Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Final Office action in response to communications received February 04, 2022.  Claims 1, 4, 8, 13, and 15 have been amended.  Therefore, claims 1-20 are pending and addressed below. 


Response to Arguments
Applicant’s arguments, see Pages 10-15, filed February 04, 2022, with respect to the rejection(s) of claim(s) 1-20 under 35 USC 103(a)  have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference, Thomson et al. (US9118714, patent date 08/25/2015).


Based on the claim amendments, a new ground of rejection of claims 1-20 is set forth below.



Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).




Claims 1, 8, 13, 15, and 20:
Claims 1, 8, 13, 15, and 20 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1, 8, 13, 15, and 17 of Patent 11303662 B2 (application 15/561564).
Although the conflicting claims are not identical, they are not patentably distinct from each other because both applications claim determining security indicator scores, determining a total count of sightings, a potential security threat and determining reliability level including votes, determining a score of the security indicator. Claims 1, 8, 13, 15, and 20 are rejected under the reasons as set forth above.


This is an obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Alperovitvh et al. (US2015/0326614 A1, publish date 11/12/2015) (on applicant's IDS filed 08/07/2018) in view of Visbal (US8832832 B1, patent date 09/09/2014) further in view of Thomson et al. (US9118714, patent date 08/25/2015).

Claims 1, 8, 13:
With respect to claims 1, 8, 13, Alperovitvh et al. discloses a method/system/non-transitory machine-readable storage medium storing instructions executable by a processor of a computing device (client entities of for generating security information based on execution activities, for acting upon the generated information or policies, and for sharing the generated information or policies with other client entities belonging to a same group, 0075) (Figures 1b and 6) comprising/to cause the processor to:
identifying, by a processor (Each client entity 104 may have one or more computing devices/mobile devices 208, and each computing device may have processor(s) 210, 0024), a security indicator that is originated from a first source entity of a plurality of source entities in a security information sharing platform (member client entities 104 of the group 108 may then have their security information automatically shared 110 with other member client entities 104 of the group 108, 0021, Figure 1b),
wherein the security indicator provides a warning of a potential security threat (security information may include one or more of threat information, … attack data,  vulnerability information, …  victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies, 0014);
determining, by the processor, a count of sightings of the potential security threat as observed by the plurality of source entities in the security information sharing platform (the security service 102 may determine the occurrence of a threat based on the security information, 0046) (the rating module 244 may be any one or more applications, processes, threads, algorithms or modules capable of being executed by a processor to associate a client entity 104 with one or both of a rating or a point currency.  The rating module 244 may provide the rating or point currency to the web server 228 for display to other client entities 104, enabling the other client entities 104 to affect the rating or point currency for the client entity 104.  For example, if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234 … the rating module 244 may increase a rating or point currency responsive to a client entity 104, 0057);
determining a reliability level of the first source entity based on a set of user feedback information about the security indicator (the security information 234 may include user feedback, 0045) and the count of sightings of the potential security threat (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity. At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Alperovitvh et al. does not disclose security indicator specifies a particular address or domain name of the potential security threat; 
determining a total count of sightings of the particular address or domain name of the potential security threat as observed by the plurality of source entities in the security information sharing platform;
determining the reliability level based on the set of user feedback information about the security indicator and the total count of sightings of the particular address or domain name of the potential security threat; 
determining a score of the security indicator based on the reliability level of the first source entity; and 
comparing the score of the security indicator to at least one threshold value to determine whether the identified security indicator is an actual security threat as claimed. 

