DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims Status
Claims 1-13 and 15-21 are pending; claim 14 is cancelled; a new claim 21 is added; claims 1, 6, 8, 13, 15 and 20 are amended per Applicant’s amendment filed on May 24, 2021. Although claims 4 and 5 are shown as amended, they are not. Claims 4 and 5 are objected to; see Claim Objections for details.
Response to Arguments
The rejection of claims 4-6, 11-13 and 18-21 under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, has been withdrawn in view of Applicant’s amendment filed on May 24, 2021. See pages 15-16. The amendments to the respective claims overcome the rejection.
Applicant's arguments, filed on May 24, 2021, regarding the rejection of claims 1, 3-5, 7, 8, 10-12, 15, and 17-19 under 35 U.S.C. 102(a)(1) have been fully considered but they are not persuasive. Applicant argues the prior art doesn’t teach "transmitting, by the device, a notification to the entity associated with the user equipment, wherein the notification requests that the entity affirm the filtering rule, and wherein the provisional blocking of traffic persists until a response to the notification is received; and configuring, by the device and based on the response, a traffic filter with the filtering rule."
Lee teaches [0030] traffic filtering a semi-automated workflow or a fully-automated workflow. In a semi-automated workflow, a security professional in the SOC (security 

Claim Objections
Claim 4 is objected to because of the following informalities: Although the claim is shown as “Currently amended”, no change was made per Applicant’s Amendment filed on May 24, 2021. The term “determining” is underlined, which implies an addition to the claim, but no change was made to the claim and it is the same as originally filed. The underlined term is present in the original claim. Examiner treated claim 4 as an original claim. Appropriate correction is required.
Claim 5 is objected to on the same rationale as claim 4. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims
particularly pointing out and distinctly claiming the subject matter which the
inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out

invention.

Claim 21 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 21, it is rejected as indefinite because, in the limitation “… implementing or discarding the filtering rule when the response is not received after a time period,” it is unclear whether an “implementing” or a “discarding” action will be taken when the response is not received after a time period.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3-5, 7, 8, 10-12, 15, 17-19 and 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lee et al. (US 20180351993 A1, hereinafter, Lee).
Regarding claim 1, Lee teaches a method comprising: processing, by a device, a communication between a source and user equipment, wherein the user equipment is one of a plurality of user equipment connected to a network, wherein the user equipment is associated with an entity; ([0009] discloses a router as a device that processes incoming traffic. A source is any external computer that generates traffic directed to an entity’s user equipment connected to a network. The router uses ACE engine filter rules to process incoming traffic. [0023] discloses user equipment as protected resources, which include customer servers, such as those hosting public or private websites, web applications, or enterprise resources (i.e. plurality of user equipment connected to a network). [0025, 0026, 0028, 0032] disclose an entity as a private or public customer that owns and manages its router, firewall, etc. associated with its user equipment, or, alternatively, a customer that uses a multi-tenant based security service center (SOC) to protect its user equipment.)
determining, by the device, that the communication is associated with an anomalous traffic pattern, wherein the anomalous traffic pattern is determined based on at least one of: a first traffic pattern of the source, or a second traffic pattern of the user equipment; ([0036] discloses that the system determines which customer host, or preferably destination IP address, the traffic is addressed to (i.e. device determining first traffic pattern associated with anomalous traffic of the source).)
implementing, by the device, a provisional blocking of traffic between the source and the plurality of user equipment connected to the network based on determining the anomalous 
wherein the provisional blocking of traffic persists until a response to the notification is received; and ([0030] Hayton teaches that an ACE rule (filter) can be used in a semi-automated workflow or a fully-automated workflow. … In a fully automated system, the ACE Engine 104 can directly inject a recommended ACE (filtering rule) into the router or other data cleaning center equipment, … [0010] … the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack traffic). //Examiner Remark: In a fully-automated workflow, the entity can evaluate the already deployed filtering rule and may determine whether the filtering rule is properly blocking anomalous traffic. Therefore, while the entity is determining the deployed filtering rule, blocking of traffic persists. Therefore a fully-automated workflow provides substantially the same result as provisional blocking.)
configuring, based on the response, and based on the filtering rule,  

