DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s remarks filed on 09/03/2021 have been fully considered.
Applicant’s arguments with respect to claim(s) 1 – 22 have been considered but are moot because the new ground of rejection does not rely on all of the references previously applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below.
The examiner will answer all other remarks that do not concern the prior art rejections, if any, in the office action below. 
Applicant states on page[s] 8 and 9 of the remarks as filed: “The Office Action conceded that Bush fails to teach or suggest the aforementioned elements, and cited to Singh to address the deficiencies of Bush. First, the rejection alleged that the intercept layer 112 of the routing engine 102 on the network device 202 teaches or suggests the claimed destination controller. Second, the rejection alleged that the intercept layer 112 of the routing engine 102 on the network device 202 identifying an egress interface index teaches or suggests the claimed validation of the security control device. Third, the rejection alleged that the network layer filter 114 of the routing engine 102 on the network device 202 applying at least one firewall rule based at least in part on the egress interface index teaches or suggests the claimed network device changing a destination network identifier.

	However, the destination controller, network device, and security control device are distinct components because the destination controller receives the test traffic forwarded by the network device, which itself is configured to receive the test traffic from the security control device.
	Therefore, the rejection is improper for conflating the functionality of the claimed destination controller, network device, and security control device to apply the rejection based on components of the network device 202. Moreover, Singh cannot be combined with Bush to cure these deficiencies because Bush merely recites attack handlers and attack masters, but fails to teach or suggest each and every feature of at least the following claimed components: (i) source controller, (ii) destination controller, (iii) network device, and (iv) security control device. 
	Therefore, Singh and Bush, in combination, fail to teach or suggest each and every feature of the claimed (i) source controller, (ii) destination controller, (iii) network device, and (iv) security control device. Accordingly, Bush and Singh, alone or in combination, fail to teach or suggest each and every limitation of independent claims 1 and 12.”

	In response, the examiner isn’t persuaded. The examiner points out that just because “the destination controller receives the test traffic forwarded by the network device, which itself is configured to receive the test traffic from the security control device” [as argued by applicant – emphasis added], does not rule out the embodiment 
***The examiner response above equally applies to the same or similar remarks regarding base claim[s] 1, 12, in the remarks as filed. 

***Regarding dependent claim[s] 7, 10, 11, 18, 19, 21, 22, applicant didn’t make any specific remarks regarding such claims, therefore, the office has NO comment at this time. 

