DETAILED ACTION
This office action is in response to communication filed on 11/18/2020.
Claims 1-16 and 21-22 are being considered on the merits.
	Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
	Response to Amendments
The amendment filed 11/18/2020 has been entered. Claims 1-16 and 21-22 remain pending in the application. 

	Response to Arguments
Regarding the rejection of claims 1 and 9 under 35 USC 103:
The Applicant submits on page 9-10 Doron (US 20160261628 A1) “ that the attack signal to the central security control system 150 or any selection of the selected protection resources 160, 170 includes a request is submitted for cloud-based threat mitigation for selected network traffic that is associated with only an identified target” and thus fails to meet the limitation “identify at least one target having a specified target type of the network attack, wherein the target type is at least one of an application and a network protocol ... submit the request to the cloud-based protection system to provide cloud-based threat mitigation for selected network traffic . . . , the selected network traffic being associated with only said at least one identified target,”.
The Examiner respectfully disagrees.
Further expanding on the arguments presented in the Non-Final Office Action of 8/18/2020, Doron teaches the limitation “identify at least one target having a specified target type of the network attack, wherein the target type is at least one of an application and a network protocol ... submit the request to the cloud-based protection system to provide cloud-based threat mitigation for selected  in Para. [0025] detecting and/or mitigating the attack at the application layer and/or network layer and in Para. [0030-0031] dynamic control is used to allow efficient detection and mitigation across tiers (i.e. application or network protocol) where traffic can be diverted to scrubbing centers (i.e. cloud-based protection system). The Examiner respectfully submits that the reference does provide for the target type being an application or network protocol and diverting the related traffic to mitigation services, thus the arguments are not found to be persuasive.
Claim Objections
Claim 21 is objected to because of the following informalities:  
Claim 21 is missing a word, “is” should be added before further similar to claim 22.  Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1-16 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Kustarz (US 2013005374 A1) in view of Akcin (US 20160352774 A1) in further view of Doron (US 20160261628 A1).
Regarding claim 1, Kustarz teaches a premises-based network protection system comprising: a memory configured to store instructions; a premises-based processor disposed in communication with the memory, wherein the processor upon execution of the instructions is configured to protect a premises-based network and a plurality of hosts coupled to the premises-based network, including to: (Kustarz, in Para. [0010], discloses an edge detection device (i.e. premises-based network protection system) located at the network edge (i.e. premises-based))
receive network traffic that enters the premises-based network via an upstream cloud-based protection system; (Kustarz, in Para. [0009], discloses all of the traffic passing through an upstream service provider which is associated with the mitigation system in a cloud service)
detect presence of a network attack in the network traffic received; (Kustarz, in Para. [0040 and 0042], discloses detecting an attack at the edge detection device based on the traffic)
determine whether a characteristic of the network exceeds a predetermined threshold; (Kustarz, in Para. [0041 and 0058-0059], discloses a predetermined threshold, where the trigger (i.e. detection) is based on the amount of traffic)
if the predetermined threshold is determined to be exceeded, generate a request; (Kustarz, in Para. [0058], discloses requesting mitigation assistance from the service provider mitigation system (i.e. cloud based protection system) when the threshold is exceeded)
submit the request to the cloud-based protection system to provide cloud-based threat mitigation for network traffic entering the cloud-based protection system before being received by the premises-based protection system (Kustarz, in Para. [0009-0010], discloses all the traffic passing through the service provider (i.e. cloud based protection system) which provides mitigation in response to a request).
While Kustarz teaches providing cloud based mitigation based on the detection of an attack and request by the on premises protection system, Kustarz fails to explicitly teach identifying a specific target.
However, Akcin from the analogous technical field teaches identify at least one target of the network attack; (Akcin, in Para. [0049], discloses the attack information including destination IP addresses)
determine whether a characteristic of the network traffic associated with said at least one identified target exceeds a predetermined threshold; (Akcin, in Para. [0032-0033], discloses determining if there is an abnormal traffic pattern (i.e. attack) if the amount of network traffic (i.e. characteristic) between exceeds a predefined threshold, where a characteristic can be a destination pattern).
generate a request that identifies said at least one identified target; (Kustarz, in Para. [0049], discloses the traffic information (i.e. request) received by the mitigation gateway (i.e. cloud protection system) including destination IP addresses)
submit the request to the cloud-based protection system to provide cloud-based threat mitigation for selected network traffic of network traffic having a destination to the premises-based network, the selected network traffic being associated with only said at least one identified target (Akcin, in Para. [0003 and 0032], discloses diverting a portion (i.e. selected) network traffic with the determined characteristics, such a destination patterns (i.e. at least one identified target), to the mitigation gateway (i.e. cloud-based protection system) to block, filter, reroute, and/or apply other mitigation techniques (i.e. threat mitigation)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kustarz to incorporate the teachings of Akcin, with the motivation to enhance security, performance and efficiency of the host location network by controlling traffic routing and mitigation (Akcin, Para. [0041]) and to be able to better mitigate volume based attacks (Akcin, Para. 0006).
