Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 2/24/2021.
The examiner has considered the applicants’ arguments but they are moot in view of the new grounds of rejection presented below, further in view of Mitchell.
All objections and rejections not set forth below have been withdrawn.
Claims 1-14, and 16-20 have been examined.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7-10, 12-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Seufert (“Machine Learning for Automatic Defense against Distributed Denial of Service Attacks”), and further in view of Mitchell (US Patent Number 8,881,281).
Regarding claim 1, Seufert taught a method for DDoS defence in a packet-switched network, the method being performed by a network system the method comprising: measuring a plurality of network parameters in incoming network traffic (Seufert Section IV A 2 for example); ranking the plurality of measured network parameters based on machine learning (Seufert Section IV A 3, Section V A 1 and 2 for example); measuring a subset of the plurality of 
Seufert did not explicitly teach determining a flash crowd event based at least on external media data, the flash crowd event indicating a sudden surge in incoming requests from legitimate users for a predetermined period of time, the flash crowd event having at least one characteristic, or that the determining whether an incoming packet is part of a DDoS attack is also based on the at least one characteristic of the flash crowd event.
Mitchell taught that machine learning systems should take into account many different factors when trying to determine potential abuse, and that external threat feeds, including news and social media sources, can be analyzed to identify waves of legitimate traffic caused by real-world events, and that their geographic area can be used in the weighted determinations of potential abuse (Mitchell Col. 9 Line 48 – Col. 10 Line 41 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Mitchell in the machine learning threat detection system of Seufert by utilizing external threat feed data in analyzing the traffic for DDoS attacks.  This would have been obvious because the person having ordinary skill in the art would have been motivated to reduce false positives based on traffic spikes from major events.
Regarding claim 10, Seufert disclosed a network system for DDoS defence in a packet-switched network, the network system comprising: a processor; and a computer storage medium 
Seufert did not explicitly teach determining a flash crowd event based at least on external media data, the flash crowd event indicating a sudden surge in incoming requests from legitimate users for a predetermined period of time, the flash crowd event having at least one characteristic, or that the determining whether an incoming packet is part of a DDoS attack is also based on the at least one characteristic of the flash crowd event.
Mitchell taught that machine learning systems should take into account many different factors when trying to determine potential abuse, and that external threat feeds, including news and social media sources, can be analyzed to identify waves of legitimate traffic caused by real-world events, and that their geographic area can be used in the weighted determinations of potential abuse (Mitchell Col. 9 Line 48 – Col. 10 Line 41 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Mitchell in the machine learning threat detection system of Seufert by utilizing external threat feed data in analyzing the traffic for DDoS attacks.  This would have been obvious because the person having ordinary skill 

Regarding claim 19, Seufert disclosed a network system for DDoS defence in a packet-switched network, the network system comprising: a measurement manager configured to measure a plurality of network parameters in incoming network traffic, and to measure a subset of the plurality of network parameters in incoming network traffic (Seufert Section IV 2-4); a ranking manager configured to rank the plurality of measured network parameters based on machine learning (Seufert Section IV A 3, Section V A 1 and 2 for example); a determination manager configured to determine whether an incoming network packet is part of a DDoS attack by machine learning of the subset of the plurality of network parameters (Seufert Section IV A 3-4 for example); and a traffic manager configured to block an incoming network packet when the incoming network packet is determined to be part of a DDoS attack (Seufert Section IV A 3-4 for example). 
Seufert did not explicitly teach determining a flash crowd event based at least on external media data, the flash crowd event indicating a sudden surge in incoming requests from legitimate users for a predetermined period of time, the flash crowd event having at least one characteristic, or that the determining whether an incoming packet is part of a DDoS attack is also based on the at least one characteristic of the flash crowd event.
Mitchell taught that machine learning systems should take into account many different factors when trying to determine potential abuse, and that external threat feeds, including news and social media sources, can be analyzed to identify waves of legitimate traffic caused by real-
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Mitchell in the machine learning threat detection system of Seufert by utilizing external threat feed data in analyzing the traffic for DDoS attacks.  This would have been obvious because the person having ordinary skill in the art would have been motivated to reduce false positives based on traffic spikes from major events.

