DETAILED ACTION
The present office action is responsive to communications received on 10/04/2021.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/04/2021 has been entered.

Status of Claims
Claim 13 was amended.
Claims 1-18 are pending.

Response to arguments
With respect to applicant's amendments, the prior 35 USC § 112(b) rejection is withdrawn.
With respect to the 35 USC § 103 rejection:
Applicant’s arguments against Huston et al. are moot in light of new grounds of rejection.
Applicant argues against Chesla, reciting “it seems that Chesla is reactive, not proactive as called for in the claim element. In this regard Applicants previously clarified the a predicted future stage of the DDoS campaign”, and makes similar arguments that Chesla does not disclose the future attacks, such as “There is no mention in Chesla of a prediction nor that the "potential" cyber-threat that is referred to is a stage of a DDoS campaign that has future stages, both of which are required by the claim language”. These arguments are not persuasive in light of the new primary reference, Lewis, which explicitly discloses future attacks as mapped in the office action below and has machine learning to thwart the attacks, taken in view of Chesla, which discloses how the attacks are being thwarted (see mapping in the office action). Additionally, Chesla [0077] discloses “controller implements a learning mechanism to define or otherwise select a set of correlation rules to execute. The workflow rules are set respective of the attacks that the cyber-security system 100 can handle. That is, in an exemplary implementation, a set of workflow rules is defined for each different type of threat.” The learning mechanism clearly demonstrates a proactive mitigation action of future stage potential attacks. Therefore, Chesla in view of the primary reference discloses the DDoS mitigation recited in Chesla, which the examiner still believes is applicable to attacks at any time, with a primary reference that explicitly discloses future attacks. Therefore the mapping is updated and the 35 USC § 103 rejection is maintained.

Claim Objections
Claim 18 is objected to because of the following informalities: the last limitation recites “initiate initiating a proactive mitigation action”; it seems applicant means “initiate a proactive mitigation action”. Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


With respect to claims 1-4, 7-13 and 17-18 the claims are rejected under 35 U.S.C. §101 because the claimed invention is directed to an abstract idea without significantly more.
2019 Revised Patent Eligibility Guidance (PEG): Step 1:
Claims 1-4, 7-13 and 17-18 are directed to a system; therefore they are all within at least one of the four statutory categories.
2019 PEG: Step 2A - Prong One:
Regarding Prong One of Step 2A of the 2019 PEG (which collectively includes the guidance in the January 7, 2019 Federal Register notice and the October 2019 update issued by the USPTO), the claim limitations are to be analyzed to determine whether, under their broadest reasonable interpretation, they “recite” a judicial exception or in other words whether a judicial exception is “set forth” or “described” in the claims.  An “abstract idea” judicial exception is subject matter that falls within at least one of the following groupings: a) certain methods of organizing human activity, b) mental processes, and/or c) mathematical concepts.
Representative independent claims 1 and 17-18 include limitations that recite at least one abstract idea.  Specifically, independent claim 1 recites:
receiving a plurality of attack feeds on at least one protected object in a secured environment; analyzing the plurality of attack feeds to determine characteristics of a DDoS attack campaign comprising multiple stages against the secured environment; determining a set of optimal mitigation resources assigned to the secured environment; selecting, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme.

The Examiner submits that the foregoing underlined limitations constitute “Human activity” and/or “mental process” because the claim recites:
Mental process, such as: receiving a plurality of attack feeds.
Mental process, such as: analyzing the plurality of attack feeds.
Mental process, such as: determining a set of optimal mitigation resources assigned to the secured environment.
Mental process, such as: initiating a proactive mitigation action.

Accordingly, the claim recites at least one abstract idea. 
Independent claims 17-18, although they might have slight variations, recite essentially the same scope of claim limitations as independent claim 1.

