DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 4-14 and 16-21 are pending in this application.
Claims 1, 14 and 20 are currently amended.
Claims 2-3 and 15 were cancelled.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/13/2020 has been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:


Claims 1, 14 and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, for inadequate written description for a computer-implemented functional claim limitation; see MPEP 2161.01(I).
In particular, claims 1, 14 and 20 recite “detect a man-in-the-middle attacker on the network based on at least a portion of the second set of network settings information not matching the first set of network settings information”, which would mean that when all the setting information of the second set of network settings information matches all the setting information of the first set of network settings information, there is no man-in-the-middle attack. Applicant’s specification mentions “network settings information such as the MAC address” (para 52). Applicant’s specification does not adequately describe the scope of “the network settings information”. For instance, some network settings information would never match between two packets (e.g., the TCP sequence number of each packet, which is also part of the network settings but will never be the same for two packets). The sequence number is just one example; there may be other network settings that differ between two packets without any man-in-the-middle attack. Thus, applicant’s claim encompasses embodiments not adequately described by the Specification for detection of man-in-the-middle attacks.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-12, 14 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (US 2015/0264081 A1) in view of Wallace et al. (US 9,680,860 B1) (hereinafter, “Wallace”) in view of Keeni (US 2010/0242084 A1) and further in view of Shen et al. (US 2011/0099370 A1) (hereinafter, “Shen”).

As to claim 1, Lee discloses an apparatus comprising: 
a processor (Fig. 2, [0011]-a processor 111); a memory that stores code executable by the processor (Fig. 2,[0011]-storage system 109) to: 
check a first set of previously stored network settings information associated with a network router, the network router configured to transmit data packets between devices within a network ([0010]-[0012]; herein, the recording module 101 records the IP addresses and the MAC addresses of the plurality of CPEs 201, 202, 203 connected with the network device 10; the network device 10 connects with a plurality of customer premise equipment (CPEs) 201, 202, 203, the network 
send a spoof request, to the network router, for a second set of network settings information, the spoof request ….sent from the dummy MAC address, the second set of network settings information corresponding to the first set of network settings information ([0012]; herein, ARP requests are sent from a dummy MAC addresses; the transceiver module 103 sends first ARP request packets to the CPEs 201, 202, 203 according to the IP addresses in the address mapping table; the CPEs 201, 202, 203 have received the ARP request packets, they will reply with their address information by sending first ARP response packets to the transceiver module 103. The transceiver module 103 receives the first ARP response packets, and the first ARP response packets comprises the MAC addresses of the CPEs 201, 202, 203); 
detect a … attacker on the network based on at least a portion of the second set of network settings information not matching the first set of network settings information in response to comparing the second set of network settings information with the first set of network settings information ([0014], [0017]; herein, the identity module 105 compares the MAC addresses in the first ARP response packets with the corresponding MAC addresses in the address mapping table to identify unusual MAC addresses; A MAC address is unusual upon condition that the MAC addresses in the first ARP response packets are not the same as the corresponding MAC addresses in the address mapping table, the identity module 105 compares the 
trigger a countermeasure action related to the … attacker ([0018]; herein, the blocking module 107 blocks the packets transmission according to the MAC address of the hacker. After the hackers have been identified, the blocking module 107 blocks the packets transmission corresponding to the unusual MAC address to avoid ARP attacks).
Lee may not explicitly disclose generate a dummy media access control ("MAC") address that impersonates a device connecting to the network router; the spoof request comprising a spoof dynamic configuration host protocol ("DHCP") request; detect a man-in-the-middle attacker on the network;
However, in an analogous art, Wallace discloses detecting a man-in-the-middle attacker on a network in response to comparing a portion of a network settings information with a second set of network settings information (Abstract; col. 9, line 45 to col. 10, lines 1-10; herein, different man-in-the-middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception; MITM detection tests can detect Address Resolution Protocol (ARP) cache deviations; duplication of MAC to IP address association can indicate ARP cache poisoning).
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the application to combine the network device taught by Lee with the man in the middle attack testing taught by Wallace since doing so would accurately and 
Neither Lee nor Wallace explicitly discloses generating a dummy media access control (“MAC”) address that impersonates a device connecting to the network router; the spoof request comprising a spoof dynamic configuration host protocol ("DHCP") request;

