DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	Claims 22, 24, 25, 27, 28, 30, 32, 33, 35 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Broda et al. (US 2018/0191768 A1, hereinafter “Broda”) in view of Watkins et al. (US 2016/0078382 A1, hereinafter “Watkins”).
	Regarding claims 22, 24, 30 and 32, Broda teaches a method for inferring a relationship between two entities (figs. 2-5), the method comprising the steps of: receiving at a server, from a network device, composite flow information corresponding to a plurality of flows (fig. 5, ¶ [0049], The captured traffic information collected at the monitoring devices 504 may be transmitted to flow processing functionality 506 that can be implemented by one or more CTI servers, such as servers of the CTI processing infrastructure, ¶ [0050]), wherein each individual flow information comprises a source network identifier and a destination network identifier (figs. 2, 5, ¶ [0036], NetFlow record may include start and end times of the flow, source IP address and port information as well as destination IP address and port information. ¶ [0050]); determining that for a subset of the plurality of flows: (i) the source network identifier in each flow in the subset belongs to a first set of network identifiers, each of which being associated with a first entity, and (ii) the destination network identifier in each flow in the subset belongs to a second set of network identifiers, each of which being associated with a second entity (figs. 2, 5, ¶ [0036], The enrichment may include adding organization information based on the IP addresses, whether the source or destination IP address. IP addresses may be assigned to an organization, either statically or dynamically, and so the IP address may be correlated to the organization, as well as to a country or location. ¶ [0037]- ¶ [0040], ¶ [0050], The flow data capture functionality 508 ingests the flow data and flow enrichment functionality 510 processes the data to enrich the captured flow data, which may include various enrichments, including for example adding additional information from enrichment data 512, such as an organization associated with an IP address, location information for the IP address, as well as other possible data that may be provided based on the data flow information. ¶ [0051], The summarized flow information may include aggregate information of each individual flow, including for example, a date, a client IP address, the client organization associated with the IP address, the client industry and country the organization operates in, a server IP for the flows being summarized, an organization associated with the server IP address, an industry the server organization operates in as well as a country of the server organization, the transport protocol of the flow, the service port of the flow as well as a direction of the flow); and determining that a relationship exists between the first entity and the second entity based on a port associated with the flows in the subset and a determination that one or more of: (i) a total number of flows in the subset, (ii) a frequency of the flows in the subset, (iii) a total size of the flows in the subset (¶ [0021], suppliers of services to the organization are determined from the summarised network data based on a service port of one or more communication flows associated with a supplier of a service, a transport protocol of the one or more communication flows associated with the supplier of the service and an amount of traffic transmitted between the supplier of the service and the organization. ¶ [0052], supplier relationships may be identified based on an amount of traffic to and/or from a particular IP address or organization, a number of days the connection has been active, an average duration of the connections, the number of sessions or connections as well as a volume of data between the two organizations. ¶ [0031], ¶ [0039], and ¶ [0045]).
	Broda does not explicitly teach determining that a relationship exists between the first entity and the second entity based on a port associated with the flows in the subset and a determination that one or more of: (i) a total number of flows in the subset is at least equal to a specified flow-count threshold, (ii) a frequency of the flows in the subset is at least equal to a specified flow-frequency threshold, (iii) a total size of the flows in the subset is at least equal to a specified flow-size threshold.
 	In other words, Broda does not explicitly teach determining that the amount/volume of data transmitted between the entities at least meets/equals a threshold.
	However, it is well known in the art to compare the amount/size of data/flow with a threshold, based on a size of an entity, to determine whether the total size meets the threshold as evidenced by ¶ [0048], ¶ [0055] and ¶ [0070] of Watkins.
	Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to determine the existence of the relationship based on a port associated with the flows in the subset and a determination that one or more of: (i) a total number of flows in the subset is at least equal to a specified flow-count threshold, (ii) a frequency of the flows in the subset is at least equal to a specified flow-frequency threshold, (iii) a total size of the flows in the subset is at least equal to a specified flow-size threshold, wherein the flow-count threshold, the flow-frequency threshold, or the flow-size threshold is based on, at least in part, a size of the first entity or a size of the second entity in the system of Broda to utilize design methodologies well known in the art.

 	Regarding claims 25 and 33, Broda in view of Watkins teaches the method of claim 22, wherein determining the existence of the relationship comprises identifying a type of a port associated with the subset of flows (Broda: ¶ [0021], suppliers of services to the organization are determined from the summarised network data based on a service port of one or more communication flows associated with a supplier of a service, a transport protocol of the one or more communication flows associated with the supplier of the service and an amount of traffic transmitted between the supplier of the service and the organization. ¶ [0039]).
 	Regarding claims 27 and 35, Broda in view of Watkins teaches the method of claim 22, wherein the determination of existence of the relationship is based on, at least in part, an additional determination that one or more of the network identifiers in the second set are designated for an entity having a relationship with the second entity (Broda: ¶ [0019], ¶ [0036], adding organization information based on the IP addresses, whether the source or destination IP address. IP addresses may be assigned to an organization, either statically or dynamically, and so the IP address may be correlated to the organization, as well as to a country or location, ¶ [0040], ¶ [0050]-¶ [0052]).
 	Regarding claims 28 and 36, Broda in view of Watkins teaches the method of claim 22, wherein the network device is associated with an Internet service provider (ISP) or an Internet exchange point (IXP), the ISP or the IXP being different from the first entity and the second entity (Fig. 5, ¶ [0034], ¶ [0049], The network monitoring devices 504 may be located at distribution edges of an Internet Service Provider's (ISP) access network).
6.	Claims 26 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Broda in view of Watkins as applied to claim 25 or 33 above, and further in view of Braud et al. (US 2003/0074248 A1, hereinafter “Braud”).