However, Visbal teaches an IP reputation system (Figure 1), security indicator specifies a particular address or domain name of the potential security threat; determining (the network server 250 and network access device 255 each maintain a log of historic network security events that are believed to be potentially noteworthy, the log may include information such as host IP address, Column 6, lines 16-38) (Figure 2), a total count of sightings of the particular address or domain name of the potential security threat as observed by the plurality of source entities in the security information sharing platform; determining the reliability level based on the set of user feedback information about the security indicator and the total count of sightings of the particular address or domain name of the potential security threat (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52);
determining a score of the security indicator based on the reliability level of the first source entity (Threat Reputation Score (Threat Score): A score that represents the maliciousness of an IP address. It can be a probability of an IP address being involved in an actual network security threat based on historical network security data. The score may also be called an "threat score," and/or a "risk score," Column 3, lines 54-59); and
comparing the score of the security indicator to at least one threshold value to determine whether the identified security indicator is an actual security threat (table 430 one "bomb", Figure 4) (sort the scores and identify the IP addresses that are most dangerous or trustworthy, or most likely a candidate for false alarms (e.g., a score with high threat score and high usage score, etc.), Column 8, lines 26-55) (several IP addresses within a threat reputation scores and usage scores matrix, an IP address and its associated scores may be displayed in pop-up window 850, the scores could also mean that a hacker is posing as a trusted user and has been involved in actual threat events, Plotting the scores associated with a plurality of IP addresses can also demonstrate whether the scores of a particular IP address are high or low as compared to other scores, Column 15, lines 5-51) (Figure 8).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Visbal in Alperovitvh et al. for security indicator specifies a particular address or domain name of the potential security threat; determining a total count of sightings of the particular address or domain name of the potential security threat as observed by the plurality of source entities in the security information sharing platform; determining the reliability level based on the set of user feedback information about the security indicator and the total count of sightings of the particular address or domain name of the potential security threat; determining a score of the security indicator based on the reliability level of the first source entity; and comparing the score of the security indicator to at least one threshold value to determine whether the identified security indicator is an actual security threat as claimed for purposes of enhancing the security service of Alperovitvh et al. by not classifying an IP address as a threat can mistakenly classify IP addresses of employees and authorized users as threats (see Visbal Column 1, lines 11-24).

Neither Alperovitvh et al. nor Visbal discloses the set of user feedback information including votes about accuracy of the security indicator, wherein a higher number of votes about the accuracy of the security indicator and a higher count of sightings of the particular address or domain name of the potential security threat result in a higher reliability level of the first source entity.

However, Thomson et al. teaches calculation of a threat indicator confidence score, receive a TIC score based on the average of the threat indicators from the IPs (e.g., traced back to 209a-d) attached to the indicator, (Column 7, lines 29-46), the set of user feedback information including votes about accuracy of the security indicator, wherein a higher number of votes about the accuracy of the security indicator and a higher count of sightings of the particular address or domain name of the potential security threat result in a higher reliability level of the first source entity (The cyber threat intelligence confidence rating visualization and editing user interface technology (hereinafter "TIC") provides a user interface that allows a user (e.g., a cyber threat analyst, etc.) to submit ratings for various characteristics associated with a cyber threat indicator, Abstract) (receive an indication representing the user-configured rating for the set of characteristics from the one or more characteristics via the user interface input element, Claim 8) ("FIG. 1A provides a schematic block diagram of a communication network system in which TIC aspects can be provided, according to an embodiment. A communication network system 100 can include one or more user devices or user equipment (UEs) 101, each equipped with at least a user interface (UI) 107"; Col. 2, line 36-41) (The UEs 101 can be any of a variety of electronic devices that can be operatively coupled to communication network 105, Col. 4, line 9-11) (Thomson: Claim 8: "calculate a threat confidence score using the characteristic from the one or more characteristics rated by the user-configured ratings").

Alperovitvh et al., Visbal, and Thomson et al. are analogous art because they are from the same field of endeavor of shared platforms.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Thomson et al. in Alperovitvh et al. and Visbal for the set of user feedback information including votes about accuracy of the security indicator, wherein a higher number of votes about the accuracy of the security indicator and a higher count of sightings of the particular address or domain name of the potential security threat result in a higher reliability level of the first source entity as claimed for purposes of enhancing the security service of Alperovitvh et al. and Visbal by providing a more accurate risk score based on the cyber analyst inputs (see Thomson et al. Column 2, lines 30-34).

Claim 2:
With respect to claim 2, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: determining an authenticity level of the first source entity based on a type of the first source entity, wherein the type of the first source entity comprises: a non-trusted source type or a trusted source type (group information 232 may also include a view of security information 234 that is associated with a group of client entities 104, The group settings may also specify a member client entity 104 or member client entities 104 as a trusted moderator or group of moderators that has the power to control admission to the group, 0044).

Visbal teaches determining an authenticity level of the first source entity based on a type of the first source entity, wherein the type of the first source entity comprises: a non-trusted source type or a trusted source type (Risk assessment, Figures 3, 4).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 1.

