DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/05/2021 has been entered.
 
This Office action is in response to RCE filed on 08/05/2021. Claims 2 and 9 have been canceled, and new claims 22-26 have been added.

Claims 1, 3-8 and 10-26 are presented for examination.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/19/2021 and 04/19/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8 and 10-26 are rejected under 35 U.S.C. 103 as being unpatentable over Jonathan Chao et al. (US 2005/0111367), in view of Burnham et al. (US 2015/0047034).

As to claim 1, Jonathan Chao discloses the invention as claimed, including a method of operating a communications network comprising: 
receiving a plurality of network operational data items relating to the operation of said communications network (¶0008, “aggregating packet attribute distribution frequencies for incoming victim related packets”; ¶0058, “collects local packet attribute traffic distributions for all incoming packets…collect local packet attribute information”), each of those network operational data items comprising one or more attributes, each attribute comprising a value for that attribute (¶0059, “IP protocol-type, packet size, source/destination port numbers, source/destination IP prefixes, Time-; 
classifying said network operational data items using type-specific processing which depends upon whether the automatically found statistical data type of said attribute is nominal, ordinal or quantitative (¶0018, “The score-based approach also enables the prioritization of different types of suspicious packets”; ¶0053, “comparing the measured attribute values to the nominal attribute values. If the measured attribute values exceed some predetermined threshold that may be equal or greater than the nominal attribute values, then the DCS 108 may conclude that the packets are suspect”); ¶0081, “performing statistical analysis…Attribute A may illustratively be the protocol-type, attribute B may illustratively be the packet-size, and attribute C may illustratively be the TTL values, and so forth”; ¶0082); and 
automatically operating the communications network to apply common class-specific treatment in response to network operational data items in one or more classes (434, 436, Fig. 4B; ¶0065, “UDP packets of size S and TTL value T destined to the DDoS victim 120 may be treated as prime suspects and given lower priority upon selective packet discarding during overload”; ¶0108, “determines whether the score of the incoming suspect packet is less than or equal to the CLP discarding threshold (Thd). If the determination is answered affirmatively, then the suspect packet is discarded, otherwise the packet is passed through for further routing”; ¶0109, “at 434, the incoming packet 202 is then discarded. Otherwise, if the query is answered negatively, then at 436, the incoming packet 202 is passed on for routing to its destination”).  
automatically finding a statistical data type (¶0010, “one or more behaviors or other characteristics may be identified (e.g., automatically) or observed (e.g., manually) in conjunction with the particular profile characteristics”; ¶0012, “identify or recognize particular characteristics, patterns, and the like of certain pieces (e.g., portions) or types of executable content indicative of a particular type of actor, organization, etc. (e.g., malicious, non-malicious, suspect, etc.) based upon personal knowledge, historical data, open-source information”; ¶0046; ¶0047). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Jonathan Chao to include automatically finding a statistical data type, as taught by Burnham because it would increase the capabilities of the server to automatically identify suspected malicious actors/organizations from the collected executable content and/or extracted characteristics (Burnham, ¶0046).

As to claim 3, Jonathan Chao discloses the method according to claim 1 further comprising comparing said plurality of values to one or more specialised patterns in order to find the type of the values of the attribute as being a specialist data type 

As to claim 4, Jonathan Chao discloses the method according to claim 3 further comprising receiving a specification of a specialised pattern for a specialist data type from a user (¶0008, “aggregating packet attribute distribution frequencies for incoming victim related packets”; ¶0058, “collects local packet attribute traffic distributions for all incoming packets…collect local packet attribute information”).  

As to claim 5, Jonathan Chao discloses the method according to claim 3 further comprising receiving a specification of one or more operations suitable for processing values matching said specialised pattern (¶0018, “The score-based approach also enables the prioritization of different types of suspicious packets”; ¶0066, “Profiling against relative frequency of different attribute values helps to alleviate the difficulties caused by the expected fluctuation of nominal traffic arrival rates due to time-of-the-day and day-of-the-week behavior”).  

