DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	Claims 43, 45-46, 48-52, 54-55, 57-60, and 62-63 are pending.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/16/22 has been entered.

Allowable Subject Matter
3.	Claims 43, 45-46, 48-52, 54-55, 57-59 are allowed over prior art.
4.	The following is a statement of reasons for the indication of allowable subject matter:  The amendment submitted with the RCE has overcome the previous rejection over Gertner.  A further search was performed, and as a result there is no prior art that teaches and/or suggests the claimed invention as set forth in claims 43, 45-46, 48-52, 54-55, 57-59. Therefore, claims 43, 45-46, 48-52, 54-55, 57-59 are in condition for allowance.


 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	Claim(s) 60, 62, and 63 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gertner, et al. [9,503,470] in view of Pandya [CN 101351784].
Claim 60:	Gertner teaches a method of predicting network threats, the method comprising:
receiving at a computing device a request associated with an online element [Gertner: col.5, lines 33-55], wherein the online element comprises an internet protocol address;
determining the online element having a malicious reputation based on reputation data in a reputation database; [Gertner: col.10, lines 45-67 and col.21, lines 15-55; Whitelisting particularly in the context of SDI-SCAM's probabilistic assessment of individuals, code, servers and user machines is a form of reputation system. Explicit whitelisting where a user is granted permissions to access certain servers or files or where they are considered safe individuals, machines, servers or code may, however, be used along with (or alternatively to) implicit whitelisting where such whitelisting functions are provided by SDI-SCAM based upon a probability distribution curve of safety or appropriateness of access]
sending by the computing device a response indicating that the online element has a malicious reputation as an identified network threat; [Gertner: col.10, lines 45-63 and col.12, lines 27-67; As another example, the Bayesian model is used to estimate likelihoods of various threat vectors. It may recommend or in some cases even implement responses to detected threats (col.20, lines 10-18)]
receiving at the computing device a request for relationship information associated with the online element; [Gertner: col.10, lines 45-67; relationship data can be given the broadest reasonable interpretation (BRI) as data related to the predictive threats (can also be in a form of signature pattern) previously observed as attacks or data for comparison process per se. Another example can be information associated with threat vectors, which in Gertner can be a form of an attack or virus records, where the SDI-SCAM monitors all processes for behavior consistent with viral infection of the network traffic (i.e. relationship between the online objects)]
identifying a first online object of a plurality of online objects, based on the requested relationship information, also having a malicious reputation, using the computing device [Gertner: col.10, lines 45-67 and col.21, lines 12-67; As another example, the Bayesian model is used to estimate likelihoods of various threat vectors. The model provides access to the reasoning behind its inferences. It may recommend or in some cases even implement responses to detected threats (See also col.20, lines 10-18)], wherein there is a first association between the online element and the first online object, wherein each of the plurality of online objects are one of: a file, a uniform resource locator, and a software application; and
sending from the computing device one or more identifiers for the first online object as a predictive network threat. [Gertner: col.3, line 55-col.4, line 10]
Gertner discloses that systems and methods are provided for detecting the state of a computer network by providing a plurality of distributed agents disposed in the computer network to passively collect, monitor, and aggregate data representative of activities of respective nodes within said computer network. Counter-offensive measures are generated where unauthorized access to a program or file disabling an operating system with all associated applications of a computer in the computer network until/unless the presumed attacker is able to prove to the machine owner/victim that the presumed attacker had been authorized to access the target data or machine provoking the said counter offensive measure [Gertner: col.3, line 55-col.4, line 10].
However, Gertner did not further include “the online element comprises an internet protocol address” and “a first association between the online element and the first online object, wherein each of the plurality of online objects are one of: a file, a uniform resource locator, and a software application”.
Pandya discloses the central manager/policy server and monitoring station (also called the central manager), includes security policy developer interface (block 5609), the IT manager using a security policy of the interface input. Security policy developer interface may be capable of describing the command line interface of language input security policy to security policy the IT manager, script tool, a graphical interface, or a combination thereof. Security policy developer interface cooperating with a set of rule module of the IT manager can efficiently input the organize strategy. Rule module can provide a rule template that can be filled by IT manager or may be easily input the rules of interaction tools. These modules to provide rules that may include source and destination IP address, source and destination L2 address, L2 payload type, buffer overflow, a type of service, connection priority, link use statistic information, etc. or combinations thereof. Protocol/port level rules (block 5602) the security developer interface, then, rule types, templates, and so on [Pandya: see page 39, line 8 – Fig.56]. Accordingly, Pandya obviously suggests the online element may be source and destination IP address as part of the association where in this case is rule or policy based association. Further, Pandya discloses rule-based content (block 5604) the security developer interface provides rules, rule types, templates and to input rules related to the content. These rules can be other regular change along with time, to contain the threat of known or potential new threats and include various conditions, such as a social security number, a secret/private document, employee records, patient records, credit card numbers, intrusion URLs, known virus characteristic, buffer overflow conditions, long web address, intrusion language, obscene content, junk mail, etc., or combinations thereof.
Also, an provide these rules, templates or rule type to the distributed security system manager with the chosen policy description language(s) for creating rules. Additionally, node capabilities and characteristics database comprises hardware security features or software security features or rules engine size or security engine(s) performance or quality of service characteristic or the host operating system or hosted application(s) or the line speed or host performance network connection, or a combination thereof. The information in these databases will be 4 0, J editor capable of accurately mapping the security policy to node specific rules [Pandya: see page 39, line 25 – Fig.56]. Thus, Pandya discloses the rule base content may include threats of known (also as reputation) or potential new threats that obviously includes association related to online elements such as records or document (i.e. file), URLs (i.e. a uniform resource locator), and software security features or rules engine size or security engine(s) performance or quality of service characteristic or the host operating system or hosted application (i.e. software application). As such, Pandya obviously suggests “the online element comprises an internet protocol address” and “a first association between the online element and the first online object, wherein each of the plurality of online objects are one of: a file, a uniform resource locator, and a software application” where motivation would be to provide searching capability based on rule/policy association to identify online objects and related information that contain the threat of known or potential new threats and include various conditions [Pandya: see page 39 – pg.40, line 19].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Gertner with Pandya to teach “the online element comprises an internet protocol address” and “a first association between the online element and the first online object, wherein each of the plurality of online objects are one of: a file, a uniform resource locator, and a software application” for the reason to provide searching capability based on rule/policy association to identify online objects and related information containing threat of known or potential new threats and include various conditions [Pandya: see page 39 – pg.40, line 19].
Claim 62: See Gertner: col.24, lines 1-37; discusses the method of claim 60, wherein determining the online element having a malicious reputation comprises: receiving network activity log event data including at least one network event; sending a request to a reputation management system; and receiving a response from the reputation management system indicating whether the network event is a threat.
Claim 63: See Gertner: col.21, lines 30-60; discusses the method of claim 60, further comprising adding the online element and online object to a block list of a firewall, and operating the firewall to block network traffic associated with block list.


Response to Arguments
6.	Applicant's arguments filed 9/16/22 have been fully considered but they are not persuasive.
	Claims 43, 45-46, 48-52, 54-55, 57-59 are allowed over prior art. Examiner notes claim 60 did not recite all or similar features as in the independent claims 43 and 52. As such, amending claim 60 to contain all the features as recited in claims 43 and 52 would place the application in condition for allowance. Another option would be to cancel claims 60, 62 and 63, which would then place the application in condition for allowance.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571)272-3851. The examiner can normally be reached Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

LEYNNA TRUVAN
Examiner
Art Unit 2435



/L.TT/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435