DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 09/14/2020 has been entered.



Response to Amendments
This communication is in response to the amendments filed on 14 September 2020:
	Claims 1, 17 and 19 are amended.
	Claims 1-20 are pending.


Response to Arguments
In response to Applicant’s remarks filed on 14 September 2020:
a.	Applicant’s arguments that the Examiner failed to state a prima facie case of obviousness have been fully considered but are deemed not persuasive. In response to Applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).
b.	Applicant’s arguments that Smith fails to teach or suggest at least the following elements of independent claim 1: “determining whether the denial of service mitigation rule is permitted to be implemented on the provider edge device according to the service level agreement” have been fully considered but are deemed moot in view of the new grounds of rejection presented in this Office Action.
c.	Applicant’s arguments that Smith fails to teach or suggest: “implementing, when the denial of service mitigation rule is permitted according to the service level agreement, the distributed denial of service mitigation rule, locally on the provider edge device of the telecommunications network…” have been fully considered but are deemed moot in view of the new grounds of rejection presented in this Office Action.
d.	Applicant’s arguments that Smith fails to teach or suggest: “preventing a broadcasting of the distributed denial of service mitigation rule in the telecommunications network beyond the provider edge device” have been fully considered but are deemed moot in view of the new grounds of rejection presented in this Office Action.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the 


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6, 9-10, 12-13 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over SMITH (U.S. PGPub. 2015/0326589), hereinafter Smith, in view of Radlein et al. (U.S. PGPub. 2018/0109553), hereinafter Radlein. 

	Regarding claim 1, Smith teaches A method for mitigating network threats, the method comprising:
	
	configuring a provider edge device of the telecommunications network to accept distributed denial of service mitigation rule propagation from a customer edge device of the customer network in communication with the provider edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information…The Regional Neighbor Clusters may redistribute the security event information to other Regional Neighbor Clusters, as part of a peer network. Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant ;
	receiving a distributed denial of service mitigation rule for the customer network at the provider edge device from the customer edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information…Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant activity directed towards the original destination”, where the provider edge device (Regional Neighbor Cluster) receives the DDoS mitigation rule (e.g., security event information) from the customer edge device (Service Devices) and implements the DDoS mitigation rule locally on the provider edge device) (Smith, Figure 2, see “Regional Neighbor Cluster 200” and “Policy Agents 202, 204, 206, 208”, where “Regional Neighbor Cluster 200” is being read as a provider edge device and where “Policy Agents 202, 204, 206, 208” are being read as the mitigation rule received by the provider edge device being implemented locally, where “locally” is being read as with reference to a particular area or neighborhood), the distributed denial of service mitigation rule including one or more routing parameters and a mitigation action (Smith, Paragraph [0089], see “the Security Service System(s) may be configured to receive and analyze the metadata provided by the routing and switching devices on a Service Providers network…a specific protocol may be enabled on the network routing and switching devices to enable source identification of directly attached and infected attack vector devices…information regarding the infected devices is sent to the Security Service System(s), and in response the participating policy agents are instructed to configure the local Service Provider’s routing and switching devices and processes to block access to the Internet”, where “Security Service System(s)” is being read as the provider edge devices, due to Smith disclosing that “Security Service System(s)” can be interpreted as “Regional Neighbor Clusters”) (Smith, Paragraph [0093], see “This can be accomplished when a Service Provider Device has been configured by the policy agent to control/respond to a security event by dropping or re-routing network packets that are identified/characterized by the information contained in the security event information”, where “security event information” is being read ;
	
	implementing, (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information…Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant activity directed towards the original destination”, where the first edge device (Regional Neighbor Cluster) receives the DDoS mitigation rule (e.g., security event information) from the second edge device (Service Devices) and implements the DDoS mitigation rule locally on the first edge device) (Smith, Figure 2, see “Regional Neighbor Cluster 200” and “Policy Agents 202, 204, 206, 208”, where “Regional Neighbor Cluster 200” is being read as a first edge device and where “Policy Agents 202, 204, 206, 208” are being read as the mitigation rule received by the first edge device being implemented locally, where “locally” is being read as with reference to a particular area or neighborhood);
	
	Smith does not teach the following limitation(s) as taught by Radlein: determining a service level agreement between a customer network and a telecommunications network;
	determining whether the denial of service mitigation rule is permitted to be implemented on the provider edge device according to the service level agreement;
	implementing, when the denial of service mitigation rule is permitted according to the service level agreement, the distributed denial of service mitigation rule, locally on the provider edge device of the telecommunications network, to apply to network traffic being sent to the provider edge device and destined for the customer edge device; and
	preventing a broadcasting of the distributed denial of service mitigation rule in the telecommunications network beyond the provider edge device. 
	(Radlein, Paragraph [0092], see “automatic changes of configuration of the POP 114A or the number of service level agreement (SLA) violations by the POP 114A (where the SLA indicates, for example, standards for assessing the time taken by the POP 114A to service a client request)”, where “SLA” is analogous to determining a service level agreement between a customer network and a telecommunications network) (Radlein, Paragraph [0108], see “where a network attack is directed to a POP 114 not executing DDoS protection software and is causing a threshold number of SLA violations on the POP 114, a rule maintained by the mitigation service 118 may indicate that the attack should be redirected to a POP 114 executing DDoS protection software”, where “may indicate that the attack should be redirected to a POP 114 executing DDoS protection software” is analogous to preventing a broadcasting of the DDoS mitigation rule beyond the provider edge device) (Radlein, Paragraph [0110], see “where the updated attack impact information indicates that an attacked distribution continues to experience a threshold number of SLA violations even after redirecting traffic of that distribution to a POP 114 executing DDoS protection software, a rule maintained by the mitigation service 118 may indicate that traffic of that distribution be redirected to multiple POPs 114 via anycast network addresses. Thereafter, the routine 900 returns to block 906, when resolution records of the content delivery system 110 are modified to implement the additional or alternative mitigation technique”, where “implement the additional or alternative mitigation technique” is analogous to implementing, when the DDoS mitigation rule is permitted according to the SLA, the DDoS mitigation rule to apply to network traffic being sent to the provider edge device and destined for the customer edge device).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing impact of malicious activity on operations of a wide area network, as disclosed by Smith, by implementing techniques for mitigating network attacks, comprising determining a service level agreement between a customer network and a telecommunications network and preventing a broadcasting of the DDoS mitigation rule in the telecommunications network beyond the provider edge device, as disclosed by Radlein.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising preventing a broadcasting of certain files (i.e. comprising the DDoS mitigation rule) beyond the intended recipient (i.e. the provider edge device). This allows for a more efficient and effective method of mitigating local DDoS attacks through the reduction of traffic congestion throughout the network, by preventing the mitigation rule from being broadcast to anyone but the necessary recipient (Radlein, Paragraph [0108]).

Regarding claim 2, Smith as modified by Radlein teaches The method of claim 1, wherein configuration of the provider edge device to accept distributed denial of service mitigation rule propagation includes storing at least one known Internet Protocol address associated with the customer network (Smith, Paragraph [0094], see “A signed packet may have the following representation in the C programming language, and may include additional information…Source IP Address…Destination IP Address… regarding the sent and received packets on the port of each infected device to either the local policy agent and/or Regional Neighbor Clusters. The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored”, where “Source IP Address…Destination IP Address” is being read as at least one known Internet Protocol address associated with the customer network, which is then tagged with a security event ID and stored by the Regional Neighbor Clusters (provider edge device)).

Regarding claim 3, Smith as modified by Radlein teaches The method of claim 2, wherein the one or more routing parameters includes the at least one known Internet Protocol address as a destination Internet Protocol address routing parameter (Smith, Paragraph [0077], see “the target SP A 102 identifies the destination address of the attack by analyzing NetFlow, SFlow, or IPFIX data. The SP then null routes the destination IP prefix by adding a tag (e.g. “666”) to the routing tables of the routers of the SP that causes messages with the destination prefix and tag “666” to be routed to a null address, effectively “dropping” the packets”, where “routing tables” is being read as comprising the one or more routing parameters, which includes at least the destination IP address).

	Regarding claim 4, Smith as modified by Radlein teaches The method of claim 3, further comprising:
	receiving a communications packet of a potential distributed denial of service attack at the provider edge device, the communications packet including a destination Internet Protocol address matching the destination Internet Protocol address routing parameter (Smith, Paragraph [0094], see “The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored. Security Event Reports may be compared against the stored data to identify attack vectors and devices which have participated in a security event”, where “Security Event Reports” is being read as comprising the source and destination IP address, which are correspondingly matched with the destination IP address routing parameter and where “Security Event Reports” are received at the provider edge device (Regional Neighbor Clusters)); and
	executing the mitigation action of the communications packet at the provider edge device (Smith, Paragraph [0095], see “The resulting sub-reports may be presented to the Service Providers, and the Service Providers requested to operate to disable or restrict the level of network communications to what is needed to facilitate the elimination of the threat of further deviant behavior (as that behavior may be propagated by the attack vector or device listed in the Attack Vector Report)”, where the “Signed Packet Metadata Stream Protocol information” is being read as the communications packet, which is received by the Regional Neighbor Clusters (Provider Edge Device), wherein based on the comparison against the security event report and the stored data (i.e., comparison of destination IP addresses), the provider edge device executes the mitigation action of the communications packet (e.g. by disabling or restricting the level of network communications to what is needed to facilitate the elimination of the threat of further deviant behavior)).

	Regarding claim 5, Smith as modified by Radlein teaches The method of claim 1, wherein configuration of the provider edge device to accept distributed denial of service mitigation rule propagation includes establishing a Border Gateway Protocol session between the customer edge device and the provider edge device (Smith, Paragraph [0098], see “the null-routing request containing the target destination prefix is distributed using the Border Gateway Protocol version 4 (BGPv4), which permits routing information to be exchanged between autonomous systems (such as SPs) on the Internet (note that BGP is the protocol that is used to route communications information between SPs over the Internet). In some .

	Regarding claim 6, Smith as modified by Radlein teaches The method of claim 1, wherein configuration of the provider edge device to accept distributed denial of service mitigation rule propagation includes applying a service level agreement parameter to the provider edge device for validating a distributed denial of service mitigation rule type for the customer network (Smith, Claim 9, see “wherein a parameter of at least one rule may be customized by a network manager associated with a corresponding service provider device”, where “parameter” is being read as being a customized parameter comprising a service level agreement) (Smith, Paragraph [0022], see “The rules may specify a threshold value, which when matched or exceeded, causes a notification to be sent to the appropriate Security Service System(s). The notification may contain information or data regarding the threat or attack in the form of (attack) vector data, which is typically a destination IP address or IP prefix”, where “Security Service System(s)” is being read as the provider edge devices, due to Smith disclosing that Security Service System(s) can be read as Regional Neighbor Clusters, where “threshold value” is being read as a service level agreement parameter) (Smith, Paragraph [0124], see “a single centralized cluster or one of a limited number of “super-regional” clusters may generate threat detection and/or assessment rules used at lower levels of the hierarchy by SP servers or devices and make them available to those lower level devices, elements, processes, etc.”, where “assessment rules” can also be read as comprising a service level agreement parameter for validating a DDoS mitigation rule type for the customer network).

	Regarding claim 9, Smith as modified by Radlein teaches The method of claim 1, wherein the one or more routing parameters includes at least one of: a destination Internet Protocol address of a targeted device of the customer network; a source Internet Protocol address within a detected range; a source port, a destination port, a communication protocol, or a parameter defining a communications packet of a distributed denial of service attack (Smith, Paragraph [0077], see “the target SP A 102 identifies the destination address of the attack by analyzing NetFlow, SFlow or IPFIX data. The SP then null routes the destination IP prefix by adding a tag (e.g. “666”) to the routing tables of the routers of the SP that causes messages with the destination prefix and tag “666” to be routed to a null address…”) (Smith, Paragraph [0078], .

	Regarding claim 10, Smith as modified by Radlein teaches The method of claim 1, wherein the mitigation action includes at least one of: rerouting a communications packet matching the one or more routing parameters to a scrubbing device of the customer network; dropping a communications packet matching the one or more routing parameters; or rate throttling a communications packet matching the one or more routing parameters (Smith, Paragraph [0077], see “The SP then null routes the destination IP prefix by adding a tag (e.g. “666”) to the routing tables of the routers of the SP that causes messages with the destination prefix and tag “666” to be routed to a null address, effectively “dropping” the packets”, where if the destination prefix and tag matches the one or more routing parameters, the mitigation action comprises the packet being effectively dropped).

	Regarding claim 12, Smith as modified by Radlein teaches The method of claim 1, wherein implementation of the distributed denial of service mitigation rule locally on the provider edge device includes limiting implementation of the distributed denial of service mitigation rule to traffic transmitted through an interface of the provider edge device associated with the customer network (Smith, Paragraph [0119], see “one or more reports are being sent by the Regional Neighbor Clusters to the participating SPs, identifying the infected attack vectors on those SPs…A report may include, for example, the agent identifier for the route or switching device originating the traffic (agent_id) and the interface identifier (iface_id) which identifies the port through which the traffic is received…Further, the SP may put the node into a virtual “jail” in which communications are restricted, so that the node can only communicate with the security service. The operator of the node may be required to provide proof that the affected node has been cleansed and is therefore suitable to be placed back on the network again”, where “the SP may put the node into a virtual “jail” in which communications are restricted” is being read as limiting implementation of the distributed denial of service mitigation rule to traffic transmitted through an interface of the Regional Neighbor Clusters (provider .

	Regarding claim 13, Smith as modified by Radlein teaches The method of claim 1, further comprising:
	receiving a communications packet for routing to the customer network at the provider edge device, the communications packet including routing information (Smith, Paragraph [0094], see “The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored. Security Event Reports may be compared against the stored data to identify attack vectors and devices which have participated in a security event”, where “Security Event Reports” is being read as comprising the source and destination IP address (routing information) and where the “Security Event Reports” are received at the Regional Neighbor Clusters (provider edge device));
	comparing the routing information of the communications packet to the one or more routing parameters of the distributed denial of service mitigation rule (Smith, Paragraph [0094], see “The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored. Security Event Reports may be compared against the stored data to identify attack vectors and devices which have participated in a security event”, where “Security Event Reports” is being read as the communications packet comprising the destination IP address, which are compared against the stored data (e.g. one or more routing parameters of the DDoS mitigation rule)); and
	executing the mitigation action when the routing information of the communications packet matches the one or more routing parameters of the distributed denial of service mitigation rule (Smith, Paragraph [0095], see “The resulting sub-reports may be presented to the Service Providers, and the Service Providers requested to operate to disable or restrict the level of network communications to what is needed to facilitate the elimination of the threat of further deviant behavior (as that behavior may be propagated by the attack vector or device listed in the Attack Vector Report)”, where the “Signed Packet Metadata Stream Protocol information” is being read as the communications packet, which is received by the Regional Neighbor Clusters (provider edge device), wherein based on the comparison against the security event report and the . 
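The limitations mapped above for claims 1 and 13 (accepting a customer-originated DDoS mitigation rule only when the service level agreement permits it, installing it locally on the provider edge device without propagating it further, and then comparing each packet's routing information against the rule's routing parameters before executing the mitigation action) are shown below as an added worked example in Python. It is not code from the Office Action, the application, or the Smith or Radlein references; the class names, rule fields, SLA terms, interface name and sample addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class MitigationRule:
    """Routing parameters plus a mitigation action (constructed rule format)."""
    dst_prefix: str                    # destination prefix of the targeted customer device
    action: str                        # "drop", "reroute" or "rate_limit"
    src_prefix: Optional[str] = None   # optional source range
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    pps_limit: int = 0                 # packets/second budget, used only by "rate_limit"


@dataclass
class Sla:
    """What the customer is entitled to push to the provider edge (constructed terms)."""
    customer_prefixes: tuple           # known IP prefixes of the customer network
    permitted_actions: frozenset       # rule types the SLA allows
    max_rules: int


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    ts: float                          # arrival time in seconds, used by the rate limiter


class ProviderEdge:
    def __init__(self, sla: Sla, customer_iface: str):
        self.sla = sla
        self.customer_iface = customer_iface
        self.local_rules = []          # rules installed on this device only
        self.advertised = []           # rules re-advertised upstream: stays empty by design
        self._buckets = {}             # rule -> (tokens, last_ts) for rate limiting

    def accept_rule(self, rule: MitigationRule):
        """Gate a customer-originated rule on the SLA; return (accepted, reason)."""
        if rule.action not in self.sla.permitted_actions:
            return False, f"action {rule.action!r} not permitted by SLA"
        if rule.action == "rate_limit" and rule.pps_limit <= 0:
            return False, "rate_limit rule needs a positive pps_limit"
        target = ip_network(rule.dst_prefix, strict=False)
        # The customer may only steer traffic destined for its own known prefixes.
        if not any(target.subnet_of(ip_network(p)) for p in self.sla.customer_prefixes):
            return False, "destination prefix is not a known customer prefix"
        if len(self.local_rules) >= self.sla.max_rules:
            return False, "SLA rule quota exhausted"
        self.local_rules.append(rule)  # local install; nothing is appended to self.advertised
        return True, f"installed locally on {self.customer_iface}"

    def egress_interface(self, pkt: Packet) -> str:
        dst = ip_address(pkt.dst)
        if any(dst in ip_network(p) for p in self.sla.customer_prefixes):
            return self.customer_iface
        return "core"

    def _matches(self, rule: MitigationRule, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(rule.dst_prefix, strict=False):
            return False
        if rule.src_prefix and ip_address(pkt.src) not in ip_network(rule.src_prefix, strict=False):
            return False
        if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
            return False
        return rule.protocol is None or pkt.protocol == rule.protocol

    def _rate_limit(self, rule: MitigationRule, pkt: Packet) -> str:
        # Token bucket: refill at pps_limit tokens/second, capped at pps_limit.
        tokens, last = self._buckets.get(rule, (float(rule.pps_limit), pkt.ts))
        tokens = min(float(rule.pps_limit), tokens + (pkt.ts - last) * rule.pps_limit)
        if tokens >= 1.0:
            self._buckets[rule] = (tokens - 1.0, pkt.ts)
            return "forward"
        self._buckets[rule] = (tokens, pkt.ts)
        return "drop"

    def handle_packet(self, pkt: Packet) -> str:
        """Apply local rules only to traffic leaving on the customer-facing interface."""
        if self.egress_interface(pkt) != self.customer_iface:
            return "forward"
        for rule in self.local_rules:
            if self._matches(rule, pkt):
                if rule.action == "drop":
                    return "drop"
                if rule.action == "reroute":
                    return "reroute:scrubber"
                return self._rate_limit(rule, pkt)
        return "forward"


def demo():
    """Constructed scenario: one customer, an SLA allowing drop and rate_limit only."""
    sla = Sla(("203.0.113.0/24",), frozenset({"drop", "rate_limit"}), max_rules=2)
    pe = ProviderEdge(sla, customer_iface="ge-0/0/1")
    accepted = {
        "drop_dns": pe.accept_rule(MitigationRule("203.0.113.10/32", "drop", protocol="udp", dst_port=53))[0],
        "reroute": pe.accept_rule(MitigationRule("203.0.113.0/24", "reroute"))[0],      # not in SLA
        "foreign": pe.accept_rule(MitigationRule("198.51.100.0/24", "drop"))[0],        # not customer space
        "limit": pe.accept_rule(MitigationRule("203.0.113.20/32", "rate_limit", pps_limit=2))[0],
    }
    pkts = [
        Packet("192.0.2.1", "203.0.113.10", "udp", 53, 0.0),    # matches drop rule
        Packet("192.0.2.1", "203.0.113.10", "tcp", 443, 0.0),   # protocol/port differ: forwarded
        Packet("192.0.2.1", "203.0.113.20", "udp", 80, 0.0),    # rate limited: token 1 of 2
        Packet("192.0.2.1", "203.0.113.20", "udp", 80, 0.0),    # token 2 of 2
        Packet("192.0.2.1", "203.0.113.20", "udp", 80, 0.0),    # bucket empty
        Packet("192.0.2.1", "203.0.113.20", "udp", 80, 1.0),    # refilled after 1 s
        Packet("192.0.2.1", "198.51.100.5", "udp", 53, 0.0),    # not customer-bound: untouched
    ]
    verdicts = [pe.handle_packet(p) for p in pkts]
    return accepted, verdicts, pe.advertised


if __name__ == "__main__":
    print(demo())
```

The rule set lives only in `local_rules`; the `advertised` list exists to make the "no broadcasting beyond the provider edge" property checkable rather than implied.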

	Regarding claim 17, Smith teaches One or more non-transitory tangible computer-readable storage media storing computer-executable instructions for performing a computer process on a computing system, the computer process comprising (Smith, Paragraph [0131], see “The interconnection via the system bus 802 allows one or more processors 820 to communicate with each subsystem and to control the execution of instructions that may be stored in a system memory 822 and/or the fixed disk 808, as well as the exchange of information between subsystems. The system memory 822 and/or the fixed disk 808 may embody a tangible computer-readable medium”):
	
	configuring a first edge device of the first telecommunications network to accept distributed denial of service mitigation rule propagation from a second edge device of the second telecommunications network in communication with the first edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information…The Regional Neighbor Clusters may redistribute the security event information to other Regional Neighbor Clusters, as part of a peer network. Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant network activity directed towards the original destination”, where “Service Devices” is being read as second edge devices, where “Regional Neighbor Clusters” is being read as first edge devices and where the first edge device is configured to accept DDoS mitigation rule propagation (through the security event information) from a second edge device);
	receiving a distributed denial of service mitigation rule for the second telecommunications network at the first edge device from the second edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include , the distributed denial of service mitigation rule including one or more routing parameters and a mitigation action (Smith, Paragraph [0089], see “the Security Service System(s) may be configured to receive and analyze the metadata provided by the routing and switching devices on a Service Providers network…a specific protocol may be enabled on the network routing and switching devices to enable source identification of directly attached and infected attack vector devices…information regarding the infected devices is sent to the Security Service System(s), and in response the participating policy agents are instructed to configure the local Service Provider’s routing and switching devices and processes to block access to the Internet”, where “Security Service System(s)” is being read as the first edge device, due to Smith disclosing that “Security Service System(s)” can be interpreted as “Regional Neighbor Clusters”) (Smith, Paragraph [0093], see “This can be accomplished when a Service Provider Device has been configured by the policy agent to control/respond to a security event by dropping or re-routing network packets that are identified/characterized by the information contained in the security event information”, where “security event information” is being read as the DDoS mitigation rule and where the “security event information” comprises one or more routing parameters and mitigation actions (i.e., dropping or re-routing network packets));
	
	implementing, (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the ; 
	
	Smith does not teach the following limitation(s) as taught by Radlein: determining a service level agreement between a first telecommunications network and a second telecommunications network;
	determining whether the denial of service mitigation rule is permitted to be implemented on the first edge device according to the service level agreement;
	implementing, when the denial of service mitigation rule is permitted according to the service level agreement, the distributed denial of service mitigation rule, locally on the first edge device of the first telecommunications network, to apply to network traffic being sent to the first edge device and destined for the second edge device; and
	preventing a broadcasting of the distributed denial of service mitigation rule in the first telecommunications network beyond the first edge device. 
	(Radlein, Paragraph [0092], see “automatic changes of configuration of the POP 114A or the number of service level agreement (SLA) violations by the POP 114A (where the SLA indicates, for example, standards for assessing the time taken by the POP 114A to service a client request)”, where “SLA” is analogous to determining a service level agreement between a customer network and a telecommunications network) (Radlein, Paragraph [0108], see “where a network attack is directed to a POP 114 not executing DDoS protection software and is causing a threshold number of SLA violations on the POP 114, a rule maintained by the mitigation service 118 may indicate that the attack should be 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing impact of malicious activity on operations of a wide area network, as disclosed by Smith, by implementing techniques for mitigating network attacks, comprising determining a service level agreement between a customer network and a telecommunications network and preventing a broadcasting of the DDoS mitigation rule in the telecommunications network beyond the provider edge device, as disclosed by Radlein.
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising preventing a broadcasting of certain files (i.e. comprising the DDoS mitigation rule) beyond the intended recipient (i.e. the provider edge device). This allows for a more efficient and effective method of mitigating local DDoS attacks through the reduction of traffic congestion throughout the network, by preventing the mitigation rule from being broadcast to anyone but the necessary recipient (Radlein, Paragraph [0108]).

Regarding claim 18, Smith as modified by Radlein teaches The one or more non-transitory computer-readable storage media of claim 17, further comprising:
receiving a communications packet for routing to the second telecommunications network at the first edge device, the communications packet including routing information (Smith, Paragraph [0094], see “The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored. Security Event Reports may be compared against the stored data to identify attack vectors and devices which have participated in a security event”, where “Security Event Reports” is being read as comprising the source and destination IP address (routing information) and where the “Security Event Reports” are received by the Regional Neighbor Clusters (first edge devices));
comparing the routing information of the communications packet to the one or more routing parameters of the distributed denial of service mitigation rule (Smith, Paragraph [0094], see “The Signed Packet Metadata Stream Protocol information is then tagged with a Security Event ID and stored. Security Event Reports may be compared against the stored data to identify attack vectors and devices which have participated in a security event”, where “Security Event Reports” is being read as the communications packet comprising the destination IP address, which are compared against the stored data (e.g. one or more routing parameters of the DDoS mitigation rule)); and
executing the mitigation action when the routing information of the communications packet matches the one or more routing parameters of the distributed denial of service mitigation rule (Smith, Paragraph [0095], see “The resulting sub-reports may be presented to the Service Providers, and the Service Providers requested to operate to disable or restrict the level of network communications to what is needed to facilitate the elimination of the threat of further deviant behavior (as that behavior may be propagated by the attack vector or device listed in the Attack Vector Report)”, where the “Signed Packet Metadata Stream Protocol information” is being read as the communications packet, which is received by the Regional Neighbor Clusters (first edge device), and where, based on the comparison of the security event report against the stored data (i.e., comparison of destination IP addresses), the first edge device executes the mitigation action on the communications packet (e.g., by disabling or restricting the level of network communications to what is needed to facilitate the elimination of the threat of further deviant behavior)).

Regarding claim 19, Smith teaches A system for mitigating network threats, the system comprising (Smith, Paragraph [0019], see “the invention is”):
a customer edge device deployed in a customer network (Smith, Paragraph [0021], see “a system for controlling malicious or deviant network activity in a wide area network includes multiple Service Provider (SP) or Internet Service Provider (ISP) devices (such as network servers, gateways, routers, switches, or other forms of network elements) that are configured to provide communications service to and between attack vector devices (such as end user communications and computing devices)”, where “Service Provider (SP) or Internet Service Provider (ISP) devices” is being read as a customer edge device deployed in a customer network);
a distributed denial of service mitigator in communication with the customer edge device, the distributed denial of service mitigator broadcasting a distributed denial of service mitigation rule to the customer edge device in response to a distributed denial of service attack detected for targeting the customer network (Smith, Paragraph [0100], see “the policy agent in a SP associated with a targeted attack vector may respond to a rule that produces an output reaching the threshold value…by tagging a prefix with an identifier (e.g. “666”), which instructs participating devices to local null or “blackhole” route the destination prefix or subject of the attack…The update to the blackhole route map is distributed to the routers of the SP through internal BGP (iBGP) or other suitable protocol…Internal BGP is then used to “push” the updated tagged route to the routers in each SP or SP cluster”, where “policy agent” is being read as a distributed denial of service mitigator, which is in communication with the customer edge device (SP), where the DDoS mitigator (policy agent) broadcasts a DDoS mitigation rule to the customer edge device (SP) in response to a DDoS attack detected (i.e., associated with a targeted attack vector)); and
	a provider edge device deployed in a telecommunications network and in communication with the customer edge device (Smith, Figure 5, see “SP A 402” and “Regional Neighbor Cluster 420”, where “SP A 402” is being read as a customer edge device and “Regional Neighbor Cluster 420” is being read as a provider edge device, the two being in communication with one another) (Smith, Paragraph [0104], see “regional neighbor clusters 420 422 and 424 are in communication with one another as well as with their corresponding participating SPs”, where “regional neighbor clusters 420 422 and 424” are being read as provider edge devices and “SPs” are being read as customer edge devices), the provider edge device configured to accept distributed denial of service mitigation propagation from the customer edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information. The security event information may include data characterizing and/or permitting identification of malicious messages or data. The Regional Neighbor Clusters may redistribute the security event information to other Regional Neighbor Clusters, as part of a peer network. Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant network activity directed towards the original destination”, where “Service Devices” (Service Provider Devices) are being read as the customer edge devices, “Regional Neighbor Clusters” are being read as the provider edge devices, and the provider edge device (Regional Neighbor Cluster) is configured to accept DDoS mitigation propagation (e.g., notifications/alerts containing security event information) from the customer edge device (Service Provider Devices)), the provider edge device receiving the distributed denial of service mitigation rule from the customer edge device (Smith, Paragraph [0093], see “the configuration of Service Devices may include generating and transmitting notifications or alerts to neighboring Regional Neighbor Clusters of the intended target or destination, where the notifications/alerts may include security event information…Regional Neighbor Clusters in turn operate to propagate the specified security event information to policy agents at participating Service Providers, which in turn operate to configure Service Provider Devices to participate in inhibiting the spread of malicious/deviant activity directed towards the original destination”, where the provider edge device (Regional Neighbor Cluster) receives the DDoS mitigation rule (e.g., security event information) from the customer edge device (Service Devices) and implements the DDoS mitigation rule locally on the provider edge device) (Smith, Figure 2, see “Regional Neighbor Cluster 200” and “Policy Agents 202, 204, 206, 208”, where “Regional Neighbor Cluster 200” is being read as a provider edge device and “Policy Agents 202, 204, 206, 208” are being read as the mitigation rule received by the provider edge device being implemented locally, where “locally” is being read as with reference to a particular area or neighborhood), 
	Smith does not teach the following limitations, which are taught by Radlein: determining whether the denial of service mitigation rule is permitted to be implemented on the provider edge device according to a service level agreement, and implementing, when the denial of service mitigation rule is permitted according to the service level agreement, the distributed denial of service mitigation rule, locally on the provider edge device, to apply to network traffic being sent to the provider edge device and destined for the customer edge device, the distributed denial of service mitigation rule is prevented from being broadcasted in the telecommunications network beyond the provider edge device.
	(Radlein, Paragraph [0092], see “automatic changes of configuration of the POP 114A or the number of service level agreement (SLA) violations by the POP 114A (where the SLA indicates, for example, standards for assessing the time taken by the POP 114A to service a client request)”, where “SLA” is analogous to determining a service level agreement between a customer network and a telecommunications network) (Radlein, Paragraph [0108], see “where a network attack is directed to a POP 114 not executing DDoS protection software and is causing a threshold number of SLA violations on the POP 114, a rule maintained by the mitigation service 118 may indicate that the attack should be redirected to a POP 114 executing DDoS protection software”, where “may indicate that the attack should be redirected to a POP 114 executing DDoS protection software” is analogous to preventing a broadcasting of the DDoS mitigation rule beyond the provider edge device) (Radlein, Paragraph [0110], see “where the updated attack impact information indicates that an attacked distribution continues to experience a threshold number of SLA violations even after redirecting traffic of that distribution to a POP 114 executing DDoS protection software, a rule maintained by the mitigation service 118 may indicate that traffic of that distribution be redirected to multiple POPs 114 via anycast network addresses. Thereafter, the routine 900 returns to block 906, when resolution records of the content delivery system 110 are modified to implement the additional or alternative mitigation technique”, where “implement the additional or alternative mitigation technique” is analogous to implementing, when the DDoS mitigation rule is permitted according to the SLA, the DDoS mitigation rule to apply to network traffic being sent to the provider edge device and destined for the customer edge device).

One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising preventing the broadcasting of certain files (i.e., files comprising the DDoS mitigation rule) beyond the intended recipient (i.e., the provider edge device). This allows for a more efficient and effective method of mitigating local DDoS attacks through the reduction of traffic congestion throughout the network, by preventing the mitigation rule from being broadcast to anyone but the necessary recipient (Radlein, Paragraph [0108]). 


Claims 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Smith, in view of Radlein, in further view of Jackson et al. (U.S. PGPub. 2013/0152214), hereinafter Jackson.

	Regarding claim 7, Smith as modified by Radlein does not teach the following limitation, which is taught by Jackson: The method of claim 1, wherein the distributed denial of service mitigation rule is validated prior to implementation.
	(Jackson, Claim 12, see “further comprises an authentication header containing a cryptographic hash computed based on the denial-of-service attack mitigation rule”) (Jackson, Paragraph [0051], see “If the DoS header is authentic (block 280), the DoS attack mitigator 155 updates its local database 610 (FIG. 6) of DoS attack mitigation rules and/or filters”, where “If the DoS header is authentic” is analogous to validating the DDoS mitigation rule and where “updates its local database of DoS attack mitigation rules and/or filters” is analogous to validating the DDoS mitigation rule prior to implementing (updating) the rules and/or filters to be applied).

One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising validating the DDoS mitigation rule prior to implementation. Validating the DDoS mitigation rule prior to implementation allows for a more efficient and managed system, by checking the mitigation rule and making sure there are no discrepancies before implementing the rule (Jackson, Paragraph [0051]). 

Regarding claim 8, Smith as modified by Radlein and further modified by Jackson teaches The method of claim 7, wherein validating the distributed denial of service mitigation rule includes at least one of: comparing a destination Internet Protocol address of the routing parameter to a known Internet Protocol address of the customer network; or determining whether the distributed denial of service mitigation rule is within a service level agreement between the customer network and the telecommunications network (Smith, Paragraph [0022], see “The rules may specify a threshold value, which when matched or exceeded, causes a notification to be sent to the appropriate Security Service System(s). The notification may contain information or data regarding the threat or attack in the form of (attack) vector data, which is typically a destination IP address or IP Prefix (i.e., a block of IP addresses)”, where “vector data” is being read as comprising the destination IP address of the routing parameter).


Claims 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith, in view of Radlein, in further view of Nicodemus et al. (U.S. PGPub. 2007/0143851), hereinafter Nicodemus.

Regarding claim 11, Smith as modified by Radlein does not teach the following limitation, which is taught by Nicodemus: The method of claim 1, wherein the distributed denial of service mitigation rule is received and implemented automatically in response to a detected distributed denial of service attack associated with the customer network.
	(Nicodemus, Paragraph [1206], see “The next time the client (or any client in the same policy group) checks in with the server, it will automatically retrieve and apply the updated policy”, where “it will automatically retrieve and apply the updated policy” is analogous to receiving the DDoS mitigation rule and automatically implementing the rule and where “The next time the client (or any client in the same policy group) checks in with the server” is analogous to detecting a DDoS attack associated with the customer network, where the DDoS mitigation rule is received and implemented automatically in response to the client checking in with the server (e.g., detection of a DDoS attack associated with the customer network)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing the impact of malicious activity on operations of a wide area network, disclosed by Smith, and the techniques disclosed by Radlein, by implementing techniques for controlling access to computing resources based on known security vulnerabilities, comprising automatically implementing the mitigation rule once it is received, disclosed by Nicodemus. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising automatically implementing the mitigation rule once it is received. This allows for a more effective method of mitigating local DDoS attacks by minimizing the chance of a successful DDoS attack, due to the service providers automatically implementing measures to prevent their network elements and users from being used to carry out a distributed denial-of-service (DDoS) type of attack (Nicodemus, Paragraph [1206]). 

Regarding claim 20, Smith as modified by Radlein does not teach the following limitation, which is taught by Nicodemus: The system of claim 19, wherein the provider edge device receives and implements the distributed denial of service mitigation rule automatically.
	(Nicodemus, Paragraph [1206], see “The next time the client (or any client in the same policy group) checks in with the server, it will automatically retrieve and apply the updated policy”, where “it will automatically 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing the impact of malicious activity on operations of a wide area network, disclosed by Smith, and the techniques disclosed by Radlein, by implementing techniques for controlling access to computing resources based on known security vulnerabilities, comprising automatically implementing the mitigation rule once it is received, disclosed by Nicodemus. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising automatically implementing the mitigation rule once it is received. This allows for a more effective method of mitigating local DDoS attacks by minimizing the chance of a successful DDoS attack, due to the service providers automatically implementing measures to prevent their network elements and users from being used to carry out a distributed denial-of-service (DDoS) type of attack (Nicodemus, Paragraph [1206]). 


Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Smith, in view of Radlein, in further view of Lamas et al. (U.S. PGPub. 2016/0092485), hereinafter Lamas.

	Regarding claim 14, Smith as modified by Radlein does not teach the following limitation, which is taught by Lamas: The method of claim 1, wherein the distributed denial of service mitigation rule is removed from the provider edge device in response to a removal request from the customer network.
	(Lamas, Paragraph [0031], see “a user may submit a search query, such as through use of one or more extraction rules as part of a late binding schema to view events having fields and corresponding values for those fields in a user interface”, where “search query” is analogous to a removal request from the customer 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing the impact of malicious activity on operations of a wide area network, disclosed by Smith, and the techniques disclosed by Radlein, by implementing techniques for event time selection output, comprising removing the DDoS mitigation rule from the provider edge device in response to a removal request from the customer network, disclosed by Lamas. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising removing the DDoS mitigation rule from the provider edge device in response to a removal request from the customer network. This allows for more advanced security management, by minimizing the risk of the mitigation rule being compromised by an unauthorized entity, through a removal request provided by the customer network (Lamas, Paragraph [0031]). 

	Regarding claim 15, Smith as modified by Radlein does not teach the following limitation, which is taught by Lamas: The method of claim 14, wherein the removal request includes removal instructions received at the provider edge device from the customer edge device.
	(Lamas, Paragraph [0069], see “the query processor 404 can instruct field extractor 412 to apply the extraction rules to all the events in a data store 414, or to a subset of the events that have been filtered based on some criteria”, where “field extractor 412” is analogous to the provider edge device and where the provider edge device (field extractor) is instructed to apply the extraction rules (e.g., comprised within the removal request) received from the customer edge device (e.g., user)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing the impact of malicious activity on operations of a wide area network, disclosed by Smith, and the techniques disclosed by Radlein, by implementing techniques for event time selection output, comprising the removal request including removal instructions received at the provider edge device from the customer edge device, disclosed by Lamas. 
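The following Python sketch is an added illustration of the provider edge device behaviour at issue in claims 1, 7, 8, 14, 15 and 18 (an authenticated mitigation rule is validated against the customer's known prefixes and a service level agreement, implemented locally without being propagated, matched per packet, and withdrawn on an authenticated removal request). It is not code from the application or from Smith, Radlein, Jackson, Lamas or Asati. It assumes a pre-shared key between the customer edge and provider edge devices, a hypothetical SLA (permitted actions, a minimum prefix length and a rule quota) and RFC 5737 documentation prefixes for the customer network, all constructed for the example; the well-known BGP BLACKHOLE community (65535:666, RFC 7999) and NO_ADVERTISE community stand in for the “666” tag and for the requirement that the rule not be broadcast beyond the provider edge device.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed values for this illustration only (RFC 5737 documentation
# addresses, a hypothetical pre-shared key and a hypothetical SLA); none
# of them come from the application or the cited references.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
SLA = {"max_rules": 4, "min_prefix_len": 25,
       "allowed_actions": {"blackhole", "rate-limit"}}
SHARED_KEY = b"constructed-demo-key"

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
NO_ADVERTISE = "no-advertise"      # well-known community: never propagate to any peer


def canonical(body: dict) -> bytes:
    """Stable serialisation so the CE and the PE hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes = SHARED_KEY) -> dict:
    """CE side: wrap a rule or removal request in an authentication header (HMAC-SHA256)."""
    return {"body": body,
            "auth": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


@dataclass
class ProviderEdge:
    customer_prefixes: list
    sla: dict
    key: bytes = SHARED_KEY
    installed: dict = field(default_factory=dict)  # destination prefix -> local rule

    def _authentic(self, msg: dict) -> bool:
        expected = hmac.new(self.key, canonical(msg.get("body", {})),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(msg.get("auth", "")))

    def validate(self, msg: dict):
        """Return (permitted, reason): authentication, then ownership, then SLA."""
        if not self._authentic(msg):
            return False, "authentication failed"
        body = msg["body"]
        try:
            dst = ipaddress.ip_network(body["destination"])
        except (KeyError, ValueError):
            return False, "malformed destination"
        # Destination must fall inside a prefix the customer is known to own.
        if not any(p.version == dst.version and dst.subnet_of(p)
                   for p in self.customer_prefixes):
            return False, "destination not in customer network"
        # Action, scope and quota must all be within the SLA.
        if body.get("action") not in self.sla["allowed_actions"]:
            return False, "action not permitted by SLA"
        if dst.prefixlen < self.sla["min_prefix_len"]:
            return False, "prefix broader than SLA allows"
        if str(dst) not in self.installed and len(self.installed) >= self.sla["max_rules"]:
            return False, "SLA rule quota exhausted"
        return True, "permitted"

    def receive(self, msg: dict):
        """Install a permitted rule locally; NO_ADVERTISE keeps it from leaving this PE."""
        ok, reason = self.validate(msg)
        if ok:
            body = msg["body"]
            communities = [NO_ADVERTISE]
            if body["action"] == "blackhole":
                communities.append(BLACKHOLE_COMMUNITY)
            self.installed[str(ipaddress.ip_network(body["destination"]))] = {
                "action": body["action"], "communities": communities}
        return ok, reason

    def remove(self, msg: dict):
        """Withdraw a rule on an authenticated removal request from the customer."""
        if not self._authentic(msg):
            return False, "authentication failed"
        removed = self.installed.pop(str(msg["body"].get("remove")), None)
        return removed is not None, "removed" if removed else "no such rule"

    def action_for(self, dst_ip: str) -> str:
        """Per-packet check of routing information against installed rule parameters."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, rule in self.installed.items():
            if addr in ipaddress.ip_network(prefix):
                return rule["action"]
        return "forward"
```

The checks run in the order a provider edge would want: authenticity first, so an unauthenticated request can never influence the later decisions; ownership second, so a customer cannot blackhole someone else's addresses; the SLA last. NO_ADVERTISE rather than NO_EXPORT is used for the installed route because NO_EXPORT would still let the route be pushed to the provider's other routers over iBGP, whereas the claimed behaviour keeps the rule on the provider edge device alone.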


Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Smith, in view of Radlein, in further view of Lamas, in further view of Asati et al. (U.S. PGPub. 2012/0134368), hereinafter Asati.

	Regarding claim 16, Smith as modified by Radlein and further modified by Lamas does not teach the following limitation, which is taught by Asati: The method of claim 14, wherein the removal request includes a termination of a Border Gateway Protocol session between the customer edge device and the provider edge device.
	(Asati, Paragraph [0038], see “After the BGP session has been established between the routers 451 and 452, the router 452 can terminate or end the BGP session by transmitting a request to withdraw the BGP session in the form of a BGP update message”, where “router 451” is analogous to the provider edge device, where “router 452” is analogous to the customer edge device and where “router 452 can terminate or end the BGP session by transmitting a request to withdraw the BGP session” is analogous to the customer edge device transmitting a removal request which terminates the BGP session between the provider edge device (router 451) and the customer edge device (router 452)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for reducing the impact of malicious activity on operations of a wide area network, disclosed by Smith, the techniques disclosed by Radlein, and the techniques for event time selection output, comprising the removal request including removal instructions received at the provider edge device from the customer edge device, disclosed by Lamas, by implementing techniques for dynamic discovery mechanisms via inter-domain routing protocols, 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for local DDoS mitigation announcements in a telecommunications network, comprising a customer edge device transmitting a request to terminate the BGP session between a provider edge device and the customer edge device. This allows for better management of traffic flow by terminating any BGP sessions that are currently idle. When the customer edge device transmits the removal request to the provider edge device, the ongoing BGP session is subsequently terminated, in order to redirect the BGP link bandwidth to other resources still in communication (Asati, Paragraph [0038]). 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433         

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433