DETAILED ACTION

1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/12/2021 has been entered.
 
2.	Claims 1-28 are pending.  Claims 1 and 2 are independent and currently amended.  Claims 27 and 28 are new.  Amendments to the claims are accepted.

Allowable Subject Matter
3.	The amended claim 6 is allowed.

Response to Arguments

4.	Applicant's arguments filed on 7/6/2020 have been fully considered; however, they are not persuasive.  
In responding to Applicant's argument that "[Doron] does not show that there are a plurality of cloud computing platforms or that any particular cloud-hosted application is hosted in a plurality of cloud computing platforms" (p. 9 of Applicant's Remarks), Examiners respectfully disagree. As being discussed in the previous Final Rejection, Doron teaches or discloses collecting DoS attack data from the VMs of physical machines 130-m [para. 22 and 33-35]. Doron also teaches or discloses that applications are hosted on the VMs of the physical a plurality of cloud computing platforms”. Therefore, Doron's applications hosted in different network infrastructures (e.g. datacenters, private cloud, public cloud, etc.) are the same as “cloud-hosted applications that are hosted in a plurality of cloud computing platforms”. 

Regarding Applicant's argument "[Doron does not show] that at least two of the cloud computing platforms of the plurality of cloud computing platforms are each provided by a different provider", Examiners respectfully disagree. In the previous Final Rejection, Examiners have acknowledged that Doron does not explicitly disclose this claim limitation. However, Oliveira discloses it as it will be discussed below. 

Regarding Applicant's argument "There is no showing that any application is run across two clouds of different providers which is the net effect of the claim language of the cloud-hosted application is hosted in a plurality of cloud computing platforms taken together with at least two of the cloud computing platforms of the plurality of cloud computing platforms are each provided by a different provider. In other words, while Oliveira mentions multiple cloud providers, they are all independent and provide only their own respective applications to their own respective clients" (p. 10 of Applicant's Remarks), Examiners respectfully disagree. The claim limitation "the cloud-hosted application is hosted in a plurality of cloud computing platforms" only requires that the application is hosted in a cloud which includes a plurality of computer platforms. As being discussed previously, Doron's applications hosted in different network infrastructures (e.g. datacenters, private cloud, public cloud, etc.) are the same as cloud-hosted applications that are hosted in a plurality of cloud computing platforms. Doron does not explicitly teach that at least two of the plurality of platforms in the cloud are each provided by a different provider. Oliveira teaches a network cloud including a plurality of computing platforms each of which is provided by a different provider [col. 1 lines 48-50, col. 3 lines 42-44, col. 4 lines 54-58]. 
Therefore, Doron's teachings of applications hosted in a cloud including different network infrastructures or "computing platforms" when combined with Oliveira's teachings of a plurality of cloud computing platforms each of which is provided by a different provider effectively reads on the claim language of the cloud-hosted application is hosted in a plurality of cloud computing platforms taken together with at least two of the cloud computing platforms of the plurality of cloud computing platforms are each provided by a different provider, as recited in claim 1. 

Applicant also alleged that "telemetry is metrics and not the actual traffic" (p. 11 of Applicant's Remarks). As acknowledged by the Applicants, “the detection tool 160 and/or the controller 101 monitors traffic and detects attacks addressed to the VMs hosted in the physical machines”. In other words, the detection tool 160 and/or the controller 101 detects attacks based on the monitored traffic. Thus, the monitored traffic includes metrics data or "telemetries" that are related to the network's health. Therefore, the traffic being collected for monitoring DoS attacks is “telemetries”, as recited in the amended claim 1. 

In responding to Applicant's argument "the telemetries must be from a plurality of sources deployed in the plurality of cloud computing platforms wherein the collected telemetries relate to behavior of the cloud-hosted application. Doron does not teach or suggest such a plurality as called for in the claim," Examiners respectfully disagree. As being acknowledged by Applicant, Doron's monitored traffic "is from the network elements 102" (p. 12 of Applicant's Remarks). As being discussed previously, datacenters or network infrastructures, e.g. private cloud and public cloud, would be construed as computing platforms. Thus, the network elements being deployed in the private cloud or public cloud are the same as "plurality of sources deployed in the plurality of cloud computing platforms". 

