DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 2/24/2020.
Claims 1-30 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The abstract of the disclosure is objected to because line 14 recites “local notes”, which appears to be a typo.  Correction is required.  See MPEP § 608.01(b).
The disclosure is objected to because of the following informalities:
Paragraphs [4], [32], [33], and [43] recite “local notes”, which appears to be a typo.
Appropriate correction is required.
Claim Objections
Claims 1-30 are objected to because of the following informalities:  
Claim 1 line 17 (similarly claim 29 line 21, claim 30 line 20) recites “the local notes”, which may read as “the local nodes”.
Claim 1 line 16, similarly claim 29 line 20, and claim 30 line 19, recites “so as to …” which is intended use. 
The claims use the phrase “so as to”, which may be interpreted as “in order to”, rendering the claim limitation(s) following “so as to” intended use. Example claims 
Dependent claims (for instance, claims 2-7, 9-19, 24-28) recite “The method according to claim 1, and comprising…”, which may read “The method according to claim 1, further comprising…”.
Claim 12 line 8, “the computed volume” may read “the computed total volume”.
Claim 17 line 5, “destination IP” may read “destination IP address”.
Claim 20 lines 3-4, “a notification from a firewall …” may read “a notification from the firewall …”.
Claim 30 preamble line 4, “which instructions” is confusing. Applicant appears to say: … the product comprising a non-transitory computer-readable medium storing program instructions, when read by a computer, cause the computer…
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-14, 16-17, 19, 23, 25-26 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and 
Claim 7 line 5, similarly claim 9 line 4, recites “the determined count …”. There is insufficient antecedent basis for this limitation in the claim. 
Claim 8 line 3 recites “the corresponding remote node”. There is insufficient antecedent basis for this limitation in the claim.
Claim 9 line 2, similarly claim 10 line 2, claim 11 line 2, and claim 19 lines 4-5, recites “based on the times”. There is insufficient antecedent basis for the limitation “the times” in the claim. It appears “the times” should be recited as “the respective times”.
Claim 12 line 5 recites “the computed count”. There is insufficient antecedent basis for this limitation in the claim.
Claim 1 recites “detected transmissions” and “identified transmissions”. However, in the following dependent claims it is not clear to which transmissions “the transmissions” refers: claim 2 line 9; claim 3 line 5; claim 4 line 4; claim 5 line 7; claim 6 line 8; claim 7 lines 6-7; claim 8 line 6 and line 9; claim 9 line 6; claim 10 line 10; claim 11 line 6; claim 12 line 4; claim 13 line 3; claim 14 line 5; claim 16 line 4; claim 17 line 4; claim 19 line 3; claim 26 line 3.
Claim 23 lines 5 and 9 recite “the given transmissions”. It appears “the given transmissions” should be “the given transmission”.
Claim 25 line 2 recites “the given source node”. There is insufficient antecedent basis for this limitation in the claim.

Dependent claims that depend on the rejected claims are also rejected under the same rationale set forth above. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 29 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim is not statutory as it is drawn as a whole to software per se. The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim recites an apparatus comprising a network interface controller (NIC) and at least one processor, where the NIC and processor under broadest reasonable interpretation can be software components. The specification of the instant application uses open language and does not specify that the NIC and processor(s) are hardware. Applicant is advised to amend the claim to include at least one hardware component, such as a memory or a hardware processor, to make the claim eligible under 35 U.S.C. 101.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 7, 9-14, 25 are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa et al (US20110302656A1, hereinafter, “El-Moussa”), in view of Dandliker et al (US20080082662A1, hereinafter, “Dandliker”).
Regarding claim 1, El-Moussa teaches:
A method for protecting a computer system (El-Moussa, [Abstract] A malicious behaviour detector (100) for detecting malicious behaviour on a network), comprising: 
collecting, by a processor (El-Moussa, Fig. 2 processor unit), information from data traffic transmitted (El-Moussa, referring to Fig.3 step S10, and [0047] The method commences and thereafter at steps S10 and S20 the MBD 100 monitors all traffic passing on the LAN 20 and awaits receipt of an Ethernet frame by looping through steps S10 and S20 until such a frame of data is received whereupon the method proceeds to step S30) between multiple local nodes on a private data network (El-Moussa, Fig. 1 LAN 20 (i.e. private network), Host A, B, etc. (local nodes)) and public Internet Protocol (IP) addresses corresponding to [multiple] remote nodes on a public data network (El-Moussa, Fig. 1 internet 40 (i.e. public data network), Attacker device 50 (i.e. remote node), and [0035] For example, it could try to instigate the blocking of all traffic coming from an IP address suspected of sending malicious packets of data (e.g. by sending a message to the gateway/router device 30 connecting the LAN 20 to the Internet 40 to not forward on any traffic coming from a specified external IP address (e.g. from the IP address associated with device 50)); 
detecting, in the collected information, Domain Name System (DNS) resolutions, each DNS resolution identifying a local node requesting the resolution with respect to a uniform resource identifier (URI) and a public IP address corresponding to the URI (El-Moussa, [Abstract] a Domain Name Service, DNS, request and/or response detection module (134) to monitor the requests made by hosts connected to the network and/or responses thereto. And [0033] Similarly, the DNS request detection module 134 inspects all Ethernet frames which contain a DNS query … Having identified a DNS request, the DNS module 134 checks to see if the address to be resolved is a known blacklisted name (or, in the case of a DNS response if the response includes a known blacklisted IP address … see for example the list of known malicious IP addresses contained at the following URL http://www.dshield.org/sources.html) i.e. a domain name (or an IP address)); 
(El-Moussa, [0039] detecting a significant change in the number of DNS requests issued by a particular host (this can be monitored by keeping a record of the top n hosts in terms of the number of DNS requests they send and adding a small probability to any hosts which enter the top n list--preferably such evidence should time out if no further corroborative evidence is found within a certain period of time--e.g. within 4 hours) (i.e. respective times)); 
and initiating a protective action with respect to at least some of the identified transmissions (El-Moussa, Fig. 3A Step S50 Log packet and record source and destination addresses as suspicious, and Fig. 3B step S100 Send amassed evidence to administrator (i.e. protective action)).  
While El-Moussa teaches the main concept of the invention, i.e. detection of malicious behavior of local devices toward a public device (attacker) by comparing signatures to the detected transmissions, El-Moussa does not expressly teach the multiple remote devices, or comparing the DNS resolutions to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. However, in the same field of endeavor, Dandliker teaches:
public Internet Protocol (IP) addresses corresponding to multiple remote nodes on a public data network (Dandliker, discloses controlling access to network resources based on reputation, see [Abstract]. And referring to Fig. 6, Network resources in public network (i.e. multiple remote nodes), and [0076] a URL domain name may be scored by association of the SMTP reputations of connecting IP addresses associated with that same domain),
(Dandliker, [0139] … such attempts (i.e. detected communications) are thwarted by intercepting, at traffic monitor 628, all DNS requests from the client 612 to resolve domains into IP addresses … When a DNS response is received, traffic monitor 628 locally caches the resolved IP address contained in the response. Thereafter, when viruses or malware on client 612 attempt to send packets to the resolved IP address, traffic monitor 628 intercepts the packets and can compare the cached IP address to database 624 to determine if the address has a good reputation (i.e. IP address resolved, i.e. DNS resolution). If not (i.e. not resolved), access can be blocked); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dandliker in the malicious behavior detection of El-Moussa by comparing the IP address of intercepted packets to a database to determine the reputation of the IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated, based on the reputation of the IP address from the DNS response, to determine whether to allow or block access of the client device to network resources (Dandliker, [Abstract]).

Regarding claim 29, El-Moussa/Dandliker combination teaches:
An apparatus (El-Moussa, Fig. 1 Malicious behaviour detector 100) for protecting a computer system, comprising: a network interface controller (NIC); and at least one processor (El-Moussa, Fig. 2 Interface 110, Processor unit 120) configured: to collect, via the NIC from (El-Moussa, [0057] The MBD 1100 comprises an interface 1110 for communicating with the LAN 20), information from data traffic transmitted between multiple local nodes on the private data network (El-Moussa, Fig. 1 LAN 20) and public Internet Protocol (IP) addresses corresponding to [multiple remote nodes] on a public data network (El-Moussa, Fig. 1 Internet 40), to perform steps substantially similar to the method steps of claim 1, and is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 30, El-Moussa/Dandliker combination teaches:
A computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, in which program instructions are stored (El-Moussa, [0027] The processor unit 120 co-operates with the memory 130 to perform processing functions based on computer program instructions stored in the memory), which instructions, when read by a computer, cause the computer: to perform steps substantially similar to the method steps of claim 1, and is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 7, El-Moussa/Dandliker teaches:
The method according to claim 1, 
El-Moussa further teaches: and comprising computing, for a given public IP address, a count of distinct local nodes that transmitted at least one given transmission to the given public IP address, comparing the determined count to a specified range, and refraining from the (El-Moussa, [0038] This in itself can be indicative of malicious behaviour because command and control servers for malicious computer worms and zombie botnets, etc. tend to frequently change their IP address to avoid having their IP address blackholed, thus frequent i.e. more than one per hour (i.e. computed count, specified threshold), DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour). Examiner further notes that it would be obvious to one of ordinary skill in the art that if the determination regarding the remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.

Regarding claim 9, El-Moussa/Dandliker teaches:
The method according to claim 1, 
El-Moussa further teaches: and comprising computing, based on the times, a count of distinct days having at least one given transmission to a given public IP address, comparing the determined count to a specified threshold, and refraining from the protective action with respect to the transmissions to the identified given public IP addresses upon detecting that the computed count is less than the specified threshold (El-Moussa, [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence). Examiner further notes that El-Moussa teaches that frequent DNS requests for the same domain name can be evidence of malicious behavior; therefore less frequent requests (i.e. a computed count less than the specified threshold) suggest that malicious behavior is less likely, i.e. refraining from the protective action.

Regarding claim 10, El-Moussa/Dandliker teaches:
The method according to claim 1, 
Dandliker further teaches: and comprising computing, based on the times, a first count of distinct days having at least one given transmission from a given local node to a given public IP address, computing a second count of days having at least one given transmission from the given local node during at least a specified number of distinct hours, computing a ratio of the first count to the second count, comparing the ratio to a threshold, and refraining from the protective action with respect to the transmissions to the identified given public IP addresses upon detecting that the ratio is less than the specified threshold (Dandliker, [0080] In an embodiment, examining traffic for suspicious patterns may be performed. For instance, significant repeated activity to a URL during non-business hours may be indicative of a spyware program "phoning-home" data). Examiner notes that when suspicious traffic activity occurs during limited non-business hours, the number of days containing these limited non-business hours is less than if the traffic activity occurred during business hours; therefore the ratio is higher, which indicates suspicious activity. On the other hand, if the traffic activity occurs during business hours, the ratio is lower, indicating less chance of suspicious activity, therefore refraining from the protective action. Although Dandliker does not express the determination as a ratio, under the broadest reasonable interpretation it would be obvious to one of ordinary skill in the art that this rationale can be expressed as a mathematical ratio.

Regarding claim 11, El-Moussa/Dandliker teaches:
The method according to claim 1, 
El-Moussa further teaches: and comprising computing, based on the times, a count of distinct hours having at least one given transmission to a given public IP address, comparing the determined count to a specified threshold, and refraining from the protective action with respect to the transmissions to the identified given public IP addresses upon detecting that the computed count is less than the specified threshold (El-Moussa, [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence). Examiner further notes that El-Moussa teaches that frequent DNS requests for the same domain name can be evidence of malicious behavior; therefore less frequent requests (i.e. a computed count less than the specified threshold) suggest that malicious behavior is less likely, i.e. refraining from the protective action. A count of distinct days and a count of distinct hours are interpreted similarly, as a count or frequency.
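As an added example (not code from the application or from the cited references), the following Python sketch implements the claim 1 comparison of DNS resolutions against detected transmissions, together with the distinct-node, distinct-day and distinct-hour counts of claims 7, 9 and 11 that are used to refrain from the protective action. The private network range (10.0.0.0/8), the thresholds and every sample record are assumptions constructed for the illustration.

```python
"""Correlate DNS resolutions with outbound transmissions (claim 1 procedure),
then apply the count-based suppression of claims 7, 9 and 11.
All data and thresholds are constructed for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the local nodes live in this private data network; anything
# outside it is treated as a public IP address on the public data network.
PRIVATE_NETWORK = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class DnsResolution:
    time: datetime
    local_node: str   # host that issued the DNS query
    name: str         # URI / domain name that was resolved
    public_ip: str    # address returned in the DNS response


@dataclass(frozen=True)
class Transmission:
    time: datetime
    local_node: str
    dest_ip: str
    dest_port: int


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample data: DNS responses observed on the private network.
DNS_RESOLUTIONS = [
    DnsResolution(_ts("2020-02-20T08:00:00"), "10.0.0.5", "updates.example.com", "203.0.113.10"),
    DnsResolution(_ts("2020-02-20T09:15:00"), "10.0.0.7", "mail.example.net", "198.51.100.25"),
]

# Constructed sample data: transmissions seen in the same collected traffic.
TRANSMISSIONS = [
    Transmission(_ts("2020-02-20T08:00:01"), "10.0.0.5", "203.0.113.10", 443),  # resolved first
    Transmission(_ts("2020-02-20T09:15:02"), "10.0.0.7", "198.51.100.25", 25),  # resolved first
    Transmission(_ts("2020-02-20T10:00:00"), "10.0.0.9", "192.0.2.44", 443),    # never resolved
    Transmission(_ts("2020-02-21T10:00:00"), "10.0.0.9", "192.0.2.44", 443),    # ... on three days
    Transmission(_ts("2020-02-22T11:00:00"), "10.0.0.9", "192.0.2.44", 443),
    Transmission(_ts("2020-02-20T12:00:00"), "10.0.0.5", "192.0.2.99", 8080),   # one-off, unresolved
    Transmission(_ts("2020-02-20T12:00:00"), "10.0.0.5", "10.0.0.6", 445),      # LAN-internal, out of scope
    Transmission(_ts("2020-02-20T07:59:00"), "10.0.0.5", "203.0.113.10", 443),  # sent before its resolution
]


def identify_unresolved(transmissions, resolutions):
    """Return transmissions to public IP addresses for which the sending local
    node had no earlier DNS resolution of that address (the claim 1 comparison)."""
    first_resolved = {}  # (local node, public IP) -> earliest resolution time
    for r in resolutions:
        key = (r.local_node, r.public_ip)
        if key not in first_resolved or r.time < first_resolved[key]:
            first_resolved[key] = r.time
    unresolved = []
    for t in transmissions:
        if ip_address(t.dest_ip) in PRIVATE_NETWORK:
            continue  # only traffic to the public data network is in scope
        resolved_at = first_resolved.get((t.local_node, t.dest_ip))
        if resolved_at is None or resolved_at > t.time:
            unresolved.append(t)
    return unresolved


def per_destination_counts(unresolved):
    """Per public IP: (distinct local nodes, distinct days, distinct hour slots)
    having at least one unresolved transmission (the counts of claims 7, 9, 11)."""
    nodes, days, hours = defaultdict(set), defaultdict(set), defaultdict(set)
    for t in unresolved:
        nodes[t.dest_ip].add(t.local_node)
        days[t.dest_ip].add(t.time.date())
        hours[t.dest_ip].add((t.time.date(), t.time.hour))
    return {ip: (len(nodes[ip]), len(days[ip]), len(hours[ip])) for ip in nodes}


def select_for_protective_action(transmissions, resolutions, min_days=2, min_hours=2):
    """Claim 9 / claim 11 suppression: an unresolved destination seen on fewer than
    min_days distinct days or in fewer than min_hours distinct hour slots is treated
    as a one-off and exempted; the rest are returned as {public IP: [transmissions]}."""
    unresolved = identify_unresolved(transmissions, resolutions)
    counts = per_destination_counts(unresolved)
    flagged = defaultdict(list)
    for t in unresolved:
        _, n_days, n_hours = counts[t.dest_ip]
        if n_days < min_days or n_hours < min_hours:
            continue  # refrain from the protective action for this destination
        flagged[t.dest_ip].append(t)
    return dict(flagged)


if __name__ == "__main__":
    for ip, items in select_for_protective_action(TRANSMISSIONS, DNS_RESOLUTIONS).items():
        print(ip, [(t.local_node, t.time.isoformat(), t.dest_port) for t in items])
```

With the constructed data only 192.0.2.44 (contacted without resolution on three days) survives the suppression; the one-off unresolved destinations and the LAN-internal transmission are exempted.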

Regarding claim 12, El-Moussa/Dandliker teaches:
The method according to claim 1, 
(Dandliker, [0038] The approaches herein use reputation information to control requests to obtain network resources using HTTP and other web protocols. And [0074] The parameters can be used as indicators about a reputation of a URL.  … global traffic volume and changes in volume; Table shows example URL reputation scores, and [0095] (-7) IronPort SenderBase shows a sudden spike in volume of requests to URL, and URL is a typographical corruption of a popular domain). Examiner notes that a sudden spike in volume suggests suspicious activity; therefore a smaller spike, or a lower computed volume, suggests less chance of suspicious activity, therefore refraining from the protective action.

Regarding claim 13, El-Moussa/Dandliker teaches:
The method according to claim 1, 
Dandliker further teaches: and comprising determining a protocol of a given transmission to a given public IP address, computing a count of the transmissions in a session comprising the given transmission, comparing the computed count to a specified threshold for the determined protocol, and refraining from the protective action with respect to the given transmission upon detecting that the computed count is less than the specified threshold (Dandliker, [0153] In an embodiment, messaging gateway 608 also implements a proxy for file transfer protocol (FTP) requests of clients. An FTP session uses two TCP connections between the client and server: the Command connection, and the Data connection.  The FTP session is initiated by the client connecting to the server, establishing the Command connection). Examiner notes that El-Moussa’s teaching of counting the frequency of DNS requests also applies to a session of Dandliker; therefore less frequent requests (i.e. a computed count less than the specified threshold) suggest that malicious behavior is less likely, i.e. refraining from the protective action.

Regarding claim 14, El-Moussa/Dandliker teaches:
The method according to claim 1, 
El-Moussa further teaches: and comprising determining a protocol of a given transmission to a given public IP address, identifying the determined protocol in a specified list of non-periodic protocols, computing a count of the transmissions to the given public IP address and comprising the determined protocol, comparing the computed count to a specified range for the determined protocol, and refraining from the protective action with respect to the given transmission upon detecting that the computed count is within the specified range (El-Moussa, [0033] Similarly, the DNS request detection module 134 inspects all Ethernet frames which contain a DNS query (DNS queries are generally sent in a User Datagram Protocol (UDP) datagram encapsulated in an Internet Protocol (IP) packet(s). And [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence). 

Regarding claim 25, El-Moussa/Dandliker teaches:
The method according to claim 1, 
El-Moussa further teaches: and comprising determining that the given source node is a proxy server, and refraining from the protective action with respect to the given transmission (El-Moussa, [0026] FIG. 1 illustrates a typical network architecture comprising a Local Area Network (LAN) 20 (e.g. an IEEE 802.3 Ethernet LAN) connected, via a gateway/router device 30 (which also acts as a proxy DNS server)).

Claims 2, 4 are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Dandliker combination as applied above to claim 1, further in view of Neerdaels (US20090119397A1, hereinafter, “Neerdaels”).
Regarding claim 2, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in a similar field of endeavor, Neerdaels teaches:
and comprising: analyzing the detected transmissions so as to identify a subnet of the public data network containing a subset of the public IP addresses that were not resolved by the DNS resolutions but belong to a demilitarized zone (DMZ) subnet associated with the private data network; and refraining from the protective action with respect to the (Neerdaels, discloses using ECDN virtual zone as DMZ for enterprise content delivery, see [Abstract]. And [0025] From a security standpoint, the enterprise network manager roughly divides the world of the network into trusted and un-trusted, which usually corresponds to internal and external entities… More sophisticated systems usually create a security entity called a DMZ, which can be thought of as a set of two firewalls, with certain assets like email, DNS, web servers, etc. sitting between them.  Each firewall has a different set of filtering rules, with the innermost generally allowing valid traffic from a host within the DMZ to enter the enterprise. And [Claim 7] the ECDN virtual zone is resolved without reference to the public Internet DNS).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Neerdaels in the malicious behavior detection of El-Moussa/Dandliker by employing ECDN virtual zone as DMZ that is not resolved to public internet DNS. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the ECDN virtual zone as DMZ for content delivery within enterprise even without DNS resolution in an existing DNS infrastructure (Neerdaels, [0007-0009], [0025]).

Regarding claim 4, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in a similar field of endeavor, Neerdaels teaches:
(Neerdaels, discloses using ECDN virtual zone as DMZ for enterprise content delivery, see [Abstract]. And [0009] It is yet another general object of the invention to define and implement one or more so-called "virtual" zones within an enterprise namespace to facilitate content delivery behind a corporate firewall over an enterprise content delivery network (ECDN). And [Claim 1] building a list of one or more enterprise domains that are candidates for caching in the ECDN, wherein an enterprise domain that is a candidate for caching has associated therewith a set of one or more IP addresses associated with nearby content servers managed as part of an Internet content delivery network (ICDN)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Neerdaels in the malicious behavior detection of El-Moussa/Dandliker by employing ECDN virtual zone for enterprise content delivery. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the ECDN virtual zone as DMZ for content delivery within enterprise even without DNS resolution in an existing DNS infrastructure (Neerdaels, [0007-0009], [0025]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Dandliker combination as applied above to claim 1, further in view of Lv et al (US20130007233A1, hereinafter, “Lv”).
Regarding claim 3, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in a similar field of endeavor, Lv teaches:
and comprising identifying a given IP address that belongs to an autonomous system reserved for internal use by an entity, and refraining from the protective action with respect to the transmissions to the identified given public IP addresses (Lv, [0030] each managed network device of an autonomous wireless network needs a unique IP address to support internal control-path communication between them. However, such unique IP address does not have to be externally reachable or managed. Rather, each managed network device can assign (i.e. identifying) to itself an internal IP address within an address space specifically reserved for internal network communications).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lv in the malicious behavior detection of El-Moussa/Dandliker by assigning an internal IP address within an address space as specifically reserved for internal network communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to link local address space within wireless network as a private network (Lv, [Abstract], [0030]) so that protective action is not necessary.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Dandliker combination as applied above to claim 1, further in view of Wood (US20190081952A1, hereinafter, “Wood”).
Regarding claim 5, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in a similar field of endeavor, Wood teaches:
and comprising: analyzing the detected transmissions so as to identify a given local node that pinged a given public IP address so as to determine a status of the corresponding remote node; and refraining from the protective action with respect to the transmissions to the given public IP addresses (Wood, [0070] The invention also features a system for blocking DNS tunnels,… a process to identify whether a remote IP address is a previous fake IP address previously provided by the system in response to a previous DNS query; a process for finding the actual remote IP address for the at least one data communication packet destined for the fake IP address); Examiner notes that claim 5 does not recite for which identified status of the remote node the protective action is refrained. But it would be obvious to one of ordinary skill in the art that if the status of the corresponding remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wood in the malicious behavior detection of El-Moussa/Dandliker by identifying actual remote IP address for data communication. This would have been obvious because the person having ordinary .

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Dandliker combination as applied above to claim 1, further in view of Deutschmann et al (US20190124092A1, hereinafter, “Deutschmann”).
Regarding claim 6, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Deutschmann teaches:
and comprising: analyzing the detected transmissions so as to identify a given local node that scanned one or more ports on a given remote node so as to determine one or more respective statuses of services provided by the given remote node at the one or more ports; and refraining from the protective action with respect to the transmissions to a given public IP address corresponding to the given remote node (Deutschmann, discloses detecting unauthorized access to a device based on scanning network ports, see [Abstract]. And [0012] In addition to scanning a second software port for the open or in use status thereof, a plurality of additional ports can be scanned by way of the code, when executed, attempting to open a network connection on each of the plurality of additional ports and modifying further delivery of data is based on a determination that any one of the plurality of additional ports being in use. Also referring to Fig. 1, End User Device (i.e. local node) and Malfeasant (i.e. remote node)). Examiner notes that claim 6 does not recite for which respective status of the remote node the protective action is refrained. But it would be obvious to one of ordinary skill in the art that if the status of the corresponding remote node suggests the remote node is not a malicious node, there is no need to perform the protective action. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Deutschmann in the malicious behavior detection of El-Moussa/Dandliker by scanning network ports to determine which ports are open for the purpose of detection of remote fraudulent activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine particular ports are already in use so as to determine a malfeasant actor has access to the end user device (Deutschmann, [Abstract]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Jeong et al (US20110016525A1, hereinafter, “Jeong”).
Regarding claim 8, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Jeong teaches: 
wherein each given transmission to a given public IP address comprises a destination port number on the corresponding remote node, and comprising computing, for a given public IP address, a count of distinct destination port numbers in the transmissions to the given public IP address, comparing the computed count to a specified threshold, and refraining from the (Jeong discloses detecting a network attack based on visual data analysis, see [Title], [Abstract]. And [0011]: a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack. For instance, see Fig. 6C, [0048]: the generation of the traffic from multiple source IPs to one destination IP indicates that DDoS attack S602 is being progressed. Examiner notes that this can be interpreted as: when the number of destination IPs is larger, the data indicates a lower chance of a network attack being present). Examiner notes that it would have been obvious to one of ordinary skill in the art that if the determination regarding the remote node suggests the remote node is not a malicious node, there is no need to perform the protective action. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Jeong in the malicious behavior detection of El-Moussa/Dandliker by using the number of ports associated with a destination IP address to analyze a network attack. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect a network attack based on a destination IP address count on a traffic image plot (Jeong, [Abstract]).
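The two exclusion rules discussed in the rejections of claims 6 and 8 above (a local node that has port-scanned a remote node and learned its service statuses; a count of distinct destination ports per public IP compared to a threshold), as an added worked example in Python. This code is not part of this office action, the application, or any cited reference. The flow records, the addresses (RFC 5737 documentation ranges), the reply-flag convention and the thresholds are constructed; the direction of the distinct-port comparison is an assumption, because the claim text as quoted above is cut off before it.

```python
"""Exclusion heuristics over outbound flow records (added example).

Decides, per remote public IP, whether a protective action should be
refrained from because (a) a local node already port-scanned that remote
node and learned its service statuses, or (b) the transmissions to that IP
use more distinct destination ports than a threshold. The direction of the
comparison in (b) is an assumption, not something the page states.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # local node (private address)
    dst: str          # remote node (public address)
    dport: int        # destination port on the remote node
    reply_flags: str  # TCP flags in the remote node's first reply: "SA" open, "RA" closed


# Constructed sample flows (RFC 5737 documentation ranges):
# 10.0.0.5 probes six ports on 203.0.113.10 and mostly gets RST/ACK back;
# 10.0.0.7 and 10.0.0.8 together reach five distinct ports on 198.51.100.20;
# 10.0.0.9 has ordinary repeated HTTPS traffic to two hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 21, "RA"),
    Flow("10.0.0.5", "203.0.113.10", 22, "SA"),
    Flow("10.0.0.5", "203.0.113.10", 23, "RA"),
    Flow("10.0.0.5", "203.0.113.10", 80, "SA"),
    Flow("10.0.0.5", "203.0.113.10", 443, "RA"),
    Flow("10.0.0.5", "203.0.113.10", 3389, "RA"),
    Flow("10.0.0.7", "198.51.100.20", 8000, "SA"),
    Flow("10.0.0.7", "198.51.100.20", 8001, "SA"),
    Flow("10.0.0.7", "198.51.100.20", 8002, "SA"),
    Flow("10.0.0.8", "198.51.100.20", 8003, "SA"),
    Flow("10.0.0.8", "198.51.100.20", 8004, "SA"),
    Flow("10.0.0.9", "192.0.2.30", 443, "SA"),
    Flow("10.0.0.9", "192.0.2.30", 443, "SA"),
    Flow("10.0.0.9", "192.0.2.31", 443, "SA"),
]


def scanned_services(flows, min_ports=5):
    """Identify local nodes that scanned a remote node, and the service status
    learned per port: a SYN/ACK reply means open, a RST(/ACK) reply means closed.
    Returns {(local, remote): {port: status}} for every pair that touched at
    least min_ports distinct ports."""
    by_pair = defaultdict(dict)
    for f in flows:
        by_pair[(f.src, f.dst)][f.dport] = "open" if "S" in f.reply_flags else "closed"
    return {pair: ports for pair, ports in by_pair.items() if len(ports) >= min_ports}


def distinct_port_counts(flows):
    """Distinct destination port numbers per remote public IP."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.dst].add(f.dport)
    return {dst: len(p) for dst, p in ports.items()}


def excluded_remotes(flows, scan_min_ports=5, port_threshold=4):
    """Map each remote IP for which the protective action is refrained from
    to the sorted list of reasons that apply."""
    reasons = defaultdict(set)
    for (_local, remote) in scanned_services(flows, scan_min_ports):
        reasons[remote].add("scanned-by-local-node")
    for remote, count in distinct_port_counts(flows).items():
        if count > port_threshold:  # assumed direction of the comparison
            reasons[remote].add("distinct-ports-above-threshold")
    return {remote: sorted(r) for remote, r in reasons.items()}


def remotes_for_protective_action(flows, **thresholds):
    """Remote IPs that matched no exclusion and remain subject to the action."""
    excluded = excluded_remotes(flows, **thresholds)
    return sorted({f.dst for f in flows} - set(excluded))


if __name__ == "__main__":
    for pair, statuses in scanned_services(SAMPLE_FLOWS).items():
        print("scan", pair, statuses)
    print("excluded", excluded_remotes(SAMPLE_FLOWS))
    print("protect", remotes_for_protective_action(SAMPLE_FLOWS))
```

On the sample, 203.0.113.10 is excluded on both grounds, 198.51.100.20 only because five distinct ports exceed the threshold of four, and the two 192.0.2.x hosts remain candidates for the protective action.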

Claims 15 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Lim et al (US20180013778A1, hereinafter, “Lim”).
Regarding claim 15, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Lim teaches:
and comprising determining a destination port number of a given transmission, comparing the determined destination port number to specified list of port numbers, and refraining from the protective action with respect to the given transmission upon detecting that the determined destination port number is in the specified list (Lim discloses a method for detecting abnormal behavior in a main device and a terminal device by using a whitelist. And [0040]: the network whitelist (i.e. specified list) may include the IP address and port number of a network connection for the main device 10 and the terminal device 20, the name of a network process, and [0062]: at step S125, the network process, IP address, and port number of the main device and the network process, IP address, and port number of the terminal device are compared with the main device-terminal device connection whitelist).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lim in the malicious behavior detection of El-Moussa/Dandliker by identifying abnormal behavior of network devices using a whitelist that includes the IP address and port number of the devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the abnormal behavior of network devices based on a whitelist (Lim, [Abstract]), i.e. if the device is in the whitelist, the protective action is refrained from.

Regarding claim 21, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Lim teaches:
wherein a given transmission comprises a given protocol and a given destination port number, and comprising comparing the destination port number to a list of valid destination port numbers for the given protocol, and refraining from the protective action with respect to the given transmission upon detecting the given destination port number in the list (Lim discloses a method for detecting abnormal behavior in a main device and a terminal device by using a whitelist. And [0040]: the network whitelist (i.e. the list) may include the IP address and port number of a network connection for the main device 10 and the terminal device 20, the name of a network process, and [0062]: at step S125, the network process, IP address, and port number of the main device and the network process, IP address, and port number of the terminal device are compared with the main device-terminal device connection whitelist).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lim in the malicious behavior detection of El-Moussa/Dandliker by identifying abnormal behavior of network devices using a whitelist that includes the IP address and port number of the devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the abnormal behavior of network devices based on a whitelist (Lim, [Abstract]), i.e. if the device is in the whitelist, the protective action is refrained from.  

Claims 16 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Gottlieb et al (US 9,130,982 B2, hereinafter, “Gottlieb”).
Regarding claim 16, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Gottlieb teaches:
and comprising determining a geo-location of a given destination IP address in a given transmission, computing a count of the transmissions to any of the destination IP addresses having the same geo-location, comparing the computed count to a specified threshold, and refraining from the protective action with respect to the given transmission upon detecting that the computed count is less than the specified threshold (Gottlieb discloses detecting anomalous attacks in Internet network flow, see [Abstract]. And Col. 6 lines 55-67: DDoS attacks may employ bots located in geographically diverse regions.  Therefore it is expected that the number of unique geographical areas from which traffic is observed for a destination could be relatively large when a DDoS attack is in progress…The IP Geolocation Diversity Indicator maintains a count of the unique geographical locations from where traffic is observed for a given destination within the current time window.  As before, this is compared against a long term rate (i.e. specified threshold) to determine the presence of geolocation anomalies for the given destination. And Col. 7 lines 28-30: An analyst can filter alerts based on destination IP addresses or destination IP prefixes of interest in conjunction with some subset of indicator types). 


Regarding claim 22, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Gottlieb teaches:
wherein a given transmission comprises a given public IP address, and comprising determining a number of the public IP addresses hosted by a datacenter hosting the given IP address, and refraining from the protective action with respect to the given transmission upon detecting that the determined number is less than a specified threshold (Gottlieb, Col. 6 lines 36-46: A botnet originated DDoS attack typically uses a large number of bots to overwhelm a target. In addition, many botnets may also employ random source IP address spoofing to hide the location of individual bots.  It is thus possible that during a large scale DDoS attack the number of unique source IP addresses for a given destination IP may be quite large relative to normal operations. It may be possible to provide early warning of DDoS/RDDoS attacks by considering the number of unique source IP addresses observed within a time window for a given destination IP address). Examiner notes that if the determined number of IP addresses is smaller, it would have been obvious to one of ordinary skill in the art that an attack is less likely, and therefore the protective action can be refrained from. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious behavior detection of El-Moussa/Dandliker by identifying attacks based on the large number of bots and IP addresses involved. This would have been obvious because the person having ordinary skill in the art would have been motivated to compare counts of Internet traffic messages against their long-term averages to determine anomalous attacks (Gottlieb, [Abstract]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Chiba et al (US20160366159A1, hereinafter, “Chiba”).
Regarding claim 17, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Chiba teaches:
and comprising determining that a given destination IP address in a given transmission belongs to an autonomous system, computing a count of the transmissions to the given destination IP (Chiba discloses extraction of traffic features using a traffic log, see [Abstract]. And [0006]: In an approach for automatically extracting the feature information from the information on communication relating to attacks, the information on communication relating to attacks is summarized based on the categorization into respective items set in advance, for example, date and time, an Internet protocol (IP) address of a communication peer, …, and the number of times of communication. Also see [0060] for traffic logs generated by malware including the communication destination IP address. In particular, Fig. 6 shows an AS number, indicating an autonomous system), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chiba in the malicious behavior detection of El-Moussa/Dandliker by extracting feature information on communication related to attacks, such as the destination IP address and the number of times of communication within an autonomous system. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the feature information extracted from traffic logs to identify attacks (Chiba, [Abstract], [0019]).
El-Moussa further teaches: comparing the computed count to a specified threshold, and refraining from the protective action with respect to the given transmission upon detecting that the computed count exceeds the specified threshold (El-Moussa, [0038]: This in itself can be indicative of malicious behaviour because command and control servers for malicious computer worms and zombie botnets, etc. tend to frequently change their IP address to avoid having their IP address blackholed, thus frequent i.e. more than one per hour (i.e. computed count, specified threshold), DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour). Examiner further notes that it would have been obvious to one of ordinary skill in the art that if the determination regarding the remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Zawoad et al (US20190387005A1, hereinafter, “Zawoad”).
Regarding claim 18, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Zawoad teaches:
and comprising determining that a given destination IP address in a given transmission belongs to an autonomous system, determining that the autonomous system is not bulletproof, and refraining from the protective action with respect to the given transmission (Zawoad, [0176]: As described above, adversaries may often use "bullet-proof" hosting services to launch attacks in order to avoid law enforcement and other legal repercussions and certain autonomous systems (ASs) are known for to have a higher incidence of malicious activity than other ASs). Examiner notes that, given the teaching of Zawoad that bullet-proof hosting services are often used to launch attacks, it would have been obvious to one of ordinary skill in the art that an autonomous system that is not bulletproof is less likely to launch attacks, and therefore the protective action can be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zawoad in the malicious behavior detection of El-Moussa/Dandliker by identifying bullet-proof hosting services in an autonomous system. This would have been obvious because the person having ordinary skill in .

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Alpert et al (US 10,257,295 B1, hereinafter, “Alpert”).
Regarding claim 19, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Alpert teaches:
and comprising determining a given destination IP address in a given transmission, identifying a subset of the transmissions to the given public IP address, identifying, based on the times, a most recent transmission in the subset, determining a date for the most recent transmission, comparing the date to a specified threshold date, and refraining from the protective action with respect to the given transmission upon detecting that the determined date is after the specified threshold date (Alpert discloses monitoring abnormalities in Internet activity, see [Abstract]. And Col. 5 lines 46-57: if the activity report indicates normal internet traffic activity for when a user is actively using a client device 130 and or mobile device 160, 170, the cloud server 180 may use that report in determining that the property is occupied. In another example, in response to a triggered alarm event within a property, the cloud server 180 may analyze the recent activity report transmitted by the internet sensor 120 to determine user activity within the property.  For instance, if the activity report indicates normal internet traffic activity, the monitor cloud server 180 may determine that there is no security breach within the property).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Alpert in the malicious behavior detection of El-Moussa/Dandliker by identifying recent Internet activity from an activity report that indicates normal Internet traffic activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to rely on recent normal Internet traffic activity to determine that there is no security breach in the network (Alpert, [Abstract]).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Ylonen et al (US20030110379A1, hereinafter, “Ylonen”).
Regarding claim 20, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Ylonen teaches:
wherein a given transmission comprises a given protocol, and comprising receiving, from a firewall, a notification from a firewall that the firewall recognizes the given protocol, and refraining from the protective action with respect to the given transmission (Ylonen discloses maintaining security in a packet-switched information network, see [Title]. And [0016]: The objects of the invention are achieved by implementing packet-level processing in the operating system kernel of a firewall computer, by setting up at least one protocol-specific application gateway somewhere else than in the operating system kernel of the firewall computer, and by instructing the packet-level processing process to recognize packets associated with the protocol that the protocol-specific application gateway handles and to direct the recognized packets to the application gateway. Also see Fig. 1, Firewall 103). Examiner notes that when the firewall recognizes the protocol on which a malicious transmission is based, it would have been obvious to one of ordinary skill in the art that one can rely on the firewall to block the malicious transmission, and therefore the protective action is not needed.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ylonen in the malicious behavior detection of El-Moussa/Dandliker by implementing a firewall with a protocol-specific application gateway that recognizes packets associated with the protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the firewall to block malicious transmissions associated with a protocol that can be recognized as related to attacks (Ylonen, [Abstract]), so that a further protective action is not necessary.

Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Kim et al (US20180351930A1, hereinafter, “Kim”).
Regarding claim 23, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Kim teaches:
wherein each given transmission from a given local node to a given remote node comprises a given protocol and a given destination port number, and comprising comparing the destination port numbers in the given transmissions to a list of standard port numbers, computing a count of the compared destination port numbers that were not in the list, and refraining from the protective action with respect to the given transmissions upon detecting that the computed count exceeds a specified threshold (Kim, [0237]: each whitelist (i.e. not in the list, where the list can be a blacklist) includes a source IP address, a source port number, a destination IP address, a destination port number, a protocol, etc. Also, each whitelist may further include …, the number of permissions per day, the number of uses per day,…). Examiner notes that a larger number of port numbers being in the whitelist (i.e. not in the blacklist) suggests that a network attack is less likely, and therefore the protective action can be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kim in the malicious behavior detection of El-Moussa/Dandliker by using a whitelist that includes the destination IP address and port number in a firewall to control bidirectional communication between an internal network and an external network. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the firewall to block malicious transmissions associated with port numbers that are not included in the whitelist (Kim, [Abstract]), so that a further protective action is not necessary.
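The three port-based exclusion rules discussed in the rejections of claims 15, 21 and 23 above (a destination port on a specified list; a destination port that is valid for the transmission's protocol; a count, per local/remote pair, of destination ports not on a standard list compared to a threshold), as an added worked example in Python. This code is not part of this office action, the application, or any cited reference. The port lists, the sample transmissions and the threshold are constructed, and the application-protocol label on each transmission is assumed to come from some traffic classifier the page does not name; the direction of the count comparison follows the claim text as quoted above.

```python
"""Port-based exclusion rules for outbound transmissions (added example).

Three rules decide that the protective action is refrained from: the
destination port is on an allowlist; the destination port is a valid port
for the application protocol seen in the transmission; or the local/remote
pair used more distinct non-standard destination ports than a threshold.
All lists below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    src: str    # local node
    dst: str    # remote node (public IP)
    proto: str  # application protocol as labelled by a traffic classifier (assumed input)
    dport: int  # destination port number


# Rule 1: constructed allowlist of destination ports.
ALLOWED_PORTS = {53, 80, 443}

# Rule 2: constructed per-protocol valid ports. HTTP on 4444 is not "valid" here.
VALID_PORTS_BY_PROTOCOL = {
    "dns": {53},
    "http": {80, 8080},
    "https": {443, 8443},
    "smtp": {25, 465, 587},
    "ssh": {22},
}

# Rule 3: constructed list of standard ports.
STANDARD_PORTS = {20, 21, 22, 23, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389, 8080, 8443}

# Constructed sample transmissions (RFC 5737 documentation ranges).
SAMPLE_TXS = [
    Tx("10.0.0.5", "198.51.100.20", "https", 443),   # allowlisted port
    Tx("10.0.0.5", "198.51.100.20", "http", 8080),   # valid port for HTTP
    Tx("10.0.0.6", "203.0.113.7", "ssh", 22),        # valid port for SSH
    Tx("10.0.0.6", "203.0.113.7", "http", 4444),     # HTTP on an unusual port: no rule matches
    Tx("10.0.0.8", "192.0.2.9", "unknown", 6881),    # 10.0.0.8 -> 192.0.2.9 uses four
    Tx("10.0.0.8", "192.0.2.9", "unknown", 6882),    # distinct non-standard ports
    Tx("10.0.0.8", "192.0.2.9", "unknown", 6883),
    Tx("10.0.0.8", "192.0.2.9", "unknown", 6884),
]


def port_allowlisted(tx):
    return tx.dport in ALLOWED_PORTS


def port_valid_for_protocol(tx):
    return tx.dport in VALID_PORTS_BY_PROTOCOL.get(tx.proto, set())


def nonstandard_port_counts(txs):
    """Distinct destination ports not in STANDARD_PORTS, per (local, remote) pair."""
    ports = defaultdict(set)
    for t in txs:
        if t.dport not in STANDARD_PORTS:
            ports[(t.src, t.dst)].add(t.dport)
    return {pair: len(p) for pair, p in ports.items()}


def decide(txs, nonstandard_threshold=3):
    """Return [(tx, reason)] where reason names the exclusion that applied, or
    None when the transmission remains subject to the protective action. The
    first matching rule wins; a non-standard-port count above the threshold
    refrains from the action, as the claim text quoted above states."""
    counts = nonstandard_port_counts(txs)
    decisions = []
    for t in txs:
        if port_allowlisted(t):
            reason = "allowlisted-port"
        elif port_valid_for_protocol(t):
            reason = "valid-port-for-protocol"
        elif counts.get((t.src, t.dst), 0) > nonstandard_threshold:
            reason = "many-nonstandard-ports"
        else:
            reason = None
        decisions.append((t, reason))
    return decisions


def reasons(txs, **kw):
    """The reason (or None) for each transmission, in input order."""
    return [reason for _tx, reason in decide(txs, **kw)]


if __name__ == "__main__":
    for tx, reason in decide(SAMPLE_TXS):
        verdict = "refrain: " + reason if reason else "PROTECT"
        print(tx.src, "->", tx.dst, tx.proto, tx.dport, verdict)
```

Only the HTTP-on-4444 transmission from 10.0.0.6 matches no rule on the sample; note that the count rule is evaluated over the whole batch, so a single transmission's verdict depends on the other ports the same pair used.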

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Firstenberg et al (US20180069884A1, hereinafter, “Firstenberg”).
Regarding claim 24, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in a similar field of endeavor, Firstenberg teaches:
and comprising determining that a given destination IP address in a given transmission belongs to an autonomous system, determining that the autonomous system is not rentable, and refraining from the protective action with respect to the given transmission (Firstenberg, [0009]: the method may include generating an alert for the one or more predicted ASNs, or for transmissions to the IP addresses of the one or more predicted ASNs… generating the alert may include restricting data transmissions between the endpoints and the IP addresses of the one or more predicted ASNs…, each given predicted ASN may include a rentable ASN). Examiner notes that Firstenberg’s teachings suggest that a non-rentable autonomous system is less likely to be associated with suspicious transmission activity, and therefore the protective action can be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Firstenberg in the malicious behavior detection of El-Moussa/Dandliker by identifying ASNs and their behaviors, such as rentable or non-rentable. This would have been obvious because the person having ordinary skill in the art would have been motivated to employ ASNs with non-.
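The destination-IP metadata exclusions discussed in the rejections of claims 16, 18 and 24 above (a count of transmissions to destinations sharing a geo-location compared to a threshold; an autonomous system that is not bulletproof; an autonomous system that is not rentable), as an added worked example in Python. This code is not part of this office action, the application, or any cited reference. A constructed prefix table stands in for the geolocation/ASN database that such checks need (the page names none); the country, ASN, "bulletproof" and "rentable" values in it are invented for the example, as are the sample destinations and the threshold. Threshold directions follow the claim text as quoted above.

```python
"""Destination-IP metadata exclusions (added example): geo-location counts
and autonomous-system attributes. The prefix table, its flags and the sample
destinations are constructed; nothing here is drawn from a real database.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PrefixInfo:
    country: str
    asn: int
    bulletproof: bool  # AS known for bullet-proof hosting (constructed flag)
    rentable: bool     # AS whose address space is rented out (constructed flag)


# Constructed table; all prefixes are RFC 5737 documentation ranges.
PREFIX_TABLE = {
    ipaddress.ip_network("203.0.113.0/25"):   PrefixInfo("NL", 64500, bulletproof=False, rentable=False),
    ipaddress.ip_network("203.0.113.128/25"): PrefixInfo("RU", 64501, bulletproof=True, rentable=True),
    ipaddress.ip_network("198.51.100.0/24"):  PrefixInfo("US", 64502, bulletproof=False, rentable=True),
    ipaddress.ip_network("192.0.2.0/24"):     PrefixInfo("US", 64503, bulletproof=False, rentable=False),
}

# Constructed destination IPs of observed transmissions, one entry per transmission.
SAMPLE_DESTINATIONS = [
    "203.0.113.5",
    "203.0.113.200", "203.0.113.200", "203.0.113.200",
    "198.51.100.20", "198.51.100.20",
    "192.0.2.30", "192.0.2.30",
    "198.18.0.1",  # not covered by the table: metadata unknown
]


def lookup(ip):
    """Longest-prefix match against PREFIX_TABLE; None when no prefix covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in PREFIX_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def geo_counts(destinations):
    """Number of transmissions to any destination in each geo-location."""
    counts = Counter()
    for ip in destinations:
        info = lookup(ip)
        if info is not None:
            counts[info.country] += 1
    return counts


def exclusions(destinations, geo_threshold=2):
    """Map destination IP -> sorted reasons for refraining from the protective
    action. Rules, as claimed: fewer than geo_threshold transmissions to the
    destination's geo-location; destination AS not bulletproof; destination
    AS not rentable. Destinations with no metadata match no rule."""
    by_geo = geo_counts(destinations)
    reasons = defaultdict(set)
    for ip in set(destinations):
        info = lookup(ip)
        if info is None:
            continue
        if by_geo[info.country] < geo_threshold:
            reasons[ip].add("geo-count-below-threshold")
        if not info.bulletproof:
            reasons[ip].add("as-not-bulletproof")
        if not info.rentable:
            reasons[ip].add("as-not-rentable")
    return {ip: sorted(r) for ip, r in reasons.items()}


def destinations_for_protective_action(destinations, **kw):
    """Destinations that matched no exclusion and remain subject to the action."""
    return sorted(set(destinations) - set(exclusions(destinations, **kw)))


if __name__ == "__main__":
    print(dict(geo_counts(SAMPLE_DESTINATIONS)))
    print(exclusions(SAMPLE_DESTINATIONS))
    print(destinations_for_protective_action(SAMPLE_DESTINATIONS))
```

Destinations that the table does not cover are deliberately left without an exclusion: absent metadata is not evidence that a remote node is benign, so such transmissions stay subject to the protective action.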

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Keanini et al (US20070143852A1, hereinafter, “Keanini”).
Regarding claim 26, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Keanini teaches:
and comprising identifying one or more of the local nodes as pingers, determining that all of the transmissions to a given destination IP address are from the identified local nodes, and refraining from the protective action with respect to any given transmission to the given destination IP address (Keanini, [0048] the control module 320 uses ping requests to identify hosts on the network and TCP connection attempts to identify open ports of the hosts.  Based on this information, the control module 320 sends messages to the identification subsystem 330 instructing it to carry out various analyses to identify and verify vulnerabilities of hosts 191 on the network).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Keanini in the malicious behavior detection of El-Moussa/Dandliker by using ping requests to identify vulnerable hosts. This would have been obvious because the person having ordinary skill in the .

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Amoudi et al (US20210014198A1, hereinafter, “Amoudi”).
Regarding claim 27, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Amoudi teaches:
and comprising determining that a given destination IP address in a given transmission corresponds to a mail server, and refraining from the protective action with respect to the given transmission (Amoudi, [0043]: Since the OPES system 10 is hosted in a DMZ (behind firewalls), only specific IP addresses and specific port numbers will be allowed to communicate with the backend mail server 112 hosted in the computer network 1. And the mail server 112 can be configured to accept only email communications from a node having a predefined IP address such as, for example, the IP address for the email security gateway 14). Examiner notes that Amoudi’s teaching of a mail server configured to accept only email from a node having a predefined IP address suggests that it would have been obvious to one of ordinary skill in the art that there is no need for a protective action.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Amoudi in the .

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Dandliker combination as applied above to claim 1, further in view of Rouvinen (US20200177625A1, hereinafter, “Rouvinen”).
Regarding claim 28, El-Moussa/Dandliker teaches:
The method according to claim 1, 
The combination of El-Moussa/Dandliker does not explicitly teach the following limitation(s); in the same field of endeavor, Rouvinen teaches:
and comprising detecting a first given transmission to a given public IP address, detecting a second given transmission to the given public IP address and whose protocol comprises Simple Network Management Protocol, detecting a third given transmission to the given public IP address and whose protocol comprises Internet Control Message Protocol, and refraining from the protective action with respect to the first given transmission (Rouvinen, [0048] in some embodiment it is also possible to monitor source IP addresses in the data frames and to analyze if the IP addresses are correct ones or masqueraded, i.e. spoofed, IP addresses, which are not in use at all.  This kind of monitoring may be based on a utilization of a certain communication protocol procedure, such as ICMP, SNMP, HTTP, TCP SYN).  
.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon in this office action:
Balasubramaniam (US20210136037A1). Discloses endpoint security using a DNS agent for managing domain name requests such that client devices are restricted from visiting malicious or undesirable domains.
Sanghavi et al (US20200007548A1). Discloses methods for blocking, detecting and preventing malicious traffic by using blacklisted domains, based on a set of rules that specify match criteria associated with the blacklisted domains, including source network addresses and/or destination network addresses for comparison to the packet source network addresses and/or packet destination network addresses of incoming packets.
Mortensen et al (US20200014714A1). Discloses detection of particular DNS misuse based on monitored network data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436