DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action is responding to the amendment dated on 08/02/2022 and the supplemental amendment dated on 08/16/2022.
Claims 1, 5-7 and 9-10 have been amended and all other claims are previously presented.
Claims 1-7 and 9-10 are submitted for examination.
Claims 1-7 and 9-10 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
Applicant’s amendment filed on August 2, 2022 has claims 1, and 5-7 and 9-10 in the supplemental amendment; all other claims are previously presented. Amended claims 1, 9 and 10 are independent claims, and thus the amendment necessitates a new ground of rejection.
Applicant’s remark, filed on August 2, 2022 at pages 9-12, indicates, “Claims 5-7 are objected to. Applicant has amended and requests that the objections be withdrawn.”
Applicant’s argument has been considered and is found persuasive. Therefore, the objection to claims 5-7 has been withdrawn.
Applicant’s remark, filed on August 8, 2022 at pages 9-12, indicates, “The Office Action interprets "a system configuration detector", "an air gap path detector", and "a security assessment unit" of claim 1 as invoking § 112(f). Applicant has amended claim 1. Claim 1 includes structure for realizing the claimed functions. Claim 1 does not invoke § 112(f). Exemplary support for the amendment is provided below. Claim 1 is rejected under § 112(b). Structure for the features of claim 1 is provided by, as a non-limiting example, Spec. [0028], [0032], [0117], [0118] and FIG. 10 ("security assessment system 1001"). The hosts 211 to 213 and 221 to 223 are typically computers such as a PC and a server or network devices such as a firewall and a switch but are not limited to them, and may be peripheral devices such as a printer and a mouse or industrial control devices. The air gap path component 203 is typically a storage medium such as a USB memory but is not limited to this. Spec. [0028] (emphasis added). The system configuration detector 301 is implemented by various implementation methods but can typically be implemented by introducing agent software (not shown) into each host. The agent software installed in each host notifies the security assessment system 300 of information of the host and its adjacent host with which the host can communicate. Although not shown in Fig. 3, an interface that allows the user to input a system configuration may be provided. Furthermore, it is possible to obtain information from an existing configuration management system. Spec. [0032] (emphasis added). To prevent such attack, when obtaining information from the air gap path information collection client 1002, one-way communication can be performed. For example, by using a data diode, it is possible to send data from the air gap path information collection client 1002 to the security assessment server 1001. In this case, it is possible to prevent data (malware or the like) from being transmitted from the computer mounted with the security assessment server 1001 to the host in which the air gap path information collection client 1002 is installed. The present invention is not limited to the data diode, and any mechanism for allowing information to be transmitted only in one way is used. A similar problem may arise in information collection in the system configuration detector 301. In this case as well, it is possible to prevent a situation, in which an attack is made via a computer mounted with a security assessment system, by using a similar mechanism for allowing only one-way communication in information collection for implementing the processing of the system configuration detector 301. Spec. [0117]-[0118] (emphasis added). The § 112(b) rejection is based on the § 112(f) characterization. Because claim 1 does not invoke § 112(f), the § 112(b) rejection is moot. Applicant respectfully requests that the Examiner withdraw the § 112(b) rejection.”
Applicant’s argument has been considered and is found persuasive. Therefore, the 112(b) rejection has been withdrawn.
Applicant’s remark, filed on August 8, 2022 at pages 9-12, indicates, “The Office Action has not established that Chaskar modified by Young would practice claim 1. The Office Action bears the burden of establishing a prima facie case of obviousness. The Examiner interprets the antivirus appliances 100 of Young as disclosing "an air gap path detector that detects, among the at least two hosts, a pair of hosts between which there is no communication link but data movement can occur." Office Action at page 9. …  However, the references are silent as to "an air gap path detector implemented by the host computer, wherein the air gap path detector is configured to detect, among the at least one pair of two hosts included in the system, a pair of hosts throughout which there is no regular communication link but between which data movement can occur; and a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path." Chaskar is directed to determining if a guest device can be admitted to a network. …  There is no recognition of an air gap based attack in Chaskar or Young and a combination cannot be expected to detect such an attack path. Rather, the combination of these references would produce a sniffer which makes network logs using either a direct connection or a USB-type connection. The combination would not detect an air-gap based attack path. 