Response to Amendment
Status of the instant application:
Claim[s] 1 – 22 are pending in the instant application. 
Regarding claim[s] 1 – 22 under the various obviousness rejections, applicant’s claim amendments have been inspected, and are not persuasive. The examiner has addressed such claim amendments in the office action below. 
Claim Objections
Regarding the objection to claim 19, applicant’s change to the dependency of the claim is noted, therefore, the objection is withdrawn. 
Claim Interpretation – 35 USC 112, 6th Paragraph, or 112(f)
Regarding claim 12 under the interpretation, applicant’s claim amendment of “one or more processors” has been inspected, therefore, the interpretation is withdrawn. 
Claim Rejections – 35 USC § 112
Regarding claim[s] 1, 12, under the rejection, applicant’s claim amendment has been inspected, therefore, the rejection is withdrawn. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1- 6, 8, 9, 12 -17, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bush et al. [US PAT # 7620985] in view of Singh et al. [US PGPUB # 10505899], further in view of WO 2019/036717, hereinafter as Mihal
As per claim 1. Bush does teach a method of testing known bad destinations while in a production network [col. 2, lines 31 – 38, the method and system for forecasting effects of flood attack on infrastructure assets of an information system and communication network], the method comprising:
(a) establishing, for a source controller and a destination controller in a production network [col. 2, lines 48 – 50, attack handlers on the active nodes [i.e. applicant’s source controller and destination controller]], a configuration of a predetermined set of one or more known bad external destinations to test a security control device of the production network intermediary to the source controller and the destination controller [col. 2, lines 50 – 61, The attack 
(b)    communicating, by the source controller, test traffic generated by the source controller directed to a known bad external destination of the one or more known bad external destinations [col. 2, lines 50 – 61, The attack handlers generate virtual messages that are sent and received to and from other attack handlers of other active nodes, that in turn send the virtual messages to a target node of a target service [applicant’s one or more known bad external destinations]], the test traffic passing through the security control device with a network identifier of the known bad external destination [col. 3, lines 38 – 42, the inserted attack model may contain information on various parameters……..source and destination of traffic flows and the like]. 
Bush does not clearly teach: (c) receiving, by the destination controller, the test traffic forwarded by one or more processors of a network device of the production network, the one or more processors of the network device configured to receive the test traffic from the security control device and to change a destination network identifier of the test traffic from the network identifier of the known bad external destination to a network identifier of the destination controller before the test traffic egresses from the production network, wherein the security control device is validated based at least on identifying whether or not the security control device applied security controls on the test traffic having the network identifier of the known bad external destination.
However, Singh does teach and (c) receiving, by the destination controller, the test traffic forwarded by one or more processors of a network device [col. 11, lines 61 – 64, Computing system 800 broadly represents any type or form of electrical load, including a single or multi-processor computing device or system capable of executing computer-readable instructions.] of the production network [col. 12, lines 63 – 67, col. 12, lines 1 – 11, network], the one or more processors of the network device configured to receive the test traffic from the security control device [col. 2, lines 3 – 12, Similarly, a system [i.e. applicant’s destination controller] that implements the above-described method may include (1) a socket-intercept layer [i.e. applicant’s network device], stored in kernel space on a physical routing engine [i.e. applicant’s security control device] of a network device, that (A) intercepts a packet that is destined for a remote device and (B) identifies, in response to intercepting the packet, an egress interface index that specifies an egress interface that (I) is external to kernel space and (II) is capable of forwarding the packet from the network device to the remote device.] and to change a destination network identifier of the test traffic from the network identifier of the known bad external destination to a network identifier of the destination controller before the test traffic egresses from the production network [Figure # 3 and col. 8, lines 35 – 44, Returning to FIG. 3, at step 330 one or more of the systems described herein may apply at least one firewall rule on the packet network-layer filter 114 may, as part of routing engine 102(1) on network device 202(1) in FIG. 2, apply at least one firewall rule based at least in part on the egress interface index. This firewall rule may be applied on the packet in kernel space before the packet egresses from routing engine 102(1).
Then at Figure # 3, and col. 9, lines 3 – 5, In a further example, the identified firewall rule may cause and/or direct network-layer filter 114 to redirect the packet through a different egress interface. Where at col. 3, lines 42 – 47, after the egress interface index has been identified, the network-layer filter may apply and/or enforce at least one firewall rule on the packet based at least in part on the egress interface index. For example, the network-layer filter may cause the packet to egress out of a different interface than the one identified by the egress interface index due to the firewall rule].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bush and Singh in order for the monitoring by the attack master program of the simulation flood attack results of the target service on the target device of Bush to include monitoring the effects of the simulation flood attack in the kernel space of the target node of Singh. This would allow for the attack master program to determine if the target service has improved its security checking for reduced number of traffic bottlenecks to and through the target node. See Singh, col. 4, lines 1 – 9.
Bush and Singh do not teach clearly the claim limitation of: “wherein the security control device is validated based at least on identifying whether or not the security control device applied security controls on the test traffic having the network identifier of the known bad external destination.”
However, Mihal does teach wherein the security control device is validated based at least on identifying whether or not the security control device applied security controls on the test traffic having the network identifier of the known bad external destination [page[s] 2, paragraph: 0007, lines 27 – 32, and page[s] 3, lines 1- 6].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bush as modified and Mihal in order for the monitoring by the attack master program of the simulation malware attack results data of the target service on the target device of Bush as modified to include monitoring for sensitive data and activity from certain communication ports of Mihal. This would allow for an improvement of network security for detecting malware by monitoring specific input output port addresses and data packet payload attributes. See paragraph: 0003 of Mihal.
As per claim 2. Bush as modified does teach the method of claim 1, wherein the network identifier comprises an internet protocol (IP) address or a domain name [Singh, Figure # 3 and col. 8, lines 48 – 55, source IP address, destination IP address]. 
As per claim 3. Bush does teach the method of claim 1, wherein the test traffic is not communicated from the production network to the known bad external destination [Bush, col. 2, lines 50 – 61, The attack handlers generate virtual messages that are sent and received to and from other attack handlers of other active nodes, that in turn send the virtual messages to a target node of a target service].
As per claim 4. Bush as modified does teach the method of claim 1, further comprising generating, by the source controller, the test traffic using a source network identifier of the source controller and a destination network identifier of the known bad external destination [Singh, Figure # 3 and col. 8, lines 48 – 55, source IP address, destination IP address].
As per claim 5. Bush does teach the method of claim 1, wherein the network device comprises a proxy device configured with a rule to forward traffic from a network identifier of the source controller to the network address of the destination controller [Bush, col. 2, lines 50 – 61, The attack handlers of active nodes [i.e. applicant’s proxies] generate virtual messages that are sent and received to and from other attack handlers of other active nodes].
As per claim 6. Bush as modified does teach the method of claim 5, wherein the rule is configured to forward traffic to a proxy network identifier and port configured on the destination controller [Singh, col. 8, lines 48 – 55, source and destination IP address, source and destination port number].
As per claim 8. Bush as modified does teach the method of claim 1, wherein the network device comprises an egress device configured with a network address translation (NAT) rule to change a destination network identifier of traffic to the network identifier of the destination controller if the source network identifier of the traffic corresponds to the source controller [Singh, Figure # 3, and col. 9, lines 25 – 33, For example, in the event that the applied firewall rule forces the .].
As per claim 9. Bush as modified does teach the method of claim 1, wherein the network device is intermediary to the security control device and the destination controller [Singh, col. 2, lines 6 – 12, remote device [i.e. applicant’s network device]].
As per system claim 12 that includes claim limitations that are the same or similar to method claim[s] 1, and is similarly rejected. 

