DETAILED ACTION
This office action is in response to the amendment filed on 2/25/2022.
Claims 1, 10 and 19 have been amended.
Claims 1-28 are being considered on the merits.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/25/2022 has been entered.

Response to Arguments
In view of the amendment of claim 10, the claim objection for that claim has been withdrawn.
Applicant's arguments filed on 2/25/2022 have been fully considered but they are not persuasive. 
Applicant argues on page 9 of the Remarks that Visbal does not teach a weighting system that aggregates machine-readable threat levels from the malicious activity sources to obtain an aggregate score for each of the plurality of addresses based on a predetermined relationship between importance levels of the machine-readable threat levels from the malicious activity detection systems for a particular address.  Examiner respectfully disagrees.  Visbal does teach the disputed limitation (Visbal, in Col. 5 L. 51-60, Col. 9 lines 51-60 and Col. 10 lines 39-50, “The process 500 then proceeds to block 530 wherein the IP reputation system 150 calculates threat reputation scores for respective IP addresses. In some embodiments, the threat reputation score for an IP address may be calculated based on a probability of a given IP address being involved in an actual threat based on the historical accuracy of threat data sources that the IP address appears in. For example, each data source is associated with a weight, which can be an estimated percentage of its IP addresses that were actually involved in a threat. If an IP addresses is reported by multiple data sources, the probabilities may be combined to produce a final score.”).  Therefore, the arguments are not found to be persuasive.
Applicant argues on page 10 of the Remarks that Maestas does not disclose or suggest deriving scores for particular network addresses using an address proximity engine responsive to a source of malicious activity data that is configured to determine both measures of logical and physical proximity between addresses for accessing content on the network.  Examiner respectfully disagrees.  Examiner notes, the terms “logical and physical proximity” do not clearly define what they mean in the applicant’s disclosure.  Therefore, the terms are interpreted as best understood.  According to page 7 of applicant’s disclosure, the physical or logical proximity is based on distance between IP addresses or URLs or AS numbers or IDN name.  The Maestas modified by Zimmermann does teach the disputed limitations of claim 10.  Maestas in Para. [0029] discloses using the geographic (i.e. physical) proximity with the weighted threat score to create a risk score (i.e. deriving a score based on physical proximity).  Zimmermann discloses determining both measures of logical and physical proximity between addresses (Para. [0114, 0264, 0409 and 0554],  “The anomaly detection engine 6550 may then use a scoring system for outlier ranking based on average distances… attributes may be classified to set of features that are mapped to specific cyber security use cases (i.e., the features that are more likely to present anomalies in the data based on the particular use case involved). Each set of features may be computed independently from the others to increase the accuracy of the anomaly detection”… “including content analysis services 110 and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights”).  The Examiner respectfully submits that the reference does provide for deriving a threat score based on physical and logical proximity, thus the arguments are not found to be persuasive.
Applicant argues on page 10 of the Remarks that Bingham fails to teach applying a trained predictive model to information from detection subsystems that extract and analyze meaning information from the language content of textual sources using addresses on the public wide area network over a period of time.  Examiner respectfully disagrees.  Bingham does teach the disputed limitation (Bingham, in Para. [0031-0032 and 0034-0035], discloses a processing cluster (i.e. threat prediction subsystem) which uses a machine learning system (i.e. trained predictive model) to process security data (i.e. analyzed, extracted information) to generate a reputation score for each IP address which represents a confidence level (i.e. threat level)).  Therefore, the arguments are not found to be persuasive.
Applicant’s arguments with respect to claim(s) 1-28 have been considered but are moot.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Claim 1 recites computer-implemented functions including, among other limitations, “derive different machine-readable threat levels in a first threat category corresponding to each of at least some addresses”, “derive further different machine-readable threat levels in each of one or more further threat categories corresponding to each of at least some addresses”; and “derive aggregated, weighted machine-readable threat score for each of the plurality of the addresses”.
Claim 10 recites computer-implemented functions including, among other limitations, “derive a machine-readable logical proximity score for particular addresses”.
Applicant is respectfully reminded, for computer-implemented features, “examiners should determine whether the specification discloses the computer and the algorithm (e.g., the necessary steps and/or flowcharts) that perform the claimed function in sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor invented the claimed subject matter.” MPEP § 2161.01(I).
