DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see Remarks, filed 09/07/2022, with respect to the rejection(s) of independent claims 1 and 7 under 35 USC § 102, and the amendments to overcome the rejection(s), have been fully considered, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2012/0158626 A1 to Zhu et al. (hereinafter “Zhu”) and further in view of US-PGPUB No. 2006/0031314 A1 to Brahms et al. (hereinafter “Brahms”).
Regarding claim 1:
Zhu discloses:
A dynamic network feature processing device (See ¶36: “… server computing device 302 …”) comprising:  
a storage device (See Fig. 1, item 106, and ¶18: “… database 106 …”) configured to store a plurality of malicious feature groups (¶24: “… phishing URLs, spamming URLs, malware URLs, or multi-type attack URLs.”) (Zhu, ¶18: “… the system … stores the training URLs in a database 106 … The training data URLs include … a set of known malicious URLs. …”, ¶24: “… the known set of malicious URLs collected for the training data are already labeled as phishing URLs, spamming URLs, malware URLs, or multi-type attack URLs.”), wherein each of the malicious feature groups corresponds to a malicious feature of (¶65: “a … link ratio …”) (¶65-66: “… the link popularity feature extraction module 406 determines a phish link ratio, a spam link ratio and a malware link ratio using the separate lists of known phishing URLs, known spamming URLs and known malware URLs … the three separate ratios help identify the type of malicious URLs for categorization purposes.”), each of the malicious feature groups comprises a plurality of malicious network addresses (see Zhu, ¶18: “The training data URLs include … a set of known malicious URLs. … each known malicious URLs may also be labeled in accordance with a type of attack which it attempts to launch. … the type of attack may be a phishing attack, a spamming attack, a malware attack, or a multi-type attack which attempts to launch multiple different types of attacks (e.g., any combination of phishing, spamming, and malware attacks).”); and
a processor (see ¶37: “… one or more processor(s) …”) coupled to the storage device, wherein the processor is configured to: 
acquire an unknown network address of an unknown packet (¶26-27: “… client computing device(s) … may attempt to access an unknown URL. … the system submits the unknown URL, and extracts URL features at 206.”); 
compare the unknown network address with the malicious feature of each of the malicious feature groups (see ¶57: “… the SLD for the received URL is compared separately to the URLs in each of the separate lists according to known phishing URLs, known spamming URLs and known malware URLs …”); 
filter the unknown packet when determining that the unknown network address matches at least one of the malicious feature of the plurality of malicious feature groups according to the weights (¶65: “…a phish link ratio, a spam link ratio and a malware link ratio …”) of the malicious feature groups (¶66: “… the three separate ratios help identify the type of malicious URLs for categorization purposes.”, ¶109: “If the URL is a malicious URL, at 610 the output module 418 indicates the URL is a malicious URL to the web user, and optionally labels the malicious URL as a phishing URL, a spamming URL, a malware URL, or any combination thereof (e.g., a multi-type attack URL). … the malicious URL detection and categorization module 314 may indicate that the web user is prevented from visiting the malicious URL …”).
However, Zhu does not disclose the following limitation taught by Brahms:
(Brahms ¶77-78: “… the first X significant bits of the IP address are compared to the first X significant bits of the IP address ranges in entries of the table, where X is the number of bits defined by the corresponding key … of the bit length hash table 210. … in order to determine which lists contain the IP address, the steps above are performed for each individual list separately or all lists are checked at once.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Zhu, where each of the malicious feature groups corresponds to a malicious feature of a link ratio (a weight), to incorporate the teachings of Brahms, where a network address bit segment is compared to the corresponding bit segments of the lists of malicious IP addresses to determine which of the lists contain the unknown malicious IP address. Such modification would allow the system to minimize network resource usage by using bit segments rather than the entire IP address, and by categorizing IP addresses into feature groups using weights, to get the expected result of efficiently filtering such malicious IP addresses before they reach their destination.
Regarding claim 2:
The combination of Zhu and Brahms discloses:
The dynamic network feature processing device of claim 1, wherein the processor is further configured to: 
read a blacklist, wherein the blacklist comprises the malicious network addresses (Zhu, ¶107: “… the feature extraction module … extracts features associated with the received unknown URL.”);
compute, for a plurality of bit values of the malicious network addresses, the malicious feature of the malicious feature groups according to a bit order (see Brahms ¶77-78: “… the first X significant bits of the IP address are compared to the first X significant bits of the IP address ranges in entries of the table, where X is the number of bits defined by the corresponding key …  of the bit length hash table 210. … in order to determine which lists contain the IP address, the steps above are performed for each individual list separately or all lists are checked at once.”).
Regarding claim 3:
The combination of Zhu and Brahms discloses:
The dynamic network feature processing device of claim 1, wherein the malicious feature of each of the malicious feature groups is part of the malicious network addresses (see ¶18: “…  each known malicious URLs may also be labeled in accordance with a type of attack which it attempts to launch. For example, the type of attack may be a phishing attack, a spamming attack, a malware attack, or a multi-type attack which attempts to launch multiple different types of attacks (e.g., any combination of phishing, spamming, and malware attacks).”). 
Regarding claim 4:      
The combination of Zhu and Brahms discloses:
The dynamic network feature processing device of claim 1, wherein the plurality of malicious feature groups comprises a first group and a second group, and the malicious feature of the first group corresponds to a first network address bit segment, wherein the processor is further configured to: 
filter the unknown packet when determining that the unknown network address of the first network address bit segment matches the malicious feature of the first group (¶109: “If the URL is a malicious URL, … the output module 418 indicates the URL is a malicious URL to the web user, and optionally labels the malicious URL as a phishing URL, a spamming URL, a malware URL, or any combination thereof (e.g., a multi-type attack URL). … the malicious URL detection and categorization module 314 may indicate that the web user is prevented from visiting the malicious URL …”, See Fig. 6);
compare the malicious feature of the first group with the unknown network address of the first network address bit segment (Brahms ¶77: “… the first X significant bits of the IP address are compared to the first X significant bits of the IP address ranges in entries of the table …”, See FIG. 1, “Blacklist 160A” and “Blacklist 160B”). 
Regarding claim 5:
The combination of Zhu and Brahms discloses:
The dynamic network feature processing device of claim 4, wherein the malicious feature of the second group corresponds to a second network address bit segment, and the first network address bit segment is different from the second network address bit segment, wherein the processor is further configured to: 
filter the unknown packet when determining that the unknown network address of the second network address bit segment matches the malicious feature of the second group (Zhu ¶109: “If the URL is a malicious URL, at 610 the output module 418 indicates the URL is a malicious URL to the web user, and optionally labels the malicious URL as a phishing URL, a spamming URL, a malware URL, or any combination thereof (e.g., a multi-type attack URL). … the malicious URL detection and categorization module 314 may indicate that the web user is prevented from visiting the malicious URL …”, See Fig. 6);
compare the malicious feature of the second group with the unknown network address of the second network address bit segment when determining that the unknown network address of the first network address bit segment and the malicious feature of the first group are mismatched (Brahms ¶77-78: “… the first X significant bits of the IP address are compared to the first X significant bits of the IP address ranges in entries of the table … in order to determine which lists contain the IP address, the steps above are performed for each individual list separately or all lists are checked at once.” See also FIG. 1).
Regarding claim 6:
The combination of Zhu and Brahms discloses:
The dynamic network feature processing device of claim 5, wherein the processor is further configured to: 
output the unknown packet when determining that the unknown network address of the second network address bit segment and the malicious feature of the second group are mismatched (see ¶110: “If the URL is a benign URL, … the output module 418 retrieves and presents the URL to the web browser, search engine, web user, and the like.”). 
Regarding claims 7-12:
Claims 7-12 substantially recite the same limitations as claims 1-6, respectively, in the form of a device implementing the corresponding method; therefore, they are rejected by the same rationale.
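For illustration of the comparison order mapped in claims 4-6 and the first-X-significant-bits comparison quoted from Brahms ¶77-78, the following is an added example; it is not code from the application, from Zhu, or from Brahms. The class and function names are hypothetical, the addresses are constructed samples from the IPv4 documentation ranges, and the weights of claim 1 are not modelled.

```python
import ipaddress

def top_bits(addr, x):
    """Return the first x significant bits of an IPv4 address as an integer."""
    return int(ipaddress.IPv4Address(addr)) >> (32 - x)

class FeatureGroup:
    """One blacklist group: prefixes held in a table keyed by bit length X."""
    def __init__(self, name, cidrs):
        self.name = name
        self.table = {}  # X -> set of X-bit prefixes taken from blacklist entries
        for cidr in cidrs:
            net = ipaddress.IPv4Network(cidr)
            x = net.prefixlen
            prefix = int(net.network_address) >> (32 - x)
            self.table.setdefault(x, set()).add(prefix)

    def matches(self, addr):
        # Compare only the first X bits of the address, for each X in the table.
        return any(top_bits(addr, x) in prefixes
                   for x, prefixes in self.table.items())

def filter_packet(src, groups):
    """Check groups in order: filter on the first match, output if none match."""
    for group in groups:
        if group.matches(src):
            return ("filter", group.name)
    return ("output", None)

# Constructed sample blacklists (documentation address ranges, not real indicators).
FIRST_GROUP = FeatureGroup("phishing", ["192.0.2.0/24", "203.0.113.7/32"])
SECOND_GROUP = FeatureGroup("malware", ["198.51.100.128/25"])
GROUPS = [FIRST_GROUP, SECOND_GROUP]

if __name__ == "__main__":
    for src in ["192.0.2.55", "198.51.100.200", "198.51.100.5", "203.0.113.8"]:
        print(src, filter_packet(src, GROUPS))
```

The second group is consulted only after the first group fails to match, and a packet is output only when both comparisons mismatch.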
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Gurney, III (US-PGPUB No. 20170208083-A1) - a device configured to compare the network layer source address of a packet of the network traffic received by the at least one ingress port to the blacklist and forward the packet to the at least one egress port only if the packet's source address is not included in the blacklist.
Coskun (US-PGPUB No. 20180097828-A1) - disclosed systems and methods that provide a novel clustering framework which can be applied on datasets of network interactions to automatically identify IP clusters carrying out a specific task, or a collective grouping of tasks.
Akiyama et al. (US-PGPUB No. 20180145993 A1) - disclosed a URL matching apparatus that determines whether or not a destination URL matches any of a URL group (reference URLs) listed in URL blacklists.
Todd et al. (US-PGPUB No. 20070261112-A1) - disclosed a network security device which acts as an "airlock" for traffic between a communications device and a network.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/M.H./Examiner, Art Unit 2491  

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491