DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting


The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11102093. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the patent contain every element of the claims of the instant application, or vice versa, and as such they anticipate, or are anticipated by, the instant application.
By way of illustration, consider the respective claim 1 from each disclosure:
Claim 1 of the instant application:
1. A method comprising: assigning, to a device associated with an internet protocol (IP) address, one or more reputation scores associated with a communication policy, the one or more reputation scores being based on at least one of a determination that the device has been infected by malware, a determination that the IP address of the device has been used to communicate with a different device that is infected by malware, or network activity associated with the device; and based on the one or more reputation scores, modifying a group policy membership of the device from a policy group to an additional policy group associated with the one or more reputation scores.

Claim 1 of the Pat ‘093:
1. A method comprising: receiving network traffic from a device having an internet protocol (IP) address; assigning a first reputation score with a conditional communication policy to the device, the first reputation score being based on at least one of a first determination that the device has been infected by malware and a second determination that the IP address of the device has been used to communicate with a different device that is infected by malware, the conditional communication policy based on the first reputation score assigned to the device; assigning a second reputation score to the device based on network activity of the device, the second reputation score being different than the first reputation score; and in response to assigning the second reputation score to the device, modifying a group policy membership of the device from a first policy group associated with the first reputation score to a second policy group associated with the second reputation score, the second policy group being associated with one or more devices having the second reputation score.


As can be seen above, the claims are largely similar to the assigning reputation score…and modifying a group policy membership of the device from a first policy group associated with the first reputation score to a second policy group associated with the second reputation score step of the ‘093 patent.  Thus, the instant claims appear to be a particular species that is anticipated by the genus claims of the ‘093 patent, which would result in two patents on the same invention.
Independent claims 9 & 17 of the instant application are substantially similar to independent claims 10, 16 (respectively) of the ‘093 patent and are rejected for substantially similar reasons as discussed supra. Likewise, dependent claims 2-8, 10-16, 18-20 of the instant application are substantially similar to dependent claims 1-9, 11-15, 17-20 (respectively) of the ‘093 patent and are rejected for substantially similar reasons as discussed supra.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 8-12, 16-18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ardeli et al (Pub. No. US 2016/0036833).

As per claim 1, Ardeli discloses a method comprising: assigning, to a device associated with an internet protocol (IP) address, one or more reputation scores associated with a communication policy, the one or more reputation scores being based on at least one of a determination that the device has been infected by malware (…assign a reputation score to the client…the deep packet inspection module receives one or more data packets during a session when the client is browsing the internet…the deep packet inspection module analyzes the one or more data packets to retrieve URL…the local URL cache includes URLs on the internet, each assigned a reputation score…reflecting the current malicious state of the URL if any…see par. 38, 44), a determination that the IP address of the device has been used to communicate with a different device that is infected by malware, or network activity associated with the device (…the intrusion detection module…detects anomalies and malicious activities originated by the client and monitors the entire payload of inbound and outbound data packets being exchanged by the client during a session…to identify malicious incidents associated with the client in the session…see par. 47-48); and based on the one or more reputation scores, modifying a group policy membership of the device from a policy group to an additional policy group associated with the one or more reputation scores (…the different weights assigned to one or more activities of the client may affect how the base reputation score is modified for the client to determine a current reputation score…the reputation module modifies an existing reputation score proportionally to the weight associated with the one or more activities of the client…see par. 53-55…the reputation module sends instructions to the policy enforcement module to upgrade the client’s role to that of a more privileged role…the policy enforcement module assigns access privileges to the client corresponding to the current reputation score…see par. 59-61).


As per claim 9, Ardeli discloses a system comprising: one or more processors; and a computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the one or more processors to: assign, to a device associated with an internet protocol (IP) address, one or more reputation scores associated with a communication policy, the one or more reputation scores being based on at least one of a determination that the device has been infected by malware (…assign a reputation score to the client…the deep packet inspection module receives one or more data packets during a session when the client is browsing the internet…the deep packet inspection module analyzes the one or more data packets to retrieve URL…the local URL cache includes URLs on the internet, each assigned a reputation score…reflecting the current malicious state of the URL if any…see par. 38, 44), a determination that the IP address of the device has been used to communicate with a different device that is infected by malware, or network activity associated with the device (…the intrusion detection module…detects anomalies and malicious activities originated by the client and monitors the entire payload of inbound and outbound data packets being exchanged by the client during a session…to identify malicious incidents associated with the client in the session…see par. 47-48); and based on the one or more reputation scores, modify a group policy membership of the device from a policy group to an additional policy group associated with the one or more reputation scores (…the different weights assigned to one or more activities of the client may affect how the base reputation score is modified for the client to determine a current reputation score…the reputation module modifies an existing reputation score proportionally to the weight associated with the one or more activities of the client…see par. 53-55…the reputation module sends instructions to the policy enforcement module to upgrade the client’s role to that of a more privileged role…the policy enforcement module assigns access privileges to the client corresponding to the current reputation score…see par. 59-61).