As per system claim 13 that includes claim limitations that are the same or similar to method claim[s] 2, and is similarly rejected.

As per system claim 14 that includes claim limitations that are the same or similar to method claim[s] 3, and is similarly rejected.

As per system claim 15 that includes claim limitations that are the same or similar to method claim[s] 4, and is similarly rejected.

As per system claim 16 that includes claim limitations that are the same or similar to method claim[s] 5, and is similarly rejected.

As per system claim 17 that includes claim limitations that are the same or similar to method claim[s] 6, and is similarly rejected.

As per system claim 20 that includes claim limitations that are the same or similar to method claim[s] 9, and is similarly rejected.

Claim[s] 7, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bush et al. [US PAT # 7620985] in view of Singh et al. [US PGPUB # 10505899] and  WO 2019/036717, hereinafter as Mihal, as applied to claim[s] 5 above, and further in view of Hwang et al. [US PGPUB # 2017/0078329]
As per claim 7. Bush and Singh and Mihal do teach what is taught in the rejection of claim 5 above. 
Bush and Singh and Mihal do not clearly teach the method of claim 5, further comprising testing, by the destination controller, configuration of the rule of the network before an action using a known good destination.
However, Hwang does teach the method of claim 5, further comprising testing, by the destination controller, configuration of the rule of the network before an action using a known good destination [Figure[s]: # 5A and 5B, and paragraph: 0045, lines 3 – 13, At 502, a request may be received by a computer processor, for example functioning as cloud management stack, for example, from a user, to provision a server with one or more firewall rules. At 504, the computer processor sends or transmits, for example, via a communication network or channel, the firewall rules to an ODM or the like for validation. As described above, the ODM may run on one or more computer processors. The ODM checks its validation rules table (e.g., having pre-defined rules), e.g., stored on a storage or memory device, and determines one or more approved and/or denied rules.].