However, Keeni discloses generating a dummy media access control (“MAC”) address that impersonates a device connecting to the network router (“wherein the above-mentioned communication blocking unit, which blocks communication between nodes judged as "not permitted" based on the above-mentioned access policy, transmits ARP packets with a false MAC-address (FMAC), that is generated using a one-way function genFMAC with multiple input parameters, to these unauthorized nodes; and the above-mentioned access control unit extracts ARP packets containing a false MAC-address from ARP packets received by the above-mentioned packet monitor unit, judges the extracted ARP packets to be attack packets that illegally attempt to block communication if the MAC-address of the extracted ARP packets is not the same as the value of FMAC generated by the one-way function genFMAC, and generates an alarm to the effect that an attack packet attempting to block communication illegally has been detected.” –e.g. see, [0034]); Keeni further discloses sending spoof requests from the dummy MAC address ([0034]; herein, transmitting ARP packets with a false MAC-address (FMAC), that is generated using a one-way function genFMAC with multiple input parameters).

Neither Lee nor Wallace nor Keeni explicitly discloses the spoof request comprising a spoof dynamic configuration host protocol ("DHCP") request;
However, in an analogous art, Shen discloses a request comprising a spoof dynamic configuration host protocol ("DHCP") request (“…the source address of the DHCP message sender is a CGA; when the CGA is generated” –e.g. see, [0040], see also, [0050], [0051], [0009]; herein, the sender of a DHCP message uses the Cryptographically Generated Address (CGA) of the sender with the DHCP message, which is then verified against an obtained result to identify the sender);
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention was made to modify the teaching of Lee, Wallace, Keeni and Shen in order to provide a requested IP address and/or configuration information to a requested network client in a sure manner.

As to claims 14 and 20, these are rejected using the similar rationale as for the rejection of claim 1.

As to claim 6, the combination of Lee, Wallace, Keeni and Shen disclose wherein the request for the second set of network settings information is sent at periodic intervals (Wallace: col. 9, lines 8-48). 
As to claim 7, the combination of Lee, Wallace, Keeni and Shen disclose wherein the first and second sets of network settings information for the network router comprises one or more of a media access control ("MAC") address and an internet protocol ("IP") address (Lee: Abstract, [0013]-[0016]). 
As to claim 8, the combination of Lee, Wallace, Keeni and Shen disclose wherein the code is further executable by the processor to determine the first set of network settings when the network router is first connected to the network (Lee: [0012]). 
As to claim 9, the combination of Lee, Wallace, Keeni and Shen disclose wherein the countermeasure action comprises one or more of: logging information associated with the man-in-the-middle attacker; and sending a notification to an administrator that indicates the presence of the man-in-the-middle attacker (Wallace: col. 9, lines 48 to col. 10, line 6; col. 11, lines 20-45). 
As to claim 10, the combination of Lee, Wallace, Keeni and Shen disclose wherein the logged information is backed-up to a cloud-based data store that is accessible using a web service (Wallace: col. 11, lines 1-3). 

As to claim 12, the combination of Lee, Wallace, Keeni and Shen disclose wherein the countermeasure action comprises poisoning the address resolution protocol ("ARP") cache of the man-in-the-middle attacker (Wallace: col. 9, line 45 to col. 10, lines 1-15). 
As to claim 17, the combination of Lee, Wallace and Keeni disclose wherein the countermeasure action comprises one or more of: logging information associated with the man-in-the-middle attacker; and sending a notification to an administrator that indicates the presence of the man-in-the-middle attacker (Wallace: col. 9, lines 48 to col. 10, lines 1-6; col. 11, lines 20-45). 
As to claim 18, the combination of Lee, Wallace and Keeni disclose wherein the countermeasure action comprises: broadcasting the logged information to other devices on the network; and updating a blacklist of man-in-the-middle devices based on the broadcasted logged information (Wallace: col. 11, lines 1-30). 
As to claim 19, the combination of Lee, Wallace and Keeni disclose wherein the countermeasure action comprises poisoning the address resolution protocol ("ARP") cache of the man-in-the-middle attacker (Wallace: col. 9, lines 45 to col. 10, lines 1-15). 
 
Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Wallace in view of Keeni in view of Shen and in further view of Nikravesh et al. (US 2018/0176248 A1) (hereinafter, “Nikravesh”).