Furthermore, dependent claims 2-4 and 7-13 further fail to make the abstract parent claims any less abstract. 
Claims 2-4 and 7-13 all recite Human activity and/or mental processes.
2019 PEG: Step 2A - Prong Two:
Regarding Prong Two of Step 2A of the 2019 PEG, it must be determined whether the claim as a whole integrates the abstract idea into a practical application.  As noted in the 2019 PEG, it must be determined whether any additional elements in the claim beyond the abstract idea integrate the 
In the present case, the additional limitations beyond the above-noted at least one abstract idea recited in the claim are as follows (where the bolded portions are the “additional limitations” while the underlined portions continue to represent the at least one “abstract idea”):
Claim 18 recites: A system for reducing a time to mitigate future stages of a distributed denial of service (DDoS) campaign, comprising: Page 4 of 15USSN: 16/227,912 Docket: RADW P1035 a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing system, configure the system to: receive a plurality of attack feeds on at least one protected object in a secured environment; (Mental process combined with conventional computer implementation, see MPEP § 2106.05(g) and MPEP § 2106.05(f)).
analyze the plurality of attack feeds to determine characteristics of a DDoS attack campaign comprising multiple stages against the secured environment; determine a set of optimal mitigation resources assigned to the secured environment; select, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; and initiate initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. (Mental process combined with conventional computer implementation, see MPEP § 2106.05(g) and MPEP § 2106.05(f)).

For the following reasons, the Examiner submits that the above identified additional limitations do not integrate the above-noted at least one abstract idea into a practical application.
Regarding the additional limitation of “A system for reducing a time to mitigate future stages of a distributed denial of service (DDoS) campaign, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing system, configure the system to:”, the Examiner submits that this additional limitation merely adds insignificant extra-solution activity (reducing time; analyzing data) to the at least one abstract idea in a manner that does not meaningfully limit the at least one abstract idea (see MPEP § 2106.05(g)).
Thus, taken alone, the additional elements do not integrate the at least one abstract idea into a practical application.
Looking at the additional limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually.  For instance, there is no indication that the additional elements, when considered as a whole, reflect an improvement in the functioning of a computer or an improvement to another technology or technical field, apply or use the above-noted judicial exception to effect a particular authentication apparatus that is integral to the claim, effect a transformation or reduction of a particular article to a different state or thing, or apply or use the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is not more than a drafting effort designed to monopolize the exception (see 2019 PEG and MPEP § 2106.05).
For these reasons, representative independent claims 1 and 17-18 do not recite additional elements that integrate the judicial exception into a practical application.  Accordingly, representative independent claims 1 and 17-18 are directed to at least one abstract idea.
The remaining dependent claim limitations not addressed above fail to integrate the abstract idea into a practical application as set forth below:
Claims 2-4 and 7-13: These claims disclose a Mental process and/or organizing human activity and thus do no more than generally link use of the abstract idea to a particular technological 
Thus, taken alone, any additional elements do not integrate the at least one abstract idea into a practical application.  Therefore, the claims are directed to at least one abstract idea.
2019 PEG: Step 2B:
Regarding Step 2B of the 2019 PEG, representative independent claim 1 does not include additional elements (considered both individually and as an ordered combination) that are sufficient to amount to significantly more than the judicial exception for reasons the same as those discussed above with respect to determining that the claim does not integrate the abstract idea into a practical application.
Regarding the additional limitation of “A system for reducing a time to mitigate future stages of a distributed denial of service (DDoS) campaign, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing system, configure the system to:”, which the Examiner submits merely adds insignificant extra-solution activity to the abstract idea, the Examiner further submits that such steps are not unconventional as they merely consist of collecting and analyzing data in a system and taking optimal action based on the analysis. See MPEP 2106.05(d)(II).
The dependent claims do not include additional elements (considered both individually and as an ordered combination) that are sufficient to amount to significantly more than the judicial exception for the same reasons as those discussed above with respect to determining that the dependent claims do not integrate the at least one abstract idea into a practical application.
Therefore, claims 1-4, 7-13 and 17-18 are ineligible under 35 USC §101.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the applicant regards as the invention.
Claim 18 recites the limitation "the processing system" the applicant most likely meant “the processing circuitry”.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 8, 10-14, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Lewis et al. (US 20030110396 A1) hereinafter referred to as Lewis in view of Chesla (US 20160021056 A1) hereinafter referred to as Chesla.

