United States Patent and Trademark Office    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov

BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/415,749
Filing Date: 17 May 2019
Appellant(s): Lin et al.



__________________
Gayatry S. Nair Registration No. 70,812
For Appellant


EXAMINER’S ANSWER

This is in response to the appeal brief filed March 11, 2021 appealing from the Office action mailed August 14, 2020.

(1) Grounds of Rejection to be Reviewed on Appeal

Every ground of rejection set forth in the Office action dated 08/14/2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”



Allowable Subject Matter
1.1	Claims 4, 10, and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.



Double Patenting Rejection
1.2	Claims 1-4, 7-10, 13-16 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-4 and 11-15 of Patent 10313375 (application 15/160158).  

Claims 1-4, 7-10, and 13-16:
Claims 1-4, 7-10, 13-16 have similar limitations as in claims 1-4 and 11-15 of Patent 10313375 (application 15/160158).  Although the conflicting claims are not identical, they are not patentably distinct from each other because both applications

This is an obviousness-type double patenting rejection because the conflicting claims have in fact been patented.


1.3	Claims 1-3, 5-9, 11-15, 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Onoda (US 2013/0254891 A1, publish date 09/26/2013) in view of Narayanaswamy et al. (EP 2293513 A1, publish date 03/09/2011) further in view of Lehane et al. (GB 2418563 A, publish date 03/28/2006).

With respect to claims 1, 7, 13, Onoda discloses a malicious attack detection method/apparatus/system applied in a software-defined network (SDN), comprising:
a memory configured to store instructions; and a processor coupled to the memory and configured to execute the instructions to cause the processor (a program stored in a storage device and executed by a computer, 0021) to be configured to:
a switch; and a controller coupled to the switch (see Abstract and Claim 1, “a controller switch configured to execute the received packet”) and comprising:
performed by a controller (see Abstract and Claim 1, “a controller switch configured to execute the received packet”) of a software-defined network (SDN), comprising:

data transfer protocol may be set as the rule");
determine/ing that a destination host of the data packet does not exist in the SDN (The address spoofing detecting section 21 uses the received transmission source address information 60 (the combination of the MAC address and the IP address) … If the address spoofing detecting section 21 cannot specify the virtual machine 31 corresponding to the received transmission source address information 60 as the result of the retrieval of the VM database 24, namely, if the interface information (the MAC address 122 and the IP address 123) coincident with the combination of the transmission source MAC address 61 and the target IP address 62 (the transmission source IP address 65) does not exist in the VM database 24, the address is judged to be spoofed … instructs the flow controlling section 22 to discard the packet coincident with the header information of the first packet, which is judged to be the address spoofing, without allowing the packet transfer, 0064);  
receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch (See Para [0164] as “obtain information of the virtual machine (the transmission source information 7) with the PacketIN as a trigger”) (0098-0100, “the address spoofing detecting section 21 obtains the VM name 71: "VM-B (UUID-B)", the interface name: "IP-c", the MAC address 72: "MAC-c", and the port name 73: "Port-C"… The address spoofing detecting section 21, since judging that there is no spoofing as the result of all of the address spoofing verifications, judges that

Onoda does not disclose receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch; determine/ing whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count as claimed.

However, Narayanaswamy et al. teaches “Any network security device may be configured to implement the techniques of this disclosure” (0008),
receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch (See Claim 1 as “determining that a parameter associated with the monitored network connections exceeds a connection threshold”) (0087, “Attack detection module 52 compares active connections and/or connection requests for each of nodes 8 to connections threshold 54 (102) to determine whether the number of connections and/or rate at which connection requests are received for a particular one of nodes 8, such as node 8A, exceed limits defined by connections
determine/ing whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count (See Claim 4 as “one datagram to identify a traffic pattern or flow state indicative of the malicious attack”).

Onoda and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of packet switch network connections.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Narayanaswamy et al. in Onoda for receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch; determine/ing whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count as claimed for purposes of improving the network switch system of Onoda by enhancing prevention of attacks in computer networks (see Narayanaswamy et al. 0001).  

Neither Onoda nor Narayanaswamy et al. discloses send/ing an abnormal flow entry comprising a source host identifier of the data packet to the switch as claimed.

However, Lehane et al. teaches “the master 118 is also a networked computer, such as a PC. The master 118 executes a controlling software application that is capable of communicating with the first, second, third and fourth slave computers 110, 112, 114, 116 in order to control malicious attacks implemented by the slave computers 110, 112, 114, 116, for example the malicious attack on the target server 108” (0047), 
send/ing an abnormal flow entry comprising a source host identifier of the data packet to the switch (See Para [0062] as “the malicious packets sent from the slaves computers”) (detection of suspicious packet flows by the flow dynamics unit 310, 0066); 
receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch (malicious packets sent from the slaves computers …. Converge on the target server 108 … target-nearest routers 128, 130, 132 experience a higher level of received traffic that the source-nearest routers … routers 102 of differing distances from the target server 108 will respectively receive differing quantities of malicious packets. In this respect, a small number of suspicious packets received by a router 102 does not give a high degree of confidence that a malicious attack is in progress, whereas a much higher number of suspicious packets would be far more telling” (0062-0063).  

Onoda, Narayanaswamy et al., and Lehane et al. are analogous art because they are from the same field of endeavor of packet switch network connections.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Lehane et al. in Onoda and Narayanaswamy et al. for send/ing an abnormal flow entry comprising a source host identifier of the data packet to the switch; receiver (receive/ing) a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch as claimed for purposes of improving the network switch system of Onoda by enhancing the detection of malicious attacks in computer networks (see Lehane et al. 0001).  


With respect to claims 2, 8, 14, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claims 1, 7, 13, as addressed. 

Narayanaswamy et al. teaches wherein determining whether the malicious attack is initiated comprises determining whether the triggering count is greater than a count threshold, wherein the malicious attack is initiated from the source host in response to the triggering count being greater than the count threshold (For each client performing transactions of the type that exceeded the threshold in stage two, attack detection module 52 determines a number of and/or rate at which the client is performing the offending type of transaction. That is, each time the offending type of transaction is requested, attack detection module 52 identifies the IP address of the client performing the transaction and increments a corresponding counter for that client. T, 0067).

Onoda and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of packet switch network connections.

The motivation for combining Onoda and Narayanaswamy et al. is recited in claims 1, 7, 13. 


With respect to claims 3, 9, 15, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claims 1, 7, 13, as addressed. 

Onoda discloses further comprising: determining that a last flow table in the switch is a precise matching table comprising a source host identifier matching domain; and
sending a first instruction to the switch to instruct the switch to configure the precise matching table for matching only the source host identifier matching domain (a destination MAC address and a destination IP access) in the packet received from the host 103-1 and searches an entry, which coincides with the header information, from the flow table held inside the OFS 102-1, 0008).


With respect to claims 5, 11, 17, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claims 1, 7, 13, as addressed. 

Onoda discloses wherein a priority of the abnormal flow entry corresponds to a lowest priority among a plurality of flow entries stored at the switch (a priority order (VLAN Priority) may be assigned to the VLAN tag, 0055).


With respect to claims 6, 12, 18, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claims 1, 7, 13, as addressed. 

Narayanaswamy et al. teaches further comprising:
determining that the malicious attack is initiated from the source host indicated by the source host identifier based on the triggering count (For each client performing transactions of the type that exceeded the threshold in stage two, attack detection module 52 determines a number of and/or rate at which the client is performing the offending type of transaction. That is, each time the offending type of transaction is requested, attack detection module 52 identifies the IP address of the client performing the transaction and increments a corresponding counter for that client. T, 0067); and sending a third instruction to the switch to instruct the switch to suppress the data packet from the source host (the programmed response includes one or more of blocking network connections of the malicious clients, dropping packets of network connections associated with the malicious clients, blocking connection attempts originating from the malicious clients, advertising IP addresses of the malicious clients to another network device to cause the other network device to block network connections of the malicious clients, sending a close-session message to the malicious clients, rate limiting future sessions from the client, and sending a close-session message to a server in communication with the malicious clients, 0068).

Onoda and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of packet switch network connections.

The motivation for combining Onoda and Narayanaswamy et al. is recited in claims 1, 7, 13. 


With respect to claim 19, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claim 13, as addressed. 

Onoda discloses wherein the controller further comprises a memory coupled to the processor and configured to record the triggering count of the abnormal flow entry (The information of the virtual machine in the system may be held as a database.  Also, the OFCs 2 and 2' may transiently hold the information of the virtual machine (the transmission source information 7) obtained with the PacketIN as a trigger.  After that, it may be used in the address spoofing verification for the first packet reported from the OFVS 33 or OFS 4, 0164).


With respect to claim 20, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claim 13, as addressed. 

Narayanaswamy et al. teaches wherein the processor of the controller is further configured to determine that the abnormal flow entry times out (IDP 10 counts the number of times each client performs the transactions of that type over a particular time period and compares the numbers for each client to a client-transaction threshold, 0031) (attack detection module 52 may determine to begin the second stage of analysis when attack detection module 52 receives a number of SYN packets over a period of time in excess of connections threshold 54, 0060) (When the difference between a current time and the period of time results in a time that is greater than the time stamp of the oldest element, 0061).

Onoda and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of packet switch network connections.

The motivation for combining Onoda and Narayanaswamy et al. is recited in claim 13. 

With respect to claim 21, the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses the limitations of claim 1, as addressed. 

Onoda discloses wherein receiving the triggering count comprises receiving a Flow-removed message from the switch, wherein the triggering count is carried in the Flow-removed message (0054, The flow controlling section 22 sets or deletes a flow entry (rule+action) to or from the switch (here, the OFS 4 or OFVS 33) based on the openflow protocol.  Consequently, the OFS 4 or the OFVS 33 executes an action (for example, relaying or discarding of packet data) corresponding to a rule based on header information of a received packet).
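As an added illustration of the claimed procedure that the examiner maps onto Onoda, Narayanaswamy, and Lehane above (not part of this Examiner's Answer or of any cited reference), the following constructed Python model installs a lowest-priority abnormal flow entry matching only the source host identifier when a packet's destination does not exist in the SDN, receives the triggering count in the Flow-removed message when that entry times out, and suppresses the source when the count exceeds the count threshold. Every class, function and traffic value is hypothetical.

```python
# Constructed model of the claimed controller procedure; all names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str  # source host identifier
    dst: str  # destination host identifier

@dataclass
class AbnormalFlowEntry:
    src: str           # matching domain: the source host identifier only
    priority: int      # lowest priority, so any normal entry takes precedence
    idle_timeout: int  # idle seconds before the switch removes the entry

@dataclass
class FlowRemoved:
    src: str
    packet_count: int  # triggering count carried in the Flow-removed message

class Switch:
    def __init__(self):
        self.table = {}       # src -> [entry, match_count, idle_seconds]
        self.dropped = set()  # sources the controller instructed us to suppress

    def add_flow(self, entry):
        self.table[entry.src] = [entry, 0, 0]

    def forward(self, pkt):
        slot = self.table.get(pkt.src)
        if slot is None:
            return False  # table miss: the packet is reported to the controller
        slot[1] += 1      # the abnormal entry was triggered once more
        slot[2] = 0
        return True

    def tick(self, seconds=1):
        removed = []  # expired entries yield Flow-removed messages
        for src, slot in list(self.table.items()):
            slot[2] += seconds
            if slot[2] >= slot[0].idle_timeout:
                removed.append(FlowRemoved(src, slot[1]))
                del self.table[src]
        return removed

class Controller:
    def __init__(self, known_hosts, count_threshold, idle_timeout=3):
        self.known_hosts = set(known_hosts)
        self.count_threshold = count_threshold
        self.idle_timeout = idle_timeout
        self.counts = {}  # memory recording each source's triggering count

    def packet_in(self, switch, pkt):
        if pkt.dst in self.known_hosts:
            return None  # destination exists in the SDN: nothing abnormal
        entry = AbnormalFlowEntry(pkt.src, 0, self.idle_timeout)
        switch.add_flow(entry)  # send the abnormal flow entry to the switch
        return entry

    def flow_removed(self, switch, msg):
        self.counts[msg.src] = msg.packet_count
        if msg.packet_count > self.count_threshold:
            switch.dropped.add(msg.src)  # instruct the switch to suppress the source
            return True
        return False

def run_scenario(controller, switch, seconds):
    for pkts in seconds:  # one switch timer tick per simulated second
        for pkt in pkts:
            if pkt.src not in switch.dropped and not switch.forward(pkt):
                controller.packet_in(switch, pkt)  # table miss goes to the controller
        for msg in switch.tick():
            controller.flow_removed(switch, msg)
    return sorted(switch.dropped)

def demo_timeline():
    # Constructed traffic: h9 probes 21 non-existent hosts; h1 mistypes one destination.
    probes = [Packet("h9", f"h{100 + i}") for i in range(21)]
    benign = [Packet("h1", "h2"), Packet("h1", "h77"), Packet("h1", "h2")]
    return [probes[7 * s:7 * s + 7] + [benign[s]] for s in range(3)] + [[], []]
```

With a count threshold of 10, the probing host is suppressed after its entry times out with 20 triggers, while the host that mistyped one destination (a single trigger) is left alone.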

(2) Response to Argument

2.1	With respect to claims 1-3, 5-9, 11-15, and 17-21, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 7-8, are not persuasive.  Appellant argues that the combination of Onoda, Narayanaswamy, and Lehane does not disclose all the claim limitations to render obvious claims 1-21.

In response to appellant’s arguments with respect to claims 1-3, 5-9, 11-15, and 17-21, Examiner respectfully disagrees.  Appellant made a blanket statement that the combination of Onoda, Narayanaswamy, and Lehane does not disclose all the claim limitations to render obvious claims 1-21, but does not discuss how or why the prior art fails to teach the limitations of claims 1-21.  Examiner maintains that claims 1-3, 5-9, 11-15, and 17-21 are rendered obvious under 35 U.S.C. § 103 as being unpatentable over U.S. Patent Application Publication 2013/0254891 (Onoda) in view of European Patent 2293513 (Narayanaswamy) and British Patent 2418563 (Lehane).


2.2	With respect to claims 1, 7, and 13, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 8-11, are not persuasive.  Appellant argues that the combination of Onoda, Narayanaswamy, and Lehane does not receive a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch.  Onoda does not receive a count of anything, nor, based on a timing out of the abnormal flow entry or an aging time of the abnormal flow entry, a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch.  Narayanaswamy also does not disclose anything about a quantity of times that the abnormal flow entry is triggered.  Lehane also does not disclose anything about a quantity of times that the abnormal flow entry is triggered.

In response to appellant’s arguments with respect to claims 1, 7, and 13, Examiner respectfully disagrees.  Narayanaswamy et al. teaches (see Claim 1) “determining that a parameter associated with the monitored network connections exceeds a connection threshold”; (0087) “Attack detection module 52 compares active connections and/or connection requests for each of nodes 8 to connections threshold 54 (102) to determine whether the number of connections and/or rate at which connection requests are received for a particular one of nodes 8, such as node 8A, exceed limits defined by connections threshold 54”; and (0010) “the IDP determines a number of requests from each client issuing a request for the type of transaction(s) determined in the second stage to be above the threshold.  That is, for a transaction type X, such as a protocol field or entry of the protocol field, requests for which the IDP determined exceeded a threshold for transaction type X, the IDP determines which clients are requesting transaction type X and how many requests for transaction type X each client issues.  When a number of requests for transaction type X by a particular client exceed a corresponding threshold, the IDP performs a programmed action with respect to the client.  For example, the IDP may be configured to perform one or more of the following actions: block further communications by the client, rate-limit communications by the client, broadcast the client's Internet protocol (IP) address to other devices, add the client's IP address to an access control list (ACL), send an alert including the client's IP address to an administrator, close the communication session for the client, send a close session message to the client, or other action”.
Lehane et al. teaches “malicious packets sent from the slaves computers …. Converge on the target server 108 … target-nearest routers 128, 130, 132 experience a higher level of received traffic that the source-nearest routers … routers 102 of differing distances from the target server 108 will respectively receive differing quantities of malicious packets. In this respect, a small number of suspicious packets received by a router 102 does not give a high degree of confidence that a malicious attack is in progress, whereas a much higher number of suspicious packets would be far more telling” (0062-0063).  Therefore, Examiner maintains that the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses “a triggering count indicating a quantity of times that abnormal flow entry is triggered from the switch” as claimed.


2.3     With respect to claims 1, 7, and 13, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 11-14, are not persuasive.  Appellant argues that the combination of Onoda, Narayanaswamy, and Lehane does not determine that a destination host of the data packet does not exist in the SDN.
In rejecting the independent claims, the Office Action acknowledges that Onoda does not disclose this feature.  The Office Action alleges that Narayanaswamy’s disclosure of comparing active connections teaches determining that a destination host of the data packet does not exist in the SDN. See Office Action, p. 18. While Narayanaswamy discloses a method for detecting malicious attacks in a computer network, Narayanaswamy does not determine that a destination host of the data packet does not exist in the SDN.  

     In response to appellant’s arguments with respect to claim 1, 7, and 13, Examiner respectfully disagrees.  Appellant argues the combination of Onoda, Narayanaswamy, and Lehane does not determine that a destination host of the data packet does not exist in the SDN.  However, Onoda discloses “The address spoofing detecting section 21 uses the received transmission source address information 60 (the combination of the MAC address and the IP address) … If the address spoofing detecting section 21 cannot specify the virtual machine 31 corresponding to the received transmission source address information 60 as the result of the retrieval of the VM database 24, namely, if the interface information (the MAC address 122 and the IP address 123) coincident with the combination of the transmission source MAC address 61 and the target IP address 62 (the transmission source IP address 65) does not exist in the VM database 24, the address is judged to be spoofed … instructs the flow controlling section 22 to discard the packet coincident with the header information of the first packet, which is judged to be the address spoofing, without allowing the packet transfer” (0064).  Therefore Examiner maintains the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses “determining that a destination host of the data packet does not exist in the SDN” as claimed.  

2.4     With respect to claims 1, 7, and 13, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 14-16, are not persuasive.  Appellant argues that the combination of Onoda, Narayanaswamy, and Lehane does not send an abnormal flow entry comprising a source host identifier of the data packet to the switch.  While Lehane discloses detecting malicious activity, Lehane does not send an abnormal flow entry comprising a source host identifier of the data packet to the switch. Lehane’s malicious packets are not the same as the claimed flow entry because a flow entry is not the same as a data packet. Lehane is silent regarding any type of flow entry, much less an abnormal flow entry.  

     In response to appellant’s arguments with respect to claims 1, 7, and 13, Examiner respectfully disagrees.  Lehane et al. teaches “detection of suspicious packet flows by the flow dynamics unit 310” (0066), “the master 118 is also a networked computer, such as a PC. The master 118 executes a controlling software application that is capable of communicating with the first, second, third and fourth slave computers 110, 112, 114, 116 in order to control malicious attacks implemented by the slave computers 110, 112, 114, 116, for example the malicious attack on the target server 108” (0047), (See Para [0062] as “the malicious packets sent from the slaves computers”) (malicious packets sent from the slaves computers …. Converge on the target server 108 … target-nearest routers 128, 130, 132 experience a higher level of received traffic that the source-nearest routers … routers 102 of differing distances from the target server 108 will respectively receive differing quantities of malicious packets. In this respect, a small number of suspicious packets received by a router 102 does not give a high degree of confidence that a malicious attack is in progress, whereas a much higher number of suspicious packets would be far more telling” (0062-0063).  Lehane teaches an abnormal type of flow entry; the packets that come through constitute an entry of a flow.  Therefore, Examiner maintains that the combination of Onoda, Narayanaswamy et al., and Lehane et al. discloses “send an abnormal flow entry comprising a source host identifier of the data packet to the switch” as claimed.


2.5     With respect to claims 4, 10, and 16, Appellant’s arguments with respect to the prior art rejection of claims 4, 10, and 16, see appeal brief pages 17-19, are persuasive.  Per the interview summary (interview held 05/03/2021), Examiner reached out to appellant’s representative, Gayatry Nair, to propose amending independent claims 1, 7, and 13 to incorporate dependent claims 4, 10, and 16.  No agreement was reached.  Accordingly, claims 4, 10, and 16 are objected to (see above).



For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

/HELAI SALEHI/
Examiner, Art Unit 2433
/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433


Conferees:

Brandon Hoffman
/BRANDON S HOFFMAN/           Primary Examiner, Art Unit 2433

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.