Thus the combination would not practice the claim 1 features "an air gap path detector implemented by the host computer, wherein the air gap path detector is configured to detect, among the at least one pair of two hosts included in the system, a pair of hosts throughout which there is no regular communication link but between which data movement can occur; and a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path." Claims 9 and 10 recite "detecting a pair of hosts between which there is no communication link but data movement can occur" and "performing security assessment using a detection result obtained in the detecting the at least two hosts and a detection result obtained in the detecting the pair of hosts" and are patentable for the same reasons that claim 1 is patentable. Applicant respectfully requests that the Examiner reconsider and withdraw the § 103 rejection of claims 1, 9 and 10.”
Applicant’s argument has been considered and is found persuasive. Therefore, Applicant’s amendment necessitates a new ground of rejection. Accordingly, a new ground of rejection based on the newly identified prior-art by Hamada et al. (JP 2017005422), has been applied to the amendment.
Specifically, Hamada discloses a detection system, detection method and detection program that comprises a relay unit, a selection unit, an extraction unit, and a detection unit. The relay unit relays data. The selection unit selects a predetermined connection from among connections through which data relayed by the relay unit passes. The extraction unit extracts data corresponding to the predetermined connection selected by the selection unit from among data relayed by the relay unit. The detection unit analyzes the data extracted by the extraction unit to detect a connection performing illegal communication. Thus, Examiner submits that Hamada teaches the amended feature limitation, “a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path ...” (See rejection below).
Finally, Examiner respectfully submits that the previously applied references disclose the additional claim limitations in independent claim 1. Chaskar discloses a computer system that could include personal computing devices, servers or mainframes (i.e., host); see parag. [0025-0026] and rejection below.
Young discloses an antivirus appliance used in an air gap environment, to monitor data transfer between two information systems. Thus, the combination of Chaskar, Young and Hamada discloses the feature limitations of independent claim 1.
Applicant further recites similar remarks as listed above for dependent claims 2-7. Please refer to the aforementioned response, which addresses how the new combination of prior-art references by Chaskar, Young and Hamada would render the claimed limitations obvious.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Chaskar et al. (US 2003/0007848), hereinafter referred to as Chaskar in view of Young et al. (US 2011/0197280), hereinafter referred to as Young, and further in view of Hamada et al. (JP 2017005422) hereinafter Hamada.
As per claim 1, Chaskar teaches an information processing apparatus implemented in a host computer, the information processing apparatus comprising: a system configuration detector implemented in the host computer, wherein the system configuration detector is configured to detect at least one pair of two hosts included in a system and a communication link between the at least one pair of two hosts (Chaskar, Fig. 1 and Parag. [0041]; “The security monitoring system (often called as wireless intrusion detection/prevention system) can include one or more RF sensor/detection devices (e.g., sensor devices 122A and 122B, each generically referenced herein as a sniffer 122) disposed within or in a vicinity of a selected geographic region comprising LAN. In an embodiment (shown in FIG. 1), sniffer 122 can be connected to LAN via a connection port (e.g., connection port 123 A/123B). In alternative embodiment, sniffer 122 can be connected to the LAN using a wireless connection.” … Parag. [0042]; “A sniffer 122 is able to monitor wireless activity in a subset of the selected geographic region. Wireless activity can include any transmission of control, management, or data packets between an AP and one or more wireless stations, or among one or more wireless stations. Wireless activity can even include communication for establishing a wireless connection between an AP and a wireless station (called "association").” … Parag. [0052]; “Sniffer 122 can also advantageously receive configuration information from server 124. This configuration information can include, for example, the operating system software code, the operation parameters (e.g. frequency spectrum and radio channels to be scanned), the types of wireless activities to be detected, and the identity information associated with any authorized wireless device.”);	 
Chaskar does not expressly teach the following limitations:
an air gap path detector implemented by the host computer, wherein the air gap path detector is configured to detect, among the at least one pair of two hosts included in the system, a pair of hosts throughout which there is no regular communication link but between which data movement can occur; and
a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path. 