The pending claims 1 and 10 do not disclose how “the different machine-readable threat levels; the further different machine-readable threat levels; the aggregated, weighted machine-readable threat score; and the machine-readable logical proximity score” themselves are “derive[d]” and so do not provide the necessary written description support for pending claims 1 and 10. Accord Ariad, 598 F.3d at 1349 (indicating original claim language does not necessarily satisfy the written description requirement for the claimed subject matter).  That is to say, pending claims 1 and 10 themselves do not provide an algorithm that performs the function “derive the different machine-readable threat levels/the further different machine-readable threat levels/the aggregated, weighted machine-readable threat score/the machine-readable logical proximity score” in sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor invented the claimed subject matter.
Furthermore, Applicant’s specification does not describe an algorithm that performs the function “derive the different machine-readable threat levels/the further different machine-readable threat levels/the aggregated, weighted machine-readable threat score/ machine-readable logical proximity score” in sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor invented the claimed subject matter. For example, Applicant’s specification discloses “The text analysis subsystem extracts meaning information from the collected textual information, such as by using natural language processing techniques. This extracted meaning information is stored, such as in a database 20. ….” [Spec., page 5].
However, such disclosure is not an algorithm (e.g., the necessary steps and/or flowcharts) that performs the claimed function in sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor invented the claimed subject matter.
Applicant is also reminded, “[i]f the specification does not provide a disclosure of the computer and algorithm in sufficient detail to demonstrate to one of ordinary skill in the art that the inventor possessed the invention including how to program the disclosed computer to perform the claimed function, a rejection under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph, for lack of written description must be made.” MPEP § 2161.01(I).
Therefore, because an algorithm for the function “derive the different machine-readable threat levels/the further different machine-readable threat levels/the aggregated, weighted machine-readable threat score/ machine-readable logical proximity score” is not disclosed in sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor invented the claimed subject matter, and in accordance with MPEP § 2161.01, claims 1 and 10 are rejected for lack of written description.
Dependent claims 2-9 and 11-18 fail to cure this deficiency of independent claims 1 and 10 (set forth directly above) and are rejected accordingly.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-28 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1 and 19, these claims recite the limitation "the language content of textual sources".  There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 1, claim 1 recites the limitation “a scoring subsystem … configured to derive an aggregated, weighted machine-readable threat score for each of the plurality of the addresses”.  It is unclear if the aggregate score from the weighting subsystem is used to derive the aggregated, weighted machine-readable threat score, or the threat levels are used to derive the aggregated, weighted machine-readable threat score.  According to Applicant’s specification, the aggregated threat scores are derived from more than one source of information (see page 6 of the applicant filed specification, “The aggregated threat scores are derived from more than one source of information in a process that can assign different importance levels to different threat sources”).  Therefore, this limitation is indefinite in the claim.
Claim 1 further recites the limitation “extract meaning information from the language content of textual sources accessed using addressed”.  The use of the term "meaning information" renders the claim indefinite because it contains a subjective term.  The specification does not provide a standard for what it means. While a broad claim may be permissible, a claim with uncertain boundaries is not.  Applicant may overcome this rejection by amending the claim to remove the subjective term, or by providing evidence that the meaning of the term can be ascertained by one of ordinary skill in the art when reading the disclosure. See Ex parte Anderson, 21 USPQ2d 1241 (Bd. Pat. App. & Inter. 1991).
Regarding claim 10, claim 10 recites the limitation “to derive a machine-readable logical proximity score for particular addresses”.  It is unclear if one score is derived for particular addresses or each score is derived for a particular address.  Appropriate correction is required.
Dependent claims 2-9, 11-18 and 20-28 fail to cure this deficiency of independent claims 1, 10 and 19 (set forth directly above) and are rejected accordingly.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1-3 and 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Visbal (US 8832832 B1) in view of Zimmermann et al. (US 20180027006) (hereinafter Zimmermann).