With respect to claim 1, Lewis discloses: A method for reducing a time to mitigate future stages of a distributed denial of service (DDoS) attack campaign, comprising: (Lewis abstract discloses “method and apparatus for predicting and preventing network attacks” wherein according to Lewis [0021] the attack could be “Distributed Denial of Service (DDoS) Attack”. Wherein the general proposition according to Lewis [0039] is one of “a Proactive, or Anticipatory, Intrusion Detector”).
receiving a plurality of attack feeds on at least one protected object in a secured environment; (Lewis claim 1 discloses “An apparatus for security management in a data, voice, or video network comprising, in combination: at least one data collector; precursor discovery means for identifying, among collected data, at least one precursor of an attack on said network;” wherein data collector is mapped to the entity receiving and the “at least one data collector” means there is a plurality of data collected of “at least one precursor” which is mapped to receiving a plurality of attack feeds for security management “in a data” mapped to the at least one protected object in a secured environment).
analyzing the plurality of attack feeds to determine characteristics of a DDoS attack campaign comprising multiple stages against the secured environment; (Lewis claim 1 discloses “identifying, among collected data, at least one precursor of an attack on said network” wherein the identified at least one precursor is mapped to characteristics of an attack campaign. Wherein the attack could be a 
Lewis does not explicitly disclose “optimal mitigation resources”.
However, Chesla in an analogous art discloses determining a set of optimal mitigation resources assigned to the secured environment; (Chesla [0015] discloses “securing a protected entity … [by] selecting at least one security application configured to handle a cyber-threat” then “analyzing the plurality of received signals to determine if the selected at least one security application is optimally configured to handle a potential cyber-threat”.).
selecting, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; (Chesla paragraph [0016] discloses “select at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determine at least one workflow rule respective of the at least one security application”. Wherein paragraph [0081-0082] discloses in more details that the security service 400 gathers “The characteristics of the traffic parameters include, for example, packet per second (PPS), connections per second (CPS), a packet size, a number of concurrent connections, a flow data symmetry (upload/download ratio), a request type (e.g., browser type requests vs. API call), and so on.” Therefore interpreted that based on the one or more security applications, mapped to optimal mitigation resources, and in addition the traffic characteristics analyzed by the security service, at least one optimal workflow is selected).
and initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS attack campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. (Chesla [0014] discloses “generating at least one action with respect to the potential cyber-threat”. Additionally, Chesla [0077] discloses “controller implements a learning mechanism to define or otherwise select a set of correlation rules to execute. The workflow rules are set respective of the attacks that the cyber-security system 100 can handle. That is, in an exemplary implementation, a set of workflow rules is defined for each different type of threat.” Wherein the learning mechanism is mapped to a proactive mitigation action of future stage potential attacks. Chesla [0016] discloses “determine if the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, generate at least one action with respect to the potential cyber-threat.” Wherein in the description paragraphs [0119-0120] explain illustrated Fig. 7 Steps S720 where “Upon determination that S.sub.3 is required, then execution of S.sub.3 can be initiated in the foreground. The workflow rule may be set by a user (e.g., an administrator) or automatically by a user upon selection of the appropriate security application … At S730, the security application is activated and executed by the security system. The security application operates to detect, investigate and/or mitigate threats as discussed in detail above”. Therefore, the examiner finds that a proactive mitigation action is initiated based on a user or machine defined workflow to generate one or more specific actions against a cyber-threat which are mapped to setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lewis as disclosed above with selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme as disclosed by Chesla in order to permit readily adaptable and customizable cyber security system to automatically detect and mitigate incoming threats (see Chesla [0012]).

With respect to claim 2, Lewis in view of Chesla disclose: The method of claim 1, wherein the DDoS attack also includes a subsequent step in the DDoS attack being part of a DDoS attack campaign. (Chesla [0029] discloses the cyber-attack could be an “ongoing attack campaigns” wherein the ongoing is interpreted to mean subsequent step wherein Chesla [0046] discloses the attack could be a DDoS attack).

With respect to claim 3, Lewis in view of Chesla disclose: The method of claim 1, wherein the plurality of attack feeds include at least one of: attack detection indications, attack insights, and attack predictions. (Lewis [0015] discloses “predicting and preventing imminent network attacks by identifying temporal precursors of such attacks, monitoring future network activity for such precursors, and taking protective action when precursors are detected, thus allowing an attack to be foiled before any damage is done” which is interpreted that the feeds are used for attack prediction).

With respect to claim 8, Lewis in view of Chesla disclose: The method of claim 1, wherein selecting, based on the set of optimal mitigation resources and the attack characteristics, further comprises: updating an existing workflow scheme to optimally meet the attack characteristics and the mitigation resources.  (Chesla [0123] discloses “assigning such security services to the security application; setting new or modifying existing event rules to correlate signals generated by newly assigned services; setting new or modifying existing workflow rules to handle the events generated by the newly added services” which is interpreted that based on the threat detection from traffic characteristics and re-programmed security applications [0122] the existing workflow scheme could be updated).

