Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The instant office action is in response to communication filed on 05/12/2017.

Claims 1-20 are pending of which claims 1, 11 and 17 are independent.

Internet Communications

Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	Claims 1-3,5,9-18 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over AL-Shaer et al (US 2017/0324757 A1) in view of Rogas (US2018/0108015 A1).

AL-Shaer provides a method that enables realizing source verification that is intrusive, thus reducing application productivity. The method enables utilizing detector and mitigation composition to be more robust and resilient than existing approaches in defending against low and slow DDoS attacks while considering attack features and mitigation techniques simultaneously and applying formal method based approaches to minimize false negative/positive and maximize benefits.

Rogas relates to Internet traffic. More specifically, the disclosed embodiments relate to methods of evaluating the trustworthiness of Internet traffic.

As per claim 1, AL-Shaer discloses a system, comprising: memory storing executable instructions for determining a clean profile indicative of human web traffic from web traffic received (para. 0005-0010 discloses a traffic feature is a distinctive attribute or aspect of the traffic information that can be extracted from the web logs or traces, for example) at a plurality of server locations (fig. 2 depicted that one or more servers 100 may be used in conjunction with the methods and systems, for example); and one or more processors programmed to: access traffic distributions associated with the web traffic received at the plurality of server locations (para. 0013 discloses the preference detector is based on one or more of location and time and is obtained from a web log), the traffic distributions comprising a representation of one or more traffic parameters associated with the web traffic (para. 0005-0010 discloses following features are selected in some exemplary embodiments of the detectors described herein: client Geo IP, request time (i.e., the time when the request is made), response size (i.e., the size of the server response packets), response time (i.e., the time or the server to respond the request), user preference (i.e., the web page requested), or user ISP, for example) and generate the clean profile for human web traffic based on similarities of the at least two of the compared traffic distributions for use in determining whether bot traffic is being received at the server locations (para. 0022 discloses for the current traffic, we also calculate the Entropy of user Geo IP based on time, preference, or ISP, and para. 0023 discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).

AL-Shaer fails to explicitly disclose compare at least two of the traffic distributions from different server locations.

However, Rogas discloses compare at least two of the traffic distributions from different server locations (para. 0025 discloses The DNS resolver server may further receive a direct communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, furthermore claim 17 discloses the DNS resolver server receives a communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, for example). 

AL-Shaer and Rogas are analogous art because they both are directed to methods of evaluating the trustworthiness of Internet traffic and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of AL-Shaer with the specified features of Rogas because they are from the same field of endeavor.

In view of the above, having the system of AL-Shaer and then given the well-established teaching of Rogas, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of Rogas with the teachings of AL-Shaer in order to evaluate the trustworthiness of Internet traffic (Rogas: Paragraph 0002).


Regarding claim 2, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, wherein the web traffic comprises hypertext transfer protocol (HTTP) requests (Para. 0010 of AL-Shaer discloses user preference (i.e., the web page requested), for example).

Regarding claim 3, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, wherein the one or more traffic parameters comprise at least one of a user agent, time of day, or geographic location (para. 0006-0011 discloses client Geo IP, request time (i.e., the time when the request is made), response size (i.e., the size of the server response packets), response time (i.e., the time or the server to respond the request), user preference (i.e., the web page requested), or user ISP, for example). 

Regarding claim 5, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, wherein the one or more processors are further programmed to compare first web traffic received at a first of the plurality of server locations to the clean profile to determine a quantity of bot traffic in the first web traffic at the first of the plurality of server locations (para. 0018 discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).


Regarding claim 9, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, wherein the similarities used to generate the clean profile comprise the at least two of the traffic distributions having a common traffic parameter within at least 10% of each other (para. 0016 of Rogas discloses the method may also set elements in the document object model where the feedback from the at least one sensor is evaluated and compared to expected values based on the setting elements step, for example). 

Regarding claim 10, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, wherein the similarities used to generate the clean profile comprise the at least two of the traffic distributions having a same traffic (para.0023 of AL-Shaer discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).