As regarding Applicant's argument “telemetries are not the particular telemetries expressly called for by the claim, namely, the collected telemetries related to behavior of cloud-hosted applications”, Examiners respectfully disagree. As being discussed in the Final Rejection, Doron discloses or teaches that the collected traffic being used for detecting attacks relates to VMs (notice that a VM is a software implementation of a computer [para. 20]). The VM software implementation reads on the claimed “application” which is defined as "software application or software resource executed by a server" (in paragraph 27 of Applicant’s specification) or the guaranteed services, e.g. email service using SMTP transport protocol, provided by the protected objects, e.g. “a VM or a group of VMs” [para. 26 and 52]. Furthermore, the traffic is also related to applications that are using TCP, HTTP, SMTP or ICMP protocol and deployed in the VMs [para. 2, 30 and 52]. Therefore, Doron’s collected traffic relating to the behavior of VMs or email service hosted on the cloud is the same as “the collected telemetries relate to behavior of the cloud-hosted application” as recited in the claim. 
Applicant's arguments with respect to dependent claims 2-5 and 7-26 are moot since Examiners have previously addressed all arguments with respect to claim 1 above. 

In responding to Applicant’s argument “the Office Action fails to identify all of the requirements added by claim 6”, Examiners admit that the previous Final Rejection did not address arguments and limitations recited in claim 6 because Applicant's argument has been found persuasive. Thus, dependent claim 6 would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

New dependent claim 27 is not allowable based on Doron.  As being previously discussed, Doron teaches or discloses that applications or network services are hosted on the VMs of the physical machines in a plurality of datacenters [FIG. 1, para. 2 and 21-22].  The applications or network services are provided to client 140 via cloud networks 100 and 150; therefore, Doron’s application or network services provided via two cloud networks is the same as “the cloud-hosted application is hosted in across a combination of at least two of the plurality of cloud computing platforms” as recited in the new dependent claim 27.

New dependent claim 28 is also not allowable based on Doron.  Doron discloses that suspicious traffic is passed through a scrubbing center, e.g. system 120, for producing ‘clean’ traffic and injecting the clean traffic back to the network [para. 27, 35 and 49].  Thus, the suspicious traffic includes DoS threats [para. 29] and legitimate network traffic; therefore, Doron’s DoS threats derived from the suspicious traffic is the same as “telemetries are only metric data derived from the incoming traffic of the cloud-hosted application but is not the incoming traffic itself” as recited in the new dependent claim 28.  

Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1, 2, 5, 7-11, 13, 15-18, 22, and 25-28 are rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414).
As regarding claim 1, Doron discloses A defense platform for protecting a cloud-hosted application against distributed denial-of-services (DDoS) attacks, wherein the defense platform is deployed out-of-path of incoming traffic of the cloud-hosted application, wherein the cloud-hosted application is hosted in a plurality of cloud computing platforms, comprising: 
a detector [para. 29-30]; 
a mitigator [para. 35 and 49]; and 
a controller [para. 29-30] communicatively connected to the detector and the mitigator; 
wherein the detector is configured to: 
receive telemetries from a plurality of sources deployed in the plurality of cloud computing platforms, wherein the collected telemetries related to behavior of the cloud-hosted application [para. 22 and 33-35; collecting DoS attack data from the VMs of physical machines 130-m]; and 
detect, based on the received telemetries, a potential DDoS attack against the cloud-hosted application [para. 27-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second]; 
wherein, the controller, upon detection of a potential DDoS attack against the cloud hosted application, is configured to: 
divert traffic directed to the cloud-hosted application to the mitigator [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic]; 
cause the mitigator to perform at least one mitigation action to remove malicious traffic from the diverted traffic [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic]; and 
cause injection of clean traffic to at least one of the plurality of cloud computing platforms hosting the cloud-hosted application [para. 27, 35, 44, 49 and 52; sending the cleaned traffic back to the protected object].  
Doron does not explicitly disclose that at least two of the cloud computing platforms of the plurality of cloud computing platforms are each provided by a different provider; however, Oliveira discloses it [col. 1 lines 48-50 and col. 2 lines 42-44; the cloud providers manage infrastructure and platforms].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron’s cloud computing environment to further comprise at least two of the cloud computing platforms of the plurality of cloud computing platforms each of which is provided by a different provider, as disclosed by Oliveira, in order to provide different providers business opportunity for providing cloud computing services.

As regarding claim 2, Doron further discloses The defense platform of claim 1, wherein the detector is further configured to: 
provide a set of rate-based and rate-invariant features based on the collected telemetries [para. 29; determining average number of active connections or an average number of packets received per second based on the DoS attack data]; and 
evaluate each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate the potential DDoS attack against the cloud-hosted application [para. 31-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second].  

As regarding claim 5, Doron further discloses The defense platform of claim 1, further comprising: an application delivery controller (ADC), wherein the ADC is configured to inject the clean traffic back to the at least one of the plurality of cloud computing platforms [para. 27, 35, 44, 49 and 52; sending the cleaned traffic back to the protected object].  

