DETAILED ACTION
This office action is in response to the application filed on 6/26/2019.  Claim(s) 1-39 is/are pending and are examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 12/20/2019 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 

Claim Objections
Claim(s) 12, 17, 22, and 26-27 is/are objected to because of the following informalities: The examiner suggests the following corrections:Claims 12 and 22:
Replacement of "the" with "a" in the phrase "the false positive detection rate".
Claim 17 and 27:
Replacement of "the" with "a" in the phrase "the mitigation resource".
Claim 26:
Replacement of "long baseline" with "long-term baseline".


Claim Rejections - 35 USC § 112

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim(s) 1-39  is/are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Regarding claim(s) 1, 20, and 21, the phrase “the at least HTTPS traffic” makes the claims ambiguous and therefore indefinite.  Because the claim fails to sufficiently relate the phrase to the other claim features, the claim is amenable of multiple plausible constructions (i.e., HTTPS traffic introduced earlier in the related to measuring baseline behavior.  The second recitation of “the at least HTTPS” refers to later traffic that is being tested for attacks.  However, this claim term draws its antecedence from the previous term), leaving a person having ordinary skill in the art unable to determine what the Applicant does and does not regard as the invention.  See Ex parte Kenichi Miyazaki, 89 U.S.P.Q. 2d 1207, *11 (BPAI 2008).
	Dependent claim(s) 2-19 and 22-39 is/are rejected for the reasons presented above with respect to rejected claim(s) 1 and 21 in view of their dependence thereon.
	Claims 15 and 25 have this problem as well, but should be rectified by simply clarifying the parent claims.

Regarding claim(s) 11-12 and 32-33, the phrase “the threshold” makes the claims indefinite and unclear in that it lacks antecedent basis.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 5-7, 10-15, 17-18, 20-23, 25-27, 30-35, and 37-38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla (US 2008/0086434 A1), in view of Anderson et al. (US 2019/0245866 A1). 
Regarding claims 1, 20, and 21, Chesla teaches:
“A method for detecting hypertext transfer protocol (HTTP) flood denial- of-service (DDoS) attacks (Chesla, ¶ 505 discloses an implementation of a detection device implemented using a non-transitory computer readable medium which is executed on a computer which necessarily has a processor and a memory.  Chesla, ¶ 63-66 discloses an HTTP flood DDoS attack), comprising: 	estimating traffic telemetries of at least ingress traffic directed to a protected entity (Chesla, ¶ 68-76 teaches measuring the inbound and outbound traffic characteristics to a protected web server); 	providing at least one rate-base feature and at least one rate-invariant feature based on the estimated traffic telemetries (Chesla, ¶ 71-76 gives examples of rate based features such as HTTP requests per second, and rate invariant features such as the HTTP request URL size distribution), wherein the rate-base feature and the rate- invariant feature demonstrate a normal behavior of HTTPS traffic directed to the protected entity (Chesla, ¶ 80-85 the aforementioned featured are observed for an appropriate period of time to establish typical operating conditions when not under attack); 	evaluating the at least one rate-base feature and the at least one rate-invariant feature with respect to at least one baseline to determine whether the behavior of the at least HTTPS traffic indicates a potential HTTPS flood DDoS attack (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring); and 	causing execution of a mitigation action when an indication of a potential HTTPS flood DDoS attack is determined (Chesla, ¶ 99-102 discloses performing a mitigation action against the potential attack)”.
	Chesla does teach a detection and mitigation strategy that would work on HTTPS traffic since the HTTP information would be encrypted using a TLS or SSL handshake.  
	However, in related art, Anderson teaches:
	estimating telemetries of “HTTPS traffic (Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data)” and detecting a “potential HTTPS” denial of service attack (Anderson, ¶ 34, ¶ 36, and ¶ 44-46 teaches using a machine learning classifier on encrypted traffic to determine if HTTP connections are maliciously engaged in denial of service attack)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla and Anderson, to modify the HTTP flood DDOS detection and mitigation system of Chesla to include the method to infer HTTP information in HTTPS connections secured with TLS to detect malicious activity as taught in Anderson.  The motivation to do so would be, as stated by , ¶ 82, would be to thwart attackers who attempt to obfuscate their malicious behavior by encrypting their attacks, thus making the network behavior of their attacks undetectable. 

Regarding claims 2 and 22, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein estimating traffic telemetries further comprises: 	estimating traffic telemetries of at least egress traffic from the protected entity (Chesla, ¶ 68-76 teaches measuring the inbound and outbound traffic characteristics to a protected web server)”.

Regarding claims 3 and 23, Chesla in view of Anderson teaches:
“The method of claim 2 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein evaluating the at least one rate-base feature and the at least one rate-invariant is performed without decrypting any of the ingress traffic and the egress traffic (Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data.  Chesla, ¶ 71-76 gives examples of rate based features such as HTTP requests per second, and rate invariant features such as the HTTP request URL size distribution which can be accomplished used the telemetry measuring technique provided in Anderson)”.

