Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments, see Remarks, filed 04-29-2021, with respect to claim objection have been fully considered and are persuasive in light of new amendments.  The objection is withdrawn. 
Applicant’s arguments states that “proposes to defer resolution of the non-statutory double patenting rejection until the patentable subject matter has been agreed upon”, therefore the rejection is maintained.
Applicant’s arguments with respect to claim(s) under 35 USC 102 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Also, the arguments are primarily based on the new amendments that have been made. With respect to claim 5 and 17 where the client argues that “Leon discusses identifying an IP address from which attacks have originated. As would be apparent to a person of ordinary skill in the art, an IP address is not necessarily useful in identifying a particular network device due, for example, to network address translation. Leon does not, however, disclose or suggest "identifying at least one of the one or more networked devices that are sending the malicious traffic and are potentially infected by the malicious bot. Thus, Leon does not disclose or suggest "identifying at least one of the one or more networked devices that are sending the malicious traffic and are potentially infected by the malicious bot," as recited by Claims 5 and 17, as amended. " The [0033] the nodes independently identifies Internet Protocol (IP) addresses from which one or more attacks on the respective node or attempted intrusions into the respective node have originated, [0063] SIEM identifies rogue wireless devices and detects attack attempts and potential compromises / breaches to the information system. Further, [0038] the lists are in the form of a routing table (an internal address resolution protocol (ARP) routing table i.e., prior translation address is obtained) that the active threat detector uses to compare with the source and/or destination address of incoming packets. The active threat detector is automatically updated each time the third party threat data is received from external sources. The active threat detector is updated once the received third party threat data is approved for use by an administrator. The nodes share such received third party threat data via the private network. Thus, if access to the external sources is severed for one node, that node receives the third party threat data from another node instead (MPEP 2141.02 VI). Irrespective of the usefulness or utility of a concept, the aim of the prosecution is to teach a disclosure of the claimed concept. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. Therefore all the rejections are maintained.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or 
Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 – 12, 14, 15, 17 – 19 and 20 of U.S. Application No. 16416000 in view of Bahl; Pradeep (US Pub. #: 20080189788), hereafter Bahl. 
Instant App. 16235499
Pending App. 16416000
1. A method for detecting and mitigating a malicious bot, comprising the operations of: obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; inspecting network traffic originating on a networked device in search of packets that correspond to the obtained address information; performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information; and responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic.
2. The method of claim 1, wherein the managed router service is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information.
3. The method of claim 1, further comprising generating statistical data and metrics related to the malicious network traffic.
4. The method of claim 3, wherein the generating the statistical data and metrics comprises logging a time of an inspection of the given one of the searched packets, a packet type, a destination address, and a source address.
5. The method of claim 1, further comprising identifying one or more networked devices that are sending the malicious traffic and are potentially infected by the malicious bot.
6. The method of claim 1, further comprising notifying a user associated with the one or more identified devices of the malicious network traffic and a potential existence of the malicious bot.
7. The method of claim 1, wherein a list of malicious addresses is maintained by the managed router service.
8. The method of claim 1, wherein the third-party threat intelligence provider is periodically queried to obtain the address information.
9. The method of claim 1, wherein the address information comprises one or more of a source internet protocol (IP) address and a destination internet protocol (IP) address.
10. The method of claim 1, wherein the managed router service is connected to a cable modem at a customer premises and wherein the inspecting is carried out at the customer premises.
11. The method of claim 1, wherein additional address information is obtained from an owner or user of the networked device or a customer of an internet service provider.
12. The method of claim 1, further comprising soliciting a user associated with the networked device to review and approve a mitigation action before the mitigation action is initiated.
13. The method of claim 1, further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious.
14. The method of claim 13, wherein the deep packet inspection device blocks the given one of the searched packets in response to determining that the packet is malicious.
15. A managed router service system comprising: a memory; and at least one processor coupled to said memory; wherein said managed router service system is configured to perform operations comprising: obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; inspecting network traffic originating on a networked device in search of packets that correspond to the obtained address information; performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information; and responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service, provided by the system, to mitigate the malicious network traffic.
16. The managed router service system of claim 15, wherein the managed router service system is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information.
17. The managed router service system of claim 15, the operations further comprising identifying one or more networked devices that are sending the malicious traffic and are potentially infected by the malicious bot.
18. The managed router service system of claim 15, the operations further comprising notifying a user associated with the one or more identified devices of the malicious network traffic and a potential existence of the malicious bot.
19. The managed router service system of claim 15, the operations further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious.