As per system claim 18 that includes claim limitations that are the same or similar to method claim[s] 7, and is similarly rejected.

Claim[s] 10, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bush et al. [US PAT # 7620985] in view of Singh et al. [US PGPUB # 10505899] and WO 2019/036717, hereinafter as Mihal, as applied to claim[s] 1 above, and further in view of Steele [US PGPUB # 20170272465]
As per claim 10. Bush and Singh and Mihal do teach what is taught in the rejection of claim 1 above.
Bush and Singh and Mihal do not clearly teach the method of claim 1, further comprising obtaining, by the source controller and the destination controller, the predetermined set of one or more known bad external destinations from one of a packet capture (PCAP) source, a user input, or a system.
However, Steele does teach the method of claim 1, further comprising obtaining, by the source controller and the destination controller, the predetermined set of one or more known bad external destinations from one of a packet capture (PCAP) source, a user input, or a system [paragraph: 0009, lines 12 – 16, The processor determines a safe blacklist for each router based on the blacklist and the whitelist, and the processor sends the respective safe blacklist to each router, where legitimate users are not blocked from accessing the one or more servers]. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bush as modified and Steele in order for the monitoring by the attack master program of the simulation flood attack results of the target service on the target device of Bush as modified to include an automated attack detection system of Steele. This would allow for issuing an alert when a device is susceptible to the simulation flood attack. See paragraph: 0026, lines 1 – 6 of Steele. 
As per system claim 21 that includes claim limitations that are the same or similar to method claim[s] 10, and is similarly rejected.

Claim[s] 11, 19, 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bush et al. [US PAT # 7620985] in view of Singh et al. [US PGPUB # 10505899] and WO 2019/036717, hereinafter as Mihal, as applied to claim[s] 1 above, and further in view of Rajagopal et al. [US PGPUB # 2006/0095970]
As per claim 11. Bush and Singh and Mihal do teach what is taught in the rejection of claim 1 above.
Bush and Singh and Mihal do not clearly teach the method of claim 1, wherein the security control device is validated that the security control device applied the security control to the known-bad bad external destination.
However, Rajagopal does teach the method of claim 1, wherein the security control device is validated that the security control device applied the security control to the known-bad bad external destination [paragraph: 0030, lines 1 – 7, Periodically, the host validation agent 42 on the sideband processing elements 23 runs a risk assessment scan to check if the host resident security agents 16 are functioning properly. The validated host resident security agents 16 then proceed to validate whether the operating system 13 and other firewall software running on the host 12 is working correctly]. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bush as modified and Rajagopal in order for the monitoring by the attack master program of the simulation flood attack results of the target service on the target device of Bush as modified to include heuristics algorithms to test the target service of the target node of Rajagopal. This would allow for the attack master program to observe behavior of the target service node to newly found attack algorithms. See paragraph: 0023 of Rajagopal. 
As per claim 19. Bush as modified does teach the system of claim 11, wherein the network device comprises an egress device configured with a network address translation (NAT) rule to change a destination network identifier of traffic to the network identifier of the destination controller if the source network identifier of the traffic corresponds to the source controller [Singh, Figure # 3, and col. 9, lines 25 – 33, For example, in the event that the applied firewall rule forces the packet to egress out of a different interface than the one identified by the egress interface index, packet-forwarding engine 104(1) may ensure that the packet does not egress out of the egress interface identified by the egress interface index.].
As per system claim 22 that includes claim limitations that are the same or similar to method claim[s] 11, and is similarly rejected.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434