 	Regarding claims 26 and 34, Broda in view of Watkins teaches the method of claim 1, wherein determining the existence of the relationship comprises identifying a type of a port associated with the subset of flows (Broda: ¶ [0021], suppliers of services to the organization are determined from the summarised network data based on a service port of one or more communication flows associated with a supplier of a service, a transport protocol of the one or more communication flows associated with the supplier of the service and an amount of traffic transmitted between the supplier of the service and the organization. ¶ [0039], ¶ [0044], the summary information may be aggregated over the monitoring time for various service ports that correspond to known ports. Potential supplier candidates may be identified as actual suppliers based on the service port information).
 	Broda does not explicitly teach wherein the port type is a file transfer protocol (FTP) port, or a simple mail transfer protocol (SMTP) port.
 	However, FTP or SMTP ports are well-known ports, as evidenced by ¶ [0036] of Braud.
	Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to determine the existence of the relationship based on identifying known service ports (e.g., FTP or SMTP) associated with the subset of flows in the system of Broda in view of Watkins to utilize conventional techniques in the art.
7.	Claims 29 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Broda in view of Watkins as applied to claim 22 above, and further in view of Don, Jr. et al. (2016/0014081 A1, hereinafter “Don”).
	Regarding claims 29 and 37, Broda in view of Watkins teaches the method of claim 1.
Broda does not explicitly teach wherein: the network device comprises a domain name system (DNS) resolver; and a first individual flow information comprises a first source network identifier, a first destination network identifier, and a response from a reputation service corresponding to the first source network identifier.
However, Broda teaches the CTI processing infrastructure 126 may receive additional and/or alternative network data including, sFlow data, firewall information, IPFIX data, DNS data etc. (¶ [0035]), a first individual flow information comprises a first source network identifier, a first destination network identifier (¶ [0036] and ¶ [0050]).
Don teaches a first individual flow information comprises a first source network identifier, a first destination network identifier, and a response from a reputation service corresponding to the first source network identifier (¶ [0029], ¶ [0073], claim 9).
Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to receive information from a DNS resolver and to store/use first individual flow information comprising a first source network identifier, a first destination network identifier, and a response from a reputation service corresponding to the first source network identifier in the system of Broda in view of Watkins to protect computer networks from potentially harmful infiltrations (¶ [0003] of Don).
Response to Arguments
8.	Applicant's arguments filed on October 3, 2022 have been fully considered but they are not persuasive. 
9.	On pages 5-8 of Arguments/Remarks, Applicant argues “…Broda fails to teach or suggest “determining that a relationship exists between the first entity and the second entity based on ... a determination that one or more of: (i) a total number of flows in the subset is at least equal to a specified flow-count threshold, (ii) a frequency of the flows in the subset is at least equal to a specified flow-frequency threshold, (iii) a total size of the flows in the subset is at least equal to a specified flow-size threshold” as recited in amended claim 22 for at least the reasons as admitted in the Office Action at page 7 with respect to previously pending claim 23… However, the cited paragraphs (and all other sections) of Watkins fail to teach or suggest “determining that a relationship exists between the first entity and the second entity based on ... a determination that one or more of: (i) a total number of flows in the subset is at least equal to a specified flow-count threshold, (ii) a frequency of the flows in the subset is at least equal to a specified flow-frequency threshold, (iii) a total size of the flows in the subset is at least equal to a specified flow-size threshold” as recited in amended claim 22…”
	Examiner respectfully disagrees and submits that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
	In this case: Broda teaches determining that a relationship exists between the first entity and the second entity based on a port associated with the flows in the subset and a determination that one or more of: (i) a total number of flows in the subset, (ii) a frequency of the flows in the subset, (iii) a total size of the flows in the subset (¶ [0021], suppliers of services to the organization are determined from the summarised network data based on a service port of one or more communication flows associated with a supplier of a service, a transport protocol of the one or more communication flows associated with the supplier of the service and an amount of traffic transmitted between the supplier of the service and the organization. ¶ [0052], supplier relationships may be identified based on an amount of traffic to and/or from a particular IP address or organization, a number of days the connection has been active, an average duration of the connections, the number of sessions or connections as well as a volume of data between the two organizations. ¶ [0031], ¶ [0039], and ¶ [0045]).
	Broda does not explicitly teach determining that a relationship exists between the first entity and the second entity based on a port associated with the flows in the subset and a determination that one or more of: (i) a total number of flows in the subset is at least equal to a specified flow-count threshold, (ii) a frequency of the flows in the subset is at least equal to a specified flow-frequency threshold, (iii) a total size of the flows in the subset is at least equal to a specified flow-size threshold.
 	In other words, Broda does not explicitly teach determining that the amount/volume of data transmitted between the entities at least meets/equals a threshold.
	However, it is well known in the art to compare the amount/size of data/flow with a threshold, based on a size of an entity, to determine whether the total size meets the threshold as evidenced by ¶ [0048], ¶ [0055] and ¶ [0070] of Watkins.
	Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to determine the existence of the relationship based on a port associated with the flows in the subset and a determination that a total size of the flows in the subset is at least equal to a specified flow-size threshold, wherein the flow-count threshold, the flow-frequency threshold, or the flow-size threshold is based on, at least in part, a size of the first entity or a size of the second entity in the system of Broda to utilize design methodologies well known in the art.
Conclusion
10.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MANDISH RANDHAWA whose telephone number is (571)270-5650. The examiner can normally be reached Monday-Thursday (8 AM-6 PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chirag Shah can be reached on (571)272-3144. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MANDISH K RANDHAWA/ Primary Examiner, Art Unit 2477