20. A non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform operations comprising: obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; inspecting network traffic originating on a networked device in search of packets that correspond to the obtained address information; performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information; and responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic.
1. A method for detecting and mitigating a malicious bot, comprising the operations of: obtaining threat information, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic; generating a control list (CL) corresponding to the threat information, the CL describing rules for identifying network flows to be logged in a network log; obtaining the network log identifying the network flows; identifying a suspect network flow identified by both the threat information and the network log; identifying an address corresponding to the suspect network flow; correlating the address with a user identifier; and issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.
3. The method of claim 1, further comprising obtaining the threat information from a third-party threat intelligence provider.
4. The method of claim 1, wherein the threat information comprises one or more of an address, a source or destination port, a protocol, a payload type, a payload size, contents of a payload, identification of a network traffic pattern, a match of the network traffic pattern with known threat signatures, headers or header metadata, a protocol type, a file analysis, frequency of beaconing, and a hash value.
5. The method of claim 4, wherein the address is one of a destination IP address, a source IP address, a command and control IP address, an IP address for a phishing website, a domain name, and a packet signature.
6. The method of claim 1, wherein metadata associated with the processed network traffic is logged in an incident and event reporting system by a cable-modem termination system.
7. The method of claim 1, wherein the notification is issued via an email, postal mail, or an in-browser notification.
8. The method of claim 1, wherein the threat information is a blacklist of IP addresses known or suspected to correspond to malicious network traffic.
9. The method of claim 1, further comprising comparing the threat information and a white list, and removing addresses that are on the white list from the threat information.
10. The method of claim 1, further comprising identifying one or more networked devices that are sending the suspect network flow and are potentially infected by the malicious bot.
11. The method of claim 1, further comprising performing a deep packet inspection on the suspect network flow, identifying one or more corresponding indicators of compromise, and determining if the suspect network flow matches known threat detection signatures.
12. The method of claim 1, further comprising configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device.
14. The method of claim 1, further comprising soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated. 
15. The method of claim 1, further comprising generating statistical data and metrics related to network traffic that is identified as malicious.
17. The method of claim 1, further comprising rerouting a packet to a deep packet inspection device to determine if the packet is malicious. 
18. The method of claim 17, wherein the deep packet inspection device blocks the packet in response to determining that the packet is malicious.
19. A non-transitory computer readable medium comprising computer executable instructions which when executed by a computer performing electronic design analysis cause the computer to perform a method which improves the performance of the computer, the method comprising operations of: obtaining threat information, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic; generating a control list (CL) corresponding to the threat information, the CL describing rules for identifying network flows to be logged in a network log; obtaining the network log identifying the network flows; identifying a suspect network flow identified by both the threat information and the network log; identifying an address corresponding to the suspect network flow; correlating the address with a user identifier; and issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot. 
20. A system for botnet detection and mitigation comprising: a memory; and at least one processor, coupled to said memory, and operative to perform operations comprising: obtaining threat information, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic; generating a control list (CL) corresponding to the threat information, the CL describing rules for identifying network flows to be logged in a network log; obtaining the network log identifying the network flows; identifying a suspect network flow identified by both the threat information and the network log; identifying an address corresponding to the suspect network flow; correlating the address with a user identifier; and issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.


The pending application 16416000 reads on the instant application 16235499 but is silent on generating a control list (CL) corresponding to the threat information, the CL describing rules for identifying network flows to be logged in a network log.
However, the analogous art Bahl teaches generating a control list (CL) corresponding to the threat information, the CL describing rules for identifying network flows to be logged in a network log. ([0032] The network risk level determined dynamically from events and risk scores generated by machines and network infrastructure components that are collected and analyzed at a central server such as a Network Vulnerability Assessment (VA) server; [0073] Access Control Lists (ACLs) with an associated condition of "principal's risk score <=X" where X is a certain value may not work for individuals whose risk score >X; [0092] establishing of a rule from policy on an operating system. A policy is stored in an Active Protective System (APS) service. The APS service creates one or a series of rules based on the policy).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Leon to include the idea of obtaining the user’s approval for a response as taught by Bahl so that the machine self-learns and improves the risk assessment over time as the machine processes more history of actions and subsequent results ([0029]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date 
Claims 1 – 11 and 13 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leon, John (US Pub. #: 20170111328), hereafter Leon and Konda et al (US 20200067974), hereafter Konda.
