DETAILED ACTION
1.	This office action is in response to the communication filed on 06/04/2019.
2.	Claims 1-32 are pending.

Notice of Pre-AIA  or AIA  Status
3.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

Claim Objections
5.	Claim(s) 15-16 is/are objected to because of the following informalities:  
Regarding claims 15 and 16: the limitation “DRDoS” needed to be spelled out.
Appropriate correction(s) is/are required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Regarding claim 15: 
The claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because a “computer program product” is not a process, machine, manufacture or composition of matter.  The claimed element, instructions, is non-statutory subject matter.  The specification (e.g., US_PGPUB, para. 24) is silent regarding the meaning of a computer program product. Thus, applying the broadest reasonable interpretation, the claim as a whole permits non-statutory embodiment, i.e. software per se.  
If the written specification supports, amending the claim(s) to comprise a physical device would overcome the rejection.
Appropriate correction is required.

Regarding claims 16-32: 
The claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because a “system” is not a process, machine, manufacture or composition of matter. The claimed element(s), “network device”, “honeypot device”, “filtering module”/“firewall switch device”, and/or “DRDoS firewall module” is/are non-statutory subject matter.  In light of the specification (e.g., US_PGPUB, paras. 81-82), the claimed element(s) is/are hardware and/or software. Thus, applying the broadest reasonable interpretation in light . 
Amending the claim(s) to comprise a physical device would overcome the rejection.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


7.	Claim(s) 1-5, 7-26 and 28-32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla et al. (US 20040250124 A1).
Regarding claim 1:
Chesla discloses a computer-implemented method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack, the method comprising: 
receiving requests at a filtering module (see fig. 2 and para. 128 for a filtering module, e.g. filter 70, filters incoming packets (i.e. requests). Note: see para. 5 for illustration that packets are requests sent to a network); 
operating the filtering module in a normal mode in which the filtering module communicates the requests to a network device and [a honeypot device] in the computer network (see fig. 2 and paras. 120-121 and/or 205 where the filtering module communicates network traffic/packets to a protected network and a statistics module, e.g. stats 64, of a security system comprising several modules and a flood controller in normal operation, e.g. in a detection-only mode, wherein the security system is implemented using hardware and/or software; see para. 117 where a protected network comprises a network element (i.e. network device)); and 
inspecting the requests received at [the honeypot device] to determine if the requests comprise a plurality of attack requests that form part of a DRDoS attack  and, if the requests comprise a plurality of attack requests (see paras. 124-125 where traffic is analyzed and an attack is detected at the statistics module and a fuzzy logic inference (FIS) module; see para. 17 where an attack is a DoS/DDoS attack), configuring the filtering module to operate in a blocking mode in which the filtering module blocks further attack requests from being communicated to the network device while continuing to communicate the further attack requests to the honeypot device, such that the honeypot device can continue to monitor attack requests during the DRDoS attack (see paras. 135-137, 344).
Chesla does not explicitly disclose a honeypot device. However, it would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Chesla's invention by enhancing it for a honeypot device comprising a statistics module, a FIS module and/or a flood controller, in order to combine a statistics module, a FIS module and/or a flood controller into a honeypot device.

Regarding claims 15 and 16:
	See similar rejection to claim 1.

Regarding claims 2 and 23:
Chesla as modified discloses:    
determining if a plurality of requests received at the honeypot device are attack requests by identifying if the plurality of requests each comprise the same source IP address and the same destination port (see paras. 45-46, 73 for packets from a determined source IP address to a defined destination port).

Regarding claims 3 and 24:
Chesla as modified discloses:
grouping the attack requests which comprise the same source IP address and the same destination port into a flow group which corresponds to a DRDoS attack (see paras. 45-46, 264, 266, 280 where packets are grouped into a group of a signature type used for filtering packets participating in an attack based on a determined source IP address and a defined destination port; see para. 17 where an attack is a DoS/DDoS attack).