As to claim 6, Jonathan Chao discloses the method according to claim 1 wherein said type-specific processing comprises computing a type-specific similarity or distance measure between two of the network operational data items (¶0018, “The 

As to claims 7-8, 10-11 and 18, they are rejected for the same reasons set forth in claims 1 and 7 above. In addition, Jonathan Chao discloses network control apparatus comprising: a computer system including a non-transitory computer readable medium for storing code and a computer hardware processor for executing the code such that the computer system is configured to at least perform (¶0003). 

As to claim 12, Jonathan Chao discloses the method according to claim 1 wherein the attributes of the network operational data items include data comprising a sequence of bytes representing a sequence of characters; and the processing of the network operational data items does not rely on the network operational data items being in accordance with a predetermined schema (¶0059, “IP protocol-type, packet size, source/destination port numbers, source/destination IP prefixes, Time-to-Live Live (TTL) values, IP/TCP header length, TCP flag combinations, and the like, as well as the arrival rates of suspicious traffic (e.g., bits/sec, packets/sec, and flow measurements)”).  

As to claim 13, Jonathan Chao discloses the network control apparatus according to claim 7 wherein the attributes of the network operational data items include data comprising a sequence of bytes representing a sequence of characters; and the computer system is not pre-configured with data representing a predetermined schema for the network operational data items (¶0059, “IP protocol-type, packet size, source/destination port numbers, source/destination IP prefixes, Time-to-Live Live (TTL) values, IP/TCP header length, TCP flag combinations, and the like, as well as the arrival rates of suspicious traffic (e.g., bits/sec, packets/sec, and flow measurements)”).  

As to claim 14, Jonathan Chao discloses the method according to claim 1 wherein automatically operating the communications network to apply the common class-specific treatment includes giving network traffic, represented by the network operational data items assigned to the same class, a same quality of service (434, 436, Fig. 4B; ¶0065, “UDP packets of size S and TTL value T destined to the DDoS victim 120 may be treated as prime suspects and given lower priority upon selective packet discarding during overload”; ¶0108, “determines whether the score of the incoming suspect packet is less than or equal to the CLP discarding threshold (Thd). If the determination is answered affirmatively, then the suspect packet is discarded, otherwise the packet is passed through for further routing”; ¶0109, “at 434, the incoming packet 202 is then discarded. Otherwise, if the query is answered negatively, then at 436, the incoming packet 202 is passed on for routing to its destination”).  

As to claim 15, Jonathan Chao discloses the network control apparatus according to claim 7 wherein automatically operating the communications network to apply in the network control the common class-specific treatment includes giving network traffic, represented by the network operational data items assigned to the same class, a same quality of service (434, 436, Fig. 4B; ¶0065, “UDP packets of size S and TTL value T destined to the DDoS victim 120 may be treated as prime suspects and given lower priority upon selective packet discarding during overload”; ¶0108, “determines whether the score of the incoming suspect packet is less than or equal to the CLP discarding threshold (Thd). If the determination is answered affirmatively, then the suspect packet is discarded, otherwise the packet is passed through for further routing”; ¶0109, “at 434, the incoming packet 202 is then discarded. Otherwise, if the query is answered negatively, then at 436, the incoming packet 202 is passed on for routing to its destination”).  

As to claim 16, Jonathan Chao discloses the method according to claim 1 further comprising determining that a network element or network traffic is malicious, wherein automatically operating the communications network to apply the common class-specific treatment includes handling the malicious network element network traffic with a same countermeasure (434, 436, Fig. 4B; ¶0065, “UDP packets of size S and TTL value T destined to the DDoS victim 120 may be treated as prime suspects and given lower priority upon selective packet discarding during overload”; ¶0108, “determines whether the score of the incoming suspect packet is less than or equal to the CLP discarding threshold (Thd). If the determination is answered affirmatively, then the suspect packet is discarded, otherwise the packet is passed through for further routing”; ¶0109, “at 434, the incoming packet 202 is then discarded. Otherwise, if the query is answered 