As per claim 11, AL-Shaer discloses a method, comprising: accessing traffic distributions associated with web traffic received (para. 0005-0010 discloses a traffic feature is a distinctive attribute or aspect of the traffic information that can be extracted from the web logs or traces, for example) at a plurality of server locations (fig. 2 depicted that one or more servers 100 may be used in conjunction with the methods and systems, for example), the traffic distributions comprising a representation of one or more traffic parameters associated with the web traffic received at the plurality of server locations (para. 0005-0010 discloses following features are selected in some exemplary embodiments of the detectors described herein: client Geo IP, request time (i.e., the time when the request is made), response size (i.e., the size of the server response packets), response time (i.e., the time or the server to respond the request), user preference (i.e., the web page requested), or user ISP, for example); generating a clean profile for human web traffic based on similarities of the at least two of the compared traffic distributions for use in determining whether bot traffic is being received at the server locations; and comparing first web traffic received at a first of the plurality of server locations to the clean profile to determine a quantity of bot traffic in the first web traffic at the first of the plurality of server locations (para. 0022 discloses for the current traffic, we also calculate the Entropy of user Geo IP based on time, preference, or ISP, and para. 0023 discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).



However, Rogas discloses compare at least two of the traffic distributions from different server locations (para. 0025 discloses The DNS resolver server may further receive a direct communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, furthermore claim 17 discloses the DNS resolver server receives a communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, for example). 
AL-Shaer and Rogas are analogous art because they both are directed to methods of evaluating the trustworthiness of Internet traffic and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of AL-Shaer with the specified features of Rogas because they are from the same field of endeavor.
In view of the above, having the system of AL-Shaer and then given the well-established teaching of Rogas, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of Rogas with the teachings of AL-Shaer in Rogas: Paragraph 0002).
Regarding claim 12, the combination of AL-Shaer as modified by Rogas discloses wherein the similarities of the at least two of the compared traffic distributions having the same values for at least one of the one or more traffic parameters (para. 0022 of AL-Shaer discloses for the current traffic, we also calculate the Entropy of user Geo IP based on time, preference, or ISP, and para. 0023 discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).

Regarding claim 13, the combination of AL-Shaer as modified by Rogas discloses wherein the one or more traffic parameters comprise at least one of a user agent, a time of day, and a geographic location associated with the web traffic (para. 0018 of Rogas discloses the DNS server upstream from the client device, and the DNS resolver server in a database. The method may also comprise receiving a communication from the user device and comparing an expected communication time based on the geographic location of the DNS resolver server and an actual communication time, for example).

Regarding claim 14, the combination of AL-Shaer as modified by Rogas discloses the method according to claim 11, wherein the web traffic comprises Hypertext Transfer Protocol (HTTP) requests (Para. 0010 of AL-Shaer discloses user preference (i.e., the web page requested), for example).

Regarding claim 15 the combination of AL-Shaer as modified by Rogas discloses the method according to claim 11, wherein each of the plurality of server locations comprise one or more servers for processing the web traffic (para. 0005-0010 discloses a traffic feature is a distinctive attribute or aspect of the traffic information that can be extracted from the web logs or traces, for example).

Regarding claim 16 the combination of AL-Shaer as modified by Rogas discloses the method according to claim 11, blocking web traffic determined to be bot traffic (para. 0057 of Rogas discloses the correlations obtained may be combined with other data obtained to detect fraudulent Internet traffic, malware, and the like that are now known and may be later developed. Steps may be taken to disable access from the requesting devices determined to be fraudulent or bot sites or content providers may specify that they will not provide payment for access from these sites or devices, for example). 

