DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to Applicant’s communication filed on 03/09/2022. Claims 1-20 have been examined. Claims 13-20 are added.

Response to Arguments
Applicant’s arguments, see Remarks, pages 8-9, filed on 01/28/2022, with respect to the rejection of claims 5 and 11 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Cheng.
With regard to the drawing objection, Applicant’s amendment overcomes the objection. Therefore, the objection is withdrawn.

Applicant Argument #1:
Applicant argues that Behrendt does not explicitly disclose “said emitter device sending information item representative of a prefix size of an IP address” as recited in claims 1 and 10.
Examiner Response to Applicant Argument #1:
The examiner respectfully disagrees. Behrendt teaches said emitter device sending to a receiver device an information item representative of a prefix size of an IP address. Behrendt’s invention teaches sending, by each reputation device, instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116. Each reputation device can identify an entire subnet by specifying an identified mask, such as by specifying the prefix of the subnet. The group of IP addresses which share the same prefix corresponds to a subnet. That is, each client in the subnet has the same IP prefix, but a different remaining address portion (¶0093, ¶0101, ¶0105, ¶114).
Behrendt’s invention further teaches that the filtering logic 110 performs this role by comparing each instance of CEI with the rules in a rule set. Each rule in the rule set is associated with at least one client of interest. For example, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix) (See ¶0050; ¶0105).
Therefore, based on the broadest reasonable interpretation of the claim language, the examiner interprets sending an information item representative of a prefix size of an IP address as equivalent to sending, by a reputation device, an instance of reputation information to the reputation management system, the reputation information including the number of bits in the IP prefix (prefix size) associated with the client device.
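
For illustration, the prefix-based rule matching described above (a /32 rule for a single client, a /24 rule for a subnet, and an action that depends on the matched prefix size) can be sketched as follows. This is an added example, not code from Behrendt, Cheng or the application; the feed names, the sample entries and the mapping from prefix size to action are assumptions, and it generalizes to IPv6 and to arbitrary CIDR prefix lengths.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed policy (not taken from the cited references): the shortest prefix
# length that is still only tagged, per address family. Anything broader is
# routed for review instead of being acted on automatically.
TAG_FLOOR = {4: 24, 6: 64}


@dataclass(frozen=True)
class Rule:
    network: Network   # address plus prefix size, e.g. 198.51.100.0/24
    feed_id: str       # hypothetical identifier of the reporting feed


def build_rule_set(entries):
    """Turn (cidr, feed_id) pairs into rules; collect entries that are rejected.

    strict=True refuses an entry whose host bits are set (for example
    203.0.113.0/16), so a wrong prefix size cannot silently widen a rule.
    """
    rules, rejected = [], []
    for cidr, feed_id in entries:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            rejected.append((cidr, feed_id, str(exc)))
            continue
        rules.append(Rule(net, feed_id))
    return rules, rejected


def longest_match(addr, rules):
    """Return the most specific rule containing addr, or None."""
    hits = [r for r in rules
            if r.network.version == addr.version and addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


def action_for(rule):
    """Choose an action from the prefix size of the matched rule."""
    net = rule.network
    if net.prefixlen == net.max_prefixlen:      # /32 or /128: one client
        return "block"
    if net.prefixlen >= TAG_FLOOR[net.version]:  # small subnet: tag only
        return "tag"
    return "route"                               # broad prefix: send to review


def classify(source, rules):
    """Classify one client event by its source address."""
    addr = ipaddress.ip_address(source)
    rule = longest_match(addr, rules)
    if rule is None:
        return ("pass", None)
    return (action_for(rule), str(rule.network))


# Constructed sample feed (documentation and benchmarking address ranges).
SAMPLE_FEED = [
    ("198.51.100.7", "feed-a"),      # bare address, parsed as /32
    ("198.51.100.0/24", "feed-b"),
    ("198.18.0.0/15", "feed-b"),
    ("2001:db8:1::/64", "feed-a"),
    ("203.0.113.0/16", "feed-c"),    # host bits set: rejected
    ("not-an-ip", "feed-c"),         # unparsable: rejected
]

RULES, REJECTED = build_rule_set(SAMPLE_FEED)

if __name__ == "__main__":
    for src in ("198.51.100.7", "198.51.100.200", "198.19.4.4",
                "2001:db8:1::42", "192.0.2.1"):
        print(src, classify(src, RULES))
    for cidr, feed, reason in REJECTED:
        print("rejected", cidr, feed, reason)
```
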







Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) The claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 3, 10, 15, 16, 19 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Behrendt et al. Publication No. US 20140143825 A1 (Behrendt).

Regarding claim 1,

Behrendt teaches a method for sending an information item in a set of networks implementing a reputation management of IP resources and comprising at least a first network and a second network (¶0060 -0063, ¶0093-0095), said method being implemented by a device of said first network, called "emitter device", and comprising:

said emitter device sending, to a device said second network, called "receiver device", an information item representative of a prefix size of an IP address assigned to an equipment item connected to said first network (¶ 0093- Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 (such as a client checking into a captured C & C site). More specifically, the reputation management system 124 can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet - A reputation set builder module 704 compiles a reputation data set based on the instances of reputation information that it receives from different reputation systems 126 – ¶ 0101 - The subnet assessment module 812 determines the subnet to which each identified client belongs (where the concept of a subnet is clarified below). If the subnet is populated with a significant number of other malicious clients, the subnet assessment module 812 can store the prefix of that subnet – ¶ 0105 - first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix – See ¶ 0114 - 0116).

		
Regarding claim 3,

Behrendt further teaches 
including said emitter device sending, to the receiver device, an information item representative of an identifier of an IP resource reputation server said first network, said server being configured to manage at least one list of IP resources associated with equipment items connected to the first network (¶ 0060, 0063 the reputation system 202 includes a site monitoring module 214 that monitors episodes in which any malicious client attempts to contact the new C & C site 210. The reputation system 202 formulates an instance of reputation information in response to this event. A feed formulation module 216 can then forward this instance of reputation information to the reputation management – ¶ 0092 -0095 - The reputation management system 124 includes an interface 702, such as an application programming interface (API), for receiving reputation information from the reputations systems 126. Each reputation system can interact with the reputation management system 124 via the interface 702 to perform various operations. For example, each reputation system can register itself as a reputation feed. Each reputation system is thereafter associated with an identifier, which it provides to the reputation management system 124. Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116).




Regarding claim 10,

Behrendt teaches a device, called "emitter device", of a first network said first network being capable of reaching a second network, and said emitter device (¶ 0060 -0063, ¶ 0093-0095), comprising: 
a processor; and a non-transitory computer-readable medium comprising instructions stored thereon which when executed by the processor configure the emitter device to: send, to a device said second network, an information item representative of a prefix size an IP address assigned to an equipment item connected to said first network(¶ 0093- Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 (such as a client checking into a captured C & C site). More specifically, the reputation management system 124 can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet - A reputation set builder module 704 compiles a reputation data set based on the instances of reputation information that it receives from different reputation systems 126 – ¶ 0101 - The subnet assessment module 812 determines the subnet to which each identified client belongs (where the concept of a subnet is clarified below). If the subnet is populated with a significant number of other malicious clients, the subnet assessment module 812 can store the prefix of that subnet – ¶ 0105 - first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. 
For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix – See ¶ 0114 - 0116).


Regarding claim 15,

Behrendt further teaches
wherein the information item representative of the prefix size is the prefix size itself (¶0093, ¶0101, ¶0105 - sending, by each reputation device, instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116. Each reputation device can identify an entire subnet by specifying an identified mask such as by specifying the prefix of the subnet. See ¶0050; ¶0105 - the filtering logic 110 performs this role by comparing each instance of CEI with the rules in a rule set. Each rule in the rule set is associated with at least one client of interest. For example, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix) – Note: the prefix size is the number of bits in the IP prefix identified in the reputation information).


Regarding claim 16,

Behrendt further teaches
wherein the information item representative of the prefix size is obtained by a processing carried out on the prefix size (¶0093, ¶0101, ¶0105 - sending, by each reputation device, instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116. Each reputation device can identify an entire subnet by specifying an identified mask such as by specifying the prefix of the subnet. See ¶0050; ¶0105 - the filtering logic 110 performs this role by comparing each instance of CEI with the rules in a rule set. Each rule in the rule set is associated with at least one client of interest. For example, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix) – Note: the prefix size is the number of bits in the IP prefix identified in the reputation information – the processing carried out is broadly interpreted as processing of extracting the number of bits in the IP prefix in order to be compared to the appropriate rule so that the malicious client of interest can be identified).







Regarding claim 19,

Behrendt further teaches
wherein the information item representative of the prefix size is the prefix size itself (¶0093, ¶0101, ¶0105 - sending, by each reputation device, instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116. Each reputation device can identify an entire subnet by specifying an identified mask such as by specifying the prefix of the subnet. See ¶0050; ¶0105 - the filtering logic 110 performs this role by comparing each instance of CEI with the rules in a rule set. Each rule in the rule set is associated with at least one client of interest. For example, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix) – Note: the prefix size is the number of bits in the IP prefix identified in the reputation information).
Regarding claim 20,

Behrendt further teaches
wherein the information item representative of the prefix size is obtained by a processing carried out on the prefix size (¶0093, ¶0101, ¶0105 - sending, by each reputation device, instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116. Each reputation device can identify an entire subnet by specifying an identified mask such as by specifying the prefix of the subnet. See ¶0050; ¶0105 - the filtering logic 110 performs this role by comparing each instance of CEI with the rules in a rule set. Each rule in the rule set is associated with at least one client of interest. For example, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix) – Note: the prefix size is the number of bits in the IP prefix identified in the reputation information – the processing carried out is broadly interpreted as processing of extracting the number of bits in the IP prefix in order to be compared to the appropriate rule so that the malicious client of interest can be identified).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Wei et al. Publication No. US 2018/0139685 A1 (Wei hereinafter). 
Regarding claim 2,

Behrendt does not explicitly teach 
including said emitter device sending, to the receiver device, an information item representative of a duration assignment of said prefix.  

However, Wei teaches 
including said emitter device sending, to the receiver device, an information item representative of a duration assignment of said prefix (¶ 0034 - sending, by the IP address anchor, an information storage request to the LM, where the information storage request carries the node identifier of the MN, the network identifier corresponding to the IP address anchor, the IP address prefix allocated by the IP address anchor, and a validity period of the IP address prefix allocated by the IP address anchor).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Wei. The motivation for doing so is to allow the system to determine that the prefix allocated is valid (¶ 0034 - Wei).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Lund et al. Publication No. US 2007/0162587A1 (Lund hereinafter). 
Regarding claim 4,

Behrendt further teaches 
wherein said emitter and receiver devices [...] communicating according to one of the [...]  protocols and constructing a table including at least one information item representative of said prefix size (¶ 0092 -0095 - The reputation management system 124 includes an interface 702, such as an application programming interface (API), for receiving reputation information from the reputations systems 126. Each reputation system can interact with the reputation management system 124 via the interface 702 to perform various operations. For example, each reputation system can register itself as a reputation feed. Each reputation system is thereafter associated with an identifier, which it provides to the reputation management system 124. Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 more specifically, the reputation management system 124 can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet  - The reputation set builder module 704 stores the reputation data set in a data store 706. More specifically, the reputation set builder module 704 can store the reputation data set as a file in any format (such as SQL). The reputation set builder module 704 can also maintain a version of the reputation data set in memory to facilitate quick lookup. The reputation set builder module 704 can structure the reputation data set as a hash table, or in some other data structure –See ¶ 0159 for communication via different types of protocols). 
However, Behrendt does not explicitly teach 
emitter and receiver devices are routers communicating according to one of the BGP or BGPSEC protocols 
Lund teaches 

emitter and receiver devices are routers communicating according to one of the BGP or BGPSEC protocols (¶ 0116 - FIG. 12 shows a block diagram of an example of a customer router 107. The router 107 includes a routing table 212 and a peering table 214. The RTIN engine 108 can be configured to communicate using BGP protocol. So, once the peering table 214 is appropriately configured to include the RTIN engine 108 as a peer, the RTIN engine 108 can instruct the router 107 to update the routing table 212, and provide routing data to be stored in the routing table 212 according to information stored in the RTIN database 114- See ¶ 0117). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Lund. The motivation for doing so is to allow the system to utilize the BGP protocol between routers because it offers network stability that guarantees routers can quickly adapt to send packets through another reconnection if one internet path goes down. Also, BGP makes routing decisions based on paths, rules or network policies configured by a network administrator.

Claims 5, 6, 9, 11, 12, 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Cheng et al. Publication No. CN 103117864 B (Cheng hereinafter).

Regarding claim 5,

Behrendt teaches a method for receiving an information item in a set of networks implementing a reputation management of IP resources and comprising at least a first network and a second network, said method being implemented by a device of said set of networks, called "receiver device" (¶ 0060 -0063, ¶ 0093-0095), and comprising:

obtaining an information item representative of a prefix size an IP address assigned to an equipment item connected to said first network (¶ 0093- Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 (such as a client checking into a captured C & C site). More specifically, the reputation management system 124 can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet - A reputation set builder module 704 compiles a reputation data set based on the instances of reputation information that it receives from different reputation systems 126 – ¶ 0101 - The subnet assessment module 812 determines the subnet to which each identified client belongs (where the concept of a subnet is clarified below). If the subnet is populated with a significant number of other malicious clients, the subnet assessment module 812 can store the prefix of that subnet – ¶ 0105 - first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix – See ¶ 0114 - 0116); and 
executing an action defined depending on said size (Fig.19, ¶ 0052 - Upon classifying the instance of CEI, the filtering logic 110 then takes one or more actions on the CEI. For example, the filtering logic 110 can block the instance of the CEI, which prevents the instance of the CEI from reaching any target destination – ¶ 0105 - More specifically, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix –See ¶ 0152).
However, Behrendt does not explicitly teach the address being an IPv6 type or IPv4 type with a variable subnet mask.
Cheng teaches 
address being an IPv6 type or Ipv4 type with a variable subnet mask (Page 5&6 -  CIDR (no category inter-domain route, RFC [950]) is one bit for interpreting, based on the prefix IP address standard, is based on a variable sub-blades subnet mask (Variable Length Subnet Mask, VLSM) for any length of prefix distribution. method of expressing the IPv4 CIDR address block of similar representation method and the IPv4 address is composed of the four parts of the point decimal address, then an inclined, finally is a number between 32 and 0 A.B.C.D/N. part point decimal and IPv4 address is divided into 32 bits binary number four octet group. an inclined lever is behind the digital prefix length. Therefore, /20 represents a prefix length is 20 CIDR address block. it can realize network through variable sub-blades subnet mask (VLSM) change CIDR is divided, according to the actual requirement of the network to distribute IP address. this division can be recursive, i.e. by increasing the mask bits to make a part of the address is continuously divided into smaller parts. the whole internet has used the CIDR/VLSM network address).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Cheng. The motivation for doing so is to allow the system to utilize VLSM in order to allow more efficient use of addresses and route summarization/aggregation.

Regarding claim 6,

Behrendt further teaches
wherein said action is comprises at least one action from - an addition of an IP resource associated with said equipment item  to a blacklist or to a whitelist, said IP resource being said prefix or said IP address; - a removal of the IP resource associated with said equipment item from a blacklist or a whitelist; - a limitation of traffic exchanged with said equipment item; - a redirection of communications involving the IP resource associated with said equipment item  to a dedicated portal; and - an update of a routing or IP resource reputation table(Fig.19,  ¶ 0052 -  Upon classifying the instance of CEI, the filtering logic 110 then takes one or more actions on the CEI. For example, the filtering logic 110 can block the instance of the CEI, which prevents the instance of the CEI from reaching any target destination – ¶ 0105 - More specifically, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix –See Claim 12 blocking further propagation of the instance of client event information; routing the instance of client event information to at least one target destination; and tagging the instance of client event information with tagging information –See Also ¶ 004). 

Regarding claim 9,

Behrendt further teaches 
said receiver device obtaining at least one information item from: - said IP address of said equipment item  - an information item representative of a duration assignment of said prefix; - an identifier of an IP resource reputation server said first network, said server being configured to manage at least one list of IP resources associated with equipment items connected to said first network and identified by an IP resource reputation system  of said set of networks; - a code for identifying an action already performed  by another device; - a reason for said action already performed by another device; - a list of IP resources associated with a filter; and - a timestamp information item on the assignment of the IP address of said equipment item(¶ 0060, 0063. The reputation system 202 formulates an instance of reputation information in response to this event. A feed formulation module 216 can then forward this instance of reputation information to the reputation management – ¶ 0092 -0095 - Each reputation system can interact with the reputation management system 124 via the interface 702 to perform various operations. For example, each reputation system can register itself as a reputation feed. Each reputation system is thereafter associated with an identifier, which it provides to the reputation management system 124. Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 – See Para 0099this comparison may involve, for each instance of CEI, comparing a client identifier that has been extracted from the CEI with the known malicious clients identified in the reputation information). 





Regarding claim 11,

Behrendt teaches a device of a set of networks, called "receiver device", said set of networks comprising at least a first network and a second network, and said receiver device comprising:
 a processor; and a non-transitory computer-readable medium comprising instructions stored thereon which when executed by the processor configure the receiver device to: obtain an information item representative of a prefix size an IP address assigned to an equipment item connected to said first network (¶ 0093- Each reputation system can then send instances of reputation information to the reputation management system 124 each time it detects predefined suspicious behavior in the network environment 116 (such as a client checking into a captured C & C site). More specifically, the reputation management system 124 can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet - A reputation set builder module 704 compiles a reputation data set based on the instances of reputation information that it receives from different reputation systems 126 – ¶ 0101 - The subnet assessment module 812 determines the subnet to which each identified client belongs (where the concept of a subnet is clarified below). If the subnet is populated with a significant number of other malicious clients, the subnet assessment module 812 can store the prefix of that subnet – ¶ 0105 - first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix – See ¶ 0114 - 0116); and 

execute an action defined depending on said size (Fig.19, ¶ 0052 - Upon classifying the instance of CEI, the filtering logic 110 then takes one or more actions on the CEI. For example, the filtering logic 110 can block the instance of the CEI, which prevents the instance of the CEI from reaching any target destination – ¶ 0105 - More specifically, a first type of rule attempts to target a single malicious client. In one standard and protocol, such a rule identifies the client using a /32 match (where "32" indicates the number of bits in the IP prefix). A second type of rule attempts to target a grouping of clients by specifying a mask. For example, in one case, such a rule can identify a subnet having 255 potential clients using a /24 match (where "24" indicates the number of bits in the IP prefix –See ¶ 0152).
However, Behrendt does not explicitly teach the address being an IPv6 type or IPv4 type with a variable subnet mask.
Cheng teaches 
address being an IPv6 type or Ipv4 type with a variable subnet mask (Page 5&6 -  CIDR (no category inter-domain route, RFC [950]) is one bit for interpreting, based on the prefix IP address standard, is based on a variable sub-blades subnet mask (Variable Length Subnet Mask, VLSM) for any length of prefix distribution. method of expressing the IPv4 CIDR address block of similar representation method and the IPv4 address is composed of the four parts of the point decimal address, then an inclined, finally is a number between 32 and 0 A.B.C.D/N. part point decimal and IPv4 address is divided into 32 bits binary number four octet group. an inclined lever is behind the digital prefix length. Therefore, /20 represents a prefix length is 20 CIDR address block. it can realize network through variable sub-blades subnet mask (VLSM) change CIDR is divided, according to the actual requirement of the network to distribute IP address. this division can be recursive, i.e. by increasing the mask bits to make a part of the address is continuously divided into smaller parts. the whole internet has used the CIDR/VLSM network address).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Cheng. The motivation for doing so is to allow system to utilize the VSLM in order to allow more efficient use of address and route summarization/aggregation. 
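The prefix-size-dependent filtering discussed above (a /32 rule for a single client, a /24 rule for a subnet, CIDR prefixes of any length for IPv4 or IPv6), as an added illustration that is not part of this Office action or of any cited reference. The thresholds in `POLICY`, the labels and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Assumed policy (not from the cited references): the narrower the prefix,
# the stronger the action, to limit collateral damage on shared ranges.
POLICY = {4: [(32, "block"), (24, "rate_limit"), (0, "log")],
          6: [(128, "block"), (64, "rate_limit"), (0, "log")]}

# Constructed rule set using documentation and private ranges.
RULES = [("203.0.113.7/32", "malicious-host"),
         ("203.0.113.0/24", "suspicious-subnet"),
         ("10.2.2.9/20", "noisy-range"),        # host bits set; normalised below
         ("2001:db8:1::5/128", "malicious-host"),
         ("2001:db8:1::/48", "suspicious-site")]


def load_rules(raw):
    """Parse CIDR strings of any prefix length (VLSM), IPv4 or IPv6."""
    return [(ipaddress.ip_network(cidr, strict=False), label) for cidr, label in raw]


def action_for(net):
    """Pick the action from the prefix size of the matching rule."""
    for min_len, action in POLICY[net.version]:
        if net.prefixlen >= min_len:
            return action


def classify(addr_text, rules):
    """Longest-prefix match; returns (rule, label, action) or None."""
    addr = ipaddress.ip_address(addr_text)
    # Treat ::ffff:a.b.c.d as the IPv4 address it carries, so an IPv4 rule
    # cannot be sidestepped by presenting the address in IPv6 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    hits = [(net, label) for net, label in rules
            if net.version == addr.version and addr in net]
    if not hits:
        return None
    net, label = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), label, action_for(net)


if __name__ == "__main__":
    table = load_rules(RULES)
    for sample in ("203.0.113.7", "203.0.113.200", "10.2.15.1",
                   "::ffff:203.0.113.7", "2001:db8:1:2::1", "192.0.2.1"):
        print(sample, "->", classify(sample, table))
```

When several rules cover an address, the most specific one wins, so a /32 entry inside a listed /24 still produces the stronger action.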

Regarding claim 12,
Behrendt further teaches 
wherein the device is selected from the group consisting of: a network equipment item said second network; a server of an IP resource reputation system of said set of networks or an IP resource reputation server said first network (Fig.1&2 ¶ 0009-0010, ¶ 0060).

Regarding claim 14,
Behrendt further teaches the address being IPv6 type or IPv4 type (¶ 0105; ¶ 115). However, Behrendt does not explicitly teach the address being an IPv6 type or IPv4 type with a variable subnet mask.
Cheng teaches
address being an IPv6 type or IPv4 type with a variable subnet mask (Page 5 & 6 - CIDR (no category inter-domain route, RFC [950]) is one bit for interpreting, based on the prefix IP address standard, is based on a variable sub-blades subnet mask (Variable Length Subnet Mask, VLSM) for any length of prefix distribution. Method of expressing the IPv4 CIDR address block of similar representation method and the IPv4 address is composed of the four parts of the point decimal address, then an inclined, finally is a number between 32 and 0 A.B.C.D/N. Part point decimal and IPv4 address is divided into 32 bits binary number four octet group. An inclined lever is behind the digital prefix length. Therefore, /20 represents a prefix length is 20 CIDR address block. It can realize network through variable sub-blades subnet mask (VLSM) change CIDR is divided, according to the actual requirement of the network to distribute IP address. This division can be recursive, i.e. by increasing the mask bits to make a part of the address is continuously divided into smaller parts. The whole internet has used the CIDR/VLSM network address).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Cheng. The motivation for doing so is to allow the system to utilize VLSM in order to allow more efficient use of addresses and route summarization/aggregation.


Regarding claim 18,
Behrendt further teaches the address being IPv6 type or IPv4 type (¶ 0105; ¶ 115). However, Behrendt does not explicitly teach the address being an IPv6 type or IPv4 type with a variable subnet mask.
Cheng teaches
address being an IPv6 type or IPv4 type with a variable subnet mask (Page 5 & 6 - CIDR (no category inter-domain route, RFC [950]) is one bit for interpreting, based on the prefix IP address standard, is based on a variable sub-blades subnet mask (Variable Length Subnet Mask, VLSM) for any length of prefix distribution. Method of expressing the IPv4 CIDR address block of similar representation method and the IPv4 address is composed of the four parts of the point decimal address, then an inclined, finally is a number between 32 and 0 A.B.C.D/N. Part point decimal and IPv4 address is divided into 32 bits binary number four octet group. An inclined lever is behind the digital prefix length. Therefore, /20 represents a prefix length is 20 CIDR address block. It can realize network through variable sub-blades subnet mask (VLSM) change CIDR is divided, according to the actual requirement of the network to distribute IP address. This division can be recursive, i.e. by increasing the mask bits to make a part of the address is continuously divided into smaller parts. The whole internet has used the CIDR/VLSM network address).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Cheng. The motivation for doing so is to allow the system to utilize VLSM in order to allow more efficient use of addresses and route summarization/aggregation.



Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Cheng further in view of Jayanti Venkata et al. Publication No. US 2016/0088021 (Jayanti Venkata hereinafter).
Regarding claim 7,

Behrendt does not explicitly teach 
following executing the action cancelling the effect of said action the canceling being triggered upon expiration of a lifetime of said action or upon reception a request from a device configured for the reputation management of IP resources.  
However, Jayanti Venkata teaches 
following executing the action cancelling the effect of said action the canceling being triggered upon expiration of a lifetime of said action or upon reception a request from a device configured for the reputation management of IP resources (¶ 0065 - Upon expiration of a time period for remediation, device access management system 120 may perform one or more remedial actions. The remedial action performed after the expiration of the time period may be different from the remedial actions performed during the time period. After the expiration of the time period, a remedial action may include preventing access to enterprise computer system 150 entirely or preventing access to a resource. Other remedial actions may include instructing the remote device to automatically perform a remedial action).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Jayanti Venkata. The motivation for doing so is to allow the system to remediate non-compliances of remote devices accessing an enterprise system. Remediation may be controlled based on different levels of non-compliance (Jayanti Venkata – Abstract).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Cheng further in view of Jayanti Venkata further in view of Serban et al. Publication No. US 2015/0047043 A1 (Serban hereinafter). 
Regarding claim 8,

Behrendt further teaches 
requesting and receiving at least one additional information item from said device configured for the reputation management of IP resources (¶ 0093 - the reputation management system can collect the reputation information from each reputation system on a push basis, a pull basis, and/or any other basis. Each reputation system can identify the client of interest by IP address, ASN, and/or any other designator. Each reputation system can also identify an entire subnet by specifying an identified mask, such as by specifying the prefix associated with the subnet - ¶ 0070 – This will enable the local analysis system 122 to receive updated reputation information from the global reputation management system 124 on a periodic, episodic, and/or any other basis, using a push and/or pull model to receive the reputation information).
However, Behrendt does not explicitly teach that the cancelling of said action is preceded by requesting and receiving at least one additional information item from the device.
Serban teaches
cancelling of said action is preceded by requesting and receiving at least one additional information item from device (¶ 0025 - At 306, the monitoring service, such as monitoring service 220, can retrieve the security data from the cache server. The monitoring service can periodically poll the cache server to determine if new security data is available from the cache server – ¶ 0026 - At 308, the monitoring service can analyze the security data. For example, the monitoring service can compare the security data of a similar time period retrieved from different cache servers. – ¶ 0027 - At 310, the monitoring service can determine if an anomaly is detected. When an anomaly is detected, the monitoring service can send an alert such as to a system administrator or network security specialist, as shown at 312. The anomaly can include altered logs files, modified configuration files, changes in resource utilization outside of normal usage patterns, or the like. Additionally, the monitoring server may attempt to disconnect a compromised server from the network to prevent the attack from further compromising the system. The monitoring server can also activate logging hardware within the network to record network activity for further analysis. The monitoring service can continue to monitor the content server by retrieving additional security data, as illustrated at 306. Alternatively, when an anomaly is not detected, the monitoring service can, without sending an alert, retrieve additional security data from the cache servers, as illustrated at 306).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Serban. The motivation for doing so is to allow the system to validate the action when receiving new additional data for enhancing security monitoring (¶ 0002, ¶ 0026-0027 – Serban).
Claims 13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Behrendt in view of Zhang et al. Publication No. US 2013/0177019 A1 (Zhang hereinafter).

Regarding claim 13,

Behrendt does not explicitly teach 
wherein the prefix of the IP address is extracted from a prefix of the first network.

However, Zhang teaches 

prefix of the IP address is extracted from a prefix of a first network (¶0015 - As shown, there are two VLANs, vlan 10 and vlan 20. The vlan 10 may be assigned with subnet prefix 10.1.0.0/16, where the vlan 20 may be assigned with subnet prefix 10.2.0.0/16. A device prefix 10.2.2.0/24 is configured on switching device 3 (SD3) connecting to virtual machine 13 (VM-13) and virtual machine 14 (VM-14), as described below. An address range 10.2.2.0/24 is installed in FIB CAM on switching device 1 (SD1) and switching device 2 (SD2) – ¶005 - there is provided a method comprising determining a subnet prefix from an IPv4 address range; determining a device index from the IPv4 address range; determining a device prefix by combining the subnet prefix and the device index – Para 0022 – 0023 - A Device Prefix associated with a VLAN interface on the device may be summarized by Subnet Prefix on the VLAN interface - All addresses assigned to hosts connected to the VLAN on the device are summarized by the same Device Prefix configured on the VLAN of the device).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Zhang. The motivation for doing so is to allow the system to utilize device prefix instead of subnet prefix in order to support a large number of hosts while keeping the size of the FIB CAM low. Higher scalability may be achieved by consuming less FIB CAM space as hosts are added to a network (Zhang – ¶0004).
Regarding claim 17,
Behrendt does not explicitly teach 
wherein the prefix of the IP address is extracted from a prefix of the first network.

However, Zhang teaches 

prefix of the IP address is extracted from a prefix of a first network (¶0015 - As shown, there are two VLANs, vlan 10 and vlan 20. The vlan 10 may be assigned with subnet prefix 10.1.0.0/16, where the vlan 20 may be assigned with subnet prefix 10.2.0.0/16. A device prefix 10.2.2.0/24 is configured on switching device 3 (SD3) connecting to virtual machine 13 (VM-13) and virtual machine 14 (VM-14), as described below. An address range 10.2.2.0/24 is installed in FIB CAM on switching device 1 (SD1) and switching device 2 (SD2) – ¶005 - there is provided a method comprising determining a subnet prefix from an IPv4 address range; determining a device index from the IPv4 address range; determining a device prefix by combining the subnet prefix and the device index – Para 0022 – 0023 - A Device Prefix associated with a VLAN interface on the device may be summarized by Subnet Prefix on the VLAN interface [..] All addresses assigned to hosts connected to the VLAN on the device are summarized by the same Device Prefix configured on the VLAN of the device.).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Behrendt to include the teachings of Zhang. The motivation for doing so is to allow the system to utilize device prefix instead of subnet prefix in order to support a large number of hosts while keeping the size of the FIB CAM low. Higher scalability may be achieved by consuming less FIB CAM space as hosts are added to a network (Zhang – ¶0004).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659.  The examiner can normally be reached on Monday - Friday 8:30 AM -5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YOUNES NAJI/Primary Examiner, Art Unit 2445