As regarding claim 7, Doron further discloses The defense platform of claim 1, wherein the telemetries received by the detector further include telemetries collected from at least one source deployed in an on-premises datacenter hosting at least one application [para. 3 and 21-22; the protected application VMs can be hosted in a datacenter in various network infrastructures including private and public networks].  

As regarding claim 8, Doron further discloses The defense platform of claim 7, wherein at least one of the plurality of cloud computing platforms is a datacenter [para. 3 and 21-22; the protected application VMs can be hosted in a datacenter in various network infrastructures including private networks].  

As regarding claim 9, Doron further discloses The defense platform of claim 1, wherein the defense platform is integrated in one of the plurality of cloud computing platforms [para. 21 and 27; the security system is deployed in the cloud network].
  
As regarding claim 10, Doron further discloses The defense platform of claim 1, wherein the defense platform is a stand-alone cloud computing platform that does not host the cloud-hosted application [para. 27; the security system is deployed out-of-path].  

As regarding claim 11, Doron further discloses The defense platform of claim 1, wherein the received telemetries include at least one of: a latency, a new transmission control protocol (TCP) connection count, an active TCP connection count, application-layer hypertext transfer protocol (HTTP) methods counts, application-layer verbs counts, application-layer request counts, memory usage, transaction volume, a connection size, a session size, an error rate, a number of HTTP methods requests originating from all end-user devices currently accessing the cloud-hosted application, and a number of processed bytes of HTTP traffic directed to the cloud-hosted application [para. 29; collecting traffic data including average number of active connections or an average number of packets received per second].  

As regarding claim 13, Doron further discloses The defense platform of claim 1, wherein the potential DDoS attack is any one of: a layer-7 flood DDoS attack, and a layer-3 to layer-4 flood DDoS attack [para. 52; the mitigation actions (i.e., traffic diversion and VMs migration) are performed for any type of application layer (e.g., HTTP, SIP, etc.)].  

As regarding claim 15, Doron further discloses The defense platform of claim 1, wherein the potential DDoS attack is a layer-7 slow application-layer DDoS attack [para. 52; the mitigation actions (i.e., traffic diversion and VMs migration) are performed for any type of application layer (e.g., HTTP, SIP, etc.)].  

As regarding claim 16, Doron further discloses The defense platform of claim 15, wherein the set of rate-based and rate-invariant features includes a number of new connections per second, a number of connections per second, and an average connection size [para. 29; average number of active connections].  

As regarding claim 17, Doron further discloses The defense platform of claim 1, wherein at least a portion of the telemetries are received from a plurality of content delivery networks (CDNs), wherein each CDN is deployed in-path between one of the plurality of cloud computing platforms and a plurality of end user devices [FIG. 1 and para. 21, 36, and 49; data traffic is collected from network elements 102].  

As regarding claim 18, Doron further discloses The defense platform of claim 17, wherein the controller is further configured to: cause redirection of traffic directed at each CDN to the defense platform when a potential DDoS attack is determined [para. 27, 35, 36, 44, 49 and 52; diverting suspicious traffic, collected from network elements 102, to a scrubbing center, e.g. system 120, for cleaning the traffic].   

As regarding claim 22, Doron further discloses The defense platform of claim 1, wherein the controller is further configured to terminate the traffic diversion when the potential DDoS attack is terminated [para. 37].  

As regarding claim 25, Doron further discloses The defense platform of claim 1, wherein the defense platform is not among the plurality of cloud computing platforms [para. 27 and 35; the security system is deployed out-of-path].  

As regarding claim 26, Doron further discloses The defense platform of claim 1, wherein the plurality of sources from which the telemetries are received include at least one of: a cloud monitoring platform, an application performance monitoring system, and a source of operating system level telemetries [FIG. 1, para. 2 and 21-22].

As regarding claim 27, Doron further discloses The defense platform of claim 1, wherein the cloud-hosted application is hosted in across a combination of at least two of the plurality of cloud computing platforms [FIG. 1, para. 2 and 21-22; application or network services provided via two cloud networks 100 and 150].

As regarding claim 28, Doron further discloses The defense platform of claim 1, wherein telemetries are only metric data derived from the incoming traffic of the cloud-hosted application but is not the incoming traffic itself [para. 27, 29, 35 and 49; DoS threats derived from the suspicious traffic].

8.	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414) further in view of Xaypanya (US PG Pub. 2014/0215621).
As regarding claim 3, Doron and Oliveira do not disclose that the evaluation of each feature includes comparing a value of the feature to a learned baseline.  However, Xaypanya discloses it [para. 188].  
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s evaluation of each feature to further comprise comparing a value of the feature to a learned baseline, as disclosed by Xaypanya, in order to detect an attack that has historically been known.