Regarding claim 1, Visbal teaches a network security system, comprising: a network interface configured to connect the system to a public wide area network that can be accessed with addresses, a first malicious activity detection subsystem operatively connected to the network interface and configured to extract [meaning information] from [the language content of] textual sources accessed using addresses on the network and analyze the extracted meaning information to derive different machine-readable threat levels in a [first threat category] corresponding to each of at least some addresses for accessing content on the wide area network, one or more further malicious activity detection subsystems operatively connected to the network interface and configured to extract [meaning information] from [the language content of] textual sources accessed using addresses on the network to derive further different machine-readable threat levels in each of one or more further [threat categories] corresponding to each of at least some addresses for accessing content on the wide area network (Visbal, in Col. 18 lines 50-63, Col. 1 lines 25-52, Col. 3 lines 24-26, Col. 7 L. 14-25, and Col. 9 L. 1-7, discloses a network link (i.e. interface) between the internet (i.e. public wide area network) and the IP reputation system (i.e. activity detection system), where one or more modules (i.e. an activity detection subsystem and one or more further activity detection subsystems) determine network threat events or occurrences (i.e. activity) using (i.e. analyzing) data sources including unstructured (i.e. textual) sources such as e-mail messages, news report or written paper of article, where the threat events and data have different severity or levels)
a weighting subsystem responsive to each of the first and further malicious activity detection subsystems and configured to provide weighted threat levels for each of a plurality of the addresses for accessing content on the wide area network for both the derived threat levels for the first and malicious activity detection subsystem and the derived threat levels for the further malicious activity detection subsystems (Visbal, in Col. 9 L. 20-50, discloses assigning different IP addresses high or low (i.e. levels) weighting, where one or more modules (i.e. an activity detection subsystem and one or more further activity detection subsystems) determine network threat events or occurrences (i.e. activity)), wherein the weighting system aggregates the machine-readable threat levels from each of the first and further malicious activity sources to obtain an aggregate score for each of the plurality of addresses based on a predetermined relationship between an importance level of the machine-readable threat level from the first malicious activity detection system for that address and an importance level of the machine-readable threat level from the further malicious activity detection systems for that address (Visbal, in Col. 5 L. 51-60, Col. 9 lines 51-60 and Col. 10 lines 39-50, “The process 500 then proceeds to block 530 wherein the IP reputation system 150 calculates threat reputation scores for respective IP addresses. In some embodiments, the threat reputation score for an IP address may be calculated based on a probability of a given IP address being involved in an actual threat based on the historical accuracy of threat data sources that the IP address appears in. For example, each data source is associated with a weight, which can be an estimated percentage of its IP addresses that were actually involved in a threat. If an IP addresses is reported by multiple data sources, the probabilities may be combined to produce a final score.”),
and a scoring subsystem responsive to the weighting subsystem and configured to derive an aggregated, weighted machine-readable threat score for each of the plurality of the addresses for accessing content on the wide area network (Visbal, in Col. 10 L. 39-49, discloses calculating threat reputation scores (i.e. weighted threat score) for IP addresses (i.e. each network address) taking into account the weights).
While Visbal teaches weighing and generating score from textual sources, Visbal fails to explicitly teach generating meaning information from the language content of the text sources.
However, Zimmermann from the analogous technical field teaches: configured to extract meaning information from the language content of textual sources accessed using addresses on the network and analyze the extracted meaning to derive further different threat levels in each of one or more further threat categories (Zimmermann, in Para. [0097, 0170, 0378] “UBA may be performed in part by ingesting and analyzing event log data that may be sourced from the APIs of different service providers” and Para. [0168-0169, 0176, 0558-0561], “Stream processing 626 may include taking a raw stream 612, parsing the stream 632 and unifying it”… “The trust or risk score can be presented in a dashboard 8102 or other visual element, such as showing trends in the score over a time period 8104 as well as a risk time line 8108 that shows events and activities that impact, or that are derived from, the risk or trust score, such as the user being added to a watch list, activity with respect to suspicious IP addresses”… “the cyber intelligence platform 6500 can collect data, such as event data, across various platforms, such as Google™, SalesForce™, Octa™, and other systems. That data can be filtered, modeled, and used to create a native event format for the platform”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal to incorporate the teachings of Zimmermann, with a motivation to safeguard private or sensitive data of the enterprise (Zimmermann, in Para. [0003]).

