Remarks
Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/31/2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 1/31/2022 have been fully considered but they are not persuasive.
Applicant notes a portion of the amendment and alleges “Applicant believes this language is fully supported by the specification as originally filed.  For example, FIG. 2 depicts real time threat analysis components 218 may include model based detection component 224.”  However, the claim does not include a real time threat analysis 
Applicant then quotes and highlights paragraph 47 of the specification.  However, again, this includes a real time threat analysis component, but not “real time threat detection models”.  The Examiner also notes that the application as originally filed does not include basis for any threat detection model actually processing anything.  The models appear to be simply data that are used by a component that does the actual processing.  
Applicant alleges “Claims 9 and 23 were rejected for referring to a second message queue even though two message queues had already been introduced.  The claims have been amended to refer to a third message queue.”  This is incorrect.  Both claim 9 and claim 23 refer to “a second message queue” still.  
With respect to the 103 rejections, Applicant alleges “the claim clarifies that the model processes the enriched network reporting information to identify the potential security vulnerabilities.  Applicant notes that a graph stored in memory cannot process data, or rather the enriched network reporting information, to identify security vulnerabilities.”  The instant application’s models do not process any enriched network reporting information.  This subject matter is met with a 112(a) rejection below as it does not have basis in the application as originally filed.  Therefore, Applicant’s allegation is moot.  Furthermore, despite not having basis in the application as filed, it would be the processing component of Rieke that processes the data with the graph/map/other data structure that would meet the now-claimed real time threat detection models that do not have basis in the application.  

Applicant then alleges “that the graphs/tables of Reike merely present information to a user and do not suggest the language of the amended independent claims.  Applicant submits with respect that the combined teachings of Rieke and Rueff fail to teach or suggest a system that processes network data using a model to identify possible security vulnerabilities.”  To the contrary, both Rieke and Rueff disclose a system that processes network data using a model to identify possible security vulnerabilities.  With respect to the currently amended limitation that does not have basis in the application as originally filed, Rieke discloses the following:

Additionally, Rueff discloses the following:
Processing by one or more real time threat detection models the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers to identify the potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; comparing data to current data, such as white lists, black lists, grey lists, fingerprints, connections, trees, and many other pieces of data and data structures, for example);
Therefore, both Rieke and Rueff disclose the argued subject matter.  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it 

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Claim 1 states “processing by one or more real time threat detection models the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers to identify the potential security vulnerabilities”.  However, the application as originally filed does not have basis for this subject matter.  Indeed, no real time threat detection models are references therein.  
Furthermore, the application as originally filed does not mention any model that actually has processing power and processes the enriched network reporting information.  To the contrary, the models of the application are simply models and do not process data.  


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9, 10, 23, and 24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  
Claim 9 attempts to refer to “a second message queue”.  However, there are already 2 message queues in claim 1: “a record message queue” and “an enhanced record message queue”.  Therefore, this third queue cannot be “a second message queue” since there already is a second message queue.  Claim 23 has the same issue and is rejected for the same reasons.  Claims 10 and 24 are rejected at least based on their dependencies.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are rejected under 35 U.S.C. 103 as being unpatentable over Rieke (U.S. Patent Application Publication 2016/0072831) in view of Rueff (U.S. Patent Application Publication 2012/0304130).
Regarding Claim 1,
Rieke discloses a CTI infrastructure comprising:
A plurality of network devices each collecting network reporting information (Exemplary Citations: for example, Paragraphs 109-114, 130-132, and associated figures; sources from which data is received, collected, entities receiving/collecting data, or the like, as examples);
A collection of at least one CTI server, the collection configured for (Exemplary Citations: for example, Paragraphs 109-132 and associated figures):
Receiving the network reporting information collected by the plurality of network devices, the network reporting information comprising a plurality of records each comprising an indication of a source and destination of network traffic (Exemplary Citations: for 
Storing the received plurality of records in a record message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; received/collected information and flows, record list, database, listing on an interface, or the like, as examples);
Enriching the network reporting information with enrichment data by adding one or more tags of enrichment data to records of the network reporting information comprising, for each of the records of the network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; enriching the data in any fashion, such as by creating a graph, filtering the data, highlighting information, highlighting graph portions, bolding data, coloring graph portions, updating data and/or graphs with additional information collected data, associating scan data with network flows, associating with a TrustZone, identifying channels, identifying characteristics, or the like, as examples):
Identifying each of a source and a destination of the respective record retrieved from the message queue based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a 
Tagging the respective record by adding an indication of the source and destination (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; as above, for example); and
Storing the enhanced record with the tagged source and destination in an enhanced message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; creating graph or other data structure using the above, updating the above described queue with additional updated information (e.g., from additional flows or updated flows, as in paragraph 130, for example), etc., for example);
Processing by one or more real time threat detection models the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers to identify the potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; detecting vulnerabilities using models, such as graphs, lists, or other data structures, for example);

