Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/2/2021 has been entered. Claims 1, 16, and 20 are amended. Claims 1-10 and 12-20 are pending.
Response to Arguments
Examiner Remarks – 35 USC § 103 – Independent claims 1, 16 and 20
The applicant has amended each independent claim to recite the features of “and send a network traffic log corresponding to a plurality of data packets to the central controller” and “initiating a mitigation action based on the network traffic log and one or more mitigation rules, wherein a determination of whether the received data packet is part of a DDoS attack is based on one or more detection rules”. The examiner contends that applicant now alleges a deficiency on the part of the cited prior art. In view of the newly amended features, the examiner introduces the teachings of prior art reference Gurvich et al. (US Patent Publication No. 2017/0339186) to the record. The examiner 
Examiner Remarks – 35 USC § 103 – Dependent claims 2-10, 12-15 and 17-19
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 10, 12, 13, 15-17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thiele et al. (US Patent Publication No. 2005/0050353 and Thiele hereinafter) in view of Aharoni et al. (US Patent No. 9,350,758 and Aharoni hereinafter) and further in view of Gurvich et al. (US Patent Publication No. 2017/0339186 and Gurvich hereinafter).

As to claims 1, 16 and 20, Thiele teaches a system for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system, the system comprising: 
in operative communication via a network with a central controller, implemented using a second computer system, in the networked computing system (see figure 1),
receive [[a]] one or more data packets from [[a]] the network (i.e., …teaches in figure 2 figure element 98 …receive packets), 

refrain from performing at least one action expected by the source of the data packet (i.e., …teaches in paragraph 0036 the following: “If the current packet matches any of the rules in list 53 (decision 702, yes branch) then program 30 proceeds to step 102 as described above. If not, then the packet is deemed an exploit candidate. Consequently, program 30 sends the current packet (or an identification of the current packet) as an alert to SOC 40 (step 704). SOC 40 can extract the TCP sequence number of the packet from the header (or the identification of the current packet can be the TCP sequence number”). 

Thiele does not expressly teach:

wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.
In this instance the examiner notes the teachings of prior art reference Aharoni. 
With regards to applicant’s claim limitation element of “at least one DDoS honeypot, implemented using a first computer system”, Aharoni teaches in column 4 lines 5-10 the following: “including computerized device 110 (target) acting as a honeypot.”.
With regards to applicant’s claim limitation element of “wherein: the at least one DDoS honeypot is configured to impersonate a legitimate network-based device,”, Aharoni teaches in column 5 lines 55-65 the following: “Actions at the honeypot (i.e., the computerized device 110 shown in FIGS. 1 and 2) may include at step 302, setting up a fake website to be attacked and connecting the fake website to the network 108 with an IP address”.
With regards to applicant’s claim limitation element of “wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rule”, Aharoni teaches in column 5 lines 35-45 the following: “The packet sniffer may obtain the values of the parameters of the attack and send them to a memory location 226 for storage, and to a logic circuit 228 for analysis. The logic circuit 228 may search the memory to determine if the present attack is similar to a previously recorded attack, and may calculate countermeasures to prevent such an attack from occurring.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele with the teachings of Aharoni by including the feature of DDoS Honeypot. Utilizing DDoS Honeypot as taught by Aharoni above allows a system to provide comprehensive attack detection and therefore provides the motivation in this instance to 

The system of Thiele and Aharoni does not expressly teach:
and send a network traffic log corresponding to a plurality of data packets to the central controller; 
and the central controller is configured to initiate a mitigation action based on the network traffic log and one or more mitigation rules.
In this instance the examiner notes the teachings of prior art reference Gurvich. 
With regards to applicant’s claim limitation element of “and send a network traffic log corresponding to a plurality of data packets to the central controller”, Gurvich teaches in paragraph 0039 the following: “Processors 48 may extract from the monitored attack traffic various attack parameters, referred to as Indicators of Compromise (IOCs). Non-limiting examples of IOCs may comprise network IOCs (e.g., attacker IP address and attacker domain name) and attack-related files carried by the attack traffic. In some embodiments, processors 48 also generate attack reports and logs that record the attacks they have detected and analyzed. Processors 48 of honeypots 40 send the IOCs, logs and reports over network 36 to processor 60 of control server 52.”.
With regards to applicant’s claim limitation element of “and the central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules”, Gurvich teaches in paragraph 0042 the following: “processor 60 uses the IOCs to specify security rules and/or reporting rules. A typical blocking rule defines which network traffic should be blocked (e.g., because the traffic characteristics match the IOCs of a detected attack). A typical reporting rule defines which network traffic should be reported (e.g., because the traffic IOCs match the IOCs of a detected attack).”.


As to claims 2 and 17, the system of Thiele teaches the use of a honeypot; however, Thiele does not expressly teach the system of claim 1, wherein the DDoS honeypot performs the determination of whether the one or more received data packets [[is]] are part of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Aharoni. 
Aharoni teaches in column 5 lines 35-45 the following: “The packet sniffer may obtain the values of the parameters of the attack and send them to a memory location 226 for storage, and to a logic circuit 228 for analysis. The logic circuit 228 may search the memory to determine if the present attack is similar to a previously recorded attack, and may calculate countermeasures to prevent such an attack from occurring.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele with the teachings of Aharoni by including the feature of DDoS Honeypot. Utilizing DDoS Honeypot as taught by Aharoni above allows a system to provide comprehensive attack detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Thiele's system will obtain the capability to provide enhanced network security. 

As to claim 3, the system of Thiele teaches the use of a honeypot; however, Thiele does not expressly teach the system of claim 1, wherein the central controller performs [[the]] an additional determination of whether the one or more received data packets are [[is]] part of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Aharoni. 
Aharoni teaches in column 5 lines 35-45 the following: “The packet sniffer may obtain the values of the parameters of the attack and send them to a memory location 226 for storage, and to a logic circuit 228 for analysis. The logic circuit 228 may search the memory to determine if the present attack is similar to a previously recorded attack, and may calculate countermeasures to prevent such an attack from occurring.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele with the teachings of Aharoni by including the feature of DDoS Honeypot. Utilizing DDoS Honeypot as taught by Aharoni above allows a system to provide comprehensive attack detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Thiele's system will obtain the capability to provide enhanced network security. 

As to claim 4, Thiele teaches a system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot is part of the DDoS attack (i.e., …teaches in paragraph 0029 the following: “automatically disregard all the packets in the respective sequence of packets”.).

As to claim 5, the system of Thiele teaches the use of a honeypot; however, Thiele does not expressly teach the system of claim 1, wherein one of the one or more detection rules indicates that any 
In this instance the examiner notes the teachings of prior art reference Aharoni. 
Aharoni teaches in column 5 lines 1-12 the following: “five basic general types of DDoS attack, including consumption of resource attacks. This form of attack may include filling up available communications bandwidth, or filling up available memory space, or consuming processor time. A second general type of DDoS attack disrupts configuration information, such as by changing data packet routing values, which may result in misdirected data. A third general type of attack may disrupt what may be known as state information, such as resetting TCP sessions and losing existing calculation processes. A fourth general type of attack may disrupt some of the physical components of the network communications structure. A fifth general type of attack may obstruct network communications media..”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele with the teachings of Aharoni by including the feature of DDoS Honeypot. Utilizing DDoS Honeypot as taught by Aharoni above allows a system to provide comprehensive attack detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Thiele's system will obtain the capability to provide enhanced network security. 

As to claim 6, the system of Thiele teaches the use of a honeypot; however, Thiele does not expressly teach the system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Aharoni. 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele with the teachings of Aharoni by including the feature of DDoS Honeypot. Utilizing DDoS Honeypot as taught by Aharoni above allows a system to provide comprehensive attack detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Thiele's system will obtain the capability to provide enhanced network security. 

As to claims 8 and 19, Thiele teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the flagged determined source address is to be blocked, discarded, or both (i.e., …teaches in paragraph 0036 the following: “blocking its passage”.).

As to claim 10, Thiele teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that DPI is to be performed on the network traffic from the flagged determined source address (i.e., …teaches in paragraph 0024 the following: “accepts packets only from certain IP protocols, sends packets only to certain ports, accepts packets only from certain IP addresses, denies traffic from 

11. (Cancelled)

As to claim 12, Thiele teaches a system of claim 1, wherein the central controller is further configured to send at least one of the mitigation rules to at least one network device (i.e., …teaches in paragraph 0036 the following: “Then, SOC 40 will notify administrators of firewalls and servers of the new intrusion program and its signature.”.).

As to claim 13, Thiele teaches a system of claim 12, wherein the at least one network device is part of an internet service provider's infrastructure, a hosting provider's infrastructure, or an enterprise's infrastructure (See figure 1).

As to claim 15, Thiele teaches a system of claim 1, wherein the at least one DDoS honeypot is configured to send to the central controller application layer information from a payload of at least one of the data packets indicating a type of query that is being requested (i.e., …teaches in paragraph 0036 the following: “program 30 sends the current packet (or an identification of the current packet) as an alert to SOC 40 (step 704)”.).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Thiele and Aharoni in view of Gurvich as applied to claim 1 above and further in view of Cazares et al. (US Patent Publication No. 2008/0253380 and Cazares hereinafter).

As to claim 7, the system of Thiele, Aharoni and Gurvich teaches network security; however, none of the references expressly teaches the system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the flagged source address is to be rate limited.
In this instance the examiner notes the teachings of prior art reference Cazares.
Cazares teaches in paragraph 006 the following: “A known "Cisco Guard DDOS Mitigation Appliance" function in a router limited the rate of packets from a specific source IP address when that source IP address was thought to be conducting a denial of service attack. The router discarded packets above the specified limit rate. An administrator specified the limit to be applied during a presumed denial of service attack.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele, Aharoni and Gurvich with the teachings of Cazares by including the feature of rate limiting. Utilizing rate limiting as taught by Cazares above allows a system to provide comprehensive DDoS security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Thiele, Aharoni and Gurvich will obtain the capability to provide enhanced DDoS network protection.

Claims 9 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Thiele and Aharoni in view of Gurvich as applied to claim 1 above and further in view of Dousti et al. (US Patent Publication No. 2018/0084005 and Dousti hereinafter).

As to claim 9, the system of Thiele, Aharoni and Gurvich teaches network security; however, none of the references expressly teaches the system of claim 1, wherein one of the one or more mitigation rules 
In this instance the examiner notes the teachings of prior art reference Dousti.
Dousti teaches in paragraph 0028 the following: “Mitigation server 114 filters network traffic directed to targeted computer system 108 when targeted computer system 108 is under a DDoS attack. In the case of a DDoS attack, MRI router 116 advertises a new route for network traffic directed to targeted computer system 108.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele, Aharoni and Gurvich with the teachings of Dousti by including the feature of rate limiting. Utilizing rate limiting as taught by Dousti above allows a system to provide comprehensive DDoS security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Thiele, Aharoni and Gurvich will obtain the capability to provide enhanced DDoS network protection.

As to claim 14, the system of Thiele, Aharoni and Gurvich teaches network security; however, none of the references expressly teaches the system of claim 1, wherein the central controller is further configured to initiate a cancellation of the mitigation action in response to a cessation of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Dousti.
Dousti teaches in paragraph 0041 the following: “Network traffic determined to be associated with the DDoS attack is filtered and discarded. Network traffic determined to be legitimate is forwarded to a router. The router, in turn, forwards the legitimate network traffic to a router associated with the targeted computer system. After the DDoS attack is over, the router associated with the DDoS attack 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele, Aharoni and Gurvich with the teachings of Dousti by including the feature of rate limiting. Utilizing rate limiting as taught by Dousti above allows a system to provide comprehensive DDoS security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Thiele, Aharoni and Gurvich will obtain the capability to provide enhanced DDoS network protection.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Thiele and Aharoni in view of Gurvich as applied to claim 16 above and further in view of Elrod et al. (US Patent No. 8,615,785 and Elrod hereinafter).

As to claim 18, the system of Thiele, Aharoni and Gurvich teaches network security; however, none of the references expressly teaches the method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Elrod.
Elrod teaches in claims 9 and 10 the following: “analyzing the mirrored traffic comprises: measuring a ratio of Transmission Control Protocol (TCP) SYN packets to TCP ACK packets in a network traffic stream; and comparing the measured ratio to a threshold.   10. The method of claim 1, 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thiele, Aharoni and Gurvich with the teachings of Elrod by including the feature of rate analysis. Utilizing rate analysis as taught by Elrod above allows a system to provide comprehensive DDoS security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Thiele, Aharoni and Gurvich will obtain the capability to provide enhanced network security.
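The claim mappings above (the independent claims' honeypot-to-controller traffic log and mitigation rules, and the dependent-claim detection rules: any packet to the honeypot, a volume above a specified threshold rate, a SYN:ACK ratio against a threshold, block/discard, rate limiting, and cancellation on cessation) describe one pipeline. The following is an added illustration of that pipeline in working Python; it is not code from the application or from any cited reference. The traffic log records, the threshold values `RATE_THRESHOLD_PPS` and `SYN_ACK_RATIO_THRESHOLD`, and the rule names are constructed for the example.

```python
"""Honeypot traffic log -> central controller -> mitigation rules.

Added illustration of the detection/mitigation split the claims describe.
Not code from any cited reference; log records and thresholds are constructed.
"""
from collections import Counter, defaultdict

# Constructed honeypot traffic log: (timestamp_ms, source_ip, tcp_flag).
# The honeypot impersonates a web server that no legitimate client should
# contact, so every packet it sees is suspect; the rules below grade how suspect.
TRAFFIC_LOG = (
    [(i * 10, "198.51.100.7", "SYN") for i in range(120)]         # SYN flood: 100 pkts in the first second
    + [(500, "203.0.113.9", "SYN"), (600, "203.0.113.9", "ACK")]  # one complete handshake
    + [(1000 + i * 100, "192.0.2.33", "SYN") for i in range(8)]   # slow SYN-only probe
)
# A later constructed log in which the flood and the probe have stopped.
QUIET_LOG = [(5000, "203.0.113.9", "SYN"), (5100, "203.0.113.9", "ACK")]

# Assumed rule parameters (the claims recite a "specified threshold rate";
# the numbers here are illustrative, not from any reference).
RATE_THRESHOLD_PPS = 50        # claims 6/18: volume above this rate => attack
SYN_ACK_RATIO_THRESHOLD = 3.0  # claim 18 via Elrod: SYN:ACK ratio against a threshold
WINDOW_MS = 1000


def detect(log):
    """Apply the detection rules per source; return {src_ip: [names of rules hit]}."""
    per_src = defaultdict(list)
    for ts_ms, src, flag in log:
        per_src[src].append((ts_ms, flag))
    flagged = {}
    for src, pkts in per_src.items():
        hits = ["any-packet-to-honeypot"]   # claim 4: traffic to the honeypot is never legitimate
        peak = max(Counter(ts // WINDOW_MS for ts, _ in pkts).values())
        if peak * 1000 / WINDOW_MS > RATE_THRESHOLD_PPS:
            hits.append("threshold-rate")   # claims 6/18: packets per window above threshold
        flags = Counter(f for _, f in pkts)
        if flags["SYN"] / max(flags["ACK"], 1) > SYN_ACK_RATIO_THRESHOLD:
            hits.append("syn-ack-ratio")    # Elrod-style half-open ratio check
        flagged[src] = hits
    return flagged


def choose_action(hits):
    """Mitigation rules: map the detection hits to block, rate-limit or report-only."""
    if "threshold-rate" in hits:
        return "block"        # claims 8/19: block or discard traffic from the source
    if "syn-ack-ratio" in hits:
        return "rate-limit"   # claim 7: rate limit traffic from the source
    return "report"           # Gurvich-style reporting rule, no enforcement


class CentralController:
    """Receives honeypot logs, keeps the active mitigations, cancels them on cessation."""

    def __init__(self):
        self.active = {}   # src_ip -> enforced action ("block" / "rate-limit")

    def ingest(self, log):
        """Return the rule changes that would be pushed to a network device (claim 12)."""
        wanted = {src: choose_action(hits) for src, hits in detect(log).items()}
        changes = []
        for src, action in wanted.items():
            if action == "report":
                changes.append((src, "report"))
            elif self.active.get(src) != action:
                self.active[src] = action
                changes.append((src, action))
        # claim 14: a source no longer flagged for enforcement has ceased; cancel its rule.
        for src in list(self.active):
            if wanted.get(src) not in ("block", "rate-limit"):
                del self.active[src]
                changes.append((src, "cancel"))
        return changes


if __name__ == "__main__":
    ctl = CentralController()
    print(ctl.ingest(TRAFFIC_LOG))  # flood blocked, probe rate-limited, handshake reported
    print(ctl.ingest(QUIET_LOG))    # both enforcement rules cancelled
```

Two design points worth noting for a deployment: the "any packet to the honeypot" rule only yields a report here, so a single stray connection to the decoy is recorded but never blocks anyone, while enforcement is reserved for the volumetric and half-open-ratio rules; and cancellation is driven by the absence of the source from the next log rather than by a timer, which is the simplest reading of "in response to a cessation of the DDoS attack".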
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/BRYAN F WRIGHT/               Examiner, Art Unit 2497