Regarding claim 2, Visbal as modified by Zimmermann teaches the system of claim 1. 
Visbal further teaches further including a threat level quantizer responsive to the scoring subsystem and configured to quantize the weighted threat score for an address (Visbal, in Col. 8 lines 5-43 and Fig. 4 elements 430, discloses the IP reputation system (i.e. encompasses the quantizer) considering the threat score when representing the risk level (i.e. threat level) as bombs (i.e. discrete)).

Regarding claim 3, Visbal as modified by Zimmermann teaches the system of claim 2. 
Visbal further teaches further including a user interface area responsive to the scoring subsystem and the quantizer and configured to display the quantized weighted threat score in a manner that also conveys one of the threat levels (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the numerical threat score and the risk level (i.e. threat level) as bombs).

Regarding claim 5, Visbal as modified by Zimmermann teaches the system of claim 1. 
Visbal further teaches further including a user interface area responsive to the scoring subsystem and configured to display the weighted threat score (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the threat score).

Regarding claim 6, Visbal as modified by Zimmermann teaches the system of claim 5. 
Visbal further teaches further including a further user interface area that is configured to display at least some of the different threat levels and further different threat levels from which the displayed weighted threat score was derived (Visbal, in Col. 8 lines 26-43 and Fig. 4 elements 430, discloses displaying the risk level (i.e. threat level) as bombs).

Regarding claim 7, Visbal as modified by Zimmermann teaches the system of claim 1. 
As detailed above Visbal further teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with an IP address (Visbal, in Col. 1 lines 25-30, discloses determining a threat score for an IP address).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Visbal in view of Zimmermann in further view of Roytman (US 20150237062 A1).

Regarding claim 4, Visbal as modified by Zimmermann teaches the system of claim 2. 
While Visbal as modified by Zimmermann teaches the elements of claim 1, Visbal as modified by Zimmermann fails to explicitly teach using color to display the threat score.
However, Roytman from the analogous technical field teaches further including a user interface area responsive to the scoring subsystem and the quantizer and configured to display the quantized weighted threat score in a color that also conveys one of the threat levels (Roytman, in Para. [0082], discloses displaying a color that corresponds to the criticality of the risk score (i.e. threat score)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Zimmermann to incorporate the teachings of Roytman, with a motivation to indicate the criticality of the risk score (i.e. threat score) to the customer (Roytman, Para. [0081]).

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Visbal in view of Zimmermann in further view of Xue (US 20140298460 A1).

Regarding claim 8, Visbal as modified by Zimmermann teaches the system of claim 10. 
While Visbal as modified by Zimmermann teaches the elements of claim 1, Visbal as modified by Zimmermann fails to explicitly teach detecting malicious activity associated with URLs.
However, Xue from the analogous technical field teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with a URL (Xue, in Para. [0006], discloses using classification models to detect malicious URLs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Zimmermann to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).

Regarding claim 9, Visbal as modified by Zimmermann teaches the system of claim 1. 
While Visbal as modified by Zimmermann teaches the elements of claim 1, Visbal as modified by Zimmermann fails to explicitly teach detecting malicious activity associated with Internet Domain Names.
However, Xue from the analogous technical field teaches wherein the first and further malicious activity detection subsystems are configured to detect malicious activity associated with an Internet Domain Name (Xue, in Para. [0017], discloses using domain (i.e. Internet Domain Name) confidence level in detecting malicious features).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Visbal as modified by Zimmermann to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).

Claims 10-14, 16-18 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Maestas (US 20140283085 A1) in view of Zimmermann.