Claim 1: Leon teaches method for detecting and mitigating a malicious bot, comprising the operations of (Summary): obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; ([0038]  the active threat detector receives third party threat data from external sources comprising updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated);
accessing network traffic originating on a networked device of one or more networked devices [prior to performance of network address translation] in search of packets that correspond to the obtained address information; ([0091-93] the security information and event management (SIEM) inspects outbound data packets, data packets originating from the node to see if the packets contain malicious IP address);
performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information; ([0089] the third party threat data includes lists or ranges of suspicious or malicious IP addresses and the SIEM compares the inbound data packets with these IP addresses to identify suspicious data packets (the SIEM analyzes header of an inbound data packet to see if the header includes a malicious IP address…) and/or checks the threat signatures of packets);
([0062, 89] If a match is found between the inspected IP address and the information received from the third party, the corresponding data packet or packets are dropped and blocked from further entry into the node [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or is destined for the newly identified IP address (i.e., mitigation)).
Leon is silent accessing originating traffic prior to performance of network address translation; on the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices;
However, the analogous art Konda teaches accessing originating traffic prior to performance of network address translation; on the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices; ([0114] the first information identifies a first public network address from which the network traffic associated with the first distributed denial of service attack originates and the identifying of the first device includes accessing an address mapping table to identify, based on the first public network address, a first private network address of the first device, the address mapping table mapping private network addresses of devices connected to the local network to respective public network address associated with the devices, [0057-58] the threat signaling server of the local router uses the received data tuple details to find (look-up) the private (pre-NAT, i.e., prior to translation) source IP address of the infected device in the address translation table of the local router, in NAT flow logs maintained by local router; performs address resolution protocol (ARP) cache lookup using the private (pre-NAT) source IP address of the infected device found using the received data tuple information as input to find the medium access control (MAC) address of the infected device, the threat signaling server of the local router also conveys the DDoS attack details received from the ISP network to the router management cloud service).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Leon to include the idea of accessing pre-NAT traffic and finding MAC address using IP address of infected device as taught by Konda so this helps prevent the DOTS server implemented by the threat signaling server of the local router from being subjected to other DDoS attacks itself ([0046]).
Claim 15: Leon teaches a managed router service system comprising: a memory; and at least one processor coupled to said memory; wherein said managed router service system is configured to perform operations comprising (Summary): obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; accessing network traffic originating on a networked device of one or more networked devices [prior to performance of network address translation] performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information; and responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service, provided by the system, to mitigate the malicious network traffic. ([0038]  the active threat detector receives third party threat data from external sources comprising updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated; [0091-93] the security information and event management (SIEM) inspects outbound data packets, data packets originating from the node to see if the packets contain malicious IP address; [0089] the third party threat data includes lists or ranges of suspicious or malicious IP addresses and the SIEM compares the inbound data packets with these IP addresses to identify suspicious data packets (the SIEM analyzes the header of an inbound data packet to see if the header includes a malicious IP address as a source address or destination address) and/or checks the threat signatures of data packets; ([0062, 89] If a match is found between the inspected IP address and the information received from the third party, the corresponding data packet or packets are dropped and blocked from further entry into the node [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or is destined for the newly identified IP address).
Leon is silent accessing originating traffic prior to performance of network address translation; the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices;
However, the analogous art Konda teaches accessing originating traffic prior to performance of network address translation; the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices; ([0114] the first information identifies a first public network address from which the network traffic associated with the first distributed denial of service attack originates and the identifying of the first device includes accessing an address mapping table to identify, based on the first public network address, a first private network address of the first device, the address mapping table mapping private network addresses of devices connected to the local network to respective public network address associated with the devices, [0057-58] the threat signaling server of the local router uses the received data tuple details to find (look-up) the private (pre-NAT, i.e., prior to translation) source IP address of the infected device in the address translation table of the local router, in NAT flow logs maintained by local router; performs address resolution protocol (ARP) cache lookup using the private (pre-NAT) source IP address of the infected device found using the received data tuple information as input to find the medium access control (MAC) address of the infected device, the threat signaling server of the local router also conveys the DDoS attack details received from the ISP network to the router management cloud service).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Leon to include the idea of accessing pre-NAT traffic and finding MAC address using IP address of infected device as taught by Konda so this helps prevent the DOTS server implemented by the threat signaling server of the local router from being subjected to other DDoS attacks itself ([0046]).
