Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the instant Application 16/960,567 filed on 7/8/2020. Claims 1-20 are pending. This Office Action is Non-Final.


Information Disclosure Statement
The information disclosure statement (IDS), submitted on 7/8/2020, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Allowable Subject Matter
Claims 6-9 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.


Claim(s) 1, 2, 10-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharaya et al. (US 2017/0250989) in view of Memon et al (US 2010/0235915).

	As per claim 1, Bhattacharya teaches a system for generating a network whitelist, comprising: a first networked device in communication with a network; a second networked device in communication with the network (Bhattacharya, Paragraph 0057 recites “a set of client modules 630 that represent a set of users requesting to access various websites through one of the router modules 610;”);
	a networked collector device in communication with the network (Bhattacharya Paragraph 0033 recites “The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively.”); 
	and a computer system in communication with the network that provides a network service for the network and that (a) receives identifying information from the first networked device for a first user and verifies and registers the first user as a user of the network service, (b) receives identifying information from the second networked device for a second user and verifies and registers the second user as a user of the network service (Bhattacharya, Paragraph 0012 recites “Embodiments may include accessing or providing the profile, which may be a user profile, class-based profile where the class may be a department, group of employees, team members on a project, or another profile suitable to practicing the embodiments or subject matter as disclosed herein.”);
	(c) receives from the networked collector device for the first user a first set of data specifying one or more network parameters per network address that communicates with the first user of the first networked device, (d) receives from the networked collector device for the second user a second set of data specifying one or more network parameters per network address that communicates with the second user of the second networked device, (e) selects addresses from each of the first set and the second set where each of the one or more network parameters are above a first activity threshold level for that parameter, producing a first set of first level activity addresses and a second set of first level activity addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.).
	But fails to teach generates a whitelist for the first user from an intersection of the first set of first level activity addresses and the second set of first level activity addresses.
	However, in an analogous art Memon teaches generates a whitelist for the first user from an intersection of the first set of first level activity addresses and the second set of first level activity addresses (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 2, Bhattacharya in view of Memon teaches the system of claim 1, Memon further teaches wherein the computer system further selects the second set of first level activity addresses for intersection with the first set of first level activity addresses by receiving from the first networked device a relationship parameter that indicates a relationship between the first user and the second user (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 10, Bhattacharya in view of Memon teaches the system of claim 1, Bhattacharya further teaches wherein the computer system further selects addresses from each of the first set and the second set where each of the one or more network parameters are between the first activity threshold level for that parameter and a second lower activity threshold level for that parameter, producing a first set of second activity level addresses and a second set of second activity level addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.).

	As per claim 11, Bhattacharya in view of Memon teaches the system of claim 10, Bhattacharya further teaches wherein the computer system further selects addresses from each of the first set and the second set where each of the one or more network parameters are below the second lower activity threshold level for that parameter, producing a first set of third level activity addresses and a second set of third level activity addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.).
	As per claim 12, Bhattacharya in view of Memon teaches the system of claim 10, Memon further teaches wherein the computer system further selects addresses from the first set of second activity level addresses that have the same one or more network address classes as the intersection of the first set of first level activity addresses and the second set of first level activity addresses and adds the selected addresses to the whitelist (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 13, Bhattacharya in view of Memon teaches the system of claim 11, Memon further teaches wherein the computer system further selects addresses from the first set of third level activity addresses that have the same one or more network address classes as the intersection of the first set of first level activity addresses and the second set of first level activity addresses and adds the selected addresses to the whitelist (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 14, Bhattacharya in view of Memon teaches the system of claim 10, Memon further teaches wherein the computer system further selects addresses from the first set of first level activity addresses that do not intersect with the second set of first level activity and have the same one or more network address classes as the intersection of the first set of first level activity addresses and the second set of first level activity addresses and adds the selected addresses to the whitelist (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 15, Bhattacharya in view of Memon teaches the system of claim 10, Bhattacharya further teaches a third networked device in communication with the network, wherein the computer system further receives identifying information from the third networked device for a third user and verifies and registers the third user as a user of the network service (Bhattacharya, Paragraph 0012 recites “Embodiments may include accessing or providing the profile, which may be a user profile, class-based profile where the class may be a department, group of employees, team members on a project, or another profile suitable to practicing the embodiments or subject matter as disclosed herein.” If it could be done for multiple users than a third user would be included),
	 receives from the networked collector device for the third user a third set of data specifying one or more network parameters per network address that communicates with the third user of the third networked device, selects addresses from each of the first set, the second set, and the third set where each of the one or more network parameters are above a first activity threshold level for that parameter, producing the first set of first level activity addresses, the second set of first level activity addresses, a third set of first level activity addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.),
	and generates the whitelist for the first user from an intersection of the first set of first level activity addresses, the second set of first level activity addresses, and the third set of first level activity addresses (Memon, Paragraph 0108 recites “Over a period of time (e.g., a week), compute the reputation of monitored hosts based on the reputation of related hosts. Reputation of a monitored host might be a cumulative reputation of host IP addresses linked to (or more generally, related to) the host. At the end of each computation, extract hosts with unknown reputations (e.g., 0) in a two-state reputation system. All associated hosts with these hosts are included in the daily whitelist. Once a satisfactory number of such daily whitelists are determined, a final whitelist might be determined using the intersection of all the daily whitelists.” The claim is interpreted that a whitelist is made of a set of acceptable addresses that are common/in an intersection between multiple lists.  This is effectively what Memon is ding, where a final whitelist is made from an intersection of other whitelists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of find an intersection, is good to help find a commonality between multiple lists for analysis purposes.

