DETAILED ACTION
This office action is in response to the application filed on 08/09/2019. Claims 1-18 are pending and are examined.	
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151 , or in an application for patent published or deemed published under section 122(b) , in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-4, 6-8, 10-13 and 15-17 are rejected under AIA 35 U.S.C. 102(a)(1) as being unpatentable over Gordy et al. (U.S. Pub. No. 2004/0190547 A1, referred to as Gordy).

Regarding claims 1 and 10, Gordy teaches:
A system for defending a network against one or more cyber-threats (Fig. 1, Items 10, 22, 12; ¶ 0012; Fig. 2, Items 100, 108, 116; ¶ 0045; ¶ 0053, “Generally, intrusion detection system 116 is programmed with various algorithms that enable it to detect certain intrusive activity. For example, intrusion detection system 116 may compare the source material and compare the signatures to a database of known ”), the system comprising:
a network bus that includes a first node and a second node, such that network traffic flows from the first node to the second node (Fig. 2, Items 102, 111, 115; ¶ 0046; ¶ 0047, “Network cable 102 (bus) is connected to a firewall 108. Firewall 108 filters the data packets that are transmitted on communication lines 104 and 106, and controls the data that is permitted to pass between local area network 111 (a node from LAN end) and Internet 115 (a node from Internet end).”); 
an intrusion defense unit connected to the network bus, such that network traffic between the first node and the second node passes through the intrusion defense unit (Fig. 2, Items 102, 111, 115, (108 and 116) (an intrusion defense unit); ¶ 0047, “Network cable 102 is connected to a firewall 108. Firewall 108 filters the data packets that are transmitted on communication lines 104 and 106, and controls the data that is permitted to pass between local area network 111 and Internet 115.”; ¶ 0053, “Intrusion detection system 116 provides an example of when inserting data into the main communication cable 102 may be advantageous. Intrusion detection system monitors the traffic on network cable 102 and determines whether there are indicia indicating that an attempt to breach the security associate with local area network 111 is being made”), wherein when a potential cyber-threat is detected in the network traffic (¶ 0054, “When an intrusion is suspected, intrusion detection system 116 sends device data in the form of one or more data packets (referred herein as “kill packets”) through communication line 128, which are directed by routing node 120 into outgoing communication line 106 to firewall 108”), the intrusion defense unit is configured to engage an associated switch to filter the network traffic until the cyber-threat is neutralized (¶ 0054, “In one embodiment, the kill packets issue TCP session reset commands to the firewall and the server under attack. In another embodiment, the data packets instruct (i.e., reprogram) firewall 108 to place a filter on a specific IP address that appears to be associated with the potential intrusion. That is, the data packets sent from intrusion detection system 116 reprogram firewall 108 to prevent further passage of information coming from the suspected intrusive source (cyber-threat is neutralized)”).

Regarding claims 2 and 11, Gordy teaches all the features of claims 1 and 10, as outlined above.
Gordy further teaches:
wherein the intrusion defense unit is configured to passively monitor the network traffic before the cyber-threat is detected (Fig. 8A, Item 912; ¶ 0136- ¶ 0147, “it will be appreciated that network tap 900 can be operated in a completely passive manner.” “Thus, testing equipment 910 or intrusion detection system 912 may be connected to port 904C through a single cable to operate in a passive manner.”).

Regarding claims 3 and 12, Gordy teaches all the features of claims 1 and 10, as outlined above.
Gordy further teaches:
(Fig. 8A, Item 912; ¶ 0136- ¶ 0147, “it will be appreciated that network tap 900 can be operated in a completely passive manner.” “Thus, testing equipment 910 or intrusion detection system 912 may be connected to port 904C through a single cable to operate in a passive manner.”).

Regarding claims 4 and 13, Gordy teaches all the features of claims 1 and 10, as outlined above.
Gordy further teaches:
wherein the switch is engaged by at least one of a hardware device and computer-implemented instructions (¶ 0054, “When an intrusion is suspected, intrusion detection system 116 (a hardware device) sends device data in the form of one or more data packets (referred herein as “kill packets”) through communication line 128, which are directed by routing node 120 into outgoing communication line 106 to firewall 108”).

Regarding claims 6 and 15, Gordy teaches all the features of claims 1 and 10, as outlined above.
Gordy further teaches:
wherein the cyber-threat is detected based on an anomalous behavior of one or more nodes of the network (¶ 0010, “Intrusion detection systems are network security devices that identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise the network (an anomalous behavior of one or more nodes of the network)”).

Regarding claims 7 and 16, Gordy teaches all the features of claims 1 and 10, as outlined above.
Gordy further teaches:
wherein the cyber-threat is detected based on an anomalous behavior of the network traffic (¶ 0053, “For example, intrusion detection system 116 may compare the source material and compare the signatures to a database of known attack signatures, compare the traffic load to a baseline traffic load, raising a warning if the traffic load exceeds the baseline to indicate increased activity in the communication line, or detect for anomalies in the data flow, for network attacks, hacking, and the like (an anomalous behavior of the network traffic)”).

Regarding claims 8 and 17, Gordy teaches all the features of claims 7 and 16, as outlined above.
Gordy further teaches:
wherein the cyber-threat is detected based on a signature recognition of the anomalous behavior (¶ 0053, “For example, intrusion detection system 116 may compare the source material and compare the signatures to a database of known attack signatures (a signature recognition of the anomalous behavior)”).




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gordy in view of Edwards et al. (U.S. Patent No. 8,874,926 B1, referred to as Edwards).

Regarding claims 5 and 14, Gordy teaches all the features of claims 4 and 13, as outlined above.
Gordy does not explicitly disclose, however Edwards teaches:
wherein the hardware device comprises one or more MOSFETs (Edwards: Fig. 1, Items 133, 140, C3, ls 38-52, “switch 133 is a P-channel metal-oxide-semiconductor field-effect transistor (“MOSFET”). The P-channel MOSFET may be a power-rated MOSFET that is turned ON when sending controller 110 applies a logic low to a gate of the P-channel MOSFET. Switching designs other than the illustrated P-channel MOSFET are possible. When sending controller 110 turns switch 133 ON (enabled), intrusion prevention circuit 140 becomes coupled to communication bus 130. When sending controller 110 turns switch 133 OFF (disabled), intrusion prevention circuit 140 becomes de-coupled to communication bus 130.”).
Gordy teaching by Edwards to have a system, which includes a sending control module, a communication bus, and a receiving control module, wherein communication bus is coupled between the sending control module and the receiving control module, in order for the sending control module to send data on the communication bus, disable the communication bus when threats are detected to increase security (Edwards: Abstract).

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gordy in view of Chesla et al. (U.S. Pub. No. 2004/0250124 A1, referred to as Chesla).

Regarding claims 9 and 18, Gordy teaches all the features of claims 7 and 16, as outlined above.
Gordy does not explicitly disclose, however Chesla teaches:
wherein the anomalous behavior is detected by parsing one or more messages in the network traffic (Chesla: ¶ 0016- ¶ 0017, “In embodiments of the present invention, a dynamic network security system detects and filters malicious traffic entering a protected network.”; ¶ 0031, “For some applications, the traffic entering the network includes User Datagram Protocol (UDP) packets, and the traffic exiting the network includes Internet Control Message Protocol (ICMP) packets (messages in the network traffic)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gordy teaching by Chesla to analyze a (Chesla: ¶ 0046).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408.  The examiner can normally be reached on Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/HASSAN SAADOUN/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435