Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
The amended claims 1 – 4, 6 – 11, 13, 14, 40 – 43 and 45 were considered under 35 USC 112 (b, f), 101 (abstract idea) and 103 for patentability over closest and analogous prior arts Compton (US Pub. #: 20190068626, Chesla, Avi (US Pub. #: 20150089566), hereafter Chesla and further in view of Park et al (US Pub. #: 20150113629), hereafter Park have been fully considered and are persuasive. Claims 5, 12, 15 – 39 and 44 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 4, 6 – 11, 13, 14, 40 – 43 and 45 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with William Jacklin (attorney) for filed amended claims on 12-30-2020:

emulate a first threat signaling client, the first threat signaling client to transmit a request to a second threat signaling client of the Internet service provider to establish a secure connection; 	accept first incoming messages conveying information describing distributed denial of service attacks when the first incoming messages are received from the second threat signaling client of the Internet service provider; 	block second incoming messages conveying information describing distributed denial of service attacks when the second incoming messages are not received from the second threat signaling client of the Internet service provider; 	identify the first device based on first information reported in a message received from [[a]] the second threat signaling client of the Internet service provider, the reported first information describing the first distributed denial of service attack, the reported first information including a public Internet protocol address of a source device from which the network traffic associated with the first distributed denial of service attack originates, the source device different from the second threat signaling client of the Internet service provider;second threat signaling client of the Internet service provider to a private Internet protocol address of the first device connected to the local network to identify the first device; and 	transmit second information to notify the second threat signaling client of the Internet service provider when the network traffic associated with the first distributed denial of service attack has been mitigated, at least one of the mitigator or the threat signaling server implemented by circuitry.
2.	(Previously Presented)  The local network router of claim 1, wherein to mitigate the first distributed denial of service attack, the mitigator is to: 	perform deep packet inspection of the network traffic originating from the first device to confirm whether the network traffic is associated with the first distributed denial of service attack, the deep packet inspection based on attack characteristics included in the reported first information; and 	block the network traffic originating from the first device in response to the network traffic being confirmed by the deep packet inspection as being associated with the first distributed denial of service attack.

4.	(Currently Amended)  The local network router of claim 1, wherein the public Internet protocol address is a first public Internet protocol address, the private Internet protocol address is a first private Internet protocol address, and further including memory to store the address translation table, wherein the address translation table is to map, based on network address translation, private network addresses of respective devices connected to the local network to corresponding public network addresses determined for the respective devices connected to the local network, and the threat signaling server is to access the address translation table to identify, based on the first public Internet protocol address and an attack start time included in the reported first information, the first private Internet protocol address of the first device. 
5.	(Cancelled)  
[[5]] 1, wherein the threat signaling server is a first threat signaling server, the second threat signaling client of the Internet service provider is to emulate a second threat signaling server, and the request is to cause the second threat signaling client of the Internet service provider to switch from emulating the second threat signaling server to operating as the second threat signaling client relative to the first threat signaling server.
7.	(Original)  The local network router of claim 1, wherein the threat signaling server is further to report third information to a cloud service, the third information describing the first device and the first distributed denial of service attack.
8.	(Currently Amended)  A non-transitory computer readable storage medium comprising computer readable instructions that, when executed, cause one or more processors of a local network router to at least: 	emulate a first threat signaling client, the first threat signaling client to transmit a request to a second threat signaling client of an Internet service provider to establish a secure connection; 	switch from emulating the first threat signaling client to operating as a threat signaling server to:
accept first incoming messages conveying information describing distributed denial of service attacks when the first incoming messages are received from the second threat signaling client of the Internet service provider; 	block second incoming messages conveying information describing distributed denial of service attacks when the second incoming messages are not received from the second threat signaling client of the Internet service provider;
[[a]] the second threat signaling client of [[an]] the Internet service provider, a first device originating network traffic associated with a first distributed denial of service attack detected by the Internet service provider, the first device connected to a local network, the reported first information describing the first distributed denial of service attack, the reported first information including a public Internet protocol address of a source device from which the network traffic associated with the first distributed denial of service attack originates, the source device different from the second threat signaling client of the Internet service provider;  	access an address translation table to map the public Internet protocol address of the source device included in the reported first information of the message received from the second threat signaling client of the Internet service provider to a private Internet protocol address of the first device connected to the local network to identify the first device;  	mitigate the network traffic associated with the first distributed denial of service attack; and 	transmit second information to notify the second threat signaling client of the Internet service provider when the first distributed denial of service attack has been mitigated.