However, Young teaches:
an air gap path detector implemented by the host computer, wherein the air gap path detector is configured to detect, among the at least one pair of two hosts included in the system, a pair of hosts throughout which there is no regular communication link but between which data movement can occur (Young, Parag. [0003]; “When an air gap separates two computer networks, any data transfer between the computer networks requires a manual step in which a user transfers files from the first computer network onto a portable storage media (e.g., a USB thumb drive, a read/writable CD or DVD, etc.). The portable storage media is then physical disconnected/removed from the first computer network, and physically connected to the second computer network to upload the transferred files. Thus, no direct communication link exists at any time between the computer networks, and all of the transferred data will reside on the portable media for a period of time during the transfer.” … Fig. 3A and Parag [0023]; “The network managed antivirus appliances 100 within the network 200, and the computers within the secure computer networks 210 and 220, may be configured to interact with the other devices in their respective networks. However, in certain embodiments, the networks 200, 210, and 220 may be isolated from one another and may have no digital communication links (e.g., all three networks may be separated by an `air gap`).” … Parag. [0042]; “… In these examples, the appliance 100 may receive the files to be scanned from one of the secure networks via an electronic file transfer in step 420, without needing to use to a portable media to receive the files.” Examiner submits that the antivirus appliance 100 is an air gap path detector, and that the appliance 100 is located between networks 210 and 220, wherein there are no digital communication links yet data transfer is feasible);
Chaskar and Young are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches that a sniffer could detect the wireless configurations which are connected to the networks. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Young into the system and method of Chaskar to improve security in data movement between systems physically separated with an air gap, assuring that any virus within the data can only corrupt the standalone computer and will not spread to any larger network.
The combination of Chaskar and Young does not teach:
a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path.
However, Hamada teaches:
a security assessment unit, implemented by the host computer, wherein the security assessment unit is configured to extract a path between the detected pair of hosts as an attack path (Hamada, Parag. [0008]; “The disclosed detection system, detection method, and detection program select a predetermined connection from among connections through which data to be relayed passes, extract data corresponding to the selected predetermined connection from among data to be relayed, and extract It is characterized by analyzing the data obtained and detecting connections that carry out unauthorized communication.” … Parag. [0011]; “Here, "connection" refers to a communication path established between predetermined devices. A communication path is, for example, a logical communication path. For example, a "connection" refers to a logical communication path established between multiple devices identified by a given IP address and port number.” … Parag. [0018]; “A connection to be monitored refers to a connection to be monitored, that is, analyzed by the analysis device 20 in order to detect data used for an attack or the like. When the selection unit 130 determines to select the extracted connection as a monitored connection, the selection unit 130 stores information about the connection in the storage unit 110 as monitored connection information.”).
Chaskar, Young and Hamada are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches a device for transferring data between two or more galvanically or optically separated information systems. For the purposes of this invention a data switch is understood to be a device ensuring the transmission of data information between information systems, which are separated by an air gap. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hamada into the system and method of Chaskar-Young to improve security in data movement between systems physically separated or isolated with an air gap, by detecting a path or traffic route used by an attacker.
 
As per claim 2, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 1. Young further teaches wherein said air gap path detector includes an interface for inputting, by a user, information [concerning the pair of hosts] detected by said air gap path detector (Young, par 50, The second option 433b allows the user at the antivirus appliance 100 to select users and/or user groups that correspond to valid users on the destination network).
Young does not expressly teach the information concerning the pair of hosts. 
However, Chaskar further teaches information concerning the pair of hosts (Chaskar, Fig. 1 and par 34, A subnet is typically identified by a network number (e.g., IP number and subnet mask) and the plurality of subnets are interconnected using router device(s). Notably, the plurality of the subnets of the LAN can be geographically distributed (e.g., in offices of a company in different geographic locations).  Chaskar, par 52, … the types of wireless activities to be detected, and the identity information associated with any authorized wireless device.  Chaskar, par 54, present invention facilitates detecting the smart mobile devices connecting into the enterprise network (e.g., over Wi-Fi) and enforcing the specified usage policy). 