As per claim 17, AL-Shaer discloses one or more computer storage media embodying computer-executable components, said components comprising: a profile learning module executable by at least one processor for (para. 0013 discloses a processor executing instructions to: compute the Entropy of a plurality of detectors, at least in part selected from a group Geo detector, a group response size detector, a group preference detector, and an individual client behavior detector, for example): accessing traffic distributions associated with web traffic received at a plurality of server locations (para. 0005-0010 discloses a traffic feature is a distinctive attribute or aspect of the traffic information that can be extracted from the web logs or traces, for example), identifying at least two of the traffic distributions from different server locations having similar quantities or percentages of the one or more traffic parameters (para. 0005-0010 discloses following features are selected in some exemplary embodiments of the detectors described herein: client Geo IP, request time (i.e., the time when the request is made), response size (i.e., the size of the server response packets), response time (i.e., the time or the server to respond the request), user preference (i.e., the web page requested), or user ISP, for example), and generating a clean profile for identifying human web traffic based on the similarities of the at least two of the traffic distributions of the one or more traffic parameters (para. 0022 discloses for the current traffic, we also calculate the Entropy of user Geo IP based on time, preference, or ISP, and para. 0023 discloses compare the current traffic distribution and normal profile distribution by calculating the difference between them. If the difference is larger than the threshold, we trigger the alarm for possible attack, for example).

AL-SHAER fails to explicitly disclose the traffic distributions comprising one or more traffic parameters associated with the web traffic received at the plurality of server locations (para. 0025 discloses The DNS resolver server may further receive a direct communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, furthermore claim 17 discloses the DNS resolver server receives a communication from the client device and compares an expected communication time based on a reported geographic location of the IP address of the user device and an actual communication time, for example). 
AL-Shaer and Rogas are analogous art because they both are directed to methods of evaluating the trustworthiness of Internet traffic and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of AL-Shaer with the specified features of Rogas because they are from the same field of endeavor.
In view of the above, having the system of AL-Shaer and then given the well-established teaching of Rogas, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention Rogas: Paragraph 0002).

Regarding claim 18, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 17, wherein the similar quantities or percentages comprise the at least two of the traffic distributions being within at least 10% of each other (para. 0016 of Rogas discloses the method may also set elements in the document object model where the feedback from the at least one sensor is evaluated and compared to expected values based on the setting elements step, for example).

Regarding claim 20, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 17, a probability calculator executable by the at least one processor for: comparing the clean profile to a first set of the web traffic received at a first server location; determining a quantity of the first set of the web traffic as bot traffic using the clean profile (para. 0012 of AL-Shaer discloses the Geo detector comprises a normal traffic profile representing a conditional Entropy conditioned on one or more of time, preference, and ISP and a current traffic profile representing a conditional Entropy conditioned on one or more of time, preference, and ISP, for example); and generating a ratio of the clean traffic to the bot traffic in the first set of the web traffic based on the determined bot traffic (para. 0005-0010 of AL-Shaer discloses a traffic feature is a distinctive attribute or aspect of the traffic information that can be extracted from the web logs or traces, for example).

6.	Claim 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over AL-Shaer et al (US 2017/0324757 A1) in view of Rogas (US 2018/0108015 A1), further in view of McQueen et al. (US 2018/0343280 A1).

McQueen provides a system for identifying human users on a network; and a non-transitory computer-readable medium for storing instructions to be executed by a computer for identifying human users on a network.

As per claim 4, the combination of AL-Shaer as modified by Rogas discloses the system according to claim 1, discloses all claimed limitations, except for wherein the user agent comprises a browser and a browser version of an hypertext transfer protocol (HTTP) request.

However, McQueen discloses wherein the user agent comprises a browser and a browser version of an hypertext transfer protocol (HTTP) request (para. 0055 discloses Bots might always claim to be using the exact same version of the exact same browser on the exact same device, or the claimed browser type, version number, and device might be different every time, for example).

AL-Shaer as modified by Rogas and McQueen are analogous art because they both are directed to systems and methods for identifying human users in electronic networks and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of AL-Shaer with the specified features of Rogas because they are from the same field of endeavor.

In view of the above, having the system of AL-Shaer as modified by Rogas and then given the well-established teaching of McQueen, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of McQueen with the teachings of AL-Shaer as modified by Rogas in order to identify human users in electronic networks (McQueen: Paragraph 0001).

7.	Claims 6-8 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over AL-Shaer et al (US 2017/0324757 A1) in view of Rogas (US 2018/0108015 A1), further in view of Bhargava et al. (US 2012/0030750 A1).