10.	(Original)  The storage medium of claim 8, wherein to mitigate the network traffic associated with the first distributed denial of service attack, the computer readable instructions, when executed, cause the one or more processors to: 	transmit a request to an administrative client for authorization to block the network traffic originating from the first device; and 	block the network traffic originating from the first device in response to receiving an authorization response from the administrative client.
translation table to identify, based on the first public Internet protocol address and an attack start time included in the reported first information, the first private Internet protocol address of the first device, the address translation table to map, based on network address translation, private network addresses of respective devices connected to the local network to corresponding public network addresses determined for the respective devices connected to the local network.
12.	(Cancelled)  
13.	(Currently Amended)  The storage medium of claim [[12]] 8, wherein the threat signaling server is a first threat signaling server, the second threat signaling client of the Internet service provider is to emulate a second threat signaling server, and the request is to cause the second threat signaling client of the Internet service provider to switch from emulating the second threat signaling server to operating as the second threat signaling client relative to the first threat signaling server.
14.	(Original)  The storage medium of claim 8, wherein the computer readable instructions, when executed, further cause the one or more processors to report third information to a cloud service, the third information describing the first device and the first distributed denial of service attack.
15-39.	(Cancelled) 
emulating, by executing an instruction with at least one processor of a local network router, a first threat signaling client to transmit a request to a second threat signaling client of an Internet service provider to establish a secure connection; 	switching, by executing an instruction with the at least one processor, from emulating the second threat signaling client to operating as a threat signaling server to perform operations including:
accepting first incoming messages conveying information describing distributed denial of service attacks when the first incoming messages are received from the second threat signaling client of the Internet service provider; and 	blocking second incoming messages conveying information describing distributed denial of service attacks when the second incoming messages are not received from the first threat signaling client of the Internet service provider;
identifying, by executing an instruction with the at least one processor [[an]] the Internet service provider, the first device connected to the local network, the identifying of the first device based on first information reported in a message received from [[a]] the second threat signaling client of the Internet service provider, the reported first information describing the first distributed denial of service attack, the reported first information including a public Internet protocol address of a source device from which the network traffic associated with the first distributed denial of service attack originates, the source second threat signaling client of the Internet service provider;  	accessing, by executing an instruction with the at least one processor, an address translation table to map the public Internet protocol address of the source device included in the reported first information of the message received from the second threat signaling client of the Internet service provider to a private Internet protocol address of the first device connected to the local network to identify the first device; 	mitigating, by executing an instruction with the at least one processor, the network traffic associated with the first distributed denial of service attack; and 	transmitting, by executing an instruction with the at least one processor, second information to notify the second threat signaling client of the Internet service provider when the first distributed denial of service attack has been mitigated.
41.	(Previously Presented)  The method of claim 40, wherein the mitigating of the network traffic associated with the first distributed denial of service attack includes: 	performing deep packet inspection of the network traffic originating from the first device to confirm whether the network traffic is associated with the first distributed denial of service attack, the deep packet inspection based on attack characteristics included in the reported first information; and 	blocking the network traffic originating from the first device in response to the network traffic being confirmed by the deep packet inspection as being associated with the first distributed denial of service attack.

43.	(Currently Amended)  The method of claim 40, wherein the public Internet protocol address is a first public Internet protocol address, the private Internet protocol address is a first private Internet protocol address, and the accessing of the address translation table includes accessing the address translation table to identify, based on the first public Internet protocol address and an attack start time included in the reported first information, the private Internet protocol address of the first device, the address translation table to map, based on network address translation, private network addresses of respective devices connected to the local network to corresponding public network addresses determined for the respective devices connected to the local network.
44.	(Cancelled)  
45.	(Currently Amended)  The method of claim [[44]] 40, wherein the threat signaling server is a first threat signaling server, the second threat signaling client of the Internet service provider is to emulate a second threat signaling server, and the request is to cause the second threat signaling client of the Internet service provider to switch from emulating the second threat signaling server to operating as the second threat signaling client relative to the first threat signaling server.


Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Compton teaches [0011, 0052] In an ISP network, the controller may incorporate a mitigation device or module. The controller may be configured to generate a mitigation output signal which is supplied to the peering router adapted to receive the output signal ([0007] indicative of a DDoS attack) from the controller and to perform one or more actions in response thereto for mitigating a (detected) DDoS attack; [0054] The controller, may utilize information ([0045] the ASN associated with the flagged source IP associating a specific ASN with one or more corresponding actions; [0034, Figs. 2 and 4] the detector, is configured to analyze the source IP addresses for the incoming traffic and determine what ASNs are associated with those source IP addresses; [0053] a second mitigation device may be included which is operatively coupled with the ISP network, is configured to receive one or more control signals from the controller, via the router, through the ISP network; [0036] the detector will generate an output indicative of a likelihood of a DDoS attack. This detector output is provided to the controller; ([0006, 0037] a signaling device is configured to identify the Autonomous System Number (ASNs), wherein the ASNs are associated with source IP address, the traffic is originating from the source IP address, sending malicious traffic; [0040] the controller, based on the output received from the detector, may determine that a DDoS attack is occurring and send a message or other control signal to the router instructing the router to handle all traffic from a specified ASN differently from the normal IP traffic, including, but not limited to, rate-limiting the traffic, diverting the traffic to a different path (e.g., by changing the target IP address) for performing DPI or another analysis mechanism on the malicious traffic, discarding  

Further, a second prior art of record Park teaches: [0081-0082] Address Mapping Table (AMT) stores information on a source address of a packet, a converted address of the packet… and associated registered user equipment in mapping relation. Router, by searching through AMT, detects a source address of the received packet, discover user equipment's address mapped to the detected source address. 

Further, a third prior art of record Chesla teaches: [0047, Fig. 3C, S306] traffic from the client is diverted to the security server through the peer and edge network elements respectively. The server performs a JS redirect challenge. An indication that the attack has been mitigated is received at the central controller.
Examiner’s Note: The “at least one of the mitigator or the threat signaling server implemented by circuitry” at the end of claim 1 overcomes the non-statutory issue as it provides hardware support. The “a mitigator to mitigate and a threat signaling server to” invoke the 112(f) and the claim language does have hardware support.
None of the other prior arts of record teach by themselves or in any combination, would have anticipated nor render obvious by combination the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: the distributed DoS (DDoS) attacks are detected using an emulator or a honey pot. The traffic is obtained by a first device from the second device. The server detects a DDoS attack based on the information in the traffic 

Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claims 8 and 40 mutatis mutandis.  Claims 5, 12, 15 – 39 and 44 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2438.