As to claim 17, Jonathan Chao discloses the network control apparatus according to claim 7 wherein the computer system is further configured to determine that a network element or network traffic is malicious, and automatically operating the communications network in the network control to apply the common class-specific treatment includes handling the malicious network element network traffic with a same countermeasure (434, 436, Fig. 4B; ¶0065, “UDP packets of size S and TTL value T destined to the DDoS victim 120 may be treated as prime suspects and given lower priority upon selective packet discarding during overload”; ¶0108, “determines whether the score of the incoming suspect packet is less than or equal to the CLP discarding threshold (Thd). If the determination is answered affirmatively, then the suspect packet is discarded, otherwise the packet is passed through for further routing”; ¶0109, “at 434, the incoming packet 202 is then discarded. Otherwise, if the query is answered negatively, then at 436, the incoming packet 202 is passed on for routing to its destination”).  

As to claim 19 and 20, Jonathan Chao discloses a method according to claim 1, wherein statistically analyzing the plurality of the values of at least one of said attributes comprises calculating one or -7-TURNER et al.Atty Docket No.: RYM-0036-2641Appl. No. 15/562,682more collective properties of the values, the one or more collective properties being selected from the group comprising: i) the number of unique values found in the plurality of values of the attribute; ii) the frequency distribution of the values of the attribute; and iii) the frequency distribution of the differences between the values of the attribute when ordered (¶0059, “IP protocol-type, packet size, source/destination port numbers, source/destination IP prefixes, Time-to-Live Live (TTL) values, IP/TCP header length, TCP flag combinations, and the like, as well as the arrival rates of suspicious traffic (e.g., bits/sec, packets/sec, and flow measurements)”).  

	As to claim 21, it is rejected for the same reasons set forth in claim 6 above.

As to claims 22, 24 and 26, Jonathan Chao discloses wherein the method further comprises: determining whether the values of the attribute are positive integers; and -8-TURNER et al.Atty Docket No.: RYM-0036-2641Appl. No. 15/562,682 using the statistically analysis of the values of the attribute to determine whether the positive integers are nominal, ordinal or quantitative (¶0018, “The score-based approach also enables the prioritization of different types of suspicious packets”; ¶0053, “comparing the measured attribute values to the nominal attribute values. If the measured attribute values exceed some predetermined threshold that may be equal or greater than the nominal attribute values, then the DCS 108 may conclude that the packets are suspect”); ¶0081, “performing statistical analysis…Attribute A may illustratively be the protocol-type, attribute B may illustratively be the packet-size, and attribute C may illustratively be the TTL values, and so forth”; ¶0082).  

As to claims 23 and 25, Jonathan Chao discloses wherein the computer system is further configured to perform: a determination of whether the values of the attribute are positive integers; and a determination of whether the positive integers are nominal, ordinal or quantitative using the statistically analysis of the values of the attribute (¶0059, “IP protocol-type, packet size, source/destination port numbers, source/destination IP prefixes, Time-to-Live Live (TTL) values, IP/TCP header length, TCP flag combinations, and the like, as well as the arrival rates of suspicious traffic (e.g., bits/sec, packets/sec, and flow measurements)”).  
	
Conclusion
Applicant’s arguments with respect to claims 1, 3-8 and 10-26 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hinz et al. (US 2013/0275576), Chao et al. (US 2007/0280114), Staniford (US 2016/0182542), Chesla et al. (US 2004/0250124), Pappu (US 2013/0304909) disclose providing a DDoS defense system that is flexible enough to cope with new and more sophisticated attacks in the future.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNGWON CHANG whose telephone number is (571)272-3960.  The examiner can normally be reached on 8:30-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on (571)272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JUNGWON CHANG/Primary Examiner, Art Unit 2454                                                                                                                                                                                                        August 28, 2021