As per claim 17, Ardeli discloses a non-transitory computer-readable medium having stored thereon instructions which, when executed by one or more processors, cause the one or more processors to: assign, to a device associated with an internet protocol (IP) address, one or more reputation scores associated with a communication policy, the one or more reputation scores being based on at least one of a determination that the device has been infected by malware (…assign a reputation score to the client…the deep packet inspection module receives one or more data packets during a session when the client is browsing the internet…the deep packet inspection module analyzes the one or more data packets to retrieve URL…the local URL cache includes URLs on the internet, each assigned a reputation score…reflecting the current malicious state of the URL if any…see par. 38, 44), a determination that the IP address of the device has been used to communicate with a different device that is infected by malware, or network activity associated with the device (…the intrusion detection module…detects anomalies and malicious activities originated by the client and monitors the entire payload of inbound and outbound data packets being exchanged by the client during a session…to identify malicious incidents associated with the client in the session…see par. 47-48); and based on the one or more reputation scores, modify a group policy membership of the device from a policy group to an additional policy group associated with the one or more reputation scores (…the different weights assigned to one or more activities of the client may affect how the base reputation score is modified for the client to determine a current reputation score…the reputation module modifies an existing reputation score proportionally to the weight associated with the one or more activities of the client…see par. 53-55…the reputation module sends instructions to the policy enforcement module to upgrade the client’s role to that of a more privileged role…the policy enforcement module assigns access privileges to the client corresponding to the current reputation score…see par. 59-61).


As per claims 2, 10, Ardeli discloses wherein assigning one or more reputation scores comprises, after assigning a reputation score to the device, assigning a different reputation score to the device based on network activity associated with the device (see par. 38, 44).


As per claims 3, 11, Ardeli discloses wherein the different reputation score is a reduced reputation score relative to the reputation score (see par. 55).


As per claims 4, 12, 18, Ardeli discloses determining an effectiveness of the communication policy based on data from packet flows associated with devices assigned to at least one of the policy group or the additional policy group; and determining an action based on the determined effectiveness of the communication policy (see par. 63-66).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5-7, 13-15, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ardeli et al (Pub. No. US 2016/0036833) in view of Carter, et al (Pub. No. US 2012/0102545).

As per claims 5, 13, 19, Ardeli does not explicitly disclose separating behavior identified as malicious from different behavior identified as non-malicious based on an indication from at least one of the determination that the device has been infected by malware or the determination that the IP address has been used to communicate with the different device that is infected by malware. However, Carter discloses separating behavior identified as malicious from different behavior identified as non-malicious based on an indication from at least one of the determination that the device has been infected by malware or the determination that the IP address has been used to communicate with the different device that is infected by malware (a reputation score may indicate a quantitative rating of the soundness of the domain in terms of a lack of unwanted or malicious behavior…reputation score may be calculated and maintained by any acceptable means for determining the soundness of a domain in terms of a lack of unwanted or malicious behavior…see par. 39). Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Carter in Ardeli for including the above limitations because one of ordinary skill in the art would recognize it would further protect the computing system against unknown malicious activities by determining a reputation of a link that includes querying a database including reputation information associated with a plurality of links by a reputation server…see Carter, par. 4-7.


As per claims 6, 14, 20, the combination of Ardeli and Carter discloses identifying, based on a malware tracker, one or more IP addresses of devices that have been infected by malware, wherein the one or more reputation scores are further based on whether the one or more IP addresses include the IP address of the device or a different IP address of the different device (Carter: see par. 39).


As per claims 7, 15, the combination of Ardeli and Carter discloses wherein identifying the one or more IP addresses of devices that have been infected by malware comprises crawling multiple malware trackers (Carter: …reputation server may use the information associated with the link and any redirections to determine a policy intersection for the link that indicates whether the link is associated with a malicious activity…reputation server may determine based on the policy intersection whether it is safe to navigate to the link or whether the link is associated with a malicious activity…see par. 48-49).


As per claims 8, 16, the combination of Ardeli and Carter discloses wherein the assigning of the one or more reputation scores comprises: obtaining data associated with the device based on a query to a whois database; and determining whether a particular IP address has been allocated to an entity identified as real or legitimate based on the data obtained from the whois database (Carter: see par. 40-41).



Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to network analytics, and more specifically to a process of analyzing a malware tracker for IP addresses of hosts having been infected by malware.

Kapoor et al (Pub. No. US 2012/0240185); “Systems and Methods for Processing Data Flows”;
-Teaches the flow processing may receive data flows and test them for malicious and malformed IP packets…see par. 458-459.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499