Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
The terminal disclaimer filed on 8-31-2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 10721244 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Amendments
The amended claims 1-5, 7-10, 12-14 and 16 have been considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art. Applicant's arguments have been fully considered and are persuasive.

Allowable Subject Matter
1.	Amended claims 1-5, 7-10, 12-14 and 16 are allowed in light of applicant's arguments, the approved examiner's amendment below and the prior art made of record. Claims 6, 11 and 15 are cancelled.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Laura Li (attorney) for filed amended claims:
1. (Currently Amended) A threat information extraction device comprising a processor; and a memory device storing instructions that, when executed by the processor, cause the processor to perform operations comprising: 
storing flow information; and extracting new threat information from acquired threat information using the flow information, wherein extracting the new threat information comprises: 
extracting a first Internet Protocol (IP) address from the acquired threat information, creating totalization information on the first IP address from the flow information;
estimating a feature value of communication associated with the first IP address from the totalization information, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address;
extracting zero or one or more other IP addresses that are similar to the first IP address at which communication is in progress using a clustering method based on the estimated feature value comprising the average bit rate and the average communication time of communication associated with each respective IP address, wherein the average bit rate is estimated by dividing a corrected communication amount of each host by a communication time of each host and the average communication time is estimated by dividing the communication time by a number of communication destinations;
determining one or more target IP addresses, included in the first IP address and the other IP addresses, whose respective number of the communication destinations is equal to or larger than a predetermined threshold for a number of communication destinations;
monitoring communications associated with the one or more target IP addresses to detect an abnormality based on the flow information at the one or more target IP addresses;
generating threat information for the one or more target IP addresses.
2. (Currently Amended) A threat information extraction device comprising a processor; and a memory device storing instructions that, when executed by the processor, cause the processor to perform operations comprising:
storing query logs and flow information; and extracting new threat information from acquired threat information using the query logs and the flow information, wherein extracting the new threat information comprises:
extracting a first IP address and a Fully Qualified Domain Name (FQDN) of a Command and Control (C2) server from the acquired threat information,
extracting a second IP address sent back to the FQDN extracted from the query logs,
creating totalization information on the first IP address and the second IP address from the flow information,
estimating a feature value of communication associated with the first IP address and the second IP address from the totalization information, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address, and
extracting zero or one or more other IP addresses that are similar to the first IP address and the second IP address at which communication is in progress using a clustering method based on the estimated feature value comprising the average bit rate and the average communication time of communication associated with each respective IP address, wherein the average bit rate is estimated by dividing a corrected communication amount of each host by a communication time of each host and the average communication time is estimated by dividing the communication time by a number of communication destinations;
determining one or more target IP addresses, included in the first IP address, the second IP address, and the other IP addresses, whose respective number of communication destinations is equal to or larger than a predetermined threshold for a number of communication destinations,
monitoring communications associated with the one or more target IP addresses to detect an abnormality based on the flow information at the one or more target IP addresses, and
generating threat information for the one or more target IP addresses.
8. (Currently Amended) A threat information extraction system comprising: a threat information extraction device; and a threat information database (DB) configured to store threat information extracted by the threat information extraction device, wherein the threat information extraction device comprises a processor; and a memory device storing instructions that, when executed by the processor, cause the processor to perform operations comprising:
storing flow information; and extracting new threat information from acquired threat information using the flow information, wherein extracting the new threat information comprises:
extracting a first Internet Protocol (IP) address from the acquired threat information,
creating totalization information on the first IP address from the flow information,
estimating a feature value of communication associated with the first IP address from the totalization information, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address, and
extracting zero or one or more other IP addresses that are similar to the first IP address at which communication is in progress using a clustering method based on the estimated feature value comprising the average bit rate and the average communication time of communication associated with each respective IP address, wherein the average bit rate is estimated by dividing a corrected communication amount of each host by a communication time of each host and the average communication time is estimated by dividing the communication time by a number of communication destinations;
determining one or more target IP addresses, included in the first IP address and the other IP addresses, whose respective number of communication destinations is equal to or larger than a predetermined threshold for a number of communication destinations,
monitoring communications associated with the one or more target IP addresses to detect an abnormality based on the flow information at the one or more target IP addresses, and
generating threat information for the one or more target IP addresses.
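The extraction pipeline recited in claims 1, 2 and 8 (totalization of flow information per host, the two claimed feature values, similarity search around the seed IP, the destination-count threshold, monitoring of the resulting targets) carried through in Python over constructed flow records. This is an added illustration and is not code from the patent, the applicant or the examiner. The page leaves several points open, so the example assumes them: flow records carry (source IP, destination IP, byte count, duration in seconds); the claimed "corrected communication amount" is taken as the raw byte count with no correction applied; "similar" means a Euclidean distance below a fixed radius between log10-scaled (average bit rate, average communication time) vectors, standing in for the unspecified "clustering method"; and the monitoring step flags a target whose average bit rate rises by a fixed factor over its baseline. All IPs and flows are constructed sample data.

```python
"""Claim-1 style threat information extraction over constructed flow records.

Added example, not code from the patent or its applicant. Assumed (not on the
page): record layout (src_ip, dst_ip, bytes, seconds); "corrected communication
amount" == raw byte count; similarity == log10-feature distance <= radius;
abnormality == average bit rate >= factor * baseline.
"""
from collections import defaultdict
import math

# Constructed sample flows (not real traffic): (src_ip, dst_ip, bytes, seconds).
# 10.0.0.1 is the "first IP address" taken from the acquired threat information.
BASELINE_FLOWS = [
    ("10.0.0.1", "203.0.113.5", 1200, 10.0),        # seed: small, steady beacons
    ("10.0.0.1", "203.0.113.6", 1200, 10.0),
    ("10.0.0.1", "203.0.113.7", 1200, 10.0),
    ("10.0.0.2", "198.51.100.1", 1000, 10.0),       # beacons shaped like the seed
    ("10.0.0.2", "198.51.100.2", 1000, 10.0),
    ("10.0.0.2", "198.51.100.3", 1000, 10.0),
    ("10.0.0.2", "198.51.100.4", 1000, 10.0),
    ("10.0.0.2", "198.51.100.4", 1000, 10.0),       # repeat destination: counted once
    ("10.0.0.3", "203.0.113.9", 1200, 10.0),        # similar shape, only one destination
    ("10.0.0.4", "192.0.2.10", 50_000_000, 100.0),  # bulk download, not similar
    ("10.0.0.5", "192.0.2.20", 20_000, 2.0),        # web browsing: fast, short
    ("10.0.0.5", "192.0.2.21", 20_000, 2.0),
    ("10.0.0.5", "192.0.2.22", 20_000, 2.0),
    ("10.0.0.5", "192.0.2.23", 20_000, 2.0),
    ("10.0.0.5", "192.0.2.24", 20_000, 2.0),
]

# Constructed second window for the monitoring step: 10.0.0.2 pushes ten times more data.
NEW_FLOWS = [
    ("10.0.0.1", "203.0.113.5", 1200, 10.0),
    ("10.0.0.2", "198.51.100.1", 10_000, 10.0),
]


def totalize(flows):
    """Totalization information per source host: communication amount (bytes),
    communication time (seconds) and the set of communication destinations."""
    totals = defaultdict(lambda: {"amount": 0, "time": 0.0, "dsts": set()})
    for src, dst, nbytes, seconds in flows:
        totals[src]["amount"] += nbytes
        totals[src]["time"] += seconds
        totals[src]["dsts"].add(dst)
    return dict(totals)


def feature_value(total):
    """(average bit rate, average communication time) as the claim defines them:
    corrected amount / communication time, and communication time / number of
    destinations. None for a host that would divide by zero."""
    n_dst = len(total["dsts"])
    if total["time"] <= 0 or n_dst == 0:
        return None
    return total["amount"] * 8 / total["time"], total["time"] / n_dst


def _log_vector(feature):
    # log10 scaling so a 1000x bit-rate gap is not swamped by a 1 s time gap
    return tuple(math.log10(max(x, 1e-9)) for x in feature)


def similar_hosts(seed_ip, totals, radius=0.5):
    """Other IPs whose log-scaled feature vector lies within `radius` of the seed's
    (assumed rule standing in for the claim's unspecified clustering method)."""
    seed_feature = feature_value(totals[seed_ip])
    if seed_feature is None:
        return []
    seed_vec = _log_vector(seed_feature)
    similar = []
    for ip, total in totals.items():
        feature = feature_value(total)
        if ip == seed_ip or feature is None:
            continue
        if math.dist(seed_vec, _log_vector(feature)) <= radius:
            similar.append(ip)
    return sorted(similar)


def target_ips(seed_ip, others, totals, min_destinations):
    """Keep seed and similar hosts whose destination count meets the threshold."""
    return sorted(ip for ip in {seed_ip, *others}
                  if len(totals[ip]["dsts"]) >= min_destinations)


def extract_threat_information(flows, seed_ip, min_destinations=3, radius=0.5):
    """Seed IP -> totals -> features -> similar hosts -> threshold -> threat records."""
    totals = totalize(flows)
    if seed_ip not in totals:
        return []
    others = similar_hosts(seed_ip, totals, radius)
    records = []
    for ip in target_ips(seed_ip, others, totals, min_destinations):
        rate, comm_time = feature_value(totals[ip])
        records.append({"ip": ip, "avg_bit_rate_bps": rate, "avg_comm_time_s": comm_time,
                        "destinations": len(totals[ip]["dsts"])})
    return records


def detect_abnormality(baseline_flows, new_flows, targets, factor=3.0):
    """Monitoring step (assumed rule): a target is abnormal when its average bit
    rate in the new window is at least `factor` times its baseline rate."""
    base, new = totalize(baseline_flows), totalize(new_flows)
    abnormal = []
    for ip in targets:
        if ip in base and ip in new:
            b, n = feature_value(base[ip]), feature_value(new[ip])
            if b and n and n[0] >= factor * b[0]:
                abnormal.append(ip)
    return sorted(abnormal)


if __name__ == "__main__":
    found = extract_threat_information(BASELINE_FLOWS, "10.0.0.1")
    for rec in found:
        print(rec)
    print("abnormal:", detect_abnormality(BASELINE_FLOWS, NEW_FLOWS, [r["ip"] for r in found]))
```

On the sample data the seed 10.0.0.1 (960 bps, 10 s per destination) pulls in 10.0.0.2 and 10.0.0.3 as similar, but only 10.0.0.1 and 10.0.0.2 reach the destination threshold of 3, so those two become targets; the bulk download and the browsing host fall well outside the radius. Note that the repeated destination for 10.0.0.2 is counted once, which is what makes its average communication time 12.5 s rather than 10 s, and that a host with zero communication time is skipped rather than allowed to divide by zero. The radius, threshold and factor are tuning knobs the page does not fix; in practice they would be calibrated against the operator's own flow data.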

Reasons for Allowance
None of the prior art of record, taken alone or in any combination, anticipates or renders obvious the claimed invention of the present application as of its filing date. The prior art of record fails to teach: extending threat information and/or generating new threat information by analyzing packet headers flowing through a network using threat information obtained by analyzing malware behavior or the like; and a threat information extraction device provided with a network information DB that stores flow information and a threat information extraction unit that extracts new threat information from acquired threat information using the flow information, in which the threat information extraction unit extracts a first IP address from the acquired threat information, creates totalization information on the first IP address from the flow information, estimates a feature value of communication associated with the first IP address from the totalization information, where an average bit rate is estimated by dividing a corrected communication amount of each host by a communication time of each host and an average communication time is estimated by dividing the communication time by a number of communication destinations, extracts zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value, and generates threat information.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, the approved examiner's amendment and the prior art of record. The same amendments and reasoning apply to independent claims 2 and 8 mutatis mutandis. Claims 6, 11 and 15 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571) 270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached at (571) 272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BADRINARAYANAN CHAMPAKESAN/ Primary Examiner, Art Unit 2496.