As to claims 4 and 16, neither Lee nor Wallace nor Keeni nor Shen explicitly disclose wherein the request for the second set of network settings information comprises sending a traceroute command to the network router, the second set of network settings information comprising a number of hops to the network router, wherein the man-in-the-middle attacker is detected in response to the number of hops to the network router being different than a previously determined number of hops to the network router.
However in an analogous art, Nikravesh discloses wherein the request for the second set of network settings information comprises sending a traceroute command to the network router, the second set of network settings information comprising a number of hops to the network router, wherein the man-in-the-middle attacker is detected in response to the number of hops to the network router being different than a previously determined number of hops to the network router (“In 455, in response to or based on the comparison at 450, the computing device 140 may determine or identify which (if any) of the hop counts of the first spoofed data query, the second spoofed data query, the third spoofed data query, or a combination thereof fail to match the known/stored hop counts of the first data query, the second data query, the third data query, or a combination thereof by more than the predetermined amount higher or lower. The predetermined amount may be, for example, +/1 hop, to account for ordinary variations the corresponding hop counts for the transmitting device 122A by more than the predetermined amount of +/-1 hop. This may indicate that the first spoofed data query, the second spoofed data query, the third spoofed data query, or a combination thereof are, in fact, from a spoofed IP address and/or are part of an attack or other harmful action.” –e.g. see, Nikravesh: [0048]).
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention was made to modify the teaching of Lee, Wallace, Keeni, Shen and Nikravesh in order to identify a spoofed IP address and/or an attack or other harmful action as suggested by Nikravesh (Spec: [0048]).


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Wallace in view of Keeni in view of Shen and further in view of Claessens et al. (US 7,222,255 B1) (hereinafter, “Claessens”).


As to claim 5, neither Lee nor Wallace nor Keeni nor Shen explicitly disclose but in an analogous art Claessens discloses wherein the request for the second set of network settings information comprises: sending a first dummy data packet to a media access control ("MAC") address for a device connected to the network ; sending a second dummy data packet to an internet protocol ("IP") address for the device, the IP address associated with the MAC address; and receiving one or more of confirmation that the first and second dummy data packets were received at the device and confirmation that the MAC addresses of the first and second dummy data packets do not match (Claessens: col. 9, lines 25 to col. 10, lines 1-60. Col. 11, lines 10 to col 12, lines 1-25). Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of Lee, Wallace, Keeni and Shen with those of Claessens since doing so would test and verify the IP address and MAC binding. 

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Wallace in view of Keeni in view of Shen and further in view of Velten et al. (US 2002/0129355 A1) (hereinafter, “Velten”).

As to claim 13, neither Lee nor Wallace nor Keeni nor Shen explicitly discloses wherein the countermeasure action comprises remotely shutting-down the device of the man-in-the-middle attacker. However, in an analogous art, Velten discloses wherein the countermeasure action comprises remotely shutting-down the device of the man-in-the-middle attacker (Velten: [0043]-[0045], [0052]-[0053]). Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of Lee, Wallace .

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Wallace in view of Keeni in view of Shen and further in view of Kanevsky (US 2017/0070412 A1).

As to claim 21, neither Lee nor Wallace nor Keeni explicitly discloses, but in an analogous art Kanevsky discloses, periodically refreshing the ARP caches of other devices on the network with actual network settings information for the network router; ARP spoofing other network devices with the correct network settings information; capturing an image of a user associated with the man-in-the-middle attacker device using a camera of the man-in-the-middle attacker device; and installing applications on the man-in-the-middle attacker device for tracking the network activity of the man-in-the-middle attacker device (Kanevsky: [0017], [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of Lee, Wallace and Keeni with those of Kanevsky since doing so would make it difficult for the attacker to guess the setting information.

Response to Arguments
Applicant has amended independent claims 1, 14 and 20, which necessitated a new ground of rejection; see the rejection above.

Applicant has argued on page 12 of the remarks regarding the independent claims that: “Applicant has amended Claim 1 to recite "the spoof request comprising a spoof dynamic configuration host protocol ("DHCP") request sent from the dummy MAC address, the second set of network settings information corresponding to the first set of network settings information."….. none of the prior art references appear to teach the subject matter of the claim amendments. Accordingly, Applicant respectfully asserts that Lee in view of various combinations of Wallace, Keeni, Claessens, Velten, and Kanevsky fails to teach or disclose each element of the claimed invention.”
In response to the amended limitations, Examiner has cited new art, Shen, which teaches a request comprising a spoof dynamic configuration host protocol ("DHCP") request sent from the dummy MAC address (e.g. see, [0040], see also, [0050], [0051], [0009]; herein, the sender of a DHCP message uses the Cryptographically Generated Address (CGA) of the sender with the DHCP message, which is then verified against an obtained result to identify the sender; the DHCP message carrying the signature is sent to the DHCP message receiver).

Conclusion



Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256.  The examiner can normally be reached on Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495      

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495