Remarks
Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 7/28/2022 have been fully considered but they are not persuasive.
Applicant summarizes Applicant’s understanding of a portion of the rejection, provides Applicant’s understanding of a portion of Rieke, and alleges “However, nowhere does Reike teach or suggest processing the enriched network reporting information of enhanced records stored in the enhanced record message queue by one or more real time threat analysis components to identify potential security vulnerabilities.”  To the contrary, Rieke discloses processing by one or more real time threat analysis components, the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers by applying one or more threat detection models to identify the potential security vulnerabilities in Rieke’s disclosure of detecting vulnerabilities using models, such as graphs, lists, or other data structures, for example.  
Applicant then provides Applicant’s understanding of a portion of the rejection and alleges “However, in paragraphs [0109]-[0132], Rieke merely discloses that ‘a report may be created to detail the detected vulnerabilities of all assets in a TrustZone or a particular asset.’”  To the contrary, paragraphs 109-132 disclose much more than this.  
Applicant then alleges “that Rieke does not teach one or more real time threat analysis components that process the enriched network reporting information by applying one or more threat detection models to identify potential security threats.”  Applicant continues by alleging “In particular, Rieke does not teach that the ‘created graph’ or ‘filtered data’ (i.e. the alleged enriched network reporting information) is processed by one or more real time threat analysis components by applying the one or more threat detection models.  Instead, Rieke merely teaches that a user can view and manipulate the graph, and that the collected data may be analyzed.  There is no teaching or suggestion of processing the ‘created graph’ or ‘filtered data’ by one or more real time threat analysis components by applying one or more threat detection models to identify potential security threats.”  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  With respect to Applicant’s erroneous allegation that “Rieke merely teaches that a user can view and manipulate the graph, and that the collected data may be analyzed”, Rieke teaches much more than this.  For example, Rieke discloses processing by one or more real time threat analysis components, the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers by applying one or more threat detection models to identify the potential security vulnerabilities in Rieke’s disclosure of detecting vulnerabilities using models, such as graphs, lists, or other data structures, for example.  
Applicant then alleges that Rieke does not teach or suggest the updating limitation, provides Applicant’s understanding of a portion of the rejection, alleges that “the updating of Rieke does not teach or suggest the updating of the presently claimed invention”, provides Applicant’s understanding of portions of Rieke, and alleges “However, Rieke does not teach or suggest any threat detection models used by real time threat analysis components that are updated using the ‘created graph’ or ‘filtered data’ (i.e. the alleged enriched network reporting information).  Instead, Rieke merely teaches that updated data is collected and is used to update the created flow information graph.”  The Examiner thanks Applicant for admitting that Rieke discloses updating the graph, which corresponds, in at least some interpretations, to the threat detection model of the claim.  This clearly shows updating of the model in updating of the graph.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 8-15, 18, 19, and 22-28 are rejected under 35 U.S.C. 103 as being unpatentable over Rieke (U.S. Patent Application Publication 2016/0072831) in view of Rueff (U.S. Patent Application Publication 2012/0304130).
Regarding Claim 1,
Rieke discloses a CTI infrastructure comprising:
A plurality of network devices each collecting network reporting information (Exemplary Citations: for example, Paragraphs 109-114, 130-132, and associated figures; sources from which data is received, collected, entities receiving/collecting data, or the like, as examples);
A collection of at least one CTI server, the collection configured for (Exemplary Citations: for example, Paragraphs 109-132 and associated figures):
Receiving the network reporting information collected by the plurality of network devices, the network reporting information comprising a plurality of records each comprising an indication of a source and destination of network traffic (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; receiving/collecting data , source and destination IP addresses and ports, flow directions are identified, for example);
Storing the received plurality of records in a record message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; received/collected information and flows, record list, database, listing on an interface, or the like, as examples);
Enriching the network reporting information with enrichment data by adding one or more tags of enrichment data to records of the network reporting information comprising, for each of the records of the network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; enriching the data in any fashion, such as by creating a graph, filtering the data, highlighting information, highlighting graph portions, bolding data, coloring graph portions, updating data and/or graphs with additional information collected data, associating scan data with network flows, associating with a TrustZone, identifying channels, identifying characteristics, or the like, as examples):
Identifying each of a source and a destination of the respective record retrieved from the message queue based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; source and destination IP addresses and ports, for example);
Tagging the respective record by adding an indication of the source and destination (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; as above, for example); and
Storing the enhanced record with the tagged source and destination in an enhanced message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; creating graph or other data structure using the above, updating the above described queue with additional updated information (e.g., from additional flows or updated flows, as in paragraph 130, for example), etc., for example);
Processing by one or more real time threat analysis components, the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers by applying one or more threat detection models to identify the potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; detecting vulnerabilities using models, such as graphs, lists, or other data structures, for example);
Updating the one or more threat detection models used by the one or more real time threat analysis components to process the enriched network reporting information using the enriched network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; updating models, such as graphs, lists, or other data structures, for example);
Providing the identified potential security vulnerabilities to an alert component (Exemplary Citations: for example, Paragraphs 109-133 and associated figures; alert or report generated by whatever component does such processing (e.g., whatever piece of code, API, or the like, performs the processing), for example);
Transmitting from the alert component one or more alerts based on at least one identified potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 109-133 and associated figures; alert or report generated by whatever component does such processing (e.g., whatever piece of code, API, or the like, performs the processing), for example);
Processing the enriched network reporting information by running one or more scripts or queries against the enriched network reporting information (Exemplary Citations: for example, Paragraphs 56, 109-133, 146, and associated figures; query/script against updated model, which includes the enriched network reporting information, as described above, further analysis being performed after exporting of the information, querying of TrustZones, information assets within TrustZones, security policies, and the like, as examples); and
Configuring one or more network devices comprising at least one of a firewall and a router based on the results of the one or more scripts or queries (Exemplary Citations: for example, Paragraphs 53-56, 88, 96, 109-133, 146, and associated figures; configuring devices with policies based on the above, for example);
But does not explicitly disclose that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a client or a server, that the tagging the respective record adds an indication of whether the source and destination is identified as the client or server, and that the sources and destinations are tagged as either clients or servers.  