Regarding claim 3, Lee teaches wherein the notification is a first notification, wherein the method further comprises: monitoring, over a time period, to detect a communication 

Regarding claim 4, insofar as the claim language can be understood, Lee teaches
wherein the method further comprises: generating a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern, wherein the anomalous traffic pattern is not related to the second user equipment, ([0028] As a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer. For example, each customer destination IP address may be associated with a set of ACEs that are active for that IP address. In this document, the traffic destined to a particular customer, or particular destination IP address, or other defined category, is referred to as a “traffic category.” [0009] The methods and systems described herein automatically generate recommendations for network router access control entity (ACE) rules that can be used to filter internet traffic and more specifically to block malicious traffic. //Examiner remark: Since an ACE filtering rule can be generated per entity and per IP address, the device can generate the rule for first user equipment, second user equipment and a plurality of user equipment that belong to the first entity, a second entity, etc., up to a plurality of entities. Also, as a multi-tenant infrastructure anomalous detection and mitigation system, it inherently generates filtering rules for user equipment that is not directly targeted, based on the detected and determined traffic profile.)

Regarding claim 5, Lee teaches wherein the user equipment is first user equipment, wherein second user equipment, associated with the entity, is connected to the network, ([0028] discloses as a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer (i.e. first entity). For example, each customer 
wherein generating the filtering rule comprises: generating the filtering rule in connection with the source, the first user equipment, and the second user equipment based on determining the anomalous traffic pattern, wherein the anomalous traffic pattern is not related to the second user equipment, ([0028] As a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer. For example, each customer destination IP address may be associated with a set of ACEs that are active for that IP address. In this document, the traffic destined to a particular customer, or particular destination IP address, or other defined category, is referred to as a “traffic category.” [0009] The methods and systems described herein automatically generate recommendations for network router access control entity (ACE) rules that can be used to filter internet traffic and more specifically to block malicious traffic. //Examiner remark: Since an ACE filtering rule can be generated per entity and per IP address, the device can generate the rule for first user equipment, second user equipment and a plurality of user equipment that belong to the first entity, a second entity, etc., up to a plurality of entities. Also, as a multi-tenant infrastructure anomalous detection and mitigation system, it inherently generates filtering rules for user equipment that is not directly targeted, based on the detected and determined traffic profile.)
wherein the filtering rule prescribes that traffic between the source and the first user 

Regarding claim 7, Lee teaches wherein the notification further requests that the entity select an action that is one or more of: reporting the source to a repository of known sources, reporting the source to a law enforcement agency, reporting the source to a web hosting service, pausing the notification, or placing the source on a whitelist. ([0023] Typically the protected resources 102 include customer servers, such as those hosting public or private websites, web applications, or enterprise resources (i.e. plurality of user equipment connected to a network). [0032] These recommended ACEs can be sent to the SOC 106 (e.g., to be displayed on a user interface and/or alert) so that personnel can review and approve before installing them in the data cleaning center 100. //Examiner remarks: Entities such as those hosting private and public websites in a multi-tenant environment are notified by security operation center (SOC) personnel.)
Regarding claim 8 (Currently Amended), it is rejected on the same rationale as claim 1.
Regarding claim 10, it is rejected on the same rationale as claim 3.
Regarding claim 11, it is rejected on the same rationale as claim 4.
Regarding claim 12, it is rejected on the same rationale as claim 5.
Regarding claim 15 (Currently Amended), it is rejected on the same rationale as claim 1.
Regarding claim 17, it is rejected on the same rationale as claim 3.
Regarding claim 18, it is rejected on the same rationale as claim 4.
Regarding claim 19, it is rejected on the same rationale as claim 5.
Regarding claim 21 (New), the method of claim 1, Lee teaches wherein configuring the filter with the filtering rule comprises: implementing or discarding the filtering rule when the response is not received after a time period. ([0030] discloses a semi-automated workflow model for configuring the filter. In a semi-automated workflow, a security professional in the SOC 106 receives and evaluates the recommended ACE (filter) in correspondence with statistics from the traffic profiler and accepts/rejects/edits the recommended ACE before it is deployed. //Examiner Remark: The recommended ACE (filter) is generated by the system and transmitted to IT staff working in the SOC (entity). Therefore, a failure by the IT staff to respond to the filter recommended by the system amounts to discarding the filter.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in 