	As per claim 16, Bhattacharya in view of Memon teaches the system of claim 10, Memon further teaches wherein at each periodic time step over a period of time the computer system further receives from the networked collector device for the first user a first set of data specifying one or more network parameters per network address that communicates with the first user of the first networked device, receives from the networked collector device for the second user a second set of data specifying one or more network parameters per network address that communicates with the second user of the second networked device, and performs steps (e)-(f), producing an updated whitelist at each time step (Memon, Paragraph 0106 recites “ Referring back to block 540 of FIG. 5, assigned reputation values may be updated (e.g., periodically, and/or as more information becomes available). That is, as time goes by, reputations in the system should be adjusted to better reflect more current information about reputation. For example, new IP addresses and/or domain names might be assigned bad reputations as they appear in blacklists, while old IP addresses and/or domain names with bad reputations might be updated to reflect a better reputation. One way to maintain such a system is to let any entity assigned an explicit reputation, such as an IP address or domain name, adjust (e.g., slowly improve) their reputation using a decay function. An example of a simple decay function is an exponential decay function. Therefore, in a given update cycle, any entity assigned an explicit reputation might use a decay function to adjust (e.g., improve) its reputation as long as the entity is not assigned a reputation during the cycle. Such periodic updates to reputations permit bad hosts to improve their reputations (e.g., to a unknown reputation) if they are cured for a sufficient number of update cycles. Similarly, the reputation of a host may be a time-weighted combination of a current reputation and one or more past reputations (in which older reputations are weighted less.)”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Memon’s using host symptoms, host roles, and/or host reputation for detection of host infection with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of periodically updating helps to ensure an more accurate list.


	As per claim 17, Bhattacharya in view of Memon teaches the system of claim 10, Bhattacharya further teaches wherein the computer system further generates a graylist for the first user from an intersection of the first set of second activity level addresses and the second set of second activity level addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.).

