Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/19/2021 has been entered. Claims 1, 15, 16, and 20 are amended. Claim 11 is cancelled. Claims 1-10 and 12-23 are pending.
Allowable Subject Matter
The indicated allowability of claim 21 is withdrawn in view of the newly discovered reference(s): Doctor et al. (US Patent Publication No. 2014/0096251).  Rejections based on the newly cited reference(s) follow.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 16 and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-9, 12, 13 and 16-23 are rejected under 35 U.S.C. 103 as being unpatentable over Doctor et al. (US Patent Publication No. 2014/0096251 and Doctor hereinafter) in view of Robinson et al. (US Patent No. 10,116,693 and Robinson hereinafter).

As to claims 1, 16 and 20, Doctor teaches a system for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220)”), 
the system comprising: at least one DDoS honeypot (i.e., …teaches a HoneyNet in figure 3, figure element 300), implemented using a first computer system (i.e., …teaches a standalone HoneyNet in figure 3, figure element 300), in operative communication via a network with a central controller (i.e., …figure 3 illustrates a standalone Honeynet operatively communicating via a network with a central controller), implemented using a second computer system (i.e., …figure 3 illustrates a standalone Honeynet operatively communicating via a network with a standalone central controller), 
in the networked computing system (i.e., …see figure 3), 
wherein: the at least one DDoS honeypot is configured to impersonate a legitimate network-based device (i.e., …teaches in paragraphs 27 and 29 the use of honeypots and honeynets), 

determine a source address of at least one of the data packets (i.e., …teaches in par. 29 the following: “A data retrieval system 310 of the processing cluster 150 regularly gathers information about IP addresses and domains from a variety of trusted sources 300-307 (operation 400). The sources may include any electronically accessible sources that have been selected by an administrator and have information related to the activities of IP addresses and domains. The sources 300-307 may include honeynets 300”), 
and send a network traffic log corresponding to a plurality of data packets to the central controller (i.e., …teaches in par. 0033 the following: “Once the data has been decorated, the system sends the decorated data to the reputation database 330 for storage (operation 450). The reputation database 330 may operate as a conventional database that is locally or remotely located”. …further teaches in par. 0034 the following: “The database 330 may be accessed and modified by a machine learning analysis system 340 and by users 350. The machine learning analysis system 340 includes a feature weighting system 342, a reputation system 343, and an attack prediction system 341. The feature weighting system 342 is configured to assign a weight to each feature in a record that corresponds to a threat associated with that feature (operation 460).”), 
the network traffic log comprising the source address and additional information (i.e., …teaches in par. 0029 the following: “regularly gathers information about IP addresses and domains”); 
and the central controller is configured to initiate a mitigation action based on the network traffic log and one or more mitigation rules (i.e., …teaches in par. 0007 the following: “identifying and mitigating malicious network threats, including identifying the threats, creating and updating a reputation database, taking mitigating actions against such threats and/or pushing reputation information to client firewalls and other client defensive systems…” ), 


Doctor does not expressly teach:
refrain from performing at least one action expected by the source of the data packet in response to the determination that the one or more received data packets are part of the DDoS attack, 
the at least one action comprising refraining from sending traffic to the source in response to at least one request.
In this instance the examiner notes the teachings of prior art reference Robinson. 
With regards to applicant’s claim limitation element of, “refrain from performing at least one action expected by the source of the data packet in response to the determination that the one or more received data packets are part of the DDoS attack”, Robinson teaches in col. 5 lines 15-21 the following: “…it indicates that the PoWCount value is incorrect, suggesting that the client 12 did not actually perform the PoW calculation and that the request may be part of a DoS attack. In this case, the server 10 refrains from further processing of the client request.” The examiner notes that the client is requesting a registration and as such is anticipating that the server will respond. The examiner further notes that if the server determines that the client is part of an attack, the server will refrain from further communicating registration-related traffic back to the client.
With regards to applicant’s claim limitation element of, “the at least one action comprising refraining from sending traffic to the source in response to at least one request”, Robinson teaches in col. 5 lines 1-10 the following: “The client 12 performs steps C1-C3 in connection with a request sent to the server 10, e.g., a registration request as described above. In operation C1 the client 12 generates the same RandArray, and in operation C2 the client 12 obtains the current SvrTime and SvrRandom. The client 12 may obtain these values from the server 10 and/or the PRS 40. In operation C3 the client 12 uses RandArray, SvrTime and SvrRandom to perform a client proof-of-work (PoW) calculation and then 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Doctor with the teachings of Robinson by including the feature of process protection. Utilizing process protection as taught by Robinson above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Doctor's system will obtain the capability to provide enhanced system security. 

As to claim 3, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein the central controller performs an additional determination of whether the one or more received data packets are part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220).”).

As to claim 4, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot is part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220).”).

As to claim 5, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220).”).

As to claim 6, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220).”).

As to claim 7, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be rate limited (i.e., 

As to claim 8, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be blocked, discarded, or both (i.e., …teaches in par. 21 the following: “block any traffic coming from the threat.”).

As to claim 9, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be diverted to a specified network address (i.e., …teaches in par. 0024 the following: “any traffic from the bot command computer to the bots may be blocked from passing through the first computer network 110 by routing the data to a null route that leads to nowhere.”).

11. (Cancelled)

As to claim 12, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein the central controller is further configured to send at least one of the mitigation rules to at least one network device (i.e., …teaches in par. 0024 the following: “the infrastructure equipment such as routers, switches, and firewalls may include ACLs (i.e., mitigation rules) to only permitting specifically authorized traffic to the infrastructure equipment”.).

As to claim 13, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 12, wherein the at least one network device is part of an internet service provider's infrastructure, a hosting provider's infrastructure, or an enterprise's infrastructure (i.e., …teaches in par. 0024 the following: “the infrastructure equipment such as routers, switches, and firewalls may include ACLs (i.e., mitigation rules) to only permitting specifically authorized traffic to the infrastructure equipment”. The examiner contends that routers are part of the enterprise infrastructure).

As to claim 17, the system of Doctor and Robinson as applied to claim 16 above teaches threat detection, specifically Doctor teaches a method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220)”).

As to claim 18, the system of Doctor and Robinson as applied to claim 16 above teaches threat detection, specifically Doctor teaches a method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack (i.e., …teaches in par. 0023 the following: “The network data is then aggregated and processed to identify a DOS or DDOS attack through traffic patterns, volume of traffic, and rate (operation 220)”).

As to claim 19, the system of Doctor and Robinson as applied to claim 16 above teaches threat detection, specifically Doctor teaches a method of claim 16, wherein one of the one or more mitigation 

As to claim 21, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, specifically Doctor teaches a system of claim 1, wherein the central controller is further configured to extract the source address from the network traffic log and generate one or more rules to mitigate the DDoS attack (i.e., …teaches in par. 0024 the following: “the infrastructure equipment such as routers, switches, and firewalls may include ACLs (i.e., mitigation rules) to only permitting specifically authorized traffic to the infrastructure equipment”. The examiner notes that mitigation rules are the ACL that is distributed to network component to mitigate the attack. The examiner further notes that ACL content is based on the extracted source addresses collected from the network data).

As to claim 22, the system of Doctor and Robinson as applied to claim 21 above teaches threat detection, specifically Doctor teaches a system of claim 21, wherein each network traffic log corresponds to a plurality of the data packets (i.e., ….teaches in par. 29 the following: “A data retrieval system 310 of the processing cluster 150 regularly gathers information about IP addresses and domains from a variety of trusted sources 300-307 (operation 400). The sources may include any electronically accessible sources that have been selected by an administrator and have information related to the activities of IP addresses and domains. The sources 300-307 may include honeynets 300”).

As to claim 23, the system of Doctor and Robinson as applied to claim 21 above teaches threat detection, specifically Doctor teaches a system of claim 22, wherein a plurality of network traffic logs are .

Claims 2, 10 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Doctor in view of Robinson as applied to claim 1 above and further in view of Gurvich et al. (US Patent Publication No. 2017/0339186 and Gurvich hereinafter).

As to claim 2, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, however neither reference expressly teaches a system of claim 1, wherein the DDoS honeypot performs the determination of whether the one or more received data packets are part of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Gurvich. 
Gurvich teaches in par. 0041 the following: “honeypots 40 may distinguish between attack traffic and legitimate incoming requests associated with the honeypot addresses.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Doctor and Robinson with the teachings of Gurvich by including the feature of scattered attack traffic detection. Utilizing scattered attack traffic detection as taught by Gurvich above allows a system to provide comprehensive system security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Doctor and Robinson will obtain the capability to provide enhanced threat detection.

As to claim 10, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, however neither reference expressly teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that DPI is to be performed on the network traffic from the determined source address.
In this instance the examiner notes the teachings of prior art reference Gurvich. 
Gurvich teaches in par. 0039 the following: “Processors 48 may extract from the monitored attack traffic various attack parameters, referred to as Indicators of Compromise (IOCs). Non-limiting examples of IOCs may comprise network IOCs (e.g., attacker IP address and attacker domain name) and attack-related files carried by the attack traffic. In some embodiments, processors 48 also generate attack reports and logs that record the attacks they have detected and analyzed. Processors 48 of honeypots 40 send the IOCs, logs and reports over network 36 to processor 60 of control server 52.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Doctor and Robinson with the teachings of Gurvich by including the feature of packet data extraction. Utilizing packet data extraction as taught by Gurvich above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Doctor and Robinson will obtain the capability to provide enhanced network security.

As to claim 15, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, however neither reference expressly teaches a system of claim 1, wherein the at least one DDoS honeypot is configured to further send to the central controller only a portion of at least one of 
In this instance the examiner notes the teachings of prior art reference Gurvich. 
Gurvich teaches in par. 0039 the following: “Processors 48 may extract from the monitored attack traffic various attack parameters, referred to as Indicators of Compromise (IOCs). Non-limiting examples of IOCs may comprise network IOCs (e.g., attacker IP address and attacker domain name) and attack-related files carried by the attack traffic. In some embodiments, processors 48 also generate attack reports and logs that record the attacks they have detected and analyzed. Processors 48 of honeypots 40 send the IOCs, logs and reports over network 36 to processor 60 of control server 52.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Doctor and Robinson with the teachings of Gurvich by including the feature of packet data extraction. Utilizing packet data extraction as taught by Gurvich above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Doctor and Robinson will obtain the capability to provide enhanced network security.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Doctor in view of Robinson as applied to claim 1 above and further in view of Dousti et al. (US Patent Publication No. 2018/0084005 and Dousti hereinafter).

As to claim 14, the system of Doctor and Robinson as applied to claim 1 above teaches threat detection, however neither reference expressly teaches a system of claim 1, wherein the central 
In this instance the examiner notes the teachings of prior art reference Dousti. 
Dousti teaches in par. 0041 the following: “After the DDoS attack is over, the router associated with the DDoS attack mitigation platform receives a BGP message that includes an indicator indicating that the targeted computer system no longer undergoing the DDoS attack. In response, the DDoS attack mitigation platform withdraws the advertised new route and stops receiving network traffic intended for the targeted computer system.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Doctor and Robinson with the teachings of Dousti by including the feature of rule reversal. Utilizing rule reversal as taught by Dousti above allows a system to provide comprehensive DDoS security and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Doctor and Robinson will obtain the capability to provide enhanced DDoS network protection.
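As an added illustration of the honeypot-to-controller arrangement addressed in the rejections above (the controller consuming a honeypot traffic log carrying source addresses, applying detection rules for pattern and threshold rate, applying mitigation rules to rate limit, block or null-route a source, distributing the result as ACL entries, and withdrawing a rule once the attack is over), the following constructed Python model is offered; it is not code from the application or from the Doctor, Robinson, Gurvich or Dousti references, and the threshold, byte pattern, action names, ACL syntax and sample log records are all assumptions.

```python
"""Constructed model of a central controller fed by a DDoS honeypot log.
Not taken from the application or the cited references; every value is assumed."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample traffic log as a honeypot would report it to the
# controller: (source address, destination port, payload) per packet.
SAMPLE_LOG = (
    [("203.0.113.5", 80, b"GET / HTTP/1.1")] * 150      # volumetric source
    + [("198.51.100.7", 53, b"\x00" * 8 + b"\x01")]     # matches data pattern
    + [("192.0.2.9", 22, b"SSH-2.0-client")]            # single probe
)


@dataclass
class Controller:
    rate_threshold: int = 100            # packets per log from one source (assumed)
    bad_pattern: bytes = b"\x00" * 8     # constructed data-pattern signature (assumed)
    # Mitigation rules: detection reason -> action taken against the source.
    rules: dict = field(default_factory=lambda: {
        "rate": "rate-limit", "pattern": "null-route", "honeypot": "block"})
    acl: dict = field(default_factory=dict)  # src_ip -> action currently deployed

    def detect(self, records):
        """Detection rules, in priority order: volume above the threshold rate,
        payload matching the data pattern, else 'any packet reaching the
        honeypot is part of the attack'. Returns {src_ip: reason}."""
        counts = Counter(src for src, _, _ in records)
        verdict = {}
        for src, _, payload in records:
            if counts[src] > self.rate_threshold:
                verdict[src] = "rate"
            elif self.bad_pattern in payload:
                verdict[src] = "pattern"
            else:
                verdict.setdefault(src, "honeypot")
        return verdict

    def mitigate(self, records):
        """Extract source addresses from the log, apply the mitigation rules
        and return the ACL lines the controller would push to network devices."""
        for src, reason in self.detect(records).items():
            self.acl[src] = self.rules[reason]
        return self.render_acl()

    def render_acl(self):
        # Illustrative ACL syntax (assumed); real devices use their own formats.
        verbs = {"block": "deny", "rate-limit": "police", "null-route": "route-null"}
        return [f"{verbs[act]} ip host {src} any"
                for src, act in sorted(self.acl.items())]

    def attack_over(self, src):
        """Rule reversal: withdraw the mitigation for a source once the attack
        against it has ended. Returns the withdrawn action, or None."""
        return self.acl.pop(src, None)


if __name__ == "__main__":
    ctl = Controller()
    for line in ctl.mitigate(SAMPLE_LOG):
        print(line)
    print("withdrawn:", ctl.attack_over("203.0.113.5"))
```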
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/BRYAN F WRIGHT/Examiner, Art Unit 2497