DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	Claims 43-63 are pending.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

2.	Claim(s) 60-62 is/are rejected under 35 U.S.C. 102a as being anticipated by Gertner, et al. [9,503,470].
Claim 60:	Gertner teaches a method of predicting network threats, the method comprising: 
receiving at a computing device a request associated with an online element; [Gertner: col.5, lines 33-55, col.20, line 65-col.21, line 5]
determining the online element having a malicious reputation based on reputation data in a reputation database; [Gertner: col.10, lines 45-67 and col.21, lines 15-55; Whitelisting particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines is a form of reputation system. Explicit whitelisting where a user is granted permissions to access certain servers or files or where they are considered safe individuals, machines, servers or code may, however, be used along with (or alternatively to) implicit whitelisting where such whitelisting functions are provided by SDI-SCAM based upon a probability distribution curve of safety or appropriateness of access]
sending by the computing device a response indicating that the online element has a malicious reputation as an identified network threat; [Gertner: col.10, lines 45-63 and col.12, lines 27-67; Another example can be the Bayesian model is used to estimate likelihoods of various threat vectors. It may recommend or in some cases even implement responses to detected threats (col.20, lines 10-18)]
receiving at the computing device a request for relationship information associated with the online element; [Gertner: col.10, lines 45-67; relationship data can be given the broadest and reasonable interpretation (BRI) as data related to the predictive threats (can also be in a form of signature pattern) previously observed as attacks or data for comparison process per se. Another example can be information associated to threat vectors which in Gertner can be a form of an attack or virus records where the SDI-SCAM monitors all processes for behavior consistent with viral infection of the network traffic (i.e. relationship between the online objects)]
identifying a first online object, based on the relationship information, also having a malicious reputation, using the computing device, wherein there is a first association between the online element and the first online object; and [Gertner: col.10, lines 45-67 and col.21, lines 12-67; Another example can be the Bayesian model is used to estimate likelihoods of various threat vectors. The model provides access to the reasoning behind its inferences. It may recommend or in some cases even implement responses to detected threats (See also col.20, lines 10-18)]
sending from the computing device one or more identifiers for the first online object as a predictive network threat. [Gertner: col.3, line 55-col.4, line 10] 
Gertner discloses that systems and methods are provided for detecting the state of a computer network by providing a plurality of distributed agents disposed in the computer network to passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network. Counter-offensive measures are generated where unauthorized access to a program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure [Gertner: col.3, line 55-col.4, line 10].
Claim 61: See Gertner: col.10, lines 44-62; discussing the method of claim 60, wherein the online element and online object are each one of: an internet protocol address, a file, a uniform resource locator, and a software application.
Claim 62: See Gertner: col.24, lines 1-37; discussing the method of claim 60, wherein determining the online element having a malicious reputation comprises: receiving network activity log event data including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 43-59 and 63 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gertner, et al. [9,503,470] in view of Watters, et al. [US 2012/0233698].