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 20180351993 A1, hereinafter, Lee), and further in view of Jagger, et al. (US 7007302 B1, hereinafter, Jagger).
Regarding claim 2, Lee teaches wherein generating the filtering rule comprises: generating the filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern and the match of the source and the known source. ([0048] A Threat Detection component 510 periodically pulls records (i.e. known sources) from the database 508 and applies one or more triggers or rules to detect threats (i.e. determining anomalous traffic pattern). [0124 - 0150] disclose similarity metrics and steps used to determine a match between the source and a known source in the database record.)
Lee doesn’t explicitly teach comparing information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources, wherein the known source is identified as being a security threat.
Jagger, from an analogous endeavor, teaches comparing information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources, wherein the known source is identified as being a security threat, ([Col 5, lines 44 - 59] At 308, an attempt is made to identify the source of the attack and/or malicious code. If the source is identified, information (if any) about the source is retrieved from a database in operation 310. For example, the information 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Jagger into the teachings of Lee because the unwanted event may be identified by recognizing a signature, file name, and/or checksum of the malicious code, by recognizing that code is being sent from a source already identified as a known threat, or in any other manner, as taught by Jagger [Col 5, lines 30 - 33]. The combining of the teachings of Jagger and Lee would have yielded predictable results to one of ordinary skill in the art since it is a well-understood technique to use the information identifying a known threat source to protect a network from future attack. The combining of the teachings would have yielded predictable results to one of ordinary skill in the art.

Regarding claims 9 and 16, they are rejected on the same rationale as claim 2.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 20180351993 A1, hereinafter, Lee), and further in view of Aziz et al. (US10511614, hereinafter, Aziz).
Regarding claim 6 (Currently Amended), Lee teaches wherein the user equipment is first user equipment, wherein the first traffic pattern of the source includes a previous communication between the source and a second user equipment of the plurality of user equipment connected to the network, ([0041] In some cases, the Traffic Profiler 202 examines records from across multiple time intervals in order to make a determination of whether an attack is detected (i.e. the device has access to the traffic pattern from previous communication). [0028] As a multi-tenant infrastructure, the data cleaning center 100 can apply a custom set of ACEs for each customer. For example, each customer destination IP address may be associated with a set of ACEs that are active for that IP address. //Examiner remark: Since the device can support a multi-tenant architecture, traffic pattern records contain previous communication for a plurality of user equipment connected in the network.)
Lee doesn’t explicitly teach wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered.
Aziz, from an analogous endeavor, teaches wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered, ([Col 13, lines 47 - 67, and Col 14, lines 1 - 23]. (//Examiner remark: discloses techniques to detect and mitigate anomalous behavior related to network IP address scanning by a source targeting sequentially numbered IP addresses assigned to user equipment. In this way, an active computer worm using a random IP address scanning technique (e.g., a scan directed computer worm) 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Aziz into the teachings of Lee to improve the system so it can detect and mitigate pre-attack network IP address scanning, as taught by Aziz, [Col 13, lines 46 – 60]. The combining of the teachings of Jagger and Lee would have yielded predictable results since the technique of preventing an outside source from scanning network IP addresses to gain access for potential entry for malicious activity into an enterprise network is widely used and well understood to one of ordinary skill in the art. Regarding the limitation “ or ”, although considered, it is not examined on the merits because it is directed to an optional step of claim 1, “pattern is at least one of: a first traffic pattern of the source, or a second traffic pattern of the user equipment” and thus is not positively required in order to meet claim 6 in view of the prior art. The combining of the teachings would have yielded predictable results to one of ordinary skill in the art.

Regarding claims 13 and 20, they are rejected on the same rationale as claim 6.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8230505 B1 - Method For Cooperative Intrusion Prevention Through Collaborative Inference
US 9015839 B2 - Identifying Malicious Devices Within A Computer Network
US 9967279 B2 - System And Method Thereof For Creating Programmable Security Decision Engines In A Cyber-security System

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
SOLOMON AREGA whose telephone number is (571)272-0122. The examiner can normally be reached on Monday - Friday from 8:30 AM to 5:00 PM (EDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at telephone number (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

/SOLOMON AREGA/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431