	Regarding claim 10, Maestas teaches a network security system, comprising: a source of malicious addresses that lists addresses for accessing content on the network associated with malicious activity (Maestas, in Para. [0021 and 0023], discloses acquiring (i.e. receiving) IP threat information (i.e. malicious addresses) from an Internet Risk Intelligence Provider (IRIP) (i.e. source) which includes potentially high risk IP addresses (i.e. network addresses)).
	Maestas further teaches an address proximity engine responsive to the source of malicious activity data that is both configured to determine measures of physical proximity between addresses for accessing content on the network (Maestas, in Para. [0029 and claim 9], discloses determining the geographic (i.e. physical) proximity characteristics associated with an IP address (i.e. network address) in relation to one or more other IP addresses (i.e. network addresses)),
	a threat scoring subsystem responsive to the address proximity engine and to the source of malicious addresses that is configured to derive a [logical] machine-readable proximity score for particular addresses for accessing content on the network based on the determined measure of [logical] proximity to at least one of the malicious addresses for accessing content on the network from the source of malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining the proximity of potentially high risk IP address (i.e. a particular network address) to one or a cluster of high risk addresses (i.e. malicious addresses) to determine the risk (i.e. score) for the IP address (i.e. particular network address)).
While Maestas teaches determining physical proximity, Maestas fails to explicitly teach determining proximity not related to physical proximity.
However, Zimmermann from the analogous technical field teaches determine measures of logical proximity between addresses for accessing content on the network (Zimmermann: Para. [0114, 0264, 0409 and 0554], “including content analysis services 110 and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights”), and the score is derived based on the determined measure of logical/physical proximity to at least one of the malicious addresses for accessing content on the network from the source of malicious addresses (Para. [0114, 0264, 0409 and 0554],  “The anomaly detection engine 6550 may then use a scoring system for outlier ranking based on average distances… attributes may be classified to set of features that are mapped to specific cyber security use cases (i.e., the features that are more likely to present anomalies in the data based on the particular use case involved). Each set of features may be computed independently from the others to increase the accuracy of the anomaly detection”… “including content analysis services 110 and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas to incorporate the teachings of Zimmermann, with a motivation for improved enterprise data security (Zimmermann, Para. [0001]).

	Regarding claim 11, Maestas as modified by Zimmermann teaches the system of claim 10. 
Maestas further teaches wherein the threat scoring subsystem is configured to derive a threat score based on threats from a plurality of different physically or logically proximate malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining a risk score (i.e. threat score) based on the proximity of the IP addresses to one or more IP addresses (i.e. plurality of different addresses) which are high risk (i.e. threat/malicious)).

Regarding claim 12, Maestas as modified by Zimmermann teaches the system of claim 10. 
Maestas further teaches wherein the threat scoring subsystem includes weighted averaging logic configured to derive a weighted threat score based on a weighted average of threats from a plurality of malicious addresses at different degrees of proximity (Maestas, in Para. [0029], discloses combining the distance to the cluster (i.e. threats) with the weighted threat score of the cluster (i.e. threats) to determine the risk score (i.e. threat score)).

Regarding claim 13, Maestas as modified by Zimmermann teaches the system of claim 10. 
Maestas further teaches wherein the source of malicious addresses and the address proximity engine are configured on IP addresses (Maestas, in Para. [0021 and 0027], discloses providing IP addresses and determining distance based on IP addresses).

Regarding claim 14, Maestas as modified by Zimmermann teaches the system of claim 10. 
Xue further teaches wherein the source of malicious addresses and the address proximity engine are configured on URLs (Xue, in Para. [0053], discloses determining brand name edit distances for URLs and checking URLs against lists).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Xue to further incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).

Regarding claim 16, Maestas as modified by Zimmermann teaches the system of claim 10. 
While Maestas as modified by Xue teaches the elements of claim 10, Maestas as modified previously by Xue fails to explicitly teach determining proximity based on content on the network.
Zimmermann further teaches wherein the address proximity engine detects proximity at least in part based on associations extracted from content on the network (Zimmermann: Para. [0114, 0264, 0409 and 0554], “including content analysis services 110 and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Zimmermann to further incorporate the teachings of Zimmermann, with a motivation for improved enterprise data security (Zimmermann, Para. [0001]).

Regarding claim 17, Maestas as modified by Zimmermann teaches the system of claim 10. 
Zimmermann further teaches wherein the source of malicious addresses and the address proximity engine are configured on Internet Domain Names (Zimmermann: Para. [0114, 0264, 0409 and 0554], “including content analysis services 110 and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Zimmermann to further incorporate the teachings of Zimmermann, with a motivation for improved enterprise data security (Zimmermann, Para. [0001]).

Regarding claim 18, Maestas as modified by Zimmermann teaches the system of claim 10. 
While Maestas as modified by Zimmermann teaches the elements of claim 10, Maestas as previously modified by Zimmermann fails to explicitly teach operating on an autonomous system level.
Zimmermann further teaches wherein the source of malicious addresses and the address proximity engine are configured on an autonomous system level (Zimmermann, in Para. [0128, 0172, 0276 and 0285], “Various detection algorithms may include rules, detection of statistical anomalies and implementation of machine learning.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Zimmermann to further incorporate the teachings of Zimmermann, with a motivation for improved enterprise data security (Zimmermann, Para. [0001]).