Providing the identified potential security vulnerabilities to an alert component (Exemplary Citations: for example, Paragraphs 109-133 and associated figures; alert or report generated by whatever component does such processing (e.g., whatever piece of code, API, or the like, performs the processing), for example);
Transmitting from the alert component one or more alerts based on at least one identified potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 109-133 and associated figures; alert or report generated by whatever component does such processing (e.g., whatever piece of code, API, or the like, performs the processing), for example);
Processing the enriched network reporting information by running one or more scripts or queries against the enriched network reporting information (Exemplary Citations: for example, Paragraphs 56, 109-133, 146, and associated figures; query/script against updated model, which includes the enriched network reporting information, as described above, further analysis being 
Configuring one or more network devices comprising at least one of a firewall and a router based on the results of the one or more scripts or queries (Exemplary Citations: for example, Paragraphs 53-56, 88, 96, 109-133, 146, and associated figures; configuring devices with policies based on the above, for example);
But does not explicitly disclose that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a client or a server, that the tagging the respective record adds an indication of whether the source and destination is identified as the client or server, and that the sources and destinations are tagged as either clients or servers.  
Rueff, however, discloses that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a 
That the tagging the respective record adds an indication of whether the source and destination is identified as the client or server (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example);
That the sources and destinations are tagged as either clients or servers (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example);
That the enhanced record includes the tagged client or server information (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures);
Processing by one or more real time threat detection models the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers to identify the potential security vulnerabilities (Exemplary Citations: for 
Updating the one or more threat detection models used to process the enriched network reporting information using the enriched network reporting information (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; updating the above data, for example);
Providing the identified potential security vulnerabilities to an alert component (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; getting vulnerabilities at whatever component generates/provides alerts, for example.  This could be grey list alerts, black list alerts, or any other alerts); and
Transmitting from the alert component one or more alerts based on at least one identified potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; the above component providing the alert, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the endpoint identification techniques of Rueff into the network analysis and reporting system of Rieke in order to allow the system to determine whether a source or destination is a 
Regarding Claim 15,
Claim 15 is a method claim that corresponds to infrastructure claim 1 and is rejected for the same reasons.  
Regarding Claim 4,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that adding one or more tags of the enrichment data further comprises:
Determining informational data associated with the portion of the network reporting information from the enrichment data (Exemplary Citations: for example, Paragraphs 109-132 and associated figures); and
Adding the determined informational data to the network reporting information as the one or more tags (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 18,
Claim 18 is a method claim that corresponds to infrastructure claim 4 and is rejected for the same reasons.  
Regarding Claim 5,
Rieke as modified by Rueff discloses the infrastructure of claim 4, in addition, Rieke discloses that one or more of the source IP address, 
Regarding Claim 19,
Claim 19 is a method claim that corresponds to infrastructure claim 5 and is rejected for the same reasons.  
Regarding Claim 8,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for:
Adding the received network reporting information to a first message queue, wherein enriching further comprises (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; received/collected information and flows, for example):
Retrieving network reporting information from the first message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; analyzing the above, for example).  
Regarding Claim 22,
Claim 22 is a method claim that corresponds to infrastructure claim 8 and is rejected for the same reasons.  
Regarding Claim 9,

Retrieving the enriched network reporting information from the enhanced record message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; retrieving the graph or other data structure, for example);
Further enriching the enriched network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; further enriching in any fashion as above, for example); and
Adding the further enriched network reporting information to a second message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; updated graph or other data structure, for example).  
Regarding Claim 23,
Claim 23 is a method claim that corresponds to infrastructure claim 9 and is rejected for the same reasons.  
Regarding Claim 10,
Rieke as modified by Rueff discloses the infrastructure of claim 9, in addition, Rieke discloses that the further enriching comprises one or more of informational data tagging, and dynamic information tagging (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  

Claim 24 is a method claim that corresponds to infrastructure claim 10 and is rejected for the same reasons.  
Regarding Claim 11,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for summarizing the enriched network reporting information for the processing step (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; graph or report, for example).  
Regarding Claim 25,
Claim 25 is a method claim that corresponds to infrastructure claim 11 and is rejected for the same reasons.  
Regarding Claim 12,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the enriched network reporting information is processed by threat analysis components (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 26,
Claim 26 is a method claim that corresponds to infrastructure claim 12 and is rejected for the same reasons.  
Regarding Claim 13,

Regarding Claim 27,
Claim 27 is a method claim that corresponds to infrastructure claim 13 and is rejected for the same reasons.  
Regarding Claim 14,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the network reporting information comprises one or more of NetFlow data, firewall information, IPFIX data, and DNS data (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 28,
Claim 28 is a method claim that corresponds to infrastructure claim 14 and is rejected for the same reasons.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/Primary Examiner, Art Unit 2432