 
As per claim 3, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 1. Chaskar further teaches wherein [said air gap path detector] detects the pair of hosts detected [by said air gap path detector], based on information of a document concerning specifications of the system (Chaskar, par 89, the policy also can also facilitate specifying the types of the smart mobile devices for which the specific policies are to be applied. For example, by adding the type of the device from the panel 1208 into the boxes 1202, 1204 or 1206, the corresponding policy can be enforced on the selected device type ... As merely an example, the BlackBerry devices may be allowed to connect to the corporate Wi-Fi network (e.g., by adding BlackBerry type into box 1202), while iPhones and iPads may be disallowed to connect to the corporate Wi-Fi network but allowed to connect to the corporate guest network).
In addition, Young further teaches said air gap path detector (Young, par 3, When an air gap separates two computer networks, any data transfer between the computer networks requires a manual step in which a user transfers files from the first computer network onto a portable storage media (e.g., a USB thumb drive, a read/writable CD or DVD, etc.). The portable storage media is then physical disconnected/removed from the first computer network, and physically connected to the second computer network to upload the transferred files. Thus, no direct communication link exists at any time between the computer networks, and all of the transferred data will reside on the portable media for a period of time during the transfer. Young, Fig. 3A and par 23, The network managed antivirus appliances 100 within the network 200, and the computers within the secure computer networks 210 and 220, may be configured to interact with the other devices in their respective networks. However, in certain embodiments, the networks 200, 210, and 220 may be isolated from one another and may have no digital communication links (e.g., all three networks may be separated by an `air gap`). Young, par 42, … In these examples, the appliance 100 may receive the files to be scanned from one of the secure networks via an electronic file transfer in step 420, without needing to use to a portable media to receive the files).
 
As per claim 9, it is a method claim that encompasses limitations that are similar to those of the apparatus claim 1. Therefore, claim 9 is rejected with the motivation and rationale as applied against claim 1 above.

As per claim 10, it is a non-transitory computer readable medium claim that encompasses limitations that are similar to those of the apparatus claim 1. Therefore, claim 10 is rejected with the motivation and rationale as applied against claim 1 above.


Claims 4-7 are rejected under 35 U.S.C. 103 as being unpatentable over Chaskar et al. (US 2013/0007848), hereinafter Chaskar, and in view of Young et al. (US 2011/0197280), hereinafter Young and Hamada et al. (JP 2017005422) hereinafter Hamada as applied to claim 1, and in further view of Nenov (US 9,692,784).
As per claim 4, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 1.
The combination of Chaskar, Young and Hamada does not expressly teach:
wherein said air gap path detector detects the pair of hosts detected by said air gap path detector, based on information of an operation manual of the system.
However, Nenov teaches:
wherein said air gap path detector detects the pair of hosts detected by said air gap path detector, based on information of an operation manual of the system (Nenov, Col. 4 lines 5-12; “FIG. 1B, illustrated is an embodiment of mapping a packet (e.g. packet 114) to a region (e.g. filter region 116) for geoprocessing-based packet processing and network security. The filter region may represent a range of parameters, such as source IP addresses from a first value IP(1) to a second value IP(2), such as ip from and ip to discussed above. A two-dimensional MBR may be defined with diagonally opposite corners based on the ip from and ip to values, e.g. from (-1, IP(1)) to (1, IP(2)) as shown. This makes it possible to search for an IP address in a spatial domain (e.g. a point at (0, source IP)), using geoprocessing based algorithms.” … “In some implementations, a security device 100 may maintain a log 220. Log 220 may comprise a database, flat file, or other type and form of data structure for recording packet parameters and applied filter actions. In some implementations, security device 100 may record actions with timestamps, device identifiers, or other distinguishing information.” … Col. 13, lines 44-50; “At step 318, the security device may send a notification. As discussed above in connection with step 312, sending a notification may comprise transmitting a notification to a computing device of an administrator on the local or external network (e.g. a smart phone, a desktop computer, a management service, etc.); recording a notification in a log of the security device” … Col. 14 lines 29-36; “The user or administrator may take steps to mitigate any attack, such as creating a specific filter to match the attack parameters (e.g. payload type, contents, size, etc.; destination IP address and/or port; source address or addresses; etc.) and applying a blocking rule; or moving a filtering rule up in priority within a rule set so that it is processed and applied earlier.” Examiner submits that the administrator could use a log (document of events) to identify the pair of hosts sending packets by means of the IP address or port number.).