Claim 3:
With respect to claim 3, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 2, as addressed.  

Alperovitvh et al. discloses the authenticity level of the first source entity (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Visbal teaches wherein determining the score of the security indicator is further based on the authenticity level of the first source entity (Risk assessment, IP Risk Scores, Figures 3, 4).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claims 1, 13.

Claim 4:
With respect to claim 4, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses wherein the set of user feedback about the security indicator (the security information 234 may include user feedback, 0045) is provided by an external resource that is external to the security information sharing platform (The process 600 includes, at 602a and 602b, agents implemented on computing devices of multiple client entities generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075, Figure 6) (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Visbal teaches wherein the set of user feedback about the security indicator further includes information provided by an external resource that is external to the security information sharing platform (Figure 1 and 2) (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 1.

Claim 5:
With respect to claim 5, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: providing a survey to collect the set of user feedback information about the security indicator from users of the security information sharing platform (the security information 234 may include user feedback, 0045).

Visbal teaches further comprising: providing a survey to collect the set of user feedback information about the security indicator from users of the security information sharing platform (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 1.


Claim 6:
With respect to claim 6, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses further comprising: obtaining an article via a second source entity (the security service may enable a client entity to advertise security information for sharing in exchange for return security information from the receiving client entities, 0068);
determining whether the article includes information related to the security indicator; and
determining a reliability level of the second source entity based on the determination of whether the article includes the information related to the security indicator (the security service may associate a rating with a client entity, the rating indicative of the client entity's participation in a group of client entities, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070).

Claim 7:
With respect to claim 7, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 1, as addressed.  

Alperovitvh et al. discloses wherein the information related to the security indicator comprises at least one of: a threat actor, a campaign, a technique/tactic/procedure (TTP), an organization, an industry sector, or a community (The security information may include one or more of threat information, remediation information, attack data, vulnerability information, reverse engineering information, packet data, network flow data, protocol descriptions, victim information, threat attribution information, incident information, proliferation data, user feedback, information on systems and software, or policies, 0014).

Claims 9, 14:
With respect to claims 9, 14, the combination of Alperovitvh et al. and Visbal discloses the limitations of claims 8, 13, as addressed.  

Alperovitvh et al. discloses wherein instructions are executed to cause the processor to: identify a second security indicator that is originated from a second source entity of the plurality of source entities in the security information sharing platform (The agents may observe and act on execution activities of their respective computing devices and may generate security information based on the observed execution activities, 0014) (the security agent 216 may be a kernel-level security agent that observes and acts upon execution activities of its corresponding computing device/mobile device 208, 0033) (generating, in parallel, security information based at least in part on observing execution activities of their respective computing devices, 0075);
determine an authenticity level of the second source entity based on a type of the second source entity (group information 232 may also include a view of security information 234 that is associated with a group of client entities 104, The group settings may also specify a member client entity 104 or member client entities 104 as a trusted moderator or group of moderators that has the power to control admission to the group, 0044); and
determine an indicator score of the second security indicator based on the reliability level of the second source entity and the authenticity level of the second source entity (the security service may enable at least one client entity in  the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Visbal teaches an IP reputation system (Figure 1), the second security indicator comprises a second address or domain name of a second potential security threat (the network server 250 and network access device 255 each maintain a log of historic network security events that are believed to be potentially noteworthy, the log may include information such as host IP address, Column 6, lines 16-38) (Figure 2);
determining a reliability level of the second source entity based on a total count of sightings of the second address or domain name of the second potential security threat as observed by the plurality of source entities in the security information sharing platform; determine an indicator score of the second security indicator based on the reliability level of the second source entity and the authenticity level of the second source entity (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52);

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claims 8, 13.


Claim 10:
With respect to claim 10, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 8, as addressed.  

