Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
	The instant application 16/277,122 is presented for examination by the examiner.  Claim amendments filed via the AFCP 2.0 request on 9/10/21 are not entered.  However, after speaking with Applicant’s representative, the claim set below is entered via Examiner’s amendment, placing the case into condition for allowance.



EXAMINER’S AMENDMENT

An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Edward Kim on 9/27/21.

  The application has been amended as follows:  


Examiner’s Amendment for filing
1.	(Currently Amended) A method comprising:
processing, by a device, a communication between a source and user equipment,
wherein the user equipment is one of a plurality of user equipment connected to a network,
wherein the user equipment is associated with an entity;
determining, by the device, that the communication is associated with an anomalous traffic pattern,
wherein the anomalous traffic pattern is determined based on at least one of:
a first traffic pattern of the source, or
a second traffic pattern of the user equipment; 
implementing, by the device, a provisional blocking of traffic between the source and the plurality of user equipment connected to the network based on determining the anomalous traffic pattern,
wherein the provisional blocking of traffic persists for a first time period;
generating, by the device, a filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern,
wherein the filtering rule prescribes that traffic between the source and the user equipment is to be blocked; 
transmitting, by the device, a first notification to the entity associated with the user equipment,
wherein the first notification requests that the entity affirm the filtering rule[[,]];

configuring, by the device, based on [[the ]]a response to the first notification, and based on the filtering rule, a filter[[.]];
monitoring, by the device, for a second time period to detect a communication attempt between the source and one of the plurality of user equipment;
transmitting, by the device and based on the communication attempt not being detected over the second time period, a second notification to the entity, 
wherein the second notification requests that the entity affirm that the filtering rule is to be removed; and
	allowing, by the device and based on receiving a response to the second notification affirming that the filtering rule is to be removed, traffic between the source and the user equipment.

2.	(Original) The method of claim 1, further comprising:
comparing information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources,
wherein the known source is identified as being a security threat,
wherein generating the filtering rule comprises:
generating the filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern and the match of the source and the known source.

3.	(Canceled Herein)

4.	(Currently Amended) The method of claim 1, wherein the user equipment is first user equipment, the entity is a first entity, 
wherein the method further comprises:
generating a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern,
wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the second filtering rule prescribes that traffic between the source and the second user equipment is to be blocked; 
transmitting a third notification to a second entity associated with the second user equipment,
		wherein the second entity is different from the first entity,
wherein the third notification requests that the second entity affirm the second filtering rule; and
blocking traffic between the source and the second user equipment based on the second entity affirming the second filtering rule.

5.	(Previously Presented) The method of claim 1, wherein the user equipment is first user equipment,

wherein generating the filtering rule comprises:
generating the filtering rule in connection with the source, the first user equipment, and the second user equipment based on determining the anomalous traffic pattern,
wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the filtering rule prescribes that traffic between the source and the first user equipment or the second user equipment is to be blocked.

6.	(Canceled Herein) 

7.	(Currently Amended) The method of claim 1, wherein the first notification further requests that the entity select an action that is one or more of:
reporting the source to a repository of known sources,
reporting the source to a law enforcement agency,
reporting the source to a web hosting service,
pausing the first notification, or
placing the source on a whitelist.

8.	(Currently Amended) A device, comprising:
one or more memories; and
one or more processors, communicatively coupled to the one or more memories, to:

wherein the user equipment is one of a plurality of user equipment connected to a network,
wherein the user equipment is associated with an entity;
determine that the communication is associated with an anomalous traffic pattern,
wherein the anomalous traffic pattern is determined based on at least one of:
a first traffic pattern of the source, or
a second traffic pattern of the user equipment; 
implement a provisional blocking of traffic between the source and the plurality of user equipment connected to the network based on determining the anomalous traffic pattern, 
wherein the provisional blocking of traffic persists for a first time period;
generate a filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern,
wherein the filtering rule prescribes that traffic between the source and the user equipment is to be blocked; 
transmit a first notification to the entity associated with the user equipment,
wherein the first notification requests that the entity affirm the filtering rule[[,]]; 

a response to the first notification, and based on the filtering rule, a filter[[.]];
monitor for a second time period to detect a communication attempt between the source and one of the plurality of user equipment;
transmit, based on the communication attempt not being detected over the second time period, a second notification to the entity, 
wherein the second notification requests that the entity affirm that the filtering rule is to be removed; and
allow, based on receiving a response to the second notification affirming that the filtering rule is to be removed, traffic between the source and the user equipment.

9.	(Original) The device of claim 8, wherein the one or more processors are further to:
compare information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources,
wherein the known source is identified as being a security threat,
wherein the one or more processors, when generating the filtering rule, are to:
generate the filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern and the match of the source and the known source.

10.	(Canceled Herein) 

11.	(Currently Amended) The device of claim 8, wherein the user equipment is first user equipment, the entity is a first entity, 
wherein the one or more processors are further to:
generate a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern,
wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the second filtering rule prescribes that traffic between the source and the second user equipment is to be blocked; 
transmit a third notification to a second entity associated with the second user equipment,
		wherein the second entity is different from the first entity,
wherein the third notification requests that the second entity affirm the second filtering rule; and
block traffic between the source and the second user equipment based on the second entity affirming the second filtering rule.