Regarding claims 6 and 19, the combination of AL-Shaer as modified by Rogas disclosed all claimed limitations except for wherein the one or more processors are further programmed to determine a ratio of human traffic to bot 

However, Bhargava discloses wherein the one or more processors are further programmed to determine a ratio of human traffic to bot traffic in a set of web traffic at a first server location based on a comparison of traffic parameters of the set of web traffic in comparison to the clean profile (para. 0025  discloses  Bots are often designed to initiate communication with the command and control server and to masquerade as normal web browser traffic. Bots may be crafted with a command and control protocol that makes the bot appear to be making normal network connections to a web server. For example, a bot may use a port typically used to communicate with a web server. Such bots, therefore, may not be detected by existing technologies without performing more detailed packet inspection of the web traffic. Moreover, once a bot is discovered, the botnet operator may simply find another way to masquerade network traffic by the bot to continue to present as normal web traffic. More recently, botnet operators have crafted bots to use encryption protocols such as, for example, secure socket layer (SSL), thereby encrypting malicious network traffic. Such encrypted traffic may use a Hypertext Transfer Protocol Secure (HTTPS) port such that only the endpoints involved in the encrypted session can decrypt the data, for example). 


In view of the above, having the system of AL-Shaer as modified by Rogas and then given the well-established teaching of Bhargava, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of Bhargava with the teachings of AL-Shaer as modified by Rogas in order to provide network level protection against malicious software (Bhargava: Paragraph 0002).

Regarding claim 8, the combination of AL-Shaer as modified by Rogas, further modified by Bhargava, discloses wherein the one or more processors are further programmed to block or prioritize processing of the new web traffic at the first server based on the calculated probability that the new web traffic is human or bot traffic (para. 0017 of Bhargava discloses evaluating a first criterion to determine whether network traffic associated with the software program file is permitted and creating a restriction rule to block the network traffic if the network traffic is not permitted, for example).

Pertinent Art 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Paruchuri et al. (2020/0200555 A1) discloses the server 108 compares each permutation of partition of the maximum traffic flow capacity for the one or more active traffic flow routes and appending a validated traffic flow route from the source location to the destination location to the database. The server 108 generates one or more distributions of traffic flow across the one or more active traffic flow routes and controls concentration of vehicular pollution in a specific route by allowing one or more vehicles on different days.

Gao et al. (US 2016/0343249 A1) discloses methods and devices for processing traffic data. A method may include acquiring a current location of a traveling vehicle. A method may further include, when the current location is not an identified traffic impediment location, monitoring an amount of variation of an impediment parameter when the vehicle is in the current location. A method may further include, when the amount of variation of the impediment parameter exceeds a predetermined range, sending the current location and the amount of variation of the impediment parameter to a traffic data server. Through a method, drivers may in real time learn accurate information about traffic impediments ahead, and may preemptively respond by lowering traveling speeds or bypassing the location.

Yuasa (US 2014/0207369 A1) discloses a remotely located server having a processor and a database of map data, the server in communication with the mobile communication device, the broadcast source of traffic information and the mobile network source of traffic information, the server further including a software program(s) adapted to perform route guidance calculations based on destination information and vehicle location information received from the mobile communication device, to compare traffic information from the broadcast source with traffic information from the mobile network source, to detect a difference there between, and to compare any detected difference to a predetermined difference value; wherein, upon receipt of an initial request for route guidance data, the server is adapted to calculate a route and to transmit the route to the vehicle via the mobile communication device; and wherein, upon receipt of a subsequent request for updated route guidance data from the mobile communication device, the server is adapted to transmit updated route guidance data to the mobile communication device only when a detected difference between traffic information from the broadcast source and traffic information from the mobile network source is determined to exceed the predetermined difference value.







Conclusion

8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932.  The examiner can normally be reached on Mon.-Fri. 9:00 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 






A.G.
February 13, 2021
/ABIY GETACHEW/Primary Examiner, Art Unit 2434