DETAILED ACTION
This Office Action is in response to the communication filed on 01/07/2021. 
Claims 1-17 are pending. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's Remarks filed on 01/07/2021 have been fully considered.
The objections to claims 1-2, 5, 7-12, and 14-17 presented in the previous Office action have been withdrawn in view of amendments of the claims. However, note that new issues have been raised in view of the amendments of the claims, see objections and rejections presented below.  
The rejections of claims 1-17 under 35 U.S.C. 101 as directed to a judicial exception without significantly more have been withdrawn upon further consideration of the claims. 
In response to Applicant's arguments on pages 8-10 of Remarks that Marck does not teach the newly added limitation of mitigating at least the DDoS attack in the at least one DDoS attack campaign based on the generated insights information and that Marck teaches away from the invention as claimed, 
In response to Applicant's arguments on page 11 of Remarks regarding claim 14, Examiner respectfully disagrees. In response to Applicant's argument that the references fail to show certain features of Applicant's invention, it is noted that the features upon which Applicant relies (i.e. predicting a subsequent step in a sequence of DDoS attacks) are not recited in the rejected claim. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). That is, the claim does not require "a DDoS attack campaign" to be a sequence of DDoS attacks, in fact, the claim has not provided any special definition for the term "a DDoS attack campaign," thus, using the broadest reasonable interpretation, "a DDoS attack campaign" can be interpreted as an organized DDoS attack. Nevertheless, in view of the amendments of claim 1 which changed the scopes of the claims, this argument is moot in view of the new grounds of rejection presented below. In response to 
Claim Objections
Claims 1, 8, 12, are 14-17 are objected to because of the following informalities:  
"at least the DDoS attack in the at least one DDoS attack campaign" as recited in claims 1, and 16-17 should read "at least the DDoS attack that is part of the at least one DDoS attack campaign."
"the threat insights information include" as recited in claim 8 should read "the threat insights information includes."

"wherein a data source of the plurality data source from which is collected supplementary enrichment data" as recited in claim 12 should read "wherein the at least one of the plurality of data sources."
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
It's unclear whether "the DDoS attack campaign" as recited in claim 2 refers to "at least one DDoS attack campaign" as recited in claim 1, "a past DDoS attack campaign" as recited in claim 2, or some other DDoS attack campaign. For the 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-13, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Marck (US 2016/0205120) in view of Doctor et al. (US 2014/0096251).
Claim 1, Marck teaches: 
A method for generating insights on distributed denial of service (DDoS) attacks, comprising: (e.g. [0016], [0055], [0059], [0008], "FIG. 1 is a flowchart of a method 100 for providing notifications of a DDoS attack to a customer according to embodiments of the present invention")
receiving a plurality of data feeds from a plurality of data sources; (e.g. [0017], "At block 110, a computer system receives an indication that one or more network resources of a customer are under attack. The indication can come from one or more mitigation devices that can provide their data to the system, e.g., in 
processing the plurality of received data feeds to generate data sets; (e.g. [0019], "At block 120, the rate of the attack is monitored to obtain one or more measured rates concerning the attack. For example, the data from the one or more mitigation devices can be parsed and analyzed to find out rates of attack…The data could be transmitted from mitigation devices in a variety of formats. For example, the data could be sent in a variety of formats including XML-based, or in other easily parsed formats")
analyzing the data sets to generate insights information for a DDoS attack that is part of at least one DDoS attack campaign; and (e.g. [0019], "At block 120, the rate of the attack is monitored to obtain one or more measured rates concerning the attack. For example, the data from the one or more mitigation devices can be parsed and analyzed to find out rates of attack" [0020], "At block 130, a quantity is calculated from the one or more measured rates…the quantity is results from a statistical analysis or other computation involving the one or 
based on the generated insights information, causing a mitigator to perform mitigation of at least the DDoS attack in the at least one DDoS attack campaign. (e.g. [0016], "Method 100 can be performed by a mitigation system" [0023], "At block 160, a notification is provided to the customer, where the 
Marck teaches generating data sets and analyzing the data sets (see above) and does not explicitly teach but Doctor teaches generating enriched data sets (e.g. [0031]-[0033], "As data is retrieved by the data retrieval system 310 from the sources, a data formatting system 320 may filter and package the data into a uniform record format for storage. This may be accomplished by passing the received data through a filtering system 321 configured to remove any unwanted enriched data sets (e.g. [0034], "The database 330 may be accessed and modified by a machine learning analysis system 340 …The feature weighting system 342 is configured to assign a weight to each feature in a record that corresponds to a threat associated with that feature (operation 460). [0035], "The reputation algorithm 343 may parse through the weighted features to generate a risk score for each IP address and domain. The reputation algorithm 343 evaluates the features and also may compare new activity to past activity, determining whether a system fits a profile for a malicious IP address or domain").
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Doctor into the invention of Marck. The motivation for such an implementation would be for the purpose of removing an unwanted, malformed, 
Claim 2, Marck-Doctor combination teaches: 
wherein the at least one DDoS attack campaign is any one of: a past DDoS attack campaign, an on-going attack campaign, and a future DDoS attack within the DDoS attack campaign. (e.g. Marck [0017]-[0018], [0022])
Claim 3, Marck-Doctor combination teaches: 
The method of claim 1, wherein the insights information further includes: attack insights providing information about the DDoS attack, wherein the attack insights include attack status indications, attack attributes, and attack attributions. (e.g. Marck [0019]-[0022])
Claim 4, Marck-Doctor combination teaches: 
wherein an attack status indication includes any one of: an attack type, an attack duration, an attack bandwidth, and attack trends over time. (e.g. Marck [0019]-[0022])
Claim 5, Marck-Doctor combination teaches: 
wherein an attack attribute includes any one of: an attack destination, an attack signature, an origin of the DDoS attack within a network, a geographical 
Claim 6, Marck-Doctor combination teaches: 
wherein an attack attribution indicates information about an identity of an attacker executing the DDoS attack. (e.g. Marck [0019]-[0022])
Claim 7, Marck-Doctor combination teaches: 
wherein the insights information further includes: threat insights information about each of the at least one DDoS attack campaign. (e.g. Doctor [0021]-[0023], [0025]).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Doctor into the invention of Marck. The motivation for such an implementation would be for the purpose of identifying infected or distributing computers and taking steps to eliminate, reduce or otherwise mitigate the bad actions (Doctor [0024]).
Claim 9, Marck-Doctor combination teaches: 
the insights information further includes: environment insights providing information about a DDoS attack in an environment perspective. (e.g. Doctor fig. 1, [0012], [0021]-[0023], [0025]).  