9.	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414) further in view of Dickerson (DOI: 10.1109/NAFIPS.2000.877441 - Source: IEEE Xplore).
As regarding claim 4, Doron and Oliveira disclose evaluat[ing] each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate the potential DDoS attack against the cloud-hosted application [Doron para. 31-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second].
Doron and Oliveira do not explicitly disclose that the detector includes a plurality of fuzzy logic inference system (FIS) engines configured to determine a potential DDoS attack based on outputs of the FIS engines.  However, Dickerson discloses it [see Introduction section-The Fuzzy Intrusion Recognition Engine (FIRE) is an IDS that uses fuzzy systems to identify malicious network activity, e.g. DDoS].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s detector to further include fuzzy systems, as disclosed by Dickerson, in order to effectively identify new network attacks [see Introduction section].

10.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414) and further in view of Christenson (US PG Pub. 2011/0010463).
As regarding claim 6, Doron and Oliveira disclose The defense platform of claim 5 as shown above.
Doron and Oliveira do not explicitly disclose that the controller is further configured to: configure the ADC to issue periodic domain name system queries to dynamically learn and update the Internet Protocol address of the cloud-hosted application.  However, Christenson discloses it [abstract para. 8-10 and 51].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s controller to further include the missing claim limitation, as disclosed by Christenson, in order to maintain updated IP addresses of the hosted applications to which clean traffic should be sent.

11.	Claims 12, 14 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414) and further in view of Holloway (US PG Pub. 2014/0109225).
As regarding claim 12, Doron and Oliveira do not explicitly disclose that the received telemetries include at least one of: transmission control protocol (TCP) byte count, TCP packet count, user datagram protocol (UDP) byte count, UDP packet count, Internet control message protocol (ICMP) byte count, ICMP packet count and number of SYN flags.  However, Holloway discloses traffic being monitored including at least UDP packet count [para. 76] and number of SYN [para. 61].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s telemetries to further include UDP packet count or number of SYN, as disclosed by Holloway, as ones of a plurality of alternative parameters based on which DoS attacks are detected [Holloway para. 37].

As regarding claim 14, Doron further discloses the set of rate-based and rate-invariant features directed to the cloud-hosted application [para. 31-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second].  
Doron and Oliveira do not explicitly disclose a rate-based feature of a number of hypertext transfer protocol (HTTP) requests per second (RPS) and a rate-invariant feature of an average size of HTTP requests.  However, Holloway discloses a rate-based feature including a number of hypertext transfer protocol (HTTP) requests per second [para. 33-34; number of HTTP requests per second || para 70; client request metrics including number of GET/POST requests] and a rate-invariant feature including an average size of HTTP requests [para. 37; size of the request].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s rate-based feature to further include a number of hypertext transfer protocol (HTTP) requests per second and Doron’s rate-invariant feature including an average size of HTTP requests, as disclosed by Holloway, as ones of a plurality of alternative features based on which DoS attacks are detected [Holloway para. 37 and 70].

As regarding claim 19, Doron and Oliveira do not explicitly disclose that the traffic direction by the controller includes causing a domain name system (DNS) diversion to the defense platform.  However, Holloway discloses it [para. 31, 50, and 79; changing owner’s authoritative name server(s) to authoritative name server(s) of the protection service].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s controller to further include causing a DNS diversion to a defense data center, as disclosed by Holloway, so that the defense proxy server can provide protection service to registered users [Holloway para. 24 and 30].

As regarding claim 20, Holloway further discloses The defense platform of claim 19, wherein causing the DNS diversion includes dynamically updating at least one CNAME in at least one DNS server in order to redirect traffic to the defense platform [para. 31, 50, and 79; changing owner’s authoritative name server(s) to authoritative name server(s) of the protection service].  

As regarding claim 21, Holloway further discloses The defense platform of claim 19, wherein the controller is further configured to: signal a detected attack to the mitigator when a potential DDoS attack is detected [para. 74; control server 135 of a DoS attack].  



12.	Claims 23 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414) and further in view of Wong (US PG Pub. 2014/0331304).
As regarding claim 23, Doron and Oliveira do not explicitly disclose that the at least one mitigation action includes generating an access control list (ACL) and configuring at least one of the plurality of cloud computing platforms with the generated ACL.  However, Wong discloses it [para. 31; deriving and sending an ACL to the firewall to be used to mitigate malicious traffic].  
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron and Oliveira’s mitigation action to further include generating an ACL, as disclosed by Wong, in order to prevent attacks by blocking traffic from attackers and allowing traffic from legitimate sources [Wong para. 26-27].

As regarding claim 24, Wong further discloses The defense platform of claim 23, wherein the generated ACL only allows traffic from the defense platform [Wong para. 30 and 37; only traffic from the servers on the white list of the ACL is allowed to proceed].  







CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433   

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433