Regarding claim 28, Maestas as modified by Zimmermann teaches the system of claim 10. 
	Maestas further teaches an address proximity is further configured to determine a measure of physical proximity between network addresses (Maestas, in Para. [0029 and claim 9], discloses determining the geographic (i.e. physical) proximity characteristics associated with an IP address (i.e. network address) in relation to one or more other IP addresses (i.e. network addresses)),
	wherein the threat scoring subsystem is further configured to derive a score for a particular network address based on its proximity to at least one of the malicious addresses from the source of malicious addresses (Maestas, in Para. [0029 and claim 9], discloses determining the geographic proximity of potentially high risk IP address (i.e. a particular network address) to one or a cluster of high risk addresses (i.e. malicious addresses) to determine the risk (i.e. score) for the IP address (i.e. particular network address)).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Maestas in view of Zimmermann, in further view of Coskun (US 20150163235 A1).
Regarding claim 15, Maestas as modified by Zimmermann teaches the system of claim 10. 
While Maestas as modified by Zimmermann teaches the elements of claim 10, Maestas as modified by Xue fails to explicitly teach determining proximity based on subnets.
However, Coskun from the analogous technical field teaches wherein the address proximity engine detects proximity at least in part based on membership in subnets (Coskun, in Para. [0013-0014], discloses determining proximity based on netblocks (i.e. groups of IP addresses) and portions thereof referred to as sub-netblocks (i.e. subnets)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Maestas as modified by Zimmermann to incorporate the teachings of Coskun, with a motivation to improve network safety through reducing ambiguity in malicious IP addresses identification (Coskun, Para. [0050]).

Claims 19, 21, 23, 25, and 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Bingham (US 20150215334 A1) in view of Zimmermann.
Regarding claim 19, Bingham teaches a threat prediction subsystem responsive to each of the first and further activity detection subsystems and configured to predict future threat levels for each of a plurality of addresses on the public wide area network based on the application of a trained predictive model to the extracted and analyzed information from the first and further activity detection subsystems (Bingham, in Para. [0031-0032 and 0034-0035], discloses a processing cluster (i.e. threat prediction subsystem) which uses a machine learning system (i.e. trained predictive model) to process security data (i.e. analyzed, extracted information) to generate a reputation score for each IP address which represents a confidence level (i.e. threat level)).
While Bingham teaches detecting activity, Bingham fails to explicitly teach extracting information from textual sources on the public network.
However, Zimmermann from the analogous technical field teaches a network security system, comprising: a network interface configured to connect the system to a public wide area network, a first activity detection subsystem operatively connected to the network interface and configured to extract and analyze meaning information from the language content of textual sources accessed using addresses on the public wide area network over a period of time, one or more further activity detection subsystems operatively connected to the network interface and configured to extract and analyze meaning information from the language content of textual sources accessed using addresses on the public wide area network over a period of time; and to predict threat based on extracted and analyzed meaning information from the language content of textual sources (Zimmermann, in Fig. 5 and in Para. [0169, 0189, 0191, 0426, 0447, 0454, 0460, 0574], “IP/URL parsing”…“The probability or predictive score may be different from the base risk score for the application in the case of a particular enterprise, such as because the application is involved in a large number of requests for access (as in the case of LastPass™ in the report 3902)”… “extracting and analyzing text and other content in stored documents, then providing a set of results to or through the CSF 100 that indicate the likely nature of the types of content that are being stored, used or shared on or through a given cloud platform” … “”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham to incorporate the teachings of Zimmermann, with a motivation for improved enterprise data security (Zimmermann, in Para. [0001]).

Regarding claim 21, Bingham as modified by Zimmermann teaches the system of claim 19. 
Bingham further teaches wherein the prediction subsystem is responsive to an address proximity engine that is configured to determine a measure of physical or logical proximity between network addresses (Bingham, in Para. [0025 and 0051], discloses including in the security data geographical location of an IP address and determining proximity between IP addresses).