Claim 20: Leon teaches a non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform operations comprising: obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic; accessing network traffic originating on a networked device of one or more networked devices [prior to performance of network address translation] in search of packets that correspond to the obtained address information; performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information, and responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic. ([0038]  the active threat detector receives third party threat data from external sources comprising updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated; [0091-93] the security information and event management (SIEM) inspects outbound data packets, data packets originating from the node to see if the packets contain malicious IP address; [0089] the third party threat data includes lists or ranges of suspicious or malicious IP addresses and the SIEM compares the inbound data packets with these IP addresses to identify suspicious data packets (the SIEM analyzes the header of an inbound data packet to see if the header includes a malicious IP address as a source address or destination address) and/or checks the threat signatures of data packets; ([0062, 89] If a match is found between the inspected IP address and the information received from the third party, the corresponding data packet or packets are dropped and blocked from further entry into the node [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or is destined for the newly identified IP address).
traffic prior to performance of network address translation; the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices;
However, the analogous art Konda teaches accessing originating traffic prior to performance of network address translation; the performance of the check comprising correlating a source media access control address of the accessed network traffic to a specific networked device of the one or more networked devices; ([0114] the first information identifies a first public network address from which the network traffic associated with the first distributed denial of service attack originates and the identifying of the first device includes accessing an address mapping table to identify, based on the first public network address, a first private network address of the first device, the address mapping table mapping private network addresses of devices connected to the local network to respective public network address associated with the devices, [0057-58] the threat signaling server of the local router uses the received data tuple details to find (look-up) the private (pre-NAT, i.e., prior to translation) source IP address of the infected device in the address translation table of the local router, in NAT flow logs maintained by local router; performs address resolution protocol (ARP) cache lookup using the private (pre-NAT) source IP address of the infected device found using the received data tuple information as input to find the medium access control (MAC) address of the infected device, the threat signaling server of the local router also conveys the DDoS attack details received from the ISP network to the router management cloud service).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Leon to include the idea of accessing pre-NAT traffic and finding MAC address using IP address of infected device as taught by [0046]).
Claim 2: the combination of Leon and Konda teaches the method of claim 1, wherein the managed router service is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information. (Leon: [0095] a data packet selected for the first, second, and/or third type of analysis if data packets similar to a received or transmitted data packet were dropped or blocked in the past [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or is destined for the newly identified IP address).
Claim 3: the combination of Leon and Konda teaches the method of claim 1, further comprising generating statistical data and metrics related to the malicious network traffic. (Leon: [0043] the one or more processing servers perform analytics on user data. For example, the one or more processing servers tracks historical data, scheduling data, and/or the like and provide statistical information derived from such data).
Claim 4: the combination of Leon and Konda teaches the method of claim 3, wherein the generating the statistical data and metrics comprises logging a time of an inspection of the given one of the searched packets, a packet type, a destination address, and a source address. (Leon: [0038, 0043] the active threat detector uses the list containing source and/or destination address to compare with the addresses of incoming packets, [0062] The SIEM performs automatic logging of some or all security-related system events, including successful and/or unsuccessful account login events, account management events, object access, policy change, privilege functions, process tracking, and/or system events. The SIEM also performs automatic logging of some or all security-related web-application events, including some or all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, permission changes, remote connections to the SIEM, and/or some or all unauthorized access attempts within a predetermined period of time).
Claim 5: the combination of Leon and Konda teaches the method of claim 1, further comprising identifying at least one of the one or more networked devices that are sending the malicious traffic and are potentially infected by the malicious bot. (Leon: [0033] the nodes independently identifies Internet Protocol (IP) addresses from which one or more attacks on the respective node or attempted intrusions into the respective node have originated, [0063] SIEM identifies rogue wireless devices and detects attack attempts and potential compromises / breaches to the information system).
Claim 6: the combination of Leon and Konda teaches the method of claim [[1]] 5, further comprising notifying a user associated with the at least one of the one or more identified networked devices of the malicious network traffic and a potential existence of the malicious bot. (Leon: [0121] If the node polls the electronic devices directly and determines that an electronic device is operating outside of the defined device attributes and/or global parameters, the node generates an alert or notification to inform the user that the electronic device is operating incorrectly).
Claim 7: the combination of Leon and Konda teaches the method of claim 1, wherein a list of malicious addresses is maintained by the managed router service. (Leon: [0039] third party threat data is in the form of routing tables and/or lists or ranges of suspicious or malicious IP addresses).
Claim 8: the combination of Leon and Konda teaches the method of claim 1, wherein the third-party threat intelligence provider is periodically queried to obtain the address information. (Leon: [0038] the active threat detector periodically receives updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated (by malware analysis software).
