Remarks
Claims 1, 2, 5-7, and 10 are pending.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 1/25/2021 have been fully considered but they are not persuasive.
Applicant alleges “that Jain does not disclose or suggest at least the following features of amended claim 1:” and copies in a large portion of the claim.  Applicant then provides Applicant’s understanding of a portion of Jain and alleges “However, Jain does not disclose obtaining such a traffic cyclic variation curve from only one period in which no DDoS attack has happened and that the traffic cyclic variation curve indicates a cyclic change pattern of the predicted traffic.”  Applicant fails to provide any reasons, however, to support this general allegation.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  
To the contrary, Jain performs all of the calculations in claim 1 which make up the traffic cyclic variation curve (e.g., under “wherein the traffic cyclic variation curve is obtained by:”) and this has not been argued by Applicant.  Whether or not the reference 
Applicant’s allegations regarding wild point removal are moot in view of the new ground(s) of rejection provided below.  It is noted that this is simply outlier removal using Tukey’s Box-and-Whiskers plot, which has been known since the 1970s.  
With respect to Applicant’s allegations in the second full paragraph on page 8 of the response, Applicant is incorrect.  Jain discloses calculating Di = |{Si – TEi}| by calculating |Dt-Ft| and then correcting the curve according to THi = TEi + MAX(Di) by changing predictions based on smoothing of the values using |Dt-Ft| which corresponds to MAX(Di) as well as smoothing coefficient y and the other values within the equation in paragraph 154, for example.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5-7, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Jain (U.S. Patent Application Publication 2004/0215976) in view of Stapel (Stapel, Elizabeth, “Box-and-Whisker Plots: Interquartile Ranges and Outliers”, Purplemath, 2/25/2012, pp. 1-3, obtained from https://web.archive.org/web/20120226010508/https://www.purplemath.com/modules/boxwhisk3.htm).
Regarding Claim 1,
Jain discloses a method for DDoS attack detection, comprising:
Obtaining a network traffic at a target moment within a first period by sampling (Exemplary Citations: for example, Abstract, Paragraphs 2, 41, 42, 130-156 and associated figures; obtaining traffic samples, for example);
Determining a predicted traffic at the target moment within the first period by querying a traffic cyclic variation curve, wherein network traffic used for obtaining the traffic cyclic variation curve merely comes from one 
Determining that a DDoS attack exists when the network traffic at the target moment obtained by sampling is greater than the determined predicted traffic (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; intrusive traffic/DDOS attack determined when actual traffic exceeds the estimated forecast, for example);
Determining that no DDoS attack exists when the network traffic at the target moment obtained by sampling is less than or equal to the determined predicted traffic (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; intrusive traffic/DDOS attack not determined when actual traffic does not exceed the estimated forecast, for example);

Obtaining a network traffic Si at n moments within the second period prior to the first period, where i=1, 2, … n, n being a natural number (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures);
Performing a calculation according to equation TEi = αSi-1 + (1-α)TEi-1 to obtain the traffic cyclic variation curve {TEi | i = 1, 2, …, n}, wherein α is a predefined damping coefficient for smoothing in a range of 0 < α < 1, and TEi is the predicted traffic at an i-th moment (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; this equation may correspond to the equation after paragraph 135 in Jain, for example);
Performing a calculation according to equation Di = |{Si – TEi}| to obtain a residual error Di at the i-th moment (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; deviation including calculating |Dt-Ft|, for example); and
Correcting the traffic cyclic variation curve according to equation THi = TEi + MAX(Di) to obtain a corrected traffic cyclic variation curve {THi | i = 1, 2, …, n}, wherein THi is a corrected predicted traffic at the i-th moment (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-
But does not explicitly disclose removing a wild point from the residual errors, wherein the removing a wild point from the residual errors comprises, determining a median Dmed according to Dmed = (Dmax - Dmin)/2, wherein Dmax represents a maximum residual error calculated, and Dmin represents a minimum residual error calculated, obtaining a lower quartile D1 = (Dmed - Dmin)/2, an upper quartile D2 = (Dmax - Dmed)/2, and an interquartile range (IQR) ΔQ = D2 - D1, determining the residual error Di to be a wild point if it falls outside of the range of [D1 – 1.5 ΔQ, D2 + 1.5 ΔQ ]; and removing the wild point from the residual errors.  
Stapel, however, discloses determining a wild point from the residual errors (Exemplary Citations: for example, Pages 1-2; determining outliers and extreme values, for example.  Jain already discusses that the points are residual errors);
Wherein the determining a wild point from the residual errors comprises (Exemplary Citations: for example, Pages 1-2; determining outliers and extreme values, for example):
Determining a median Dmed according to Dmed = (Dmax - Dmin)/2, wherein Dmax represents a maximum residual error calculated, and Dmin represents a minimum residual error calculated (Exemplary Citations: for example, Pages 1-2; median, for example);
D1 = (Dmed - Dmin)/2, an upper quartile D2 = (Dmax - Dmed)/2, and an interquartile range (IQR) ΔQ = D2 - D1 (Exemplary Citations: for example, Pages 1-2; Q1, Q3, IQR, for example); and
Determining the residual error Di to be a wild point if it falls outside of the range of [D1 – 1.5 ΔQ, D2 + 1.5 ΔQ] (Exemplary Citations: for example, Pages 1-2; outliers and extreme values outside of 1.5 x IQR from Q1 and Q3, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the outlier detection techniques of Stapel into the attack detection and prevention system of Jain in order to allow the system to use a well-known method by which to plot values and detect outliers, to ensure that the system adheres to a certain technique when detecting outliers, and/or to provide for additional mechanisms by which to plot and graph data.  
Poghosyan, however, discloses removing a wild point from the residual errors (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; remove outliers, for example.  Jain already discusses that the points are residual errors);
Wherein the removing a wild point from the residual errors comprises (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; remove outliers, for example):
Dmed (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; median, for example);
Obtaining a lower quartile D1 = (Dmed - Dmin)/2, an upper quartile D2 = (Dmax - Dmed)/2, and an interquartile range (IQR) ΔQ = D2 - D1 (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; q0.25 and q0.75, for example);
Determining the residual error Di to be a wild point if it falls outside of the range of [D1 – 1.5 ΔQ, D2 + 1.5 ΔQ] (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; outliers are data points greater than q0.75 + 1.5iqr and lower than q0.25 - 1.5iqr, for example); and
Removing the wild point from the residual errors (Exemplary Citations: for example, Paragraphs 58-67 and associated figures; remove outliers, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the outlier removal techniques of Poghosyan into the attack detection and prevention system of Jain as modified by Stapel in order to allow the system to remove outliers, to ensure that a data set includes only relevant data, and/or to allow for medians and averages to move in determining and removing outliers.  
Regarding Claim 6,

Regarding Claim 2,
Jain as modified by Stapel and Poghosyan discloses the method of claim 1, in addition, Jain discloses that, after the determining a predicted traffic at the moment within the first period by querying a traffic cyclic variation curve, the method further comprises:
Raising the determined predicted traffic when the first period is a traffic increasing period indicated by a predefined timing rule, and/or the target moment is a traffic moment indicated by the timing rule (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; changing thresholds and/or trends within the data, for example); and
Lowering the determined predicted traffic when the first period is a traffic decreasing period indicated by a predefined timing rule, and/or the target moment is a traffic decreasing moment indicated by the timing rule (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; changing thresholds and/or trends within the data, for example).  
Regarding Claim 7,
Claim 7 is an apparatus claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 5,

Determining that the predicted traffic THcur at the target moment tcur corresponds to the predicted traffic THj at the j-th moment in the second period, wherein j = [tcur%(G x n) / G] (Exemplary Citations: for example, Abstract, Paragraphs 2, 130-156 and associated figures; as can be best understood, this appears to simply set the value of cur based on itself (e.g., set as the number of moments in a certain period), for example).  
Regarding Claim 10,
Claim 10 is an apparatus claim that corresponds to method claim 5 and is rejected for the same reasons.  
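The detection scheme discussed in the claim 1 and claim 5 rejections above, as an added Python example that is not part of this Office action, the application, or any cited reference: smoothing of an attack-free baseline, residuals, wild point removal, the corrected curve THi, and the lookup j = [tcur%(G x n) / G]. Assumptions: TE1 is seeded with S1, G is taken to be the number of seconds per sampling slot, the wild points are found with ordinary sample quartiles (Tukey fences as in the Stapel and Poghosyan citations) rather than the Dmax/Dmin expressions recited in the claim, and the baseline values are constructed.

```python
import statistics

# Constructed attack-free baseline (requests/s per slot); 160 is a benign spike.
BASELINE = [100, 104, 100, 104, 100, 160, 100, 104]

def smooth(S, alpha):
    """TE_i = alpha*S_{i-1} + (1-alpha)*TE_{i-1}; TE_1 = S_1 is an assumed seed."""
    TE = [float(S[0])]
    for prev in S[:-1]:
        TE.append(alpha * prev + (1 - alpha) * TE[-1])
    return TE

def drop_wild_points(D):
    """Keep residuals inside the Tukey fences [Q1 - 1.5*IQR, Q3 + 1.5*IQR]."""
    q1, _, q3 = statistics.quantiles(D, n=4, method="inclusive")
    iqr = q3 - q1
    lo, hi = q1 - 1.5 * iqr, q3 + 1.5 * iqr
    return [d for d in D if lo <= d <= hi]

def build_threshold_curve(S, alpha):
    """TH_i = TE_i + MAX(D_i), with MAX taken after wild point removal."""
    TE = smooth(S, alpha)
    D = [abs(s - te) for s, te in zip(S, TE)]   # D_i = |S_i - TE_i|
    margin = max(drop_wild_points(D))
    return [te + margin for te in TE]

def is_attack(TH, t_cur, sample, G):
    """Map t_cur onto slot j of the baseline period, then compare with TH_j."""
    j = (t_cur % (G * len(TH))) // G
    return sample > TH[j]

if __name__ == "__main__":
    TH = build_threshold_curve(BASELINE, alpha=0.5)
    print("corrected curve:", TH)
    for t, s in [(1000, 130), (1000, 131), (1120, 140)]:
        print(t, s, "attack" if is_attack(TH, t, s, G=60) else "ok")
```

Without the wild point step, the single benign spike would set MAX(Di) to 58.75 instead of 30.625 and raise every threshold on the curve by the same amount, which is why outlier handling matters to the sensitivity of this kind of detector.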

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432