DETAILED ACTION
This office action is in response to the application filed on 6/28/2019.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 1/20/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 
Examiner’s Note – Allowable Subject Matter
Claims 6-7 and 16 overcome the prior art, yet remain dependent upon a rejected claim.  The claims would otherwise, be allowable by incorporating the claim limitations into the independent claims along with any intermediate claims as well as to overcome the non-statutory double patenting rejection below.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).  
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to:  
http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claim(s) 1-20 is/are rejected on the grounds of provisional nonstatutory double patenting as being unpatentable over claims 1-20 of claims 1-20 of US Application 16/457,734.
With regard to instant independent claim 1, 12 and 20, said claims are substantively the similar to the corresponding claims of US Application 16/457,734.  Instant independent claim 1, 12 and 20, do not, but in related art, Kwan et al. (US 2018/0084006 A1) ¶ 50-51, 90, 110, 113, 119-121, 125-127, and 129-130 teach calculating with specific granularity a rate limit based on an influx of requests for a given IP address with its user data and based on its geographic region. 
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of the instant claims and Kwan, to modify the dynamic threshold mitigation system of the instant claims to include the method to determine a distributed denial of attack based on their geographic region as taught in Kwan.  The motivation to do so constitutes applying a known technique (i.e., the dynamic threshold mitigation system) to known devices and/or methods (i.e., the method to determine a distributed denial of attack based on their geographic region) ready for improvement to yield predictable results.
Dependent claims are substantially similar to the dependent claims of US Application 16/457,734 as obvious of the instant claims in view of Kwan.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claim(s) 1-5, 8-16, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kwan et al. (US 2018/0084006 A1), in view of Wood (US 2016/0337313 A1). 
Regarding claims 1, 12, and 20, Kwan teaches:
“A method (Kwan, ¶ 71 teaches a processor, memory, and storage medium necessary for storing and executing instructions to perform the method steps), comprising: 	analyzing, by one or more computer systems, application layer data in historical traffic to an online system to determine a historical volume of traffic from an Internet Protocol (IP) address to the online system (Kwan, ¶ 115-116 teaches using historical traffic measurements described earlier in Kwan to determine various dynamic thresholds.  Kwan, ¶ 59-60 and 63 describe measuring application layer traffic where the specific application, user, and source IP address are identified.  Kwan, ¶ 79 gives an example where the targeted computer system are an DNS and HTTP servers, serving client computers); 	calculating, by the one or more computer systems, a rate limit for a set of requests from the IP address to the online system based on the historical volume of traffic from the IP address (Kwan, ¶ 50-51, 90, 110, 113, 119-121, 125-127, and 129-130 teach calculating with specific granularity a rate limit based on an influx of requests for a given IP address with its user data); and 	during a distributed denial-of-service (DDoS) attack, outputting the rate limit for use in blocking a subset of the requests from the IP address to the online system (Kwan, ¶ 52, 90, 93-95, 113, 134, 137, and 150, teaches mitigating a DDOS attack to block subsets of requests based on the granular historical measurements for a given IP address)”.
	Kwan does not, but in related art, Wood teaches:
	“member traffic is generated by members of the online system (Wood, ¶ 78, 81-83, 86, and 93 teach members of a traffic requester group which include a group of users from a given IP utilize a given DNS server)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Kwan and Wood, to modify the dynamic threshold mitigation system of Kwan to include the construct of representing some clients of a given server as a members of a group as taught in Wood.  The motivation to do so constitutes applying a known technique (i.e., the dynamic threshold mitigation system) to known devices and/or methods (i.e., construct of representing some clients of a given server as a members of a group) ready for improvement to yield predictable results. 
 
Regarding claims 2 and 13, Kwan in view of Wood teaches:
“The method of claim 1 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), further comprising: 
detecting the DDoS attack based on an increase in a query rate to the online system (Kwan, ¶ 90, 110 and 113 DNS query attack is detected by measuring the new connections per second to the protected system)”.