	As per claim 18, Bhattacharya in view of Memon teaches the system of claim 11, Bhattacharya further teaches wherein the computer system further generates a blacklist for the first user that includes a union of the first set of third level activity addresses and the second set of third level activity addresses (Bhattacharya, Paragraph 0033 recites “ The step of creating 105 a data repository may, as an example but not as a limitation, use whitelists/blacklists to identify safe/unsafe websites respectively. In an embodiment using a whitelist of known safe websites and blacklist of known unsafe websites, for example, a user always is allowed access to each whitelist website identified as safe, whereas the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website, if it is neither on the whitelist nor on the blacklist. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization. The step of creating a data repository 105 may further employ use of greylists, such as greylist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. As an example, but not as a limitation, the use of whitelists/blacklists/greylists and the categorization of websites as safe, unsafe or needing more analysis may be accomplished by comparing the safety rank of a particular website to a set of predetermined threshold safety rank values, a safe threshold safety rank and an unsafe threshold safety rank, where the safe threshold safety rank is equal or higher than the unsafe threshold safety rank. If the particular website safety rank is above the safe threshold safety rank value, it may be categorized as a safe website and may be included in a whitelist. If the particular website safety rank is below the unsafe threshold safety rank value, it may be categorized as an unsafe website and may be included in a blacklist. If the safety rank of the particular website falls in between the safe threshold safety rank and the unsafe threshold safety rank, it may be categorized as a website requiring further analysis prior to designating it as safe or unsafe and maybe included in a greylist. According to some embodiments, the safe and unsafe threshold safety rank values may be different depending upon user profile. In yet another embodiment, the safe and unsafe threshold safety rank values may be adjusted through machine learning techniques discussed below. In an embodiment, for example as shown in FIG. 6, may include accessing a cloud data repository such as data repository 640 (shown in FIG. 6). In an embodiment, a data repository 105 (as illustrated in FIG. 1) may, as an example but not as a limitation, may be stored in the local storage memory of the router, on a storage device on the local area network (LAN); on a wireless network; on an intranet; on the user's device 630 being used to access the website; or may be available by accessing a cloud storage device 605, or any combination thereof.” Bhattacharya, is teaching the ability of each user profile having a whitelist of network activity.  It even incorporates the use of a threshold to determine which list is best.).
 Regarding claims 19 and 20, claims 19 and 20 are directed to a method and a computer program product associated with the system of claim 1. Claims 19 and 20 are of similar scope to claim 1, and are therefore rejected under similar rationale.


Claim(s) 3 and 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharaya et al. (US 2017/0250989) and Memon et al (US 2010/0235915) and in further view of Cutler et al. (US 2013/0086237).

	As per claim 3, Bhattacharya in view of Memon teaches the system of claim 1, but fails to teach wherein the one or more network parameters comprise a number of sessions.
	However, in an analogous art Cutler teaches wherein the one or more network parameters comprise a number of sessions (Cutler, Paragraph 0056 recites “Threshold rules 340 may be dynamic attributes for determining actions by comparing a system parameter to a quota 315. Threshold rules 340 may include one or more threshold rules, each rule including conditions 342 and actions 344. Conditions 342 may include implicit conditions based on a percentage of a quota. For example, threshold rules for a usage management policy may be based on a system parameter of subscriber quota usage. Other types of policies may include threshold rules based on system parameters such as, for example, network congestion, available bandwidth, number of sessions, or other measurements of subscriber network”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Cutler’s rules engine evaluation for policy decisions with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of monitoring different network parameters will help in assessing network activity.

	As per claim 5, Bhattacharya in view of Memon teaches the system of claim 1, but fails to teach wherein the one or more network parameters comprise a number of bytes.
	However, in an analogous art Cutler teaches wherein the one or more network parameters comprise a number of bytes (Cutler, Paragraph 0056 recites “Threshold rules 340 may be dynamic attributes for determining actions by comparing a system parameter to a quota 315. Threshold rules 340 may include one or more threshold rules, each rule including conditions 342 and actions 344. Conditions 342 may include implicit conditions based on a percentage of a quota. For example, threshold rules for a usage management policy may be based on a system parameter of subscriber quota usage. Other types of policies may include threshold rules based on system parameters such as, for example, network congestion, available bandwidth, number of sessions, or other measurements of subscriber network”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Cutler’s rules engine evaluation for policy decisions with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of monitoring different network parameters will help in assessing network activity.


Claim(s) 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharaya et al. (US 2017/0250989) and Memon et al (US 2010/0235915) and in further view of Barzik et al. (US 2018/0357429).

	As per claim 4, Bhattacharya in view of Memon teaches the system of claim 1, but fails to teach wherein the one or more network parameters comprise a number of packets.
	However, in an analogous art Barzik teaches wherein the one or more network parameters comprise a number of packets (Barzik, Paragraph 0042 recites “In some embodiments, storage system 104 compares the analyzed packet parameters of the packet with the filter rules. The packet parameters are consistent with the filter if the parameters appear on a defined whitelist, if any is defined in the filter, and the parameters do not appear on a defined blacklist, if any is defined in the filter.”). 
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Barzik’s network security for data storage systems with Bhattacharya’s Method And System To Enable Controlled Safe Internet Browsing because the use of monitoring different network parameters will help in assessing network activity.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439