With respect to claim 10, Lewis in view of Chesla disclose: The method of claim 1, wherein determining the set of optimal mitigation resources further comprise: checking at least one of: location, type, status and availability of each mitigation resource assigned to the secured environment. (Chesla claim 35 discloses “analyzing the plurality of received signals to determine if the selected at least one security application is optimally configured to handle a potential cyber-threat that threatens the protected entity;” which is mapped to checking the type of mitigation resource assigned to protected entity which is mapped to the secured environment).

With respect to claim 11, Lewis in view of Chesla disclose: The method of claim 1, wherein selecting the at least one optimal workflow scheme defines at least a mitigation action and information for provisioning each mitigation resource in the set of optimal mitigation resources to execute the mitigation action. (Chesla [0099] discloses “Events that satisfy at least one workflow rule will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on” and [0119] “Upon determination that S.sub.3 is required, then execution of S.sub.3 can be initiated in the foreground” wherein the resource S.sub.3 was provisioned to execute a mitigation action).

With respect to claim 12, Lewis in view of Chesla disclose: The method of claim 1, wherein the optimal workflow scheme further comprises: an operation regimen defining actions to be performed and a set of parameters for the actions, (Chesla [0110] discloses an event such as a “terminate all services” wherein the parameters could be “source identity, destination identity … [and] expiration period”).
provisioning instructions, (Chesla [0110] discloses provisioning instructions such as “expiration period in seconds, minutes, hours, and days. The rule can further defines one or more Boolean operators”).
triggering criteria for initiating the operation regimen, (Chesla [0110] discloses “The action parameter defines at least one action to be performed if the rule is satisfied. The action may be, for example, a start service”).
triggering criteria for terminating the operation regimen resources, (Chesla [0110] discloses “The action parameter defines at least one action to be performed if the rule is satisfied. The action may be, for example … a stop service”).
detecting trigger events, (Chesla [0106] discloses “security events 630 that satisfy at least one workflow rule 640 will trigger an action”).
classifications of network entities to protect. (Chesla [0082] discloses user traffic classification as part of the prior art security protection wherein a “flow-path may define an end-to-end traffic path between two network entities in different granularity levels. The classification of the flow-path may be based on, for example, a source identity, a destination identity”).

With respect to claim 13, Lewis in view of Chesla disclose: The method of claim 12, wherein setting the proactive mitigation further comprising: performing at least one proactive mitigation action defined in the operation regimen upon satisfaction of the triggering criteria for initiating the operation regimen. (Chesla [0122] discloses “it is checked if the analysis of such feeds should trigger the reprogramming of the security application. For example, if a new threat has been detected or the attack scale has been increased and the initially assigned security services cannot efficiently handle such cases, then security application should be re-programmed” which is interpreted that the re-programming is mapped to the proactive future mitigation action in this embodiment defined as an operation based on analysis result trigger).

With respect to claim 14, Lewis in view of Chesla disclose: The method of claim 1, wherein the method is performed by a system deployed in a backbone network. (Chesla [0028] discloses “protected entity may be deployed or otherwise accessed through various computing platforms. As noted above, computing platforms may include, but are not limited to, virtualized networks and software defined networks (SDN)” wherein the SDN could be implemented as ISP backbones according to Chesla paragraph [0032] therefore implicitly the method is performed by a system deployed in a backbone network).

With respect to claim 16, Lewis in view of Chesla disclose: The method of claim 1, wherein selecting at least one optimal workflow scheme defines a plurality of attack signatures utilized to mitigate the DDoS attack against the secured environment. (Chesla [0046-0047] discloses the security services “allows for management of multiple types of attack signatures databases (DBs)” wherein the attacks could be DDoS. As explained in claim 1 that, the security services are selected based on the optimal workflow therefore the examiner interprets that the selected optimal workflow includes the security services which include databases that define a plurality of attack signatures to mitigate DDoS attacks).

With respect to claim 17, Lewis in view of Chesla disclose: A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute the method according to claim 1. (Rejected based on the same rationale as claim 1).

