, 12, 19:
With respect to claims 5, 12, 19, Moore et al. discloses further comprising: increasing a security risk level of the IP address if the digital certificate has been previously used with one or more IP addresses presenting elevated security risks (Certificates may be used to establish and secure SSL/TLS tunnels.  A risk score associated with the end user identifier may be increased based on the absence of a user or end point certificate in a SSL/TLS-secured communication, 0060) (As websites operating with or invoking revoked certificates are a known threat risk, the risk associated with those sites is increased, 0090) (For example, the packet filtering device 112 or CDC 140 may increase a risk score associated with the end user, 0048).

Claims 7, 14:
With respect to claims 7, 14, Moore et al. discloses further comprising: assigning an elevated security risk level to the other digital certificates having one or more of the same digital certificate characteristics (the CDC 140 may assign or update a risk score for an associated certificate indicator, 0072) (update certificate revocation data, Figure 8, 815).


Claim 20:
With respect to claim 20, Moore et al. discloses wherein the instructions are further configured for: increasing a security risk level of the IP address if the digital certificate has been previously used with one or more IP addresses presenting elevated security risks (Certificates may be used to establish and secure SSL/TLS tunnels.  A risk score associated with the end user identifier may be increased based on the absence of a user or end point certificate in a SSL/TLS-secured communication, 0060) (As websites operating with or invoking revoked certificates are a known threat risk, the risk associated with those sites is increased, 0090) (For example, the packet filtering device 112 or CDC 140 may increase a risk score associated with the end user, 0048).
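The operations mapped above to claims 1, 3, 5 and 7 (risk inherited by a certificate from a high-risk or blacklisted IP address, IP risk raised when a certificate was previously seen with risky addresses, and elevated risk propagated to other certificates sharing a characteristic such as the issuer) read as one risk-propagation procedure. The following Python model is an added illustration of that procedure, not code from Moore et al. or the applicant; the class names, the 0-100 scale, the threshold and the sample addresses are constructed assumptions.

```python
# Added illustration of the claimed risk-propagation method; not Moore et al.'s
# or the applicant's code. Scale, threshold, names and sample data are assumed.
from dataclasses import dataclass, field

HIGH_RISK = 70  # assumed threshold on an assumed 0-100 scale


@dataclass
class Certificate:
    fingerprint: str
    issuer: str          # the shared "characteristic" used for claims 7, 14
    subject: str
    risk: int = 0


@dataclass
class RiskEngine:
    ip_blacklist: set                                  # claims 3, 10, 17
    ip_risk: dict = field(default_factory=dict)        # ip -> risk level
    cert_history: dict = field(default_factory=dict)   # fingerprint -> IPs seen with it
    certs: dict = field(default_factory=dict)          # fingerprint -> Certificate

    def ip_risk_level(self, ip: str) -> int:
        # A blacklisted IP is treated as the highest risk level (claim 3).
        if ip in self.ip_blacklist:
            return 100
        return self.ip_risk.get(ip, 0)

    def observe(self, ip: str, cert: Certificate) -> int:
        """Receive a communication carrying an IP address and a certificate (claim 1)."""
        cert = self.certs.setdefault(cert.fingerprint, cert)
        seen = self.cert_history.setdefault(cert.fingerprint, set())
        # Claim 5: a certificate already seen with a high-risk IP raises the
        # risk of any new IP it now appears with.
        if any(self.ip_risk_level(p) >= HIGH_RISK for p in seen if p != ip):
            self.ip_risk[ip] = max(self.ip_risk.get(ip, 0), HIGH_RISK)
        seen.add(ip)
        ip_level = self.ip_risk_level(ip)
        if ip_level >= HIGH_RISK:
            # Claim 1: the certificate inherits the IP's risk level.
            cert.risk = max(cert.risk, ip_level)
            # Claim 7: other certificates sharing the issuer are elevated too.
            for other in self.certs.values():
                if other is not cert and other.issuer == cert.issuer:
                    other.risk = max(other.risk, HIGH_RISK)
        return cert.risk

    def disposition(self, ip: str, cert: Certificate, user_risk: int = 0) -> str:
        """Claims 2 and 4: IP, certificate and user-behaviour risk drive the policy."""
        combined = max(self.ip_risk_level(ip), cert.risk, user_risk)
        return "block" if combined >= HIGH_RISK else "allow"
```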

Response to Remarks/Arguments
Applicant's arguments filed on January 28, 2022 have been fully considered but they are not persuasive.  In the remarks, Applicant argues that:

Claims 1, 8, 15:
(1) It is respectfully submitted that nowhere in the cited portion of Moore (nor anywhere else in Moore) is there any disclosure or suggestion of analyzing other digital certificates to determine whether other digital certificates have one or more of the same digital certificate characteristics, as required by claims 1, 8 and 15.

Claims 7, 14, 20:
(2) It is respectfully submitted that nowhere within the cited portion of Moore (nor anywhere else in Moore) is there any disclosure or suggestion of assigning an elevated security risk level to the other digital certificates having one or more of the same digital certificate characteristics, as required by claims 7, 14 and 20.


In response to remark/arguments (1) and (2), Examiner respectfully disagrees.  Moore et al. discloses “in step 326, may determine threat data, which may include a risk score, for the certificate authority associated with the packet.  The certificate determinations of steps 314 and 324 and certificate authority determinations of steps 316 and 326 may be repeated for each certificate in the chain of trust” (0057).  “The packet filtering device 112 may perform analysis of a trust anchor, which may be a self-signed CA certificate at the beginning/root of the chain of trust. The trust anchor may be compared by the packet filtering device 112 to a set of trusted root CA certificates stored locally by the packet filtering device 112. If a match is not found, then the packet filtering device 112 may report, to a (threat) intelligence collector function such as CDC 140, the entire chain of trust, including WS's server certificate, as well as the identity of WS, and the identity of the endpoint (e.g., the IP address) hosting WB, and appropriate threat context information” (0117).  Moore et al. discloses “the packet filtering device 112 or CDC 140 may increase a risk score associated with the end user” (0048), “a risk score associated with the end user identifier may be increased based on the absence of a user or end point certificate in a SSL/TLS-secured communication” (0060), “As websites operating with or invoking revoked certificates are a known threat risk, the risk associated with those sites is increased” (0090).  Therefore Examiner holds that Moore et al. discloses these limitations.  


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433