12.	(Original) The device of claim 8, wherein the user equipment is first user equipment,
wherein second user equipment, associated with the entity, is connected to the network,
wherein the one or more processors, when generating the filtering rule, are to:

wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the filtering rule prescribes that traffic between the source and the first user equipment or the second user equipment is to be blocked.

13.	(Previously Presented) The device of claim 8, wherein the user equipment is first user equipment,
wherein at least one of:
the first traffic pattern of the source includes a previous communication between the source and a second user equipment of the plurality of user equipment connected to the network,
wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered, or
the second traffic pattern of the user equipment includes a plurality of previous communications that do not relate to the source.

14.	(Canceled) 

15.	(Currently Amended) A non-transitory computer-readable medium storing instructions, the instructions comprising:

process a communication between a source and user equipment,
wherein the user equipment is one of a plurality of user equipment connected to a network,
wherein the user equipment is associated with an entity;
determine that the communication is associated with an anomalous traffic pattern,
wherein the anomalous traffic pattern is determined based on at least one of:
a first traffic pattern of the source, or
a second traffic pattern of the user equipment; 
implement a provisional blocking of traffic between the source and the plurality of user equipment connected to the network based on determining the anomalous traffic pattern,
wherein the provisional blocking of traffic persists for a first time period;
generate a filtering rule in connection with the source and the user equipment based on determining the anomalous traffic pattern,
wherein the filtering rule prescribes that traffic between the source and the user equipment is to be blocked; 
transmit a first notification to the entity associated with the user equipment,
wherein the first notification requests that the entity affirm the filtering rule[[,]]; 

configure, based on [[the ]]a response to the first notification, and based on the filtering rule, a filter[[.]];
monitor for a second time period to detect a communication attempt between the source and one of the plurality of user equipment;
transmit, based on the communication attempt not being detected over the second time period, a second notification to the entity, 
wherein the second notification requests that the entity affirm that the filtering rule is to be removed; and
allow, based on receiving a response to the second notification affirming that the filtering rule is to be removed, traffic between the source and the user equipment.

16.	(Original) The non-transitory computer-readable medium of claim 15, wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
compare information identifying the source to information identifying a plurality of known sources to determine a match of the source and a known source of the plurality of known sources,
wherein the known source is identified as being a security threat,
wherein the one or more instructions, that cause the one or more processors to generate the filtering rule, cause the one or more processors to:


17.	(Canceled Herein) 

18.	(Currently Amended) The non-transitory computer-readable medium of claim 15, wherein the user equipment is first user equipment, the entity is a first entity, 
wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
generate a second filtering rule in connection with the source and a second user equipment connected to the network based on determining the anomalous traffic pattern,
wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the second filtering rule prescribes that traffic between the source and the second user equipment is to be blocked; 
transmit a third notification to a second entity associated with the second user equipment,
		wherein the second entity is different from the first entity,
wherein the third notification requests that the second entity affirm the second filtering rule; and


19.	(Original) The non-transitory computer-readable medium of claim 15, wherein the user equipment is first user equipment,
wherein second user equipment, associated with the entity, is connected to the network,
wherein the one or more instructions, that cause the one or more processors to generate the filtering rule, cause the one or more processors to:
generate the filtering rule in connection with the source, the first user equipment, and the second user equipment based on determining the anomalous traffic pattern,
wherein the anomalous traffic pattern is not related to the second user equipment,
wherein the filtering rule prescribes that traffic between the source and the first user equipment or the second user equipment is to be blocked.

20.	(Previously Presented) The non-transitory computer-readable medium of claim 15, wherein the user equipment is first user equipment, 
wherein at least one of: 
the first traffic pattern of the source includes a previous communication between the source and a second user equipment of the plurality of user equipment connected to the network,
wherein a first address of the first user equipment and a second address of the second user equipment are sequentially numbered, or


21.	(Canceled Herein)


22.	(New) The method of claim 1, wherein the first traffic pattern of the source is based on the source generating queries to sequentially numbered addresses of the network.

23.	(New) The method of claim 1, wherein the provisional blocking of traffic comprises:
blocking traffic for the plurality of user equipment connected to the network, or
blocking traffic for one or more of the plurality of user equipment, including the user equipment, associated with the entity.


24.	(New) The device of claim 8, wherein the first traffic pattern of the source is based on the source generating queries to sequentially numbered addresses of the network.

25.	(New) The device of claim 8, wherein the provisional blocking of traffic comprises:
blocking traffic for the plurality of user equipment connected to the network, or
blocking traffic for one or more of the plurality of user equipment, including the user equipment, associated with the entity.


26.	(New) The non-transitory computer-readable medium of claim 15, wherein the first traffic pattern of the source is based on the source generating queries to sequentially numbered addresses of the network.


Response to Amendment

	The present claim amendments overcome the previous claim rejections.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:  
The prior art is silent in explicitly teaching “monitoring, by the device, for a second time period to detect a communication attempt between the source and one of the plurality of user equipment; transmitting, by the device and based on the communication attempt not being detected over the second time period, a second notification to the entity, wherein the second notification requests that the entity affirm that the filtering rule is to be removed; and allowing, by the device and based on receiving a response to the second notification affirming that the filtering rule is to be removed, traffic between the source and the user equipment” in combination with all of the other claim requirements, particularly the provisional blocking of traffic persists for a first time period.  

Allowable Subject Matter
Claims 1, 2, 4, 5, 7-9, 11-13, 15, 16, 18-20, and 22-26 are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on M-F 8:30-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/ Primary Examiner, Art Unit 2431