With respect to claim 18, Lewis discloses: A system for reducing a time to mitigate future stages of a distributed denial of service (DDoS) attack campaign, comprising: (Lewis abstract discloses “method and apparatus for predicting and preventing network attacks” wherein according to Lewis 
a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing system, configure the system to: (Lewis claim 1 and paragraph [0047] disclose apparatus and “computer” for performing the collecting and mitigation actions which implicitly comprises processor and memory).
comprising:  receive a plurality of attack feeds on at least one protected object in a secured environment; (Lewis claim 1 discloses “An apparatus for security management in a data, voice, or video network comprising, in combination: at least one data collector; precursor discovery means for identifying, among collected data, at least one precursor of an attack on said network;” wherein data collector is mapped to the entity receiving and the “at least one data collector” means there is a plurality of data collected of “at least one precursor” which is mapped to receiving a plurality of attack feeds for security management “in a data” mapped to the at least one protected object in a secured environment).
analyze the plurality of attack feeds to determine the characteristics of a DDoS attack campaign comprising multiple stages against the secured environment; (Lewis claim 1 discloses “identifying, among collected data, at least one precursor of an attack on said network” wherein the identified at least one precursor is mapped to characteristics of an attack campaign. Wherein the attack could be a DDOS as recited in Lewis [0021]. Wherein the attack could be on multiple time stages “T2-T1” see Lewis [0063-0064]).
Lewis does not explicitly disclose “optimal mitigation resources”.
However, Chesla in an analogous art discloses: determine a set of optimal mitigation resources assigned to the secured environment; (Chesla [0015] discloses “securing a protected entity … [by] selecting at least one security application configured to handle a cyber-threat” then “analyzing the optimally configured to handle a potential cyber-threat”.).
select, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; (Chesla paragraph [0016] discloses “select at least one security application configured to handle a cyber-threat, wherein the at least one security application executes a plurality of security services assigned to the at least one security application; determine at least one workflow rule respective of the at least one security application”. Wherein paragraph [0081-0082] discloses in more details that the security service 400 gathers “The characteristics of the traffic parameters include, for example, packet per second (PPS), connections per second (CPS), a packet size, a number of concurrent connections, a flow data symmetry (upload/download ratio), a request type (e.g., browser type requests vs. API call), and so on.” Therefore interpreted that based on the one or more security applications, mapped to optimal mitigation resources, and in addition the traffic characteristics analyzed by the security service, at least one optimal workflow is selected).
and initiate a proactive mitigation action to mitigate a predicted future stage of the DDoS attack campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. (Chesla [0014] disclose “generating at least one action with respect to the potential cyber-threat” Additionally, Chesla [0077] discloses “controller implements a learning mechanism to define or otherwise select a set of correlation rules to execute. The workflow rules are set respective of the attacks that the cyber-security system 100 can handle. That is, in an exemplary implementation, a set of workflow rules is defined for each different type of threat.” Wherein the learning mechanism is mapped to a proactive mitigation action of future stage potential attacks. Chesla [0016] discloses “determine if the at least one security event satisfies the at least one workflow rule; and upon determining that the at least one security event satisfies the workflow rule, setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lewis as disclosed above with selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme as disclosed by Chesla in order to permit readily adaptable and customizable cyber security system to automatically detect and mitigate incoming threats (see Chesla [0012]).

Claims 4-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lewis and Chesla as applied to claims 1-3, 8, 10-14, and 16-18 above, and further in view of Stiansen et al. (US 20160044054 A1) hereinafter referred to as Stiansen.

With respect to claim 4, Lewis in view of Chesla disclose: The method of claim 1, 
 wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the attack feeds to determine attack characteristics. 
However, Stiansen in an analogous art discloses: wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the plurality of attack feeds to determine attack characteristics. (Stiansen [0039] discloses “the analyzing the one or more data packets comprising analyzing simultaneously two or more data packets, the data packets being sent under a single communication protocol or different communication protocols. In some embodiments, the analyzing the one or more data packets comprising one or more of the following: identifying a source address of the packets; identifying or track a location of the packets; exploring a history of past analyses; associating a risk category with the packets; and computing a risk score of the packets” which is interpreted that two or more received packets mapped to the plurality of attack feeds and supplementary data feed are analyzed in parallel to determine the attack characteristics and assign a risk score).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lewis and Chesla as combined above  wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the attack feeds to determine attack characteristics disclosed by Stiansen in order to “continuously collect and analyze vast amounts of live high-risk Internet traffic to identify cyber attacks in a high-speed delivery platform” (see Stiansen [0018]).