Claim 43:	Gertner teaches a method of predicting network threats, the method comprising:
identifying a first online element as a threat vector from network activity log data based on reputation information of online elements using one or more computing devices; [Gertner: col.10, lines 45-67 and col.21, lines 15-55; Whitelisting particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines is a form of reputation system. Explicit whitelisting where a user is granted permissions to access certain servers or files or where they are considered safe individuals, machines, servers or code may, however, be used along with (or alternatively to) implicit whitelisting where such whitelisting functions are provided by SDI-SCAM based upon a probability distribution curve of safety or appropriateness of access]
analyzing relationship data for the threat vector, wherein the relationship data identifies associations between the threat vector and other online elements; [Gertner: col.10, lines 45-67; relationship data can be given the broadest and reasonable interpretation (BRI) as data related to the predictive threats (can also be in a form of signature pattern) previously observed as attacks or data for comparison process per se. Another example, can be information associated to threat vectors which in Gertner can be a form of an attack or virus records where the SDI-SCAM monitors all processes for behavior consistent with viral infection of the network traffic (i.e. relationship between the online objects)]
identifying one or more online elements as a predictive network threat based at least upon an association between the threat vector and the respective online element; and [Gertner: col.10, lines 45-67 and col.21, lines 12-67; Another example can be the Bayesian model is used to estimate likelihoods of various threat vectors. The model provides access to the reasoning behind its inferences. It may recommend or in some cases even implement responses to detected threats (See also col.20, lines 10-18)]
providing data regarding the threat vector and the one or more online elements [Gertner: col.8, lines 30-67 and col.14, lines 45-67] **to a firewall device using the one or more computing devices, wherein the firewall blocks network activity [**rejected under secondary prior art, explained below] associated with the threat vector and the one or more online elements. [Gertner: col.3, line 55-col.4, line 10]
Gertner discusses firewalls, and the distributed agents suggest functions similar to those of a firewall [col.5, line 25-col.6, line 25]. Gertner discloses a whitelist, where whitelisting, particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines, is a form of reputation system. Gertner also discloses a non-whitelist, where a non-whitelisted item would traditionally be “unknown” with the possibility of being unsafe or part of a black list, in contrast to what is possible through the newly proposed paradigm in which what is not whitelisted has a very high probability of being unsafe [Gertner: col.21, line 13-60]. However, Gertner did not clearly teach wherein the firewall blocks network activity associated with network threat.
Watters, et al. discloses firewalls may execute software that analyzes network traffic that is addressed to points inside the firewall to reject traffic that fails security tests. Further, traffic that does provide appropriate security tokens may be rejected on the basis of a source address associated with the traffic, such as an internet protocol (IP) address that is known to pose a security threat or an internet protocol address of an IP address anonymizer. Likewise, automated tools for identifying the signs of electronic intrusions and coping with the intrusions after the fact may provide threat intelligence in the form of threat vectors. The sharing of threat information from these several sources in a coherent and consistent articulation may create a virtuous circle redounding to the benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary [Watters: 0025]. Thus, Watters obviously suggests determining, based at least upon relationship data, one or more related threat vectors having at least one known relationship to the threat vector wherein the relationship data identifies known relationships between online elements. Motivation for the firewall to block network activity associated with network threat, can benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Gertner with Watters to teach wherein the firewall blocks network activity associated with network threat for the reason to benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.
Claim 44: See Gertner: col.10, lines 44-62; discussing the method of claim 43, wherein the threat vector and identified one or more online elements are each one of: an internet protocol address, a file, a uniform resource locator, and a software application.
Claim 45: See Gertner: col.24, lines 1-37; discussing the method of claim 43, wherein identifying the threat vector from network activity log data comprises: receiving network activity log event data including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.
Claim 46: See Gertner: col.18, lines 5-38; discussing the method of claim 45, wherein the response from the reputation management system contains the results of an investigation conducted by the reputation management system to evaluate whether the network event is a threat.
Claim 47: See Gertner: col.8, lines 40-67 and col.10, lines 50-67; discussing the method of claim 43, wherein identifying one or more online elements comprises: sending a request to a relationship management system, the request identifying the threat vector; and receiving a response from the relationship management system identifying the respective online elements.
Claim 48: See Gertner: col.8, lines 40-67; discussing the method of claim 43, wherein identifying one or more online elements comprises identifying a first online element having a first type and a second online object having a second type, and wherein the relationship data identifies a first association between the first online object and the second online object.
Claim 49: See Gertner: col.8, lines 40-67 and col.10, lines 50-67; discussing the method of claim 48, wherein identifying the second online object comprises: sending a subsequent request to the relationship management system, the subsequent request identifying the first online object; and receiving a response from the relationship management system identifying the second online object.
Claim 50: See Gertner: col.6, lines 5-25; discussing the method of claim 48, wherein the second online object has no more than two degrees of separation from the threat vector.