Regarding claims 5 and 25, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), further comprising: 	computing the at least one baseline for each of the at least one rate-base feature and the at least one rate-invariant feature (Chesla, ¶ 9 and ¶ 15 teaches creating a baseline for the rate based and rate invariant features using the collected information)”.   

Regarding claims 6 and 26, Chesla in view of Anderson teaches:
“The method of claim 5 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the at least one baseline includes: 	a short-term baseline and a long-term baseline, wherein the short-term baseline characterizes short- term changes in the ingress traffic and the long-term baseline characterizes long-term changes in the ingress traffic (Chesla, ¶ 22-24, ¶ 26-28, ¶ 144-147, and ¶ 205 discuss establishing short term and long term baselines for real time and adaptive machine learning anomaly detection of traffic)”.

Regarding claims 7 and 27, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the at least one rate-base feature includes any one of: 	a number of HTTPS requests per second (RPS) (Chesla, ¶ 71-76 gives examples of rate based features such as HTTP requests per second.  Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data which correspondingly would allow the rate as measured by Chesla to be determined)”.

Regarding claims 10 and 30, Chesla in view of Anderson teaches:
The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein evaluating the at least one rate-base feature and the at least one rate-invariant feature with respect to at least one baseline further comprises: 	comparing real-time samples of the at least one rate-base feature and at least one rate-invariant feature to the at least one baseline (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring); and 	detecting an anomaly when at least one of: 	the at least one rate-base feature and at least one rate-invariant feature deviates from the at least one baseline, wherein the deviation from the at least one baseline is by a threshold (Chesla, ¶ 7 and ¶ 88-96 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring when values exceed a given threshold)”.

Regarding claims 11 and 31, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the threshold is dynamically updated based on real-time estimation of traffic telemetries (Chesla, ¶ 365-366 teaches dynamic threshold in the real-time detection system)”.

Regarding claims 12 and 32, Chesla in view of Anderson teaches:
“The method of claim 11 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the threshold is determined as follows: U(t) = Y(t) + maxDev; wherein U(t) is an anomaly threshold, Y(t) is a baseline, and maxDev is a maximal deviation of an observed traffic feature during peace time corresponding to a required value of the false positive detections rate of the observed traffic feature (Chesla, ¶ 246-254 and ¶ 304-306 teaches the equation to determine threshold for anomaly detection based on a deviation from peace time values)”.

Regarding claims 13 and 33, Chesla in view of Anderson teaches:
“The method of claim 10 (Chesla in view of Anderson teaches of the parent claims as discussed above), further comprising: 	detecting rate-invariant anomaly based on at least abnormal distribution of size of HTTPS requests and responses (Chesla, ¶ 7 and ¶ 88-96 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring when values exceed a given threshold)”.

Regarding claims 14 and 34, Chesla in view of Anderson teaches:
“The method of claim 10 (Chesla in view of Anderson teaches of the parent claims as discussed above), further comprising: 	detecting rate-base anomaly based on at least a total number of HTTPS requests and a total volume of HTTPS requests and responses (Chesla, ¶ 133-137 discusses measure the ratio of HTTP requests and responses.  Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data which correspondingly would allow the rate as measured by Chesla to be determined)”.

Regarding claims 15 and 35, Chesla in view of Anderson teaches:
The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the behavior of the at least HTTPS traffic indicates a potential HTTPS flood DDoS attack when anomalies are detected on at least one rate base feature and rate invariant feature (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring)”.

Regarding claims 17 and 37, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the method is performed by a defense system including at least a detector for detecting the potential HTTPS flood DDoS attack (Chesla, Fig. 1 depicts anomaly detection system) and the mitigation resource for performing the mitigating action (Chesla, Fig. 1 depicts mitigation mechanism)”.

Regarding claims 18 and 38, Chesla in view of Anderson teaches:
“The method of claim 17 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the defense system is deployed in-line of traffic between client devices accessing the protected entity (Chesla, Fig. 1 depicts the protection device in line with the protected server and the external data sources), wherein the protected entity is deployed in any one of: a cloud computing platform (Anderson, ¶ 26-27 teaches that servers are implanted in the cloud and defended by the inline protection device)”.