Regarding claims 4 and 25:
Chesla as modified discloses:
wherein if identifies attack requests having a plurality of different source IP addresses and a plurality of different destination ports, grouping the attack requests into a plurality of flow groups, and configuring the filtering module to operate in a separate blocking mode for each flow group to block the attack requests for each respective flow group from being communicated to the network device (see paras. 45-46, 73, 266, 280 where packets are grouped into several different groups, each group of a different signature type used for filtering packets participating in an attack based on a determined source IP address and a defined destination port; see para. 159 where the filtering module is directed to block packets having determined signature type or types).

Regarding claims 5 and 26:
Chesla as modified discloses:
identifying the subnet of each attack request (see paras. 45-46 where a packet is identified based on a source IP address (i.e. a subnet that sends a packet)) and, 
if identifies that there are a plurality of attack requests corresponding to the same subnetwork, configuring the filtering module to operate in the blocking mode to block all requests corresponding to that subnetwork and the same destination port from being communicated to the network device (see paras. 45-46, 73).

Regarding claims 7 and 28:
Chesla as modified discloses:
configuring the filtering module to operate in the blocking mode if the number of attack requests received at the honeypot device over a first predetermined period of time is above a first predetermined threshold (see paras. 32-33 where traffic/packets is/are blocked when a number of occurrences of the packets, within a certain period of time, is determined to exceed a threshold value).

Regarding claims 8 and 29:
Chesla as modified discloses: 
storing a packet timestamp of each attack request with the same source IP address and the same destination port in a queue (see paras. 45-46, 73 for packets from a determined source IP address to a defined destination port; see paras. 297, 300 for storing an arrival time of a packet in a buffer); 
computing the time difference between the earliest packet timestamp in the queue and the most recent packet timestamp added to the queue (see paras. 300-301 for comparing an arrival time with the previous arrival time stored in a buffer to determine a difference between these arrival times); 
comparing the time difference with the first predetermined period of time and, if the time difference is less than or equal to the first predetermined period of time, identifying the number of packet timestamps in the queue and comparing the number of packet timestamps with the first predetermined threshold (see paras. 297-302 where, when a packet is probably unrelated to an attack if the difference between these arrival times is greater than an oblivion value, i.e. a predetermined period of time, (i.e. a packet is probably related to an attack when the difference ; and 
configuring the filtering module to operate in the blocking mode if the number of packet timestamps is above the first predetermined threshold and the time difference is below the first predetermined period of time (see paras. 33, 297-302; see 329 where the filtering module is configured to block packets related to an attack).

Regarding claims 9 and 30:
Chesla as modified discloses:
monitoring the number of further attack requests received at the honeypot device over a second predetermined period of time and, if the number of further attack requests received at the honeypot device over the second predetermined period of time falls to below a second predetermined threshold, configuring the filtering module to return to the normal mode of operation (see paras. 33, 46 where a number of packets over a period of time is determined to exceed a threshold value, traffic is blocked based on an attack is detected; see paras. 172, 343 where controller transitions back to a detection/detection-only mode/state when an attack has not occurred for a certain period of time and/or a degree of attack is less than a threshold).

Regarding claims 10 and 31:

determining if a plurality of requests received at the honeypot device are attack requests by identifying if the plurality of requests each comprise the same source IP address and the same destination port (see paras. 45-46, 73 for packets from a determined source IP address to a defined destination port); and 
grouping the attack requests which comprise the same source IP address and the same destination port into a flow group which corresponds to a DRDoS attack, wherein if the honeypot device receives a request comprising a source IP address and a destination port matching a flow group (see paras. 45-46, 264, 266, 280 where packets are grouped into a group of a signature type used for filtering packets participating in an attack based on a determined source IP address and a defined destination port; see para. 17 where an attack is a DoS/DDoS attack), the method comprises: 
storing a packet timestamp of the request in a queue for the flow group (see paras. 45-46, 73 for packets from a determined source IP address to a defined destination port; see para. 297 for storing an arrival time of a packet); 
computing the time difference between the earliest packet timestamp in the queue and the most recent packet timestamp added to the queue (see paras. 300-301 for comparing an arrival time with the previous arrival time); 
comparing the time difference with the second predetermined period of time and, if the time difference is equal to or greater than the second predetermined period of time, identifying the number of packet timestamps in the queue and comparing the number of packet timestamps with the second predetermined threshold (see paras. 297-302 where, when a packet is probably unrelated to an attack if the difference between these arrival times is greater than an oblivion value (i.e. a second predetermined period of time), determining whether a counter of number of occurrences exceeds a threshold as a signature of an attack (i.e. when a counter of number of occurrences is below a threshold, a non-attack is indicated); see para. 33 where a number of occurrences of packets is counted within a period of time); and 
if the number of packet timestamps is below the second predetermined threshold and the time difference is above the second predetermined period of time, configuring the filtering module to return to the normal mode of operation (see paras. 33, 297-302; see paras. 172, 343 where controller transitions back to a detection/detection-only mode/state when an attack has not occurred for a certain period of time and/or a degree of attack is less than a threshold).

