DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4 - 6, 11 - 13 and 18 - 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 4, it is rejected as indefinite. The phrase "the anomalous traffic pattern is not related to the second user equipment" contradicts the preceding statement, which states otherwise. The preceding statement recites "generating a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern." How is it possible that a second filtering rule is generated in connection with the source and the second user equipment, and based on determining the anomalous traffic pattern, yet the anomalous traffic is not related to the second user equipment?
Regarding claim 5, it is rejected as indefinite. The phrase "the anomalous traffic pattern is not related to the second user equipment" contradicts the preceding statement, which states otherwise. The preceding statement recites "generating the filtering rule in connection with the source, the first user equipment, and the second user equipment based on determining the anomalous traffic pattern, wherein the (anomalous traffic pattern is not related) to the second user equipment." How is it possible that the filtering rule is generated in connection with the source, the first and second user equipment, and based on determining the anomalous traffic pattern, yet the anomalous traffic is not related to the second user equipment? The phrase makes the claim unclear, and it is not possible to determine the scope of the claim. Therefore the claim is rejected as indefinite.
Regarding claim 6, it is rejected as indefinite because it is unclear how the second traffic pattern of the user equipment can be further defined when the pattern is not positively required in parent claim 1, thus making the scope of the claim unclear.
Regarding claims 11 and 18, they are rejected on the same rationale as claim 4.
Regarding claims 12 and 19, they are rejected on the same rationale as claim 5.
Regarding claims 13 and 20, they are rejected on the same rationale as claim 6.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3 - 5, 7, 8, 10 - 12, 14, 15, 17 - 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lee et al. (US 20180351993 A1, hereinafter, Lee).
Regarding claim 1, Lee teaches a method comprising:
processing, by a device, a communication between a source and user equipment, wherein the user equipment is one of a plurality of user equipment connected to a network, wherein the user equipment is associated with an entity; ([0009] discloses a router as a device that processes incoming traffic. A source is any external computer that generates traffic directed to an entity's user equipment connected to a network. The router uses ACE engine filter rules to process incoming traffic. [0023] discloses user equipment as protected resources, which include customer servers, such as those hosting public or private websites, web applications, or enterprise resources (i.e. a plurality of user equipment connected to a network). [0025, 0026, 0028, 0032] disclose an entity as a private or public customer that owns and manages its router or firewall, etc., associated with its user equipment, or alternatively a customer that uses a multi-tenant security service center (SOC) to protect its user equipment.)
determining, by the device, that the communication is associated with an anomalous traffic pattern, wherein the anomalous traffic pattern is at least one of: a first traffic pattern of the source, or a second traffic pattern of the user equipment; ([0036] discloses that the system determines which customer host, or preferably destination IP address, the traffic is addressed to (i.e. the device determining a first traffic pattern associated with anomalous traffic of the source).)
implementing, by the device, a provisional blocking of traffic between the source and the plurality of user equipment connected to the network based on determining the anomalous traffic pattern; ([0009] discloses a device that automatically generates recommendations for network router access control entity (ACE) rules that can be used to filter internet traffic (i.e. a first traffic pattern between a source and a plurality of user equipment) and more specifically to block malicious traffic. [0027] … if an attack is detected, one or more of these ACEs can be deployed to filter out the traffic so that the downstream protected resources (i.e. plurality of user equipment) 102 are not burdened by high volumes of attack traffic (i.e. implementing blocking of a first traffic pattern between a source and a plurality of user equipment).)
generating, by the device, a filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern, wherein the filtering rule prescribes that traffic between the source and the user equipment is to be blocked; ([0009] discloses a router (i.e. device) generating an ACE (i.e. a filtering rule) upon determining anomalous traffic, which can be implemented to block malicious traffic (i.e. anomalous traffic between a source and user equipment). [0049] discloses determining anomalous traffic and creating a filtering rule. [0050] FIG. 6 illustrates the operation of the Traffic Modeler 204 in one embodiment. The Traffic Modeler 204 preferably operates on an attack traffic profile to produce a model of the traffic to be blocked.)
transmitting, by the device, a notification to the entity associated with the user equipment, wherein the notification requests that the entity affirm the filtering rule; and ([0010], [0032] disclose that the ACE(s) (filtering rules) can then be deployed automatically or alternatively sent to (i.e. transmitted to) system personnel for review and confirmation. //Examiner remark: system personnel are individuals who perform security tasks on behalf of an entity.)
blocking, by the device, traffic between the source and the user equipment based on the entity affirming the filtering rule. ([0009, 0032] disclose that, based on the entity affirming the filtering rule, the internet traffic between the source and the user equipment is blocked.)
Regarding claim 3, Lee teaches wherein the notification is a first notification, wherein the method further comprises:
monitoring, over a time period, to detect a communication attempt between the source and one of the plurality of user equipment connected to the network; ([0037] At step 306, the parameters are added to the totals for the corresponding destination IP address (i.e. source). Preferably, the Network Traffic Collection component 200 aggregates packet statistics over time intervals. [0038] At step 308, the statistics for a given IP address and time period are stored in a database.)
transmitting a second notification to the entity if the communication attempt is not detected over the time period, wherein the second notification requests that the entity affirm that the filtering rule is to be removed; ([0042] While the ACE Engine 104 uses packet statistics (i.e. packet statistics indicate whether or not a communication attempt has occurred) to determine the appropriate ACE, in some cases the ACE recommendation determination can be augmented referencing the attack signature identifier and/or confidence score of the signature identifier. Further, a human operator can use the attack signature information to confirm the choice of)
and allowing traffic between the source and the user equipment based on the entity affirming that the filtering rule is to be removed. ([0009] In a semi-automated workflow, a security professional in the SOC (security operations center) (i.e. entity affirming the filtering rule) 106 receives and evaluates the recommended ACE in correspondence with statistics from the traffic profiler and accepts/rejects/edits the recommended ACE before it is deployed. //Examiner remark: rejection of a filtering rule is deletion of the rule.)
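The claim 1 and claim 3 workflow mapped above (provisional blocking of a source toward all user equipment, a per-pair filtering rule that the owning entity must affirm, and a removal request once no attempt is seen for a time period), as an added Python illustration that is not code from the application or from the Lee reference; the `Device` class, the `flagged_sources` stand-in for the anomaly determination, and the sample tenant inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class RuleState(Enum):
    PROVISIONAL = "provisional"            # rule generated, entity asked to affirm it
    AFFIRMED = "affirmed"                  # entity affirmed: traffic for the pair is blocked
    REMOVAL_PROPOSED = "removal_proposed"  # idle period elapsed, entity asked to affirm removal
    REMOVED = "removed"                    # entity affirmed removal: traffic allowed again


Key = Tuple[str, str]  # (source, user_equipment)


@dataclass
class FilteringRule:
    source: str
    user_equipment: str
    entity: str
    state: RuleState = RuleState.PROVISIONAL
    last_attempt: int = 0  # time of the last communication attempt seen for this pair


@dataclass
class Device:
    entity_of: Dict[str, str]            # user equipment -> owning entity (constructed inventory)
    flagged_sources: Set[str]            # stand-in for the anomalous-traffic determination
    rules: Dict[Key, FilteringRule] = field(default_factory=dict)
    provisional_block: Set[str] = field(default_factory=set)  # sources blocked toward all UEs
    notifications: List[Tuple[str, str, Key]] = field(default_factory=list)

    def process(self, source: str, ue: str, now: int) -> bool:
        """Process one communication; return True if it is allowed through."""
        key = (source, ue)
        rule = self.rules.get(key)
        if rule is not None:
            rule.last_attempt = now
            # An affirmed removal is the entity's decision, so only that state allows the pair.
            return rule.state is RuleState.REMOVED
        if source in self.provisional_block:
            return False  # provisional block covers the whole plurality of user equipment
        if source not in self.flagged_sources:
            return True
        # Anomalous: provisional block, a rule for this pair, and a notification to the entity.
        self.provisional_block.add(source)
        entity = self.entity_of[ue]
        self.rules[key] = FilteringRule(source, ue, entity, last_attempt=now)
        self.notifications.append((entity, "affirm_rule", key))
        return False

    def decide(self, key: Key, affirm: bool) -> RuleState:
        """Entity answers the first notification; the provisional block is lifted either way."""
        rule = self.rules[key]
        rule.state = RuleState.AFFIRMED if affirm else RuleState.REMOVED
        self.provisional_block.discard(rule.source)
        return rule.state

    def review_idle(self, now: int, period: int) -> List[Key]:
        """Affirmed rules with no attempt during `period` trigger the second notification."""
        proposed = []
        for key, rule in self.rules.items():
            if rule.state is RuleState.AFFIRMED and now - rule.last_attempt >= period:
                rule.state = RuleState.REMOVAL_PROPOSED
                self.notifications.append((rule.entity, "affirm_removal", key))
                proposed.append(key)
        return proposed

    def affirm_removal(self, key: Key) -> RuleState:
        """Entity affirms removal; traffic for the pair is allowed again."""
        rule = self.rules[key]
        rule.state = RuleState.REMOVED
        return rule.state
```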
Regarding claim 4, insofar as the claim language can be understood, Lee teaches wherein the user equipment is first user equipment, the entity is a first entity, the notification is a first notification, and the filtering rule is a first filtering rule, ([0028] discloses that, as a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer (i.e. first entity). For example, each customer destination IP address may be associated with a set of ACEs (i.e. first filtering rule) that are active for that IP address (i.e. first user equipment). [0010, 0032] disclose a first notification sent to the first entity.)
wherein the method further comprises: generating a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern, wherein the anomalous traffic pattern is not related to the second user equipment, ([0028] As a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer. For example, each customer destination IP address may be associated with a set of ACEs that are active for that IP address. In this document, the traffic destined to a particular customer, or particular destination IP address, or other defined category, is referred to as a)
wherein the second filtering rule prescribes that traffic between the source and the second user equipment is to be blocked; ([0009] The methods and systems described herein automatically generate recommendations for network router access control entity (ACE) rules that can be used to filter internet traffic and more specifically to block malicious traffic.)
transmitting a second notification to a second entity associated with the second user equipment, wherein the second entity is different from the first entity, wherein the second notification requests that the second entity affirm the second filtering rule; ([0010], [0032] disclose that the ACE(s) (filtering rules) can then be deployed automatically or alternatively sent to (i.e. transmitted to) system personnel for review and confirmation. //Examiner remark: system personnel are individuals who perform security tasks on behalf of an entity.)
and blocking traffic between the source and the second user equipment based on the second entity affirming the second filtering rule. ([0030] The ACE Engine 104 can be used in a semi-automated workflow or a fully-automated workflow. In a semi-automated workflow, a security professional in the SOC (i.e. entity affirming the filtering rule) 106 receives and evaluates the
Regarding claim 5, insofar as the claim language can be understood, Lee teaches wherein the user equipment is first user equipment, wherein second user equipment, associated with the entity, is connected to the network, ([0028] discloses that, as a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer (i.e. first entity). For example, each customer destination IP address may be associated with a set of ACEs (i.e. first filtering rule) that are active for that IP address (i.e. first user equipment). [0010, 0032] disclose a first notification sent to the first entity. [0023] discloses user equipment as protected resources, which include customer servers, such as those hosting public or private websites, web applications, or enterprise resources (i.e. plurality of user equipment connected to a network).)
wherein generating the filtering rule comprises: generating the filtering rule in connection with the source, the first user equipment, and the second user equipment based on determining the anomalous traffic pattern, wherein the anomalous traffic pattern is not related to the second user equipment, ([0028] As a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer. For example, each customer destination IP address may be associated with a set of ACEs that are active for that IP address. In this document, the traffic destined to a particular customer, or particular destination IP address, or other defined category, is referred to as a "traffic category." [0009] The methods and systems described herein automatically generate)
wherein the filtering rule prescribes that traffic between the source and the first user equipment or the second user equipment is to be blocked. ([0030] The ACE Engine 104 can be used in a semi-automated workflow or a fully-automated workflow. In a semi-automated workflow, a security professional in the SOC (i.e. entity affirming the filtering rule) 106 receives and evaluates the recommended ACE in correspondence with statistics from the traffic profiler and accepts/rejects/edits the recommended ACE before it is deployed. //Examiner remark: if the entity accepts the ACE rule, the traffic will be blocked.)
Regarding claim 7, Lee teaches wherein the notification further requests that the entity select an action that is one or more of: reporting the source to a repository of known sources, reporting the source to a law enforcement agency, reporting the source to a web hosting service, pausing the notification, or placing the source on a whitelist. ([0023] Typically the protected resources 102 include customer servers, such as those hosting public or private websites, web applications, or enterprise resources (i.e. plurality of user equipment connected to a network). [0032] These recommended ACEs can be sent to the SOC 106 (e.g., to be displayed on a user interface and/or alert) so that personnel can review and approve before installing
Regarding claim 8, it is rejected on the same rationale as claim 1.
Regarding claim 10, it is rejected on the same rationale as claim 3.
Regarding claim 11, it is rejected on the same rationale as claim 4.
Regarding claim 12, it is rejected on the same rationale as claim 5.
Regarding claim 14, it is rejected on the same rationale as claim 7.
Regarding claim 15, it is rejected on the same rationale as claim 1.
Regarding claim 17, it is rejected on the same rationale as claim 3.
Regarding claim 18, it is rejected on the same rationale as claim 4.
Regarding claim 19, it is rejected on the same rationale as claim 5.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 20180351993 A1, hereinafter, Lee), and further in view of Jagger, et al. (US 7007302 B1, hereinafter, Jagger).
Regarding claim 2, Lee teaches wherein generating the filtering rule comprises: generating the filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern and the match of the source and the known source. ([0048] A Threat Detection component 510 periodically pulls records (i.e. known sources) from the database 508 and applies one or more triggers or rules to detect threats (i.e. determining anomalous traffic pattern). [0124 - 0150] disclose similarity metrics and the steps used to determine a match between the source and a known source in the database record.)
Lee doesn't explicitly teach comparing information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources, wherein the known source is identified as being a security threat.
Jagger, from an analogous endeavor, teaches comparing information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources, wherein the known source is identified as being a security threat. ([Col 5, lines 44 - 59] At 308, an attempt is made to identify the source of the attack and/or malicious code. If the source is identified, information (if any) about the source is retrieved from a database in operation 310. For example, the information can relate to whether the source is a known threat, i.e., is registered as having been a source of a prior attack. In operation 312, information relating to the attack and/or malicious code is collected at the local location and stored in a database in operation 314. Such information 400 is shown
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Jagger into the teachings of Lee, because the unwanted event may be identified by recognizing a signature, file name, and/or checksum of the malicious code, by recognizing that code is being sent from a source already identified as a known threat, or in any other manner, as taught by Jagger [Col 5, lines 30 - 33]. Combining the teachings of Jagger and Lee would have yielded predictable results to one of ordinary skill in the art, since it is a well-understood technique to use information identifying a known threat source to protect a network from future attacks.
Regarding claims 9 and 16, they are rejected on the same rationale as claim 2.
Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 20180351993 A1, hereinafter, Lee), and further in view of Aziz et al. (US10511614, hereinafter, Aziz).
Regarding claim 6, Lee teaches wherein the user equipment is first user equipment, wherein the first traffic pattern of the source includes a previous communication between the source and a second user equipment of the plurality of user equipment connected to the network, ([0041] In some cases, the Traffic Profiler 202 examines records from across multiple)
Lee doesn't explicitly teach wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered.
Aziz, from an analogous endeavor, teaches wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered. ([Col 13, lines 47 - 67, and Col 14, lines 1 - 23]. //Examiner remark: discloses techniques to detect and mitigate anomalous behavior related to network IP address scanning by a source targeting sequentially numbered IP addresses assigned to user equipment. In this way, an active computer worm using a random IP address scanning technique (e.g., a scan directed computer worm) can randomly select an address in the predetermined address space and can infect the computer worm sensor 105 based on the selected address (e.g., transmitting a network communication containing the computer worm to the selected address). An active computer worm can select an address in the predetermined address space based on a previously generated list of target addresses (e.g., a hit-list directed computer worm) and can infect a computing system 120 located at the selected address.)
Therefore, it would have been obvious to a person having ordinary skill in the art, Jagger and Lee would have yielded predictable results, since the technique of preventing an outside source from scanning network IP addresses to find a potential point of entry for malicious activity into an enterprise network is widely used and well understood by one of ordinary skill in the art. Regarding the limitation "wherein the second traffic pattern of the user equipment includes a plurality of previous communications that do not relate to the source", although considered, it is not examined on the merits because it is directed to an optional step of claim 1, "pattern is at least one of: a first traffic pattern of the source, or a second traffic pattern of the user equipment", and thus is not positively required in order to meet claim 6 in view of the prior art.
Regarding claims 13 and 20, they are rejected on the same rationale as claim 6.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8230505 B1 - Method For Cooperative Intrusion Prevention Through Collaborative Inference
US 9015839 B2 - Identifying Malicious Devices Within A Computer Network
US 9967279 B2 - System And Method Thereof For Creating Programmable Security Decision Engines In A Cyber-security System
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SOLOMON AREGA whose telephone number is (571)272-0122. The examiner can normally be reached on Monday - Friday from 8:30 AM to 5:00 PM (EDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at telephone number (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).


/SOLOMON AREGA/Examiner, Art Unit 4164
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431