Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
Priority has been claimed to US Provisional Application No. 62/870,621, filed on 07/03/2019.

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant's cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/13/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Claim Objections
Claims 1, 3, 7-9, 12-14, 17-20 are objected to because of the following informalities:
For Claim 1 line 10 and line 12, Claim 3 line 2, Claim 7 line 1, Claim 8 line 1, Claim 9 line 1, Claim 12 line 1, Claim 13 line 7 and line 9, Claim 14 line 1, Claim 17 line 2, Claim 18 line 2, Claim 19 line 1, Claim 20 line 9 and line 11 -
“the threshold values” and “at least one of the threshold values” have insufficient antecedent basis, wherein “threshold values” is not defined, however, “one or more threshold values” is defined. For the purpose of examination, the terms will be interpreted as “the one or more threshold values” or “at least one of the one or more threshold values” as applicable. (The phrase “one or more of the threshold values” in claims 1, 13 and 20 may be changed to “at least one of the one or more threshold values”).




Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
For claims 1, 13 and 20, as to the limitation “identifying the network node as a security threat; and taking one or more remedial actions to mitigate the security threat”, the node is identified as a security threat. In other words, it is interpreted as a malicious node which is a security threat to the environment. Hence the further action of “taking one or more remedial actions to mitigate the security threat” is vague and indefinite since “mitigation of the node” does not make sense. If a security threat associated with the node was identified due to other claimed preconditions, then mitigation could occur for that specific security threat posed by the node. Examiner suggests reconstructing the claim limitation to impart definiteness and clarity to the intended claim limitation in that matter. As such, the claims are rendered indefinite.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claims and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 9-13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vengalil et al. (US 2017/0026405 A1, hereinafter Vengalil), in view of Dolson et al. (US 2004/0006643 A1, Dolson hereinafter).
For claim 1, Vengalil teaches a network computing system, comprising: a network adapter that transmits and receives data via a transport protocol; a memory device that at least temporarily stores data received at the network adapter; a processor that processes at least some of the received data (Fig. 1; para 0015-0019, 0107-0111, 0150 – network components such as transceivers to send and receive packets using a network protocol, and system comprising processor as processing units and memory units to store data), including:
applying one or more transport protocol heuristics to selective acknowledgement (SACK) messages received at the network adapter from a network node, the transport protocol heuristics identifying one or more threshold values or other conditional values for operational functions that are performed when processing the SACK messages (para 0001, 0006, 0012 - detection and elimination of optimistic selective acknowledgement (SACK) spoofing based DoS and DDoS attacks, and heuristics or analysis is applied to SACK messages at the sender node; para 0123, 0129, 0141-0145, 0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence) for operational functions such as packet transmission, SACK generation, SCN increment etc.);
determining, by applying the one or more transport protocol heuristics to the SACK messages received from the network node, that the (one or more) threshold values or other conditional values for one or more of the transport protocol heuristics have been reached; and in response to determining that (the) one or more of the threshold values have been reached or value conditions met: identifying the network node as a security threat; and taking one or more remedial actions to mitigate the security threat (para 0012, 0035-0040, 0124, 0126, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values (such as checksum, payload essence or cumulative payload essence) for detection and mitigation of attack, and mitigation via remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.).
Although checking of various conditions associated with network data transmission and reception (as also disclosed by Vengalil above), including various attributes such as values, limits and thresholds for identification of transmission integrity and security, is very well known in the art, Vengalil does not appear to explicitly disclose, but Dolson discloses, determining and utilizing thresholds to identify network security threats (para 0222, 0234, 0239-240 – a limit on the number of certain types of packets, or a certain range or threshold, can be applied in detection and prevention of attacks).
Therefore, based on Vengalil in view of Dolson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Dolson in the system of Vengalil, in order to incorporate techniques of attack detection based on processes that take into account many common factors such as data integrity check and checking limits on various network parameters in order to enhance the system’s attack detection and malicious entity detection capabilities, thereby making the system more extensible and secure.

For claim 2, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein applying the one or more transport protocol heuristics to the SACK messages includes incrementing one or more counters associated with the operational functions as the SACK messages are processed (para 0121, 0123, 0130, 0142, 0148 – a part of the process (operational function) increments the sequence number, or adds the payload essence value to an initial value for validation).

For claim 3, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the network computing system of claim 2, wherein the counters indicate when the limit or condition for one or more of the transport protocol heuristics have been reached (para 0121, 0123, 0130, 0142, 0148 – increments the sequence number, or adds the payload essence value to an initial value as part of count operation, for SACK validation). Vengalil does not appear to explicitly disclose, but Dolson discloses, when the (one or more) threshold values for one or more of the heuristics have been reached (para 0222, 0234, 0239-240 – a limit on the number of certain types of packets, or a certain range or threshold, can be applied in detection and prevention of attacks).

For claim 4, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the network computing system of claim 2, wherein one or more of the counters are modified upon receiving an acknowledgement (ACK) message (para 0123, 0142, 0148 – increments the sequence number, or adds the payload essence value to an initial value as part of count operation when selective ACK message is received with TSN Ack).

For claim 5, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein the security threat comprises an attacking node that is carrying out an attack against the network computing system (para 0035-0040, 0052, 0126, 0141-0145 – receiving node as an attacker or malicious node).

For claim 6, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the one or more remedial actions used to mitigate the security threat comprises ignoring at least some of the SACK messages received from the network node (para 0035-0040, 0129, 0141-0145, 0150 – processing the SACK messages for detection and mitigation of attack, and mitigation via remedial actions such as discarding the spoofed SACK or accounting for only non-duplicate messages).

For claim 9, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the condition values for operational functions that are performed when processing the SACK messages comprises an indication of how many SACK messages are received within a specified time period (para 0124-0125, 0132, 0134; Fig. 7 – time gap associated with flood rate indicating number of packets received in a specific time gap). Vengalil does not explicitly teach, but Dolson discloses, threshold values when processing the SACK messages comprises an indication of how many SACK messages are received within a specified time period (para 0222, 0234, 0239-240).

For claim 10, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches filtering the SACK messages to remove previously received SACK messages (para 0116, 0134, 0150-0151 – removal or elimination of duplicate or previously received SACK messages).

For claim 11, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein filtering the SACK messages further comprises removing duplicate SACK messages (para 0116, 0134, 0150-0151 – removal or elimination of duplicate SACK messages).

For claim 12, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the threshold values for operational functions that are performed when processing the SACK messages comprises an indication of how many SACK messages were filtered within a specified time period (para 0116, 0125, 0130, 0134, 0150-0151 – filtering of SACK messages with respect to time intervals).

For claim 13, Vengalil teaches a computer-implemented method, comprising: applying one or more transport protocol heuristics to selective acknowledgement (SACK) messages received at a network adapter from a network node, the transport protocol heuristics identifying one or more threshold values or other conditional values for operational functions that are performed when processing the SACK messages (Fig. 1; para 0015-0019, 0107-0111, 0150 – network components such as transceivers to send and receive packets using a network protocol, and system comprising processor as processing units and memory units to store data; para 0001, 0006, 0012 - detection and elimination of optimistic selective acknowledgement (SACK) spoofing based DoS and DDoS attacks, and heuristics or analysis is applied to SACK messages at the sender node; para 0123, 0129, 0141-0145, 0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence) for operational functions such as packet transmission, SACK generation, SCN increment etc.);
determining, by applying the one or more transport protocol heuristics to the SACK messages received from the network node, that the (one or more) threshold values or other conditional values for one or more of the transport protocol heuristics have been reached; and in response to determining that (the) one or more of the threshold values have been reached or value conditions met: identifying the network node as a security threat; and taking one or more remedial actions to mitigate the security threat (para 0012, 0035-0040, 0124, 0126, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values (such as checksum, payload essence or cumulative payload essence) for detection and mitigation of attack, and mitigation via remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.).
Although checking of various conditions associated with network data transmission and reception (as also disclosed by Vengalil above), including various attributes such as values, limits and thresholds for identification of transmission integrity and security, is very well known in the art, Vengalil does not appear to explicitly disclose, but Dolson discloses, determining and utilizing thresholds to identify network security threats (para 0222, 0234, 0239-240 – a limit on the number of certain types of packets, or a certain range or threshold, can be applied in detection and prevention of attacks).
Therefore, based on Vengalil in view of Dolson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Dolson in the system of Vengalil, in order to incorporate techniques of attack detection based on processes that take into account many common factors such as data integrity check and checking limits on various network parameters in order to enhance the system’s attack detection and malicious entity detection capabilities, thereby making the system more extensible and secure.

For claim 18, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the (one or more) threshold values for operational functions that are performed when processing the SACK messages is dynamically changed based on one or more current operating conditions at the network computing system (para 0123, 0125, 0129, 0141-0145, 0149-0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence) for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed based on the condition process).

For claim 19, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the (one or more) threshold values for operational functions that are performed when processing the SACK messages is dynamically changed based on the occurrence of a specified trigger (para 0123, 0125, 0129, 0141-0145, 0149-0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence) for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed based on the condition such as flood forced upon by the malicious receiver).

For claim 20, Vengalil teaches a non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: apply one or more transport protocol heuristics to selective acknowledgement (SACK) messages received at a network adapter from a network node, the transport protocol heuristics identifying one or more threshold values or other conditional values for operational functions that are performed when processing the SACK messages (Fig. 1; para 0015-0019, 0107-0111, 0150 – network components such as transceivers to send and receive packets using a network protocol, and system comprising processor as processing units and memory units to store data; para 0001, 0006, 0012 - detection and elimination of optimistic selective acknowledgement (SACK) spoofing based DoS and DDoS attacks, and heuristics or analysis is applied to SACK messages at the sender node; para 0123, 0129, 0141-0145, 0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values (such as checksum, payload essence or cumulative payload essence) for operational functions such as packet transmission, SACK generation, SCN increment etc.);
determine, by applying the one or more transport protocol heuristics to the SACK messages received from the network node, that the (one or more) threshold values or other conditional values for one or more of the transport protocol heuristics have been reached; and in response to determining that (the) one or more of the threshold values have been reached or value conditions met: identify the network node as a security threat; and take one or more remedial actions to mitigate the security threat (para 0012, 0035-0040, 0124, 0126, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence) for detection and mitigation of attack, and mitigation via remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.).
Although checking of various conditions associated with network data transmission and reception (as also disclosed by Vengalil above), including various attributes such as values, limits and thresholds for identification of transmission integrity and security, is very well known in the art, Vengalil does not appear to explicitly disclose, but Dolson discloses, determining and utilizing thresholds to identify network security threats (para 0222, 0234, 0239-240 – a limit on the number of certain types of packets, or a certain range or threshold, can be applied in detection and prevention of attacks).
Therefore, based on Vengalil in view of Dolson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Dolson in the system of Vengalil, in order to incorporate techniques of attack detection based on processes that take into account many common factors such as data integrity check and checking limits on various network parameters in order to enhance the system’s attack detection and malicious entity detection capabilities, thereby making the system more extensible and secure.
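
The following Python example is added here for illustration and is not taken from the application, Vengalil, or Dolson. It shows one way the per-node counters, duplicate filtering and time-window thresholds recited in claims 1-6 and 9-12 could be applied to incoming SACK messages; the class names, threshold values, addresses and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Thresholds:          # assumed values, chosen only for this example
    window_s: float = 1.0  # sliding time window in seconds
    max_sacks: int = 4     # new SACKs per window before the node is flagged
    max_filtered: int = 3  # filtered duplicates per window before flagging


@dataclass
class PeerState:
    seen: dict = field(default_factory=dict)          # SACK blocks -> last time seen
    sack_times: deque = field(default_factory=deque)  # counter: new SACKs in window
    dup_times: deque = field(default_factory=deque)   # counter: filtered SACKs in window
    flagged: bool = False


class SackMonitor:
    def __init__(self, thresholds=None):
        self.t = thresholds or Thresholds()
        self.peers = defaultdict(PeerState)

    def process(self, peer, ts, blocks):
        """Return 'accept', 'filtered', 'flagged' or 'ignored' for one SACK."""
        st = self.peers[peer]
        if st.flagged:
            return "ignored"  # remedial action: drop further SACKs from this node
        cutoff = ts - self.t.window_s
        for q in (st.sack_times, st.dup_times):  # expire entries outside the window
            while q and q[0] <= cutoff:
                q.popleft()
        st.seen = {k: t for k, t in st.seen.items() if t > cutoff}

        key = tuple(blocks)
        if key in st.seen:  # previously received SACK: filter it and count it
            st.dup_times.append(ts)
            counter, limit, verdict = st.dup_times, self.t.max_filtered, "filtered"
        else:               # new SACK: count it toward the rate threshold
            st.sack_times.append(ts)
            counter, limit, verdict = st.sack_times, self.t.max_sacks, "accept"
        st.seen[key] = ts
        if len(counter) >= limit:  # threshold reached: identify node as a threat
            st.flagged = True
            return "flagged"
        return verdict

    def flagged_peers(self):
        return sorted(p for p, st in self.peers.items() if st.flagged)


def run(events, thresholds=None):
    """Feed (peer, timestamp, blocks) events through a monitor; state is per peer."""
    mon = SackMonitor(thresholds)
    verdicts = defaultdict(list)
    for peer, ts, blocks in events:
        verdicts[peer].append(mon.process(peer, ts, blocks))
    return dict(verdicts), mon.flagged_peers()


# Constructed sample input: (peer, timestamp, SACK blocks as (start, end) pairs)
SAMPLE = (
    [("192.0.2.10", t, [(1000 + i, 2000 + i)]) for i, t in enumerate((0.0, 0.5, 1.2, 2.0))]
    + [("192.0.2.20", 0.1 * i, [(5000 + i, 6000 + i)]) for i in range(5)]  # high rate
    + [("192.0.2.30", 0.1 * i, [(9000, 9500)]) for i in range(5)]          # repeats
)

if __name__ == "__main__":
    for result in run(SAMPLE):
        print(result)
```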


Allowable Subject Matter
Claims 7-8 and 14-17 are objected to as being dependent upon their respective rejected base claims, but would be allowable if incorporated in the base claims 1 and 13 including all of the limitations of the base claims and any intervening claims, in addition to overcoming the above-mentioned objections and rejections associated with these and their parent claims.
   
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/ Primary Examiner, Art Unit 2433