Regarding claim 20, Seufert disclosed a computer storage device storing a computer program for DDoS defence in a packet-switched network, the computer program comprising computer program code which, when run on a processor of a network system in the packet-switched network, causes the network system to: measure a plurality of network parameters in incoming network traffic (Seufert Section IV 2); rank the plurality of measured network parameters based on machine learning (Seufert Section IV A 3, Section V A 1 and 2 for example); measure a subset of the plurality of network parameters in incoming network traffic (Seufert Section IV A 3-4 for example); determine whether an incoming network packet is part of a DDoS attack by machine learning of the subset of the plurality of network parameters (Seufert Section IV A 3-4 for example); and block an incoming network packet when the incoming network packet is determined to be part of a DDoS attack (Seufert Section IV A 3-4 for example).
Seufert did not explicitly teach determining a flash crowd event based at least on external media data, the flash crowd event indicating a sudden surge in incoming requests from legitimate 
Mitchell taught that machine learning systems should take into account many different factors when trying to determine potential abuse, and that external threat feeds, including news and social media sources, can be analyzed to identify waves of legitimate traffic caused by real-world events, and that their geographic area can be used in the weighted determinations of potential abuse (Mitchell Col. 9 Line 48 – Col. 10 Line 41 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Mitchell in the machine learning threat detection system of Seufert by utilizing external threat feed data in analyzing the traffic for DDoS attacks.  This would have been obvious because the person having ordinary skill in the art would have been motivated to reduce false positives based on traffic spikes from major events.


Regarding claims 3 and 12, Seufert and Mitchell taught building a model based on the external media data, wherein the measuring the plurality of network parameters in incoming network traffic further measures one or more external media data parameters, the measuring the subset of the plurality of network parameters in incoming network traffic further measures the one or more external media data parameters, and the determining further determines using the one or more external media data parameters (Seufert Section IV B 3 for example). 

Regarding claims 5 and 14, Seufert and Mitchell taught that the network system comprises an on-demand media platform (Seufert Section V A for example web sites). 
Regarding claims 7 and 16, Seufert and Mitchell taught that the ranking is based on a statistical method (Seufert IV B 2). 
Regarding claims 8 and 17, Seufert and Mitchell taught that the determining is based on rule-based machine learning (Seufert IV A 4). 
Regarding claims 9 and 18, Seufert and Mitchell taught building a model based on a subset of the plurality of network parameter history data and domain linguistic rules (Seufert Section IV B 3-4 for example). 



Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Seufert, and further in view of Barati (“Distributed Denial of Service Detection Using Hybrid Machine Learning Technique”).
Regarding claims 2 and 11, while Seufert and Mitchell taught extracting features from network data and using the features to create filters based on machine learning, Seufert did not explicitly teach evaluating a model based on the subset of the ranked plurality of measured network parameters, and repeating the step of ranking when confidence of performance is below a threshold. 

It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Barati in the machine learning system of Seufert and Mitchell by applying the proposed feature selection model to select the feature set for detecting the attack traffic.  This would have been obvious because the person having ordinary skill in the art would have been motivated to find the best feature set for detecting the attack traffic.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Seufert, and further in view of Lyon (US Patent Application Publication Number 2006/0075084).
While Seufert and Mitchell taught that the attack defense system can be used for protecting various network services, Seufert did not explicitly teach protecting an IPTV framework.
Lyon teaches that IPTV systems, which are IP protocol systems (note that Seufert disclosed specifically using the system for detecting anomalies at the IP level), can be targets of DDoS attacks (Lyon Paragraph 0182 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Lyon in the attack defense system of Seufert by applying the defense system to IPTV platforms.  This would have .

Conclusion
Claims 1-14, and 16-20 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
2005/0249214 taught a DDoS detection system which also would consider addresses of previous normal traffic when differentiating between DDoS traffic and Flash Crowd traffic.
2015/0047042 taught a DDoS detection system which would take into consideration popular/trending topics when differentiating between DDoS traffic and Flash Crowd traffic.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached on Monday-Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491