Claim 51: See Gertner: col.21, lines 30-60 in view of Watters: para 0025 [suggesting “a block list of the firewall, and operating the firewall to block network traffic associated with block list”, under the same pretext and motivation as in claim 1]; discussing the method of claim 43, further comprising adding the threat vector and the one or more online elements to **a block list of the firewall, and operating the firewall to block network traffic associated with block list.
Claim 52:	 Gertner teaches a computing system comprising: 
at least one processing device; and [Gertner: col.4, line 35-36]
at least one computer readable storage device storing data instructions that, when executed by the at least one processing device [Gertner: col.4, line 37-40], cause the at least one processing device to: 
identifying a first online element as a threat vector from network activity log data based on an associated with a malicious reputation; [Gertner: col.10, lines 45-67 and col.21, lines 15-55; Whitelisting particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines is a form of reputation system. Explicit whitelisting where a user is granted permissions to access certain servers or files or where they are considered safe individuals, machines, servers or code may, however, be used along with (or alternatively to) implicit whitelisting where such whitelisting functions are provided by SDI-SCAM based upon a probability distribution curve of safety or appropriateness of access]
analyzing relationship data for the threat vector, wherein the relationship data identifies associations between the threat vector and other online elements; [Gertner: col.10, lines 45-67; relationship data can be given the broadest and reasonable interpretation (BRI) as data related to the predictive threats (can also be in a form of signature pattern) previously observed as attacks or data for comparison process per se. Another example, can be information associated to threat vectors which in Gertner can be a form of an attack or virus records where the SDI-SCAM monitors all processes for behavior consistent with viral infection of the network traffic (i.e. relationship between the online objects)] 
identifying one or more online elements as a predictive network threat based at least upon an association between the threat vector and the respective online element; and  [Gertner: col.10, lines 45-67 and col.21, lines 12-67; Another example can be the Bayesian model is used to estimate likelihoods of various threat vectors. The model provides access to the reasoning behind its inferences. It may recommend or in some cases even implement responses to detected threats (See also col.20, lines 10-18)]
providing data regarding the threat vector and the one or more online elements [**rejected under secondary prior art, explained below] **to a firewall device using the one or more computing devices, wherein the firewall blocks network activity [Gertner: col.8, lines 30-67 and col.14, lines 45-67] associated with the threat vector and the one or more online elements. [Gertner: col.3, line 55-col.4, line 10]
Gertner discusses firewalls, and the distributed agents suggest functions similar to those of a firewall [col.5, line 25-col.6, line 25]. Gertner discloses a whitelist, where whitelisting, particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines, is a form of reputation system. Gertner also discloses a non-whitelist, where a non-whitelisted item would traditionally be “unknown” with the possibility of being unsafe or part of a black list, in contrast to what is possible through the newly proposed paradigm in which what is not whitelisted has a very high probability of being unsafe [Gertner: col.21, line 13-60]. However, Gertner did not clearly teach wherein the firewall blocks network activity associated with network threat.
Watters, et al. discloses firewalls may execute software that analyzes network traffic that is addressed to points inside the firewall to reject traffic that fails security tests. Further, traffic that does provide appropriate security tokens may be rejected on the basis of a source address associated with the traffic, such as an internet protocol (IP) address that is known to pose a security threat or an internet protocol address of an IP address anonymizer. Likewise, automated tools for identifying the signs of electronic intrusions and coping with the intrusions after the fact may provide threat intelligence in the form of threat vectors. The sharing of threat information from these several sources in a coherent and consistent articulation may create a virtuous circle redounding to the benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary [Watters: 0025]. Thus, Watters obviously suggests determining, based at least upon relationship data, one or more related threat vectors having at least one known relationship to the threat vector wherein the relationship data identifies known relationships between online elements. Motivation for the firewall to block network activity associated with network threat, can benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Gertner with Watters to teach wherein the firewall blocks network activity associated with network threat for the reason to benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.