Claim 10, Marck-Doctor combination teaches: 
wherein the environment insights include attack insights for attacks and threats with respect to network elements and regions within an environment, (e.g. Doctor [0021]-[0023], [0025]) wherein the environment includes any one of: a router, a switch, a mobile network, a subscriber network, an enterprise network, and a service provider network. (e.g. Doctor fig. 1, [0012]). Same motivation as in claim 9 would apply.
Claim 11, Marck-Doctor combination teaches: 
wherein the received plurality of data feeds include attack events data and supplementary enrichment data. (e.g. Marck [0017])
Claim 12, Marck-Doctor combination teaches: 
wherein the supplementary enrichment data is collected from at least one of the plurality data sources, wherein a data source of the plurality data source 
Claim 13, Marck-Doctor combination teaches: 
wherein the method is performed by an insight generator deployed in a network (e.g. Marck [0016]).
Marck teaches a network (see above) and does not explicitly teach but Doctor teaches a backbone network (e.g. figs. 1, 3, [0012]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Doctor into the invention of Marck. The motivation for such an implementation would be for the purpose of identifying malicious network threats from backbone network traffic data (Doctor [0006]).
Claim 15, Marck-Doctor combination teaches: 
mitigating a next step of the DDoS attack in the DDoS attack campaign based on the generated insights information. (e.g. Marck [0016], [0023], [0034], [0046], [0048])

Claim 17, this claim is directed to a system containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claims 8, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Marck (US 2016/0205120) in view of Doctor et al. (US 2014/0096251) further in view of Mitomo et al. (US 2005/0091513).
Claim 8, Marck-Doctor combination teaches: 
wherein the threat insights information include a set of insights about a sequence of DDoS attacks within each of the at least one DDoS attack campaign, wherein the set of insights include attributes, statuses, attributions, associations, risks, mitigation responses, and combinations thereof. (e.g. Doctor [0021]-[0025], [0027]-[0028]). Same motivation as in claim 7 would apply.
Marck-Doctor combination teaches the DDoS attack campaign (see above) and does not explicitly teach but Mitomo teaches predicted future attacks in a DDoS attack campaign (e.g. [0223], [0225]-[0226]).

Claim 14, Marck-Doctor combination teaches predicting the DDoS attack in the DDoS attack campaign using the generated insights information (e.g. Marck [0012], [0023], [0042]; Doctor fig. 4, [0028], [0035]), and does not explicitly teach but Mitomo teaches predicting a next step of a DDoS attack in a DDoS attack campaign (e.g. [0223], [0225]-[0226]).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Mitomo into the invention of Marck-Doctor combination. The motivation for such an implementation would be for the purpose of enabling stepwise and flexible measures to be selected and taken to prevent the DDoS attacks (Mitomo [0223]).
Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752.  The examiner can normally be reached on M-F 9:00AM -5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.