Rueff, however, discloses that the identifying each of a source and destination of the respective record based at least in part on a portion of the network reporting information comprising one or more a source IP address, a destination IP address, a source port number, and a destination port number identifies each of the source and destination as a client or a server (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example); 
That the tagging the respective record adds an indication of whether the source and destination is identified as the client or server (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example);
That the sources and destinations are tagged as either clients or servers (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures; determining whether each of a source and destination are a client or server and tagging them as such in the records, for example);
That the enhanced record includes the tagged client or server information (Exemplary Citations: for example, Abstract, Paragraphs 62, 104, 122, 126-131, and associated figures);
Processing by one or more real time threat analysis components the enriched network reporting information of enhanced records stored in the enhanced record message queue comprising the plurality of records with respective sources and destinations tagged as either clients or servers by applying one or more threat detection models to identify the potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; comparing data to current data, such as white lists, black lists, grey lists, fingerprints, connections, trees, and many other pieces of data and data structures, for example);
Updating the one or more threat detection models used by the one or more real time threat analysis components to process the enriched network reporting information using the enriched network reporting information (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; updating the above data, for example);
Providing the identified potential security vulnerabilities to an alert component (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; getting vulnerabilities at whatever component generates/provides alerts, for example.  This could be grey list alerts, black list alerts, or any other alerts); and
Transmitting from the alert component one or more alerts based on at least one identified potential security vulnerabilities (Exemplary Citations: for example, Paragraphs 72, 77, 80-83, 88, 101-114, 118-124, and associated figures; the above component providing the alert, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the endpoint identification techniques of Rueff into the network analysis and reporting system of Rieke in order to allow the system to determine whether a source or destination is a client or server, to provide for better reporting and endpoint type estimation, to facilitate around-the-clock data collection regardless of maintenance cycles, to provide administrators with all relevant information, and/or to increase security in the system.  
Regarding Claim 15,
Claim 15 is a method claim that corresponds to infrastructure claim 1 and is rejected for the same reasons.  
Regarding Claim 4,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that adding one or more tags of the enrichment data further comprises:
Determining informational data associated with the portion of the network reporting information from the enrichment data (Exemplary Citations: for example, Paragraphs 109-132 and associated figures); and
Adding the determined informational data to the network reporting information as the one or more tags (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 18,
Claim 18 is a method claim that corresponds to infrastructure claim 4 and is rejected for the same reasons.  
Regarding Claim 5,
Rieke as modified by Rueff discloses the infrastructure of claim 4, in addition, Rieke discloses that one or more of the source IP address, and the destination IP address is determined dynamically (Exemplary Citations: for example, Paragraphs 80, 95, 109-132 and associated figures; changing IP addresses, and/or IP addresses set via DHCP, for example).  
Regarding Claim 19,
Claim 19 is a method claim that corresponds to infrastructure claim 5 and is rejected for the same reasons.  
Regarding Claim 8,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for:
Adding the received network reporting information to a first message queue, wherein enriching further comprises (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; received/collected information and flows, for example):
Retrieving network reporting information from the first message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; analyzing the above, for example).  
Regarding Claim 22,
Claim 22 is a method claim that corresponds to infrastructure claim 8 and is rejected for the same reasons.  
Regarding Claim 9,
Rieke as modified by Rueff discloses the infrastructure of claim 8, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for:
Retrieving the enriched network reporting information from the enhanced record message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; retrieving the graph or other data structure, for example);
Further enriching the enriched network reporting information (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; further enriching in any fashion as above, for example); and
Adding the further enriched network reporting information to a third message queue (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; updated graph or other data structure, for example).  
Regarding Claim 23,
Claim 23 is a method claim that corresponds to infrastructure claim 9 and is rejected for the same reasons.  
Regarding Claim 10,
Rieke as modified by Rueff discloses the infrastructure of claim 9, in addition, Rieke discloses that the further enriching comprises one or more of informational data tagging, and dynamic information tagging (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 24,
Claim 24 is a method claim that corresponds to infrastructure claim 10 and is rejected for the same reasons.  
Regarding Claim 11,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the collection of the at least one CTI server is further configured for summarizing the enriched network reporting information for the processing step (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; graph or report, for example).  
Regarding Claim 25,
Claim 25 is a method claim that corresponds to infrastructure claim 11 and is rejected for the same reasons.  
Regarding Claim 12,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the enriched network reporting information is processed by threat analysis components (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 26,
Claim 26 is a method claim that corresponds to infrastructure claim 12 and is rejected for the same reasons.  
Regarding Claim 13,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that one or more potential security vulnerabilities is retrieved by an alerts component that generates one or more alerts (Exemplary Citations: for example, Paragraphs 109-132 and associated figures; alert generating component, for example).  
Regarding Claim 27,
Claim 27 is a method claim that corresponds to infrastructure claim 13 and is rejected for the same reasons.  
Regarding Claim 14,
Rieke as modified by Rueff discloses the infrastructure of claim 1, in addition, Rieke discloses that the network reporting information comprises one or more of NetFlow data, firewall information, IPFIX data, and DNS data (Exemplary Citations: for example, Paragraphs 109-132 and associated figures).  
Regarding Claim 28,
Claim 28 is a method claim that corresponds to infrastructure claim 14 and is rejected for the same reasons.  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/Primary Examiner, Art Unit 2432