Claim 53: See Gertner: col.10, lines 44-62; discussing the computing system of claim 52, wherein the threat vector and identified one or more online elements are each one of: an internet protocol address, a file, a uniform resource locator, and a software application.
Claim 54: See Gertner: col.24, lines 1-37; discussing the computing system of claim 52, wherein determining that the threat vector is associated with the malicious reputation comprises: receiving the network activity including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.
Claim 55: See Gertner: col.18, lines 5-38; discussing the computing system of claim 54, wherein the response from the reputation management system contains the results of an investigation conducted by the reputation management system to evaluate whether the network event is a threat.
Claim 56: See Gertner: col.8, lines 40-67 and col.10, lines 50-67; discussing the computing system of claim 52, wherein identifying one or more online elements comprises: sending a request to a relationship management system, the request identifying the threat vector; and receiving a response from the relationship management system identifying the respective online elements.
Claim 57: See Gertner: col.8, lines 40-67; discussing the computing system of claim 52, wherein the computer readable storage device storing data instructions that, when executed by the at least one processing device, cause the at least one processing device to: wherein identifying one or more online elements comprises identifying a first online element having a first type and a second online object having a second type, and wherein the relationship data identifies a first association between the first online object and the second online object.
Claim 58: See Gertner: col.8, lines 40-67 and col.10, lines 50-67; discussing the computing system of claim 57, wherein identifying the second online object comprises: sending a subsequent request to the relationship management system, the subsequent request identifying the second online object; and receiving a response from the relationship management system identifying the second online object.
Claim 59: See Gertner: col.6, lines 5-25; discussing the computing system of claim 56, wherein the second online object has no more than two degrees of separation from the threat vector.
Claim 63:  Gertner discussing the method of claim 60, further comprising adding the online element and online object to **a block list of a firewall, and operating the firewall to block network traffic associated with block list. 
Gertner discusses firewalls, and the distributed agents suggest functions similar to those of a firewall [col.5, line 25-col.6, line 25]. Gertner discloses a whitelist, where whitelisting, particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines, is a form of reputation system. Gertner also discloses a non-whitelist, where a non-whitelisted item would traditionally be “unknown” with the possibility of being unsafe or part of a black list, in contrast to what is possible through the newly proposed paradigm in which what is not whitelisted has a very high probability of being unsafe [Gertner: col.21, line 13-60]. However, Gertner did not clearly teach a block list of a firewall, and operating the firewall to block network traffic associated with block list.
Watters, et al. discloses firewalls may execute software that analyzes network traffic that is addressed to points inside the firewall to reject traffic that fails security tests. Further, traffic that does provide appropriate security tokens may be rejected on the basis of a source address associated with the traffic, such as an internet protocol (IP) address that is known to pose a security threat or an internet protocol address of an IP address anonymizer. Likewise, automated tools for identifying the signs of electronic intrusions and coping with the intrusions after the fact may provide threat intelligence in the form of threat vectors. The sharing of threat information from these several sources in a coherent and consistent articulation may create a virtuous circle redounding to the benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary [Watters: 0025]. Thus, Watters obviously suggests determining, based at least upon relationship data, one or more related threat vectors having at least one known relationship to the threat vector wherein the relationship data identifies known relationships between online elements. Motivation for the firewall to block network activity associated with network threat, can benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Gertner with Watters to teach a block list of a firewall, and operating the firewall to block network traffic associated with block list for the reason to benefit of all the organizations sharing the subject threat intelligence, possibly mediated by the trusted intermediary by the ability to reject traffic that fails security tests or known to pose a security threat.

Response to Arguments
4.	Applicant’s arguments with respect to claim(s) 43-63 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
5.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571)272-3851.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


LEYNNA TRUVAN
Examiner
Art Unit 2435

/L.TT/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435