Regarding claim 23, Bingham as modified by Zimmermann further teaches 
wherein the activity detection subsystems are configured to detect activity from sources that include open web, social media, forums, paste sites, dark net sites including TOR/Onion sites (Zimmermann: Para. [0237, 0264-0266, 0424-0425, 0516], “categorizing the domain in which the application was discovered (e.g., in a category such as entertainment, social media, gaming, file management, or the like”… “resources used by developers (like github™) to store code files may be scanned for sensitive content during the software design process, conversations in forums like Slack™ can be scanned” … “a failed login attempt”… “a login to account from a location (for example a geoIP location, such as in a blacklist or not in a whitelist (for example, from China or Russia)), an activity in an account from two distant locations within a short timeframe (for example more than 500 miles apart with 1 hour), an activity from a tainted IP address (for example based on external IP reputation services),”… “such as for tainted IP address and clickstream analysis scenarios.”).

Regarding claim 25, Bingham as modified by Zimmermann further teaches 
wherein the activity detection subsystems are configured to detect activity associated with events including cyber attacks, exploits, and data leaks (Zimmermann: Para. [0004, 0139, 0238, 0417], “Enterprises want to prevent leaking or theft, whether inadvertent and malicious, and prevention of leaks can have very high stakes, including relating to data exposure, financial loss, and legal liability”, “The UBA platform 500 may be used in connection with ‘honey pots’ to detect attacks”, “There have been numerous documented attacks, as people exploit vulnerabilities in the security of these applications”).

Regarding claim 26, Bingham as modified by Zimmermann teaches the system of claim 19. 
Bingham further teaches wherein the threat prediction subsystem is configured to classify information according to ontologies (Bingham, in Para. [0017], discloses identifying threat attributes and creating a behavior profile (i.e. ontology)).

Regarding claim 27, Bingham as modified by Zimmermann teaches the system of claim 19. 
As detailed above, Bingham further teaches wherein the threat prediction subsystem is configured to calculate a risk score (Bingham, in Para. [0017], discloses generating a reputation score (i.e. risk score) for an IP address).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Zimmermann in further view of Xue.
Regarding claim 20, Bingham as modified by Zimmermann teaches the system of claim 19. 
While Bingham as modified by Zimmermann teaches the elements of claim 19, Bingham as modified above by Zimmermann fails to explicitly teach using a Support Vector Machine (SVM).
However, Xue from the analogous technical field teaches wherein the threat prediction subsystem employs a Support Vector Machine supervised learning model (Xue, in Para. [0042], discloses using Support Vector Machine to train classification models (i.e. threat prediction subsystem)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Zimmermann to incorporate the teachings of Xue, with a motivation to protect a user from cyber attacks and security threats (Xue, Para. [0016]).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Zimmermann in further view of Visbal.
Regarding claim 22, Bingham as modified by Zimmermann teaches the system of claim 19. 
While Bingham as modified by Zimmermann teaches the elements of claim 19, Bingham as modified by Zimmermann above does not explicitly teach detecting non-malicious behavior from known bad actors.
However, Visbal from the analogous technical field teaches wherein the first activity detection subsystem detects non-malicious behavior of known bad actors (Visbal, in Col. 14 lines 51-61, discloses investigating whether an IP address with a high threat reputation score (i.e. known bad actor) is being used in a non-malicious way (i.e. non-malicious behavior)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Zimmermann to incorporate the teachings of Visbal, with a motivation to know if the threat is the IP address or a user account before blacklisting the IP address (Visbal, Col. 14 lines 51-61).

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Bingham in view of Zimmermann in further view of Kotler (US 9473522 B1).
Regarding claim 24, Bingham as modified by Zimmermann teaches the system of claim 19. 
While Bingham as modified by Zimmermann teaches the elements of claim 19, Bingham as modified above by Zimmermann fails to explicitly teach detecting activity associated with hashes, file names, and malware.
However, Kotler from the analogous technical field teaches wherein the activity detection subsystems are configured to detect activity associated with technical entities including hashes, filenames and malware (Kotler, in Col. 10 lines 61-67, Col. 3 lines 3-4, and Col. 3 lines 35-40, discloses actions (i.e. activities) including malware and information including hash of data and filenames).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bingham as modified by Zimmermann to incorporate the teachings of Shaffer, with a motivation to protect systems against malicious actions by quantifying risk of malicious actions (Kotler, Col. 3 lines 41-48).  


Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431