DETAILED ACTION

Currently pending claims are 1 – 20.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/17/2022 has been entered.

Response to Arguments

Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 1, Applicant asserts Nakata does not teach:
(a) “predicting a likelihood of a future attack, nor of constructing a blacklist of network address predicted likely to be a source of a future attack” because Nakata itself describes an "Advantageous Effects of Invention" as "a blacklist causing less false detection and having extensive coverage of malware" (column 3, lines 28-32 of Nakata) as such a reason - i.e., maintaining a blacklist causing less false detection of malware. That is a relevant reason for maintaining a blacklist that does not require generating a score indicative of a predicted likelihood of a future attack (Remarks: Page 7 – 9); and
(b) another reason for maintaining a blacklist may be to assemble statistics on the number of potentially malware-infected or threatening sites that are in existence. That is another relevant reason for maintaining a blacklist that does not require generating a score indicative of a predicted likelihood of a future attack (Remarks: Page 9).
Examiner respectfully disagrees because:
(a) First of all, Examiner notes it would be irrelevant to establish one of the well-known anomaly protection metrics, such as an internet blacklist in the security field, if the blacklist is not meant to be utilized for predicting malicious URLs which are likely to be potential sources of future attacks, for filtering and securely protecting the access of network resources. In light of that, Nakata teaches (i) collecting malicious data w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein (ii) the malicious data includes (e.g.) network URL address, IP address, etc., and (iii) a blacklist generating entity collecting a list of malicious communication logs including a timestamp (FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51) (Nakata: Figure 12 & Figure 1 / E-300, E-307 Figure 2, Col. 1 Line 1 – 35, Col. 12 Line 20 – 24, Col. 9 Line 39 – 42, Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51); and accordingly,
Regarding Argument (a), reducing the likelihood of false detection does not mean there is absolutely NO likelihood of false detection, and accordingly a person of ordinary skill in the art would be motivated to establish or identify a likelihood value / coefficient (i.e. score) to improve the accuracy of malware classification, which is taught by Haas as follows: (Haas: Figure 4 / E-414 and Para [0044] Line 14 – 25 and Para [0042] Last sentence: processing a blacklist by applying a logistic regression algorithm using historical operation data with weighting factors to identify a likelihood value / coefficient (i.e. a score) to improve the accuracy of classification) within Nakata’s system of repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity, and generating a blacklist from the malicious data collected w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein the malicious data includes (e.g.) network URL address, IP address, etc. (Nakata: see above).
Likewise, regarding Argument (b), assembling statistics on the number of potentially malware-infected or threatening sites that are in existence does not mean there is absolutely NO likelihood of false detection, and accordingly a person of ordinary skill in the art would be motivated to establish or identify a likelihood value / coefficient (i.e. score) to improve the accuracy of malware classification, which is taught by Haas as follows: (Haas: Figure 4 / E-414 and Para [0044] Line 14 – 25 and Para [0042] Last sentence: processing a blacklist by applying a logistic regression algorithm using historical operation data with weighting factors to identify a likelihood value / coefficient (i.e. a score) to improve the accuracy of classification) within Nakata’s system of repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity, and generating a blacklist from the malicious data collected w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein the malicious data includes (e.g.) network URL address, IP address, etc. (Nakata: see above).
As such Applicant's arguments are respectfully traversed.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 2, 5 – 11, 14 – 18 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nakata et al. (U.S. Patent 10,516,671), in view of Van Nee et al. (U.S. Patent 9,577,728), and in view of Haas et al. (U.S. Patent 2020/0175085).


As per claims 1, 11 & 16, Nakata teaches a method of generating a network address blacklist, comprising:
collecting activity data in a plurality of honeypots comprising network address of attacks and time of attacks (Nakata: Figure 12 & Figure 1 / E-300, E-307 Figure 2, Col. 1 Line 1 – 35, Col. 12 Line 20 – 24, Col. 9 Line 39 – 42, Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51: (a) collecting malicious data w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein (b) the malicious data includes (e.g.) network URL address, IP address, etc., and (c) a blacklist generating entity collecting a list of malicious communication logs including a timestamp (FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51));
analyzing activity data from the plurality of honeypots to generate a score indicative (see below – Haas’s ref) of a predicted likelihood of future attack from network addresses in the activity data (Nakata: see above & Col. 1 Line 30 – 35, Col. 12 Line 20 – 24 / Line 33 – 37); and
constructing a network address blacklist including network addresses predicted likely to be a source of a future attack (see below):
(a) Examiner notes it would be irrelevant to establish one of the well-known anomaly protection metrics, such as an internet blacklist in the security field, if the blacklist is not meant to be utilized for predicting malicious URLs which are likely to be potential sources of future attacks, for filtering and securely protecting the access of network resources.
(b) In light of (a), Nakata teaches (b-1) collecting malicious data w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein (b-2) the malicious data includes (e.g.) network URL address, IP address, etc., and (b-3) a blacklist generating entity collecting a list of malicious communication logs including a timestamp (FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51) (Nakata: Figure 12 & Figure 1 / E-300, E-307 Figure 2, Col. 1 Line 1 – 35, Col. 12 Line 20 – 24, Col. 9 Line 39 – 42, Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51).  However, Nakata does not disclose expressly that network addresses with no recent honeypot attack activity are removed from the blacklist.
However, Nakata does not disclose expressly generating a score indicative of a predicted likelihood of future attack from network addresses in the activity data.
Haas (& Nakata) teaches generating a score indicative of a predicted likelihood of future attack from network addresses in the activity data (Haas: Figure 4 / E-414 and Para [0044] Line 14 – 25 and Para [0042] Last sentence: processing a blacklist by applying a logistic regression algorithm using historical operation data with weighting factors to identify a likelihood value/coefficient to improve the accuracy of classification) || (Nakata: see above).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of generating a score indicative of a predicted likelihood of future attack from network addresses in the activity data because, even though Nakata teaches maintaining a blacklist causing less false detection of malware (Nakata: see above & Col. 3 Line 28 – 32), reducing the likelihood of false detection does not mean there is absolutely NO likelihood of false detection, and accordingly a person of ordinary skill in the art would be motivated to establish or identify a likelihood value / coefficient (i.e. score) to improve the accuracy of malware classification, as taught by Haas (see above), within Nakata’s system of repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity, and generating a blacklist from the malicious data collected w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein the malicious data includes (e.g.) network URL address, IP address, etc. (see above). Besides,
Van Nee (& Nakata) teaches wherein the collecting, analyzing, and constructing are repeated over time such that the score indicative of a predicted likelihood of future attack is updated over time and such that network addresses with no recent honeypot attack activity are removed from the blacklist based on the generated score (Nakata: FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51: repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity) || (Van Nee: Col. 9 Line 29 – 34: a blacklist can be maintained through a least-recently-used algorithm to remove certain blacklists based on the timing order of entries or after a certain period of time).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of removing network addresses with no recent honeypot attack activity from the blacklist because Van Nee teaches to effectively and securely maintain a blacklist through a least-recently-used algorithm to remove certain blacklists based on the timing order of entries or after a certain period of time (see above) within Nakata’s system of repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity, and generating a blacklist from the malicious data collected w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein the malicious data includes (e.g.) network URL address, IP address, etc. (see above).

As per claim 2, Nakata as modified teaches wherein the network address comprises an Internet Protocol (IP) address (Nakata: see above & Col. 9 Line 39 – 42).

As per claims 5 and 14, Haas (& Nakata) teaches that the weighting of activity data used in analyzing the activity data to generate the score indicative of a predicted likelihood of future attack is determined by logistic regression using historic data (Haas: Figure 4 / E-414 and Para [0044] Line 14 – 25 and Para [0042] Last sentence: processing a blacklist by applying a logistic regression algorithm using historical operation data with weighting factors to identify a likelihood value/coefficient to improve the accuracy of classification).

As per claim 6, Haas (& Nakata) teaches wherein weighting of activity is performed by sorting activity data into a bin based on the activity data value (Haas: See above & Para [0026]: using a weighting factor relative to a classification on the activity data).  

As per claims 7 and 15, Nakata as modified teaches distributing the network address blacklist to one or more of a firewall, antivirus software, antimalware software, network security device, and a cloud security service (Nakata: see above & Col. 4 Line 34 – 36).

As per claims 8 – 9, Nakata as modified teaches the analyzed activity data comprises only data within a recent time period (Nakata: FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51: repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity) || (Van Nee: Col. 9 Line 29 – 34: (a) a blacklist can be maintained through a least-recently-used algorithm to remove certain blacklists based on the timing order of entries or after a certain period of time and as such, (b) the constructed network address blacklist is smaller than a list of attacker network addresses during the recent time period).

As per claims 10 and 20, Nakata as modified teaches wherein the plurality of honeypots comprise honeypots in different locations on a public network (Nakata: see above & Figure 12: (a) collecting malicious data w.r.t. attacks from an internet (i.e. exposed to an (external) public network) using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.)).

As per claim 17, Nakata as modified teaches to cause the computerized network honeypot system to report the collected activity data to a remote computerized security system executing the blacklist creation module (Nakata: see above & Figure 1 / E-101 & E-301). 

As per claim 18, Nakata as modified teaches to repeat the collecting and reporting over time such that the remote computerized security system receives periodically updated data (Nakata: FIG. 2 & Col. 3 Line 7 – 9 and Col. 4 Line 49 – 51: repetitively collecting a list of malicious communication logs over time including a timestamp field, which is further analyzed by a blacklist generating entity) || (Van Nee: Col. 9 Line 29 – 34: a blacklist can be maintained through a least-recently-used algorithm to remove certain blacklists based on the timing order of entries or after a certain period of time).


Claims 3 – 4, 12 – 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Nakata et al. (U.S. Patent 10,516,671), in view of Van Nee et al. (U.S. Patent 9,577,728), and in view of Chen et al. (U.S. Patent 7,854,001).

As per claims 3 and 12, Chen (& Nakata) teaches wherein the network address comprises a range of IP addresses in the same subnet (Chen: Col. 4 Line 1 – 8: analyzing an IP blacklist including a malicious network segment wherein an unduly high number of malicious IP addresses are associated with the same subnet).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of generating a network address blacklist that comprises a range of IP addresses in the same subnet because Van Nee teaches to effectively and securely analyze an IP blacklist including a malicious network segment wherein an unduly high number of malicious IP addresses are associated with the same subnet (see above) within Nakata’s system of generating a blacklist from malicious data collected w.r.t. attacks from the internet using a plurality of honeypots from various locations (e.g. web server honeypot, client honeypot, etc.), wherein the malicious data includes (e.g.) network URL address, IP address, etc. (see above).

As per claims 4, 13 and 19, Chen (& Nakata) teaches wherein activity data comprises number of honeypots attacked, time from first to last attack, time since last attack, mean time of attacks, and/or time from last attack from the same /24, ASN or other subnet (Nakata: see above & Figure 2 and Col. 3 Line 39 – 41 and Col. 4 Line 65 – 67: a blacklist log data including a timestamp) || (Chen: see above: a log of malicious attacks on a same subnet).  See the same rationale of combination applied herein as above in rejecting claim 3.
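
The combination discussed in the rejections above (honeypot activity features, binned weights fed to a logistic score, a recent-time window, and rebuilding over time so that idle addresses drop off) can be sketched as follows. This is an added illustration, not part of this Office action and not code from the application or from Nakata, Van Nee, Haas or Chen. The log entries, bin edges, weights, bias, 30-day window and 0.5 threshold are constructed assumptions.

```python
import math
from bisect import bisect_right
from collections import defaultdict

DAY = 86400
NOW = 100 * DAY  # constructed "current time", in seconds

# Constructed honeypot log: (honeypot id, source IP, time of attack).
# Addresses come from the RFC 5737 documentation ranges.
LOG = [
    ("hp-web-1", "192.0.2.10", NOW - 1 * DAY),
    ("hp-ssh-2", "192.0.2.10", NOW - 2 * DAY),
    ("hp-web-3", "192.0.2.10", NOW - 20 * DAY),
    ("hp-web-1", "198.51.100.7", NOW - 25 * DAY),
    ("hp-ssh-2", "203.0.113.5", NOW - 3 * DAY),
    ("hp-web-1", "203.0.113.5", NOW - 1 * DAY),
    ("hp-web-1", "203.0.113.99", NOW - 45 * DAY),  # older than the window
]

# Assumed bin edges and per-bin weights. In the scheme discussed above the
# weights would be fitted by logistic regression on historic data.
BINS = {
    "honeypots": ([2, 3], [-0.5, 0.8, 1.6]),   # number of honeypots attacked
    "span_days": ([1, 7], [-0.3, 0.4, 0.9]),   # time from first to last attack
    "idle_days": ([3, 14], [1.2, 0.0, -2.0]),  # time since last attack
}
BIAS = -1.0

def features(log, now, window_days=30):
    """Per-address activity features from events inside the recent window."""
    seen = defaultdict(list)
    for honeypot, ip, ts in log:
        if 0 <= now - ts <= window_days * DAY:
            seen[ip].append((ts, honeypot))
    feats = {}
    for ip, events in seen.items():
        times = [ts for ts, _ in events]
        feats[ip] = {
            "honeypots": len({hp for _, hp in events}),
            "span_days": (max(times) - min(times)) / DAY,
            "idle_days": (now - max(times)) / DAY,
        }
    return feats

def score(feat):
    """Sigmoid of the bias plus the weight of the bin each feature falls in."""
    z = BIAS
    for name, (edges, weights) in BINS.items():
        z += weights[bisect_right(edges, feat[name])]
    return 1.0 / (1.0 + math.exp(-z))

def build_blacklist(log, now, threshold=0.5):
    """Addresses whose score meets the threshold; rerun as time advances."""
    feats = features(log, now)
    return sorted(ip for ip, f in feats.items() if score(f) >= threshold)

if __name__ == "__main__":
    print(build_blacklist(LOG, NOW))             # two of three recent attackers
    print(build_blacklist(LOG, NOW + 20 * DAY))  # idle addresses have aged out
```

Rebuilding with the same log twenty days later yields an empty list, because the idle-time bin drives every score below the threshold; no separate expiry step is needed.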


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2305 – 2022
---------------------------------------------------