Claim(s) 4 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Anderson in view of Be’ery et al. (US 2015/0207806 A1). 
Regarding claims 4 and 24, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above)”.
Chesla in view of Anderson does not, but in related art Be’ery teaches:	“wherein estimating traffic telemetries further comprises: 	analyzing transmission control protocol (TCP) packets headers received by the protected entity (Be’ery, ¶ 22 and ¶ 70 teaches analyzing TCP packet headers as part of a process to detect application layer malicious activity)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Anderson, and Be’ery, to modify the HTTP flood DDOS detection and mitigation system of Chesla and Anderson to include the method to analyze TCP packet information in reference to DOS attacks as taught in Be’ery.  The motivation to do so constitutes applying a known technique (i.e., method to analyze TCP packet information in reference to DOS attacks) to known devices and/or methods (i.e., HTTP flood DDOS detection and mitigation system) ready for improvement to yield predictable results. 
Claim(s) 8-9 and 28-29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Anderson in view of Reddy et al. (US 2018/0007084 A1).
Regarding claims 8 and 28, Chesla in view of Anderson teaches:
“The method of claim 1 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein the at least one rate-invariant feature includes any one of: 	a distribution of HTTPS requests sizes (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring)”.
Chesla in view of Anderson does not, but in related art, Reddy teaches:
 “wherein the at least one rate-invariant feature distinguishes between a potential HTTPS flood DDoS attack and a flash crowd web activity (Reddy, ¶ 39 and ¶ 80-83 teaches distinguishing between a flash crowd activity and a DOS event based on the rate invariant metrics)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Anderson, and Reddy, to modify the HTTP flood DDOS detection and mitigation system of Chesla and Anderson to include the method to distinguishing between a flash crowd activity and a DOS event based on the rate invariant metrics as taught in Reddy.  The motivation to do so constitutes applying a known technique (i.e., HTTP flood DDOS detection and mitigation system) to known devices and/or methods (i.e., distinguishing between a flash crowd activity and a DOS event based on the rate invariant metrics) ready for improvement to yield predictable results.
 
Regarding claims 9 and 29, Chesla in view of Anderson in view of Reddy teaches:
The method of claim 8 (Chesla in view of Anderson in view of Reddy teaches the limitations of the parent claims as discussed above), wherein the at least one rate-invariant feature further includes a relative variance of any one of: an ingress HTTPS request per second (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring), wherein the relative variance of a traffic feature is a rate- invariant criterion for distinguishing between a potential HTTPS flood DDoS attack and a flash crowd web activity (Reddy, ¶ 39 and ¶ 80-83 teaches distinguishing between a flash crowd activity and a DOS event based on the rate invariant metrics)”.
Claim(s) 16, 19, 36, and 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Anderson in view of Holloway et al. (US 2019/0158533 A1).
Regarding claims 16 and 36, Chesla in view of Anderson teaches:
“The method of claim 10 (Chesla in view of Anderson teaches of the parent claims as discussed above), wherein causing execution of a mitigation action further comprises: 	generating a suspect list including a list of source internet protocol (IP) addresses of client devices triggered the detected anomalies (Chesla, ¶ 92-93 teaches looking at the IP addresses for the requests)”.
	Chesla in view of Anderson does not, but in related art, Holloway teaches: 	“challenging each of the client devices in the suspect list (Holloway, ¶ 50 and ¶ 67-68 teaches cloud based proxy system which challenges visitors during a denial of service attack); and 	causing execution of the mitigation action on traffic originated from any device client that fails the challenge (Holloway, ¶ 67-68 and ¶ 71 teaches cloud based proxy system which blocks requests from clients with failed challenges)”.	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Anderson, and Holloway, to modify the HTTP flood DDOS detection and mitigation system of Chesla and Anderson to include the method to distinguishing between a flash crowd activity and a cloud based proxy system which blocks requests from clients with failed challenges as taught in Holloway.  The motivation to do so constitutes applying a known technique (i.e., HTTP flood DDOS detection and mitigation system) to known devices and/or methods (i.e., cloud based proxy system which blocks requests from clients with failed challenges) ready for improvement to yield predictable results.

Regarding claims 19 and 39, Chesla in view of Anderson teaches:
	“The method of claim 17 (Chesla in view of Anderson teaches of the parent claims as discussed above)”.
	Chesla in view of Anderson does not, but in related art, Holloway teaches: 	“wherein the defense system is installed in a cloud defense platform as an always-on deployment, wherein the cloud defense platform is deployed between client devices and the protected entity (Holloway, Fig. 1, ¶ 20-21 and ¶ 24 depict and describe cloud based proxy server which operate in line with the servers they protect against denial of service attacks)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Anderson, and Holloway, distinguishing between a flash crowd activity and a cloud based proxy server which operate in line with the servers they protect against denial of service attacks as taught in Holloway.  The motivation to do so constitutes applying a known technique (i.e., HTTP flood DDOS detection and mitigation system) to known devices and/or methods (i.e., cloud based proxy server which operate in line with the servers they protect against denial of service attacks) ready for improvement to yield predictable results.
 
Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/STEPHEN T GUNDRY/Examiner, Art Unit 2435