With respect to claim 5, Lewis in view of Chesla, and Stiansen disclose: The method of claim 4, wherein the supplementary data feeds include relevant data gathered from at least one of: Border Gateway Patrol (BGP), Simple Network Management Protocol (SNMP), Remote Authentication Dial-In User Services (RADIUS), Policy and Charging Rules Function (PCRF), active domain name service (DNS) queries, DNSFlow, logs, FarSight DNSDB, MaxMind, GeoIP, Shodan, Threat Intelligence and IP reputation feeds and Layer 7 entities (FW, LB, SWG and such) data, SOC/NOC BI systems logs and data. (Stiansen Fig. 23 paragraph [0229] disclose the Border Gateway Patrol (BGP) as a source to obtain data feeds that includes data for analytics).

With respect to claim 6, Lewis in view of Chesla, and Stiansen disclose: The method of claim 4, further comprising: analyzing the supplementary data feeds and the plurality of attack feeds using a machine learning engine. (Stiansen [0135-0136] disclose assessment of threat using one or more algorithms wherein the “one or more algorithms include an AI or machine learning algorithm”).

With respect to claim 7, Lewis in view of Chesla, and Stiansen disclose: The method of claim 5, further comprising: creating an optimal workflow scheme to optimally meet the attack characteristics using the set of optimal mitigation resources. (Chesla claim 31 discloses “tag the at least one new security resource with one or more unique tags, wherein the at least one workflow rule and at least one event rule process signals and events based on the one or more unique tags.” The security resource is mapped to the mitigation resource and the event rules define the attack characteristics and therefore mapped to the attack characteristics in this context. Therefore, the examiner interprets that an optimal workflow is one that would provide the mitigation resources to certain attack based on its characteristics).

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lewis and Chesla as applied to claims 1-3, 8, 10-14, and 16-18 above, and further in view of Ehle (US 10686811 B1) hereinafter referred to as Ehle.

With respect to claim 9, Lewis in view of Chesla disclose: The method of claim 1, 
They do not explicitly disclose: further comprising: checking if the DDoS attack have been mitigated; and updating the at least one optimal workload scheme with new provisions, when the DDoS attack have not been mitigated.
However, Ehle in an analogous art discloses: further comprising: checking if the DDoS attack have been mitigated; and updating the at least one optimal workload scheme with new provisions, when the DDoS attack have not been mitigated. (Ehle Fig. 7 step 710 “was malicious traffic handled properly” and if no then step 712 “initiate detection improvement workflow” and then step 714 “update security model with training data” wherein column 2 lines 64-67 disclose “For example, one such attack may be a distributed denial of service attack ( DDoS).”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lewis and Chesla as combined above with checking if the DDoS attack have been mitigated; and updating the optimal workload scheme with new provisions, when the DDoS attack have not been mitigated disclosed by Ehle to improve assessment of live data which may be considered less predictable by utilizing machine learning (see Ehle column 1 lines 5-25 and column 2 lines 1-20).

Claim 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lewis and Chesla as applied to claims 1-3, 8, 10-14, and 16-18 above, and further in view of Xaypanya et al. (US 20140215621 A1) hereinafter referred to as Xaypanya.

With respect to claim 15, Lewis in view of Chesla disclose: The method of claim 1, 
 wherein the proactive mitigation action is performed by a cloud service. 
However, Xaypanya in an analogous art discloses: wherein the proactive mitigation action is performed by a cloud service. (Xaypanya [0140] discloses “proactive security mechanism 108 may be deployed on one or more local enterprise servers, via a web-based architecture (e.g., as Software as a Service (SaaS), as a cloud-based service”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Lewis and Chesla as combined above wherein the proactive mitigation action is performed by a cloud service as disclosed by Xaypanya for providing a continuous secure solution that is in a sandboxed environment and thus immune to remote clients’ systems attacks (see Xaypanya paragraphs [0014 and 0098]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ahmed (US 9483742 B1) Abstract discloses using machine learning to mitigate DDOS attacks.
Tang et al. (US 20130104230 A1) paragraph [0006] discloses using machine learning to mitigate DDOS attacks.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANY S GADALLA whose telephone number is (571)272-2322. The examiner can normally be reached Mon to Fri 8:30AM - 5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/H.S.G./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493