Chaskar, Young, Hamada and Nenov are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches that a sniffer could detect the wireless configurations which are connected to the networks. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Nenov into the system and method of Chaskar-Young-Hamada to improve methods for a security management system by the use of a security appliance to monitor any network change in order to address attacks (Nenov, Abstract).

As per claim 5, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 3.
The combination of Chaskar, Young and Hamada does not expressly teach: 
further comprising an interface for inputting an interpretation rule of a word or a text to extract, from the document or the operation manual, information of an element that can cause data movement to occur.
However, Nenov teaches further comprising an interface for inputting an interpretation rule of a word or a text to extract, from the document or the operation manual, information of an element that can cause data movement to occur (Nenov, Col. 6, lines 37-50; “FIG. 1E is an illustration of an embodiment of a rules database for distributed rule sets for network security appliances. Rules database 105 may be any type and form of database, including a flat file, array, relational database, or any other type of data format. In some implementations, rules database 105 may be a SQL database. As shown in FIG. 1D, in some implementations, rules database 105 may be stored on a storage device separate from a management server 105, such as a storage array, network attached storage device, database server, storage server, or any other type and form of storage device or as part of a computing device. In other implementations, rules database 105 may be stored in storage of management device 105, such as on a hard drive or drives, tape drive, flash drive, etc.” … Col. 6, lines 56-66; “For example, a set of rule identifiers 120 may be associated with a device identifier for a security device, indicating the rule set distributed to said security device. In another example, upon detection of an attempted attack that matches a rule, a security device may store a rule identifier 120 to a log and/or transmit an identification of the rule identifier 120 to the management server 105 to indicate that an attempted attack has been detected and potentially stopped. Each rule 122 may comprise one or more actions, one or more conditions, and one or more parameters.”).
Chaskar, Young, Hamada and Nenov are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches that a sniffer could detect the wireless configurations which are connected to the networks. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Nenov into the system and method of Chaskar-Young-Hamada to improve methods for a security management system by the use of a security appliance to monitor any network change in order to address attacks (Nenov, Abstract).

As per claim 6, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 1.
The combination of Chaskar, Young and Hamada does not expressly teach:
wherein information concerning a type of the element that can cause data movement to occur between the pair of hosts detected by said air gap path detector is collected.
However, Nenov teaches: 
wherein information concerning a type of the element that can cause data movement to occur between the pair of hosts detected by said air gap path detector is collected (Nenov, Col. 2, lines 63-65; “Security device 100 may comprise a gateway, firewall, switch, hub, access point, modem, or any other such device.” ... Col. 3, lines 5-16; “Additional devices not illustrated may be deployed on networks 106, including switches, gateways, routers, firewalls, or other such devices. Computing devices 102, 104 may comprise any type and form of computing device, including desktop computers, laptop computers, tablet computers, smart phones, smart televisions, game consoles, wearable computers, networked devices or appliances such as Internet of Things (IoT) devices, server computers, workstations, or any other type and form of networked computing device, and may be variously referred to as servers, clients, hosts, remote devices, local devices, or by any other such name.” … Col. 11, lines 7-16; “The new device may connect to the local network (e.g. via a WiFi connection) and may begin transmitting network packets (e.g. containing status information or requests for commands or other such data). The security device 100 may detect the new packets as being transmitted from an unknown device and may buffer the packets or block transmission of the packets to other devices on the local network and/or to servers or devices via the external network.” See Fig 1E that shows the type of devices that are identified and the action/rule applied based on the analysis of packet/data transmission.).