Regarding claims 11 and 32:
Chesla as modified discloses:
configuring the honeypot device to prevent the honeypot device from enacting attack requests received at the honeypot device when the filtering module is operating in the blocking mode (see fig. 2 and para. 136 where the flood controller directs the filtering module to block certain traffic/packets to a protected network, wherein the statistics module, the FIS module and/or the flood controller do/does not pass traffic/packets to the protected network).

Regarding claims 12 and 17:
Chesla as modified discloses:
generating a firewall rule which, when implemented, configures the filtering module to operate in the blocking mode (see paras. 127-128 where a trapping module (i.e. a DRDoS firewall module) generates a set of rule based on detected attack, wherein the filtering module filters incoming packets based on the generated rules; see para. 46 where filtering includes blocking the traffic participating in the attack).

Regarding claims 13 and 18:
Chesla as modified discloses:
wherein the firewall rule configures the filtering module to perform traffic shaping when the filtering module is operating in the blocking mode (see paras. 128, 136).

Regarding claims 14 and 19:
Chesla as modified discloses:
cancelling the firewall rule to configure the filtering module to return to the normal mode of operation (see para. 140 where the controller makes transitions between states according to predetermined rule(s); see para. 179 where the controller transitions back to detection state when the attack has ceased; see para. 205 where, in a detection mode/state as in normal operation, traffic is not filtered/blocked).


Regarding claim 20:
Chesla as modified discloses:
wherein the filtering module is a module in a software defined networking (SDN) network which comprises an SDN controller module which is coupled for communication with the filtering module (see fig. 2), 
the SDN controller module being operable to configure the filtering module according to firewall rules generated by the DRDoS firewall module (see para. 127 where a trapping module (i.e. a DRDoS firewall module) generates a set of rule based on detected attack; see para. 140 where a controller makes transitions between states according to predetermined rules; and see paras. 137, 149 where the controller directs the filtering module to filtering or stop filtering traffic/packets).

Regarding claim 21:
Chesla as modified discloses:
wherein the filtering module is a firewall switch device which is configured to operate in the blocking mode in response to firewall rules generated by the DRDoS firewall module (see paras. 127-128).

Regarding claim 22:
Chesla as modified discloses:
wherein the filtering module is provided at the edge of the computer network and configured to receive requests from outside the computer network and to communicate the requests to the network device and the honeypot device which are provided within the computer network (see fig. 2).

8.	Claim(s) 6 and 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Mushtaq et al. (US 9430646 B1).
Regarding claims 6 and 27:
Chesla discloses:
performing [deep packet inspection] to identify if the plurality of requests each comprise the same protocol command (see paras. 29, 32, where traffic/packets is/are analyzed based on a certain protocol type to determine a number of the packets of the certain protocol type 50, 59).
Chesla does not, but Mushtaq discloses:
deep packet inspection (see Mushtaq, abstract).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Chesla's invention by enhancing it for deep packet inspection, as taught by Mushtaq, in order to perform a deep packet inspection on a packet (see Mushtaq, abstract).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Ishikawa, US 20080270601 A1, System method and apparatus for service attack detection on a network.

Zhang, US 20160050132 A1, Method and system to dynamically collect statistics of traffic flows in a software-defined networking (sdn) system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2437