Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This communication is in response to Applicant's Amendment filed 12/03/2020.  Applicant has amended claims 1-3, and 15-16 in an earlier claim amendment filed on 11/25/2020.  In the amendment filed on 12/03/2020, Applicant amended claims 2 and 16.  Currently, claims 1-20 are pending in the application.

Response to Amendments
Applicant’s amendments to claims 1 and 15 have been noted.  The claims have been reviewed and entered, and the amendments are found to obviate the previously raised objections.  The objection to claims 1 and 15 is hereby withdrawn.
Applicant’s amendments to claim 15 have been noted.  The claims have been reviewed and entered, and the amendments are found to obviate the previously raised rejection under 35 USC 101.  The rejection of claims 15-20 under 35 USC 101 is hereby withdrawn.
Applicant’s amendments to claims 1-3 and 15-16 have been noted.  The claims have been reviewed and entered, and the amendments are found to obviate the previously raised rejection under 35 USC 112(b).  The rejection of claims 1-3 and 15-16 under 35 USC 112(b) is hereby withdrawn.

Double Patenting
In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1 and 15 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 19 of copending Application No. 16379028.  This is a provisional double patenting rejection since the conflicting claims have not in fact been patented.  Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn towards detecting patterns in network traffic by analyzing the frequency of data within the packets, applying an encoding to the data, and applying a bitwise operation to the encoded data and potential combinations, yielding results that are used by a mitigation device to determine an attack.

Instant Application:
1. A method of detecting patterns in network traffic, the method comprising:
receiving a plurality of packets of network traffic, each packet having data associated with respective fields of a set of fields;
performing a frequency analysis per field of the plurality of packets as a function of frequency of an occurrence of same data in a corresponding field;
selecting top values which are values associated with each field of the set of fields that satisfy a
assigning a bit encoding scheme that uses variable bit encoding to encode each of the top values for each field that has a top value;
encoding into a single value each packet of the plurality of packets based on a bitfield representation that uses the encoding scheme for values associated with each field that has a top value;
storing each potential combination of fields of the set of fields being processed, with all bits set per field when the field is an active field and no bits set when the field is inactive;
performing a bitwise operation on each encoded packet with the stored potential combinations;
sorting results of the bitwise operation based on a number of the active fields and a number of occurrences of each same result of the bitwise operation; and
providing the results of the sorting to a mitigation device for determining whether an attack is underway or for filtering network traffic for mitigating an attack.

16379028:
receiving a plurality of packets of network traffic, each packet having a payload populated with payload data;
selecting payload lengths that occurred most frequently;
for each of the selected payload lengths, generating a pattern template using characters per position of the payload that satisfy frequency criterion;
assigning, a bit encoding scheme for each of the selected payload lengths and its associated pattern template;
encoding into a single value each packet of the plurality of packets that has a payload length equal to any of the selected payload lengths and payload content that matches a pattern template generated for the payload, the single value using the bit encoding scheme for the payload length and the pattern template matched;
storing each potential combination of fields representing the respective payload length and the pattern template, with either all bits set per field when the field is active or no bits set per field when the field is inactive;
performing a bitwise operation on each encoded packet with the stored potential combinations;
storing results of the bitwise operation in a sparse memory array;
sorting the results of the sparse array based on a number of the active fields and a number of occurrences of the respective results of the bitwise operation; and
providing the results of the sorting to a mitigation device as an indication of whether an attack is underway and/or what type of attack is underway.

Notes:
Claim 19
Similar rationale as above
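
The steps recited in claim 1 of the instant application can be followed in a short program. This is an added illustration, not the applicant's implementation or anything taken from either application. The field names, the sample packets, the min_share selection criterion (the claim's own criterion is cut off in the text above) and the choice to count a combination only when every active field holds a top value are all assumptions.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("src_ip", "dst_port", "ttl")          # assumed field set
# Constructed sample traffic: one dominant flow, one smaller flow, one outlier.
PACKETS = ([("10.0.0.5", 53, 64)] * 6 + [("10.0.0.9", 53, 64)] * 3
           + [("192.0.2.7", 443, 128)])

def top_values(packets, min_share=0.25):
    """Per-field frequency analysis; min_share is an assumed selection criterion."""
    tops = []
    for i in range(len(FIELDS)):
        counts = Counter(p[i] for p in packets)
        tops.append([v for v, c in counts.most_common()
                     if c / len(packets) >= min_share])
    return tops

def layout(tops):
    """Variable bit widths: just enough bits per field for its top values (code 0 = other)."""
    shifts, masks, shift = [], [], 0
    for vals in tops:
        width = len(vals).bit_length()
        shifts.append(shift)
        masks.append(((1 << width) - 1) << shift)
        shift += width
    return shifts, masks

def encode(packet, tops, shifts):
    """Pack one packet into a single integer bitfield."""
    value = 0
    for i, vals in enumerate(tops):
        if packet[i] in vals:
            value |= (vals.index(packet[i]) + 1) << shifts[i]
    return value

def detect(packets, min_share=0.25):
    """Return (pattern, count) pairs, most active fields first, then most frequent."""
    tops = top_values(packets, min_share)
    shifts, masks = layout(tops)
    usable = [i for i, m in enumerate(masks) if m]
    # Stored combinations: all bits set for active fields, none for inactive ones.
    combos = [(act, sum(masks[i] for i in act))
              for n in range(1, len(usable) + 1) for act in combinations(usable, n)]
    hits = Counter()
    for enc in (encode(p, tops, shifts) for p in packets):
        for act, mask in combos:
            if all(enc & masks[i] for i in act):   # every active field holds a top value
                hits[(act, enc & mask)] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[0][0]), -kv[1]))
    return [({FIELDS[i]: tops[i][((res & masks[i]) >> shifts[i]) - 1] for i in act}, n)
            for (act, res), n in ranked]
```

The first entry returned by detect(PACKETS) is the most specific recurring pattern, which is the kind of result the claim hands to the mitigation device.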





Allowable Subject Matter
Claims 1-20 would be allowable if they overcome the nonstatutory obviousness-type double patenting rejection set forth in this Office action.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is 571-272-37391787.  The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-37393739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Lizbeth Torres-Diaz/
Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/
Supervisory Patent Examiner, Art Unit 2495


March 6, 2021