Chaskar, Young, Hamada and Nenov are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches that a sniffer could detect the wireless configurations which are connected to the networks. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Nenov into the system and method of Chaskar-Young-Hamada to improve methods for a security management system by the use of a security appliance to monitor any network change in order to address attacks (Nenov, Abstract).

As per claim 7, the combination of Chaskar, Young and Hamada teaches the information processing apparatus according to claim 1. Young teaches wherein information concerning a [frequency or a connection time] at which or during which the element that can cause data movement to occur between the pair of hosts detected by said air gap path detector is connected to the host or [information concerning both the frequency and the connection time is collected] (Young, Parag. [0003]; “When an air gap separates two computer networks, any data transfer between the computer networks requires a manual step in which a user transfers files from the first computer network onto a portable storage media (e.g., a USB thumb drive, a read/writable CD or DVD, etc.). The portable storage media is then physical disconnected/removed from the first computer network, and physically connected to the second computer network to upload the transferred files. Thus, no direct communication link exists at any time between the computer networks, and all of the transferred data will reside on the portable media for a period of time during the transfer.” … Fig. 3A and Parag [0023]; “The network managed antivirus appliances 100 within the network 200, and the computers within the secure computer networks 210 and 220, may be configured to interact with the other devices in their respective networks. However, in certain embodiments, the networks 200, 210, and 220 may be isolated from one another and may have no digital communication links (e.g., all three networks may be separated by an `air gap`).”).
However, the combination of Chaskar, Young and Hamada does not expressly teach:
… a frequency or a connection time … or information concerning both the frequency and the connection time is collected.
But Nenov teaches:
… a frequency or a connection time … or information concerning both the frequency and the connection time is collected (Nenov, Col. 12, lines 42-47; “At step 304, the security device may determine if the packet is part of an attack attempt or represents an attack attempt. In some implementations, packets may be identified as an attack attempt based on a rate of reception exceeding a predetermined threshold, indicating a potential denial of service or distributed denial of service attack.” ... Col. 12, lines 53-59; “Accordingly, the security device may determine if a packet is part of an attack or represents an attack attempt based on matching to one or more rules in a rules database, based on any information about the packet, including source, destination, protocol, type, QoS requirement, metadata, payload contents, payload size, frequency of reception, or any other such data”. Examiner submits that the frequency of reception of packets represents the data movement or data transmission that is performed by the pair of hosts in an instant of time.).
Chaskar, Young, Hamada and Nenov are from a similar field of technology, respectively related to: (i) protecting systems or networks from malware and viruses; (ii) assessing security measurement for the connections between hosts and networks. Chaskar teaches that a sniffer could detect the wireless configurations which are connected to the networks. Young teaches that data can be transferred between systems even when there is no connection to the network.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Nenov into the system and method of Chaskar-Young-Hamada to improve methods for a security management system by the use of a security appliance to monitor any network change in order to address attacks (Nenov, Abstract).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kokana et al. (WO 2011/160605): A data switch for information systems separated by an air gap is provided with at least a first interface for data input and output for connecting it to a first information system (1) and with a second interface for data input and output for connecting to a second information system (2), where said first and the second interfaces are electrically or optically connectable to a memory unit (3), and that between said memory unit (3) and said first interface and between said memory unit (3) and said second interface there is provided an electro-mechanical or an opto-mechanical switch (4), adapted for switching of electrical or optical signal from said memory unit (3) to said second interface only after a complete electrical or optical signal isolation from said first interface and vice versa.
Ozgit (US 2010/0318785): This invention consists of a virtual air gap (VAG) system developed in order to provide Internet and computer security. The virtual air gap system developed in this invention is characterized by the principal elements of: a virtual air gap (14); an internal security component (15); an external security component (16); a message transfer mechanism of the system components positioned between internal and external security components (5, 6) and a shared memory (7); and an internal system (9) consisting of the internal security component and such other components (11) contained in the system.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.D.C./Examiner, Art Unit 2498              

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498