Claim 9: the combination of Leon and Konda teaches the method of claim 1, wherein the address information comprises one or more of a source internet protocol (IP) address and a destination internet protocol (IP) address. (Leon: [0038]  The lists are in the form of a routing table [0033] that includes the IP addresses identified as a threat, that the active threat detector uses to compare with the source and/or destination address of incoming packets).
Claim 10: the combination of Leon and Konda teaches the method of claim 1, wherein the managed router service is connected to a cable modem at a customer premises and wherein the accessing is carried out at the customer premises. (Leon: [0029-33, Fig. 1 and 6] The nodes 110A-N can be configured to control user devices, detect inconsistencies in the operation of one or more user devices, store user data, and/or protect stored user data from network-based attacks and can be in a home network. [0053-54] the nodes is/are located so that they are close (in either a geographical or networking sense) to groups of user devices. In such a configuration, a user device is provided access to the node to which it is closest and/or to the node that shares a geographic region with the user device).
Claim 11: the combination of Leon and Konda teaches the method of claim 1, wherein additional address information is obtained from an owner or user of the networked device or a Leon: [0033] A node, transmits a routing table that includes the IP addresses that the node has identified (i.e., additional address info.) as a threat to one or more of the other nodes so that the other nodes update their routing tables accordingly).
Claim 13: the combination of Leon and Konda teaches the method of claim 1, further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious. (Leon: [0092] the third type of analysis is a deeper, more granular analysis… [0095] the SIEM performs the third type of analysis on selected data packets. A data packet is selected for the third type of analysis based on a configuration of the active threat detector and/or the firewall (the components are configured to analyze certain types of data packets, data packets that have a certain source address, etc) based on a received threat alert).
Claim 14: the combination of Leon and Konda teaches the method of claim 13, wherein the deep packet inspection device blocks the given one of the searched packets in response to determining that the packet is malicious. (Leon: [0095] a data packet is selected for the third type of analysis if data packets similar to a received or transmitted data packet were dropped or blocked in the past, [0089] if a match is found, the corresponding data packet or packets are dropped and blocked from further entry into the node 110A).
Claim 16: the combination of Leon and Konda teaches the managed router service system of claim 15, wherein the managed router service system is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information. (Leon: [0095] a data packet selected for the first, second, and/or third type of analysis if data packets similar to a received or transmitted data packet were dropped or blocked in the past [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or is destined for the newly identified IP address).
Claim 17: the combination of Leon and Konda teaches the managed router service system of claim 15, the operations further comprising identifying at least one of the one or more networked devices that are sending the malicious traffic and are potentially infected by [[the]] a malicious bot. (Leon: [0033] the nodes independently identifies Internet Protocol (IP) addresses from which one or more attacks on the respective node or attempted intrusions into the respective node have originated, [0063] SIEM identifies rogue wireless devices and detects attack attempts and potential compromises / breaches to the information system).
Claim 18: the combination of Leon and Konda teaches the managed router service system of claim 15, the operations further comprising notifying a user associated with the at least one of the one or more identified networked devices of the malicious network traffic and a potential existence of the malicious bot. (Leon: [0121] If the node polls the electronic devices directly and determines that an electronic device is operating outside of the defined device attributes and/or global parameters, the node generates an alert or notification to inform the user that the electronic device is operating incorrectly).
Claim 19: the combination of Leon and Konda teaches the managed router service system of claim 15, the operations further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious. (Leon: [0092] the third type of analysis is a deeper, more granular analysis… [0095] the SIEM performs the third type of analysis on selected data packets. A data packet is selected for the third type of analysis based on a configuration of the active threat detector and/or the firewall (the components are configured to analyze certain types of data packets, data packets that have a certain source address, etc) based on a received threat alert).
Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leon and Konda as applied to claims above, and further in view of Bahl, Pradeep (US Pub. #: 20080189788), hereafter Bahl.
Claim 12: the combination of Leon and Konda teaches the method of claim 1, but is silent on further comprising soliciting a user associated with the networked device to review and approve a mitigation action before the mitigation action is initiated.
However, the analogous art Bahl teaches soliciting a user associated with the networked device to review and approve a mitigation action before the mitigation action is initiated. ([0067] In alerting the user, the machine informs the user of the new risk level and ask the user to confirm the triggering of specific mitigating actions).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Leon and Konda to include the idea of obtaining the user’s approval for a response as taught by Bahl so that the machine self-learns and improves the risk assessment over time as the machine processes more history of actions and subsequent results ([0029]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2438