While Kustarz as modified by Akcin teaches identifying a specific target, Kustarz as modified by Akcin fails to explicitly teach target type being an application or a network protocol.
However, Doron from the analogous technical field teaches identify at least one target having a specified target type of the network attack, wherein the target type is at least one of an application and a network protocol; (Doron, in Para. [0027], discloses detecting attacks at the application layer (i.e. application)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kustarz as modified by Akcin to incorporate the teachings of Doron, with the motivation to provide a reliable, robust, and scalable solution that efficiently and dynamically detects and mitigates cyber threats, including in the application layer (i.e. application}, and efficiently manage mitigation and detection resources in a centralized network-wide manner (Doron, Para. [0007 and 0026]). 
Regarding claim 21, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
While Kustarz as modified by Akcin and Doron teaches the elements of claim 1, Kustarz as modified by Akcin and Doron as applied above does not explicitly teach the target being a host.
However, Doron from the analogous technical field teaches wherein the target type further a host (Doron, in Para. [0026], discloses the protected entity (i.e. target) can be a tenant, computing infrastructure, server or groups of servers (i.e. subsets of hosts and plurality of hosts)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kustarz as modified by Akcin and Doron to further incorporate the teachings of Doron, with the motivation to provide a reliable, robust, and scalable solution that efficiently and dynamically detects and mitigates cyber threats, efficiently manage mitigation and detection resources in a centralized network-wide manner, and secure the protected entity (i.e. host of a plurality of hosts) (Doron, Para. [0007 and 0026]).
Regarding claim 2, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 21.
Doron further teaches wherein the target of the attack is at least one host that is a proper subset of the plurality of hosts, the plurality of hosts being coupled to a protected network, wherein the network traffic associated with said at least one host has a destination to said at least one host (Doron, in Para. [0026, 0035 and 0036], discloses an attack happening against a protected entity (i.e. target) where the protected entity can be a tenant, computing infrastructure, server or groups of servers (i.e. subsets of hosts and plurality of hosts) all connected to the backbone network (i.e. protected network)).
Regarding claim 3, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Doron further teaches wherein target of the attack is a specified application or a specified network protocol, wherein the network traffic associated with the specified network protocol uses the specified application or network protocol (Doron, in Para. [0027], discloses the low capacity protection resources can detect attacks at the application layer (i.e. application)).
Regarding claim 4, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Kustarz further teaches wherein the processor, upon execution of the instructions, is further configured to detect the characteristic of the network traffic using on-premises packet based inspection (Kustarz, in Para. [0017-0018], discloses determining a fingerprint of the attack which is based on packets).
Regarding claim 5, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Kustarz further teaches wherein the characteristic of network traffic includes a measurement of network traffic associated with said at least one identified target, wherein the measurement is at least one of traffic rate, volume, change in traffic rate, and change in volume (Kustarz, in Para. [0058-0059], discloses the triggers being based on changes in traffic level, traffic rates and amount of traffic).
Regarding claim 6, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Kustarz further teaches wherein the cloud- based protection system has the capacity to mitigate a higher attack volume than attack mitigation provided by the on-premises network protection system (Kustarz, in Para. [0009 and 0040], discloses using the cloud mitigation system when the size of the attack exceeds the capabilities of the edge mitigation device (i.e. on-premises protection system)).
Regarding claim 7, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Kustarz further teaches, wherein the notification is in response to at least one of an operator generated request and an automatically generated request for cloud-based threat mitigation of the network traffic associated with said at least one identified target (Kustarz, in Para. [0058-0059], discloses automatically requesting mitigation assistance or manually through the user interface).
Regarding claim 8, Kustarz as modified by Akcin and Doron teaches the premises-based network protection system of claim 1.
Kustarz further teaches wherein the predetermined threshold is user selected (Kustarz, in Para. [0073], discloses configuring and setting the threshold).
As per claims 9-16 and 22, these claims recite a token method to perform the steps as recited by the system of claims 1-8 and 21, and has limitations that are similar to those of claims 1-8 and 21, thus is rejected with the same rationale applied against claims 1-8 and 21.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208.  The examiner can normally be reached on M-Th 9:00-18:00 (Flex).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained 






/JESSICA J SOUTH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/TRANG T DOAN/Primary Examiner, Art Unit 2431