Regarding claim 3, Kwan in view of Wood teaches:
“The method of claim 2 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein detecting the DDoS attack comprises: 	estimating the query rate as a queries per second (QPS) for one or more services in the online system (Kwan, ¶ 90, 110 and 113 DNS query attack is detected by measuring the new connections per second to the protected system); and 	detecting the DDoS attack when the QPS exceeds a query rate threshold for the one or more services (Kwan, ¶ 90, 110 and 113 DNS query attack is detected by measuring the new connections per second to the protected system)”.

Regarding claim 4, Kwan in view of Wood teaches:
“The method of claim 2 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein detecting the DDoS attack further comprises: 	determining the query rate threshold based on one or more attributes associated with the one or more services (Kwan, ¶ 112 the bandwidth used in the DNS query attack is measured and it is determined if a threshold is exceeded)”.

Regarding claim 5, Kwan in view of Wood teaches:
“The method of claim 4 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein the one or more attributes comprise at least one of: 	a resource utilization (Kwan, ¶ 112 the bandwidth used in the DNS query attack is measured and it is determined if a threshold is exceeded)”.

Regarding claims 8 and 17, Kwan in view of Wood teaches:
“The method of claim 1 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein calculating the rate limit for the set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address comprises: 	updating the rate limit based on a query rate to the online system after the subset of the requests from the IP address to the online system have been blocked (Kwan, ¶ 83, 86, 150 and 152 discloses dynamically adjusting the mitigation strategy at all times based on changes in the network behavior which would include after a mitigation had been performed)”.

Regarding claims 9 and 18, Kwan in view of Wood teaches:
“The method of claim 1 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein calculating the rate limit for the set of requests from the IP address to the online system based on the historical volume of member traffic from the IP address comprises: 	when the IP address lacks the historical volume of requests from members of the online system, setting the rate limit to a default value (Kwan, ¶ 54, 80, and 168 teaches setting the mitigation strategy to a default value initially)”.

Regarding claims 10 and 19, Kwan in view of Wood teaches: 
The method of claim 1 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), further comprising: 	enforcing the rate limit by blocking the subset of the requests from the IP address at points of presence (PoPs) for the online system (Kwan, ¶ 94, the firewall protecting the protected device performs the mitigation strategy.  Kwan, ¶ 52, 90, 93-95, 113, 134, 137, and 150, teaches mitigating a DDOS attack to block subsets of requests based on the granular historical measurements for a given IP address)”.
Regarding claim 11, Kwan in view of Wood teaches:
“The method of claim 10 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein blocking the subset of requests from the IP address to the online system comprises: 	randomly selecting the subset of the requests from the IP address to the online system to block (Kwan, ¶ 94, the firewall protecting the protected device performs the mitigation strategy including random drop of packets which would necessarily lead to random drops in the higher layer queries.  Kwan, ¶ 52, 90, 93-95, 113, 134, 137, and 150, teaches mitigating a DDOS attack to block subsets of requests based on the granular historical measurements for a given IP address)”.

Regarding claim 14, Kwan in view of Wood teaches:
“The system of claim 13 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein detecting the DDoS attack comprises: estimating the query rate as a queries per second (QPS) for one or more services in the online system (Kwan, ¶ 90, 110 and 113 DNS query attack is detected by measuring the ); 	determining a query rate threshold for the query rate based on one or more attributes associated with the one or more services (Kwan, ¶ 112 the bandwidth used in the DNS query attack is measured and it is determined if a threshold is exceeded); and 	detecting the DDoS attack when the QPS exceeds a query rate threshold for the one or more services (Kwan, ¶ 90, 110 and 113 DNS query attack is detected by measuring the new connections per second to the protected system)”.

Regarding claim 15, Kwan in view of Wood teaches:
“The system of claim 14 (Kwan in view of Wood teaches the limitations of the parent claim as discussed above), wherein the one or more attributes comprise at least one of: a resource utilization (Kwan, ¶ 112 the bandwidth used in the DNS query attack is measured and it is determined if a threshold is exceeded)”.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.

	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435