Alperovitvh et al. discloses wherein the instructions are executable to cause the processor to: determine a number of security events that are created in the security information sharing platform, wherein the security events include the first security indicator (Based on the observed execution activities, the security agents 216 may generate security information which the security agent 216 may act upon and provide to other security agents 216 of the same client entity 104 and of other client entities 104 in a group with the client entity 104 of the security agent 216, 0033); and
determine the reliability level of the first source entity based on the number of security events (the security service may enable at least one client entity in the group of client entities to affect a rating of another client entity.  At 312b, the security service may adjust the rating based on actions of the other client entity either taken or refrained from with respect to sharing security information with one or more client entities in the group of client entities, 0070) (if the rating is a number of stars (e.g., anywhere from zero to five), the rating module 244 may provide a current rating (e.g., four stars) and enable another client entity 104 to provide a rating (e.g., one star) that may be included in an operation that averages the ratings received from the other client entities 104, 0056) (the rating module 244 may add points to the point currency every time the client entity 104 provides security information 234 and may subtract from the point currency every time the client entity 104 consumes security information 234, 0057).

Visbal teaches an IP reputation system (Figure 1), determining the reliability level of the first source entity based on the number of security events, the first set of user feedback information about the first security indicator and the total count of sightings of the particular address or domain name of the first potential security threat (the network server 250 and network access device 255 each maintain a log of historic network security events that are believed to be potentially noteworthy, the log may include information such as host IP address, Column 6, lines 16-38) (Figure 2) (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 8.

Claim 11:
With respect to claim 11, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 8, as addressed.  

Visbal teaches an IP reputation system (Figure 1), sighting of address or domain name of the potential security threat; determining (the network server 250 and network access device 255 each maintain a log of historic network security events that are believed to be potentially noteworthy, the log may include information such as host IP address, Column 6, lines 16-38) (Figure 2), wherein the instructions that cause the processor to determine the total count of sightings of the first address or domain name include instructions that cause the processor to: 
obtain, from a second source entity, a first sighting of the first address or domain name, the first sighting of the first address or domain name indicating that the first address or domain name has been observed by the second source entity; obtain, from a third source entity, a second sighting of the first address or domain name, the second sighting of the first address or domain name indicating that the first observable address or domain name has been observed by the third source entity; and determine the total count of sightings of the first address or domain name based on an addition of the first and second sightings of the first address or domain name (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 8.

Claim 12:
With respect to claim 12, the combination of Alperovitvh et al. and Visbal discloses the limitations of claim 8, as addressed.  

Visbal teaches wherein the instructions are executable to cause the processor to:

obtain the first set of user feedback information regarding the first security indicator from users of the security information sharing platform, and a second set of user feedback information regarding the first security indicator from external resources that are external to the security sharing information platform; compare the first set of user feedback information and the second set of user feedback information; and adjust the reliability level of the first source entity based on the comparison of the first set of user feedback information and the second set of user feedback information (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claim 8.

Claims 15, 18, 20:
With respect to claims 15, 18, 20, the combination of Alperovitvh et al. and Visbal discloses the limitations of claims 13, 17 and 8, as addressed.  

Visbal teaches in response to the determination that the security indicator is the actual security threat, blocking any event that matches the security indicator (an entity may transmit a request for a threat reputation score of an IP address that is requesting access to the entity's network, such as to gauge whether or not the IP address should be blocked from the network, Column 10, lines 50-58).

Claims 16, 17, 19:
With respect to claims 16, 17, 19, the combination of Alperovitvh et al. and Visbal discloses the limitations of claims 13, 1, and 8, as addressed.  

Visbal teaches wherein the instructions to compare the score of the security indicator to the at least one threshold value include instructions that cause the processor to:
compare the score of the security indicator to a first threshold value and a second threshold value; in response to a determination that the score of the security indicator is below the first threshold value, continue monitoring the security indicator; in response to a determination that the score of the security indicator is above the first threshold value but below the second threshold value, generate a recommendation to perform a further investigation on the security indicator; and in response to a determination that the score of the security indicator is above the second threshold value, determine that the security indicator is the actual security threat (Figures 6 and 7) (determine a quantity of occurrences of the IP address in the network alert dataset; determine a recency of each occurrence of the IP address in the network alert dataset, wherein recency is determined based on an amount of time between respective occurrences and a current time; determine a weighting factor for each of the data sources indicating expected accuracy of respective occurrences indicated in the network alert dataset of the data source; and determine the threat score for the IP address based at least on the determined quantity of occurrences, the recency of occurrences, and the weighting factor for each of the data sources, Column 1, lines 25-52).

Alperovitvh et al. and Visbal are analogous art because they are from the same field of endeavor of shared platforms.

The motivation for combining Alperovitvh et al. and Visbal is recited in claims 1, 8, and 13.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433