DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Claims 1-20 as submitted on 6/28/19 were considered.  It is noted that there is an approved terminal disclaimer filed with respect to the current application in US application 16/457,737, now US Patent 11,108,813.

Information Disclosure Statement
	The IDS’s filed on 1/20/21 and 6/10/21 were considered.

Specification
The abstract of the disclosure is objected to because an abstract should only be one paragraph, thus the title in the abstract page should be deleted.  Correction is required.  See MPEP § 608.01(b).


Claim Objections
Claims 6 and 16 are objected to because of the following informalities:  
As per claims 6 and 16, it is suggested that applicant should also spell out what “PoPs” stands for as this is the first instance the term is used in the claims.  It is noted that support for this term appears to be found on paragraph 14 of the specification.
Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claims 6 and 16, “the PoPs” is recited in each claim, which lacks antecedent basis.  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Kwan et al (US 2018/0084006).

Claims 1, 12, and 20:
	As per claim 1, Kwan discloses:
Analyzing, by one or more computer systems (paragraphs 27, 31, and 41), application layer in historical traffic to an online system to determine historical volumes of member traffic from a set of regions to the online system, wherein the member traffic is generated by members of the online system (paragraphs 50-51, 55, 59-60, 85-86, and 100; Members of the online system could be any group of entities that interact with the protected system to access the resources provided by the system.  Examples could include customers as discussed in paragraph 85 or entities located in a geographical region as discussed in paragraph 86).
Calculating, by the one or more computer systems, allocations of query rates from the set of regions based on the historical volumes of member traffic from the set of regions (paragraphs 50-51, 54-55, 92-93, and 108-113; For example, Connections Per Second is monitored and compared to historical data).
During a distributed denial-of-service (DDoS) attack, outputting the allocations of the query rates for use in blocking different portions of the requests from different regions in the set of regions to the online system (paragraphs 48, 55, 86, 95, 110, and 116; Requests from specific regions can be blocked if it is determined that region is indicative of an active attack).
mutatis mutandis, to claims 12 and 20.

Claims 2 and 13:
	As per claim 2, Kwan further discloses detecting the DDoS attack based on an increase in a query rate to the online system (paragraphs 55, 85-86, and 108-112; Various metrics are monitored which could indicate a DDoS attack of historical norms are exceeded such as exceeding bandwidth that was historically observed or excessive CPS).
The rejection of claim 2 applies, mutatis mutandis, to claim 13.

Claim 3:
	Kwan further discloses wherein detecting the DDoS attack comprises: estimating the query rate as a queries per second (QPS) for one or more services in the online system; and detecting the DDoS attack when the QPS exceeds a query rate threshold for the one or more services (paragraphs 55, 90, 108, and 110; Detecting CPS and determining it exceeds a historic threshold, which could indicate DDoS attack).

Claim 4:
	Kwan further discloses wherein detecting the DDoS attack further comprises: determining the query rate threshold based on one or more Attributes could be CPS, PPS, or bandwidth going to/from a service).

Claim 14:
	The rejections of claims 3 and 4 combined apply, mutatis mutandis, to claim 14.

Claims 5 and 15:
	As per claim 5, Kwan further discloses wherein the one or more attributes comprise at least one of: a resource utilization; a service level agreement metric; and a cost per request (paragraphs 36, 53, 87, and 108-113; Paragraphs 110-112 in particular discuss the different network features being monitored that read on resource utilization and cost per request, such as bandwidth).
The rejection of claim 5 applies, mutatis mutandis, to claim 15.

Claims 6 and 16:
	As per claim 6, Kwan further discloses:
Calculating a rate limit for a set of requests from an Internet Protocol (IP) address to the online system based on a historical volume of requests comprising the IP address from members of the online system (paragraphs 52-55; A learning mode is used to determine a rate limit/historical/default threshold for certain network measures such as CPS, PPS, and bandwidth to apply DoS protection verses specific IP addresses); and 
During the DDoS attack, outputting the rate limit for use by the PoPs in blocking a second subset of the requests from the IP address to the online system (paragraphs 53-55; Block a particular host if a threshold for a metric is exceeded, which could indicate a DoS attack.  Note as per paragraph 35 DDoS attacks are also generally referred to as DoS attacks).

The rejection of claim 6 applies, mutatis mutandis, to claim 16.

Claim 7:
	As per claim 7, Kwan further discloses wherein calculating the allocations of the query rates to the online system for the set of regions based on the historical volumes of member traffic from the set of regions comprises: calculating the allocations of the query rates for the set of regions to be proportional to the historical volumes of requests from the members in the set of regions (paragraphs 52-55).

Claim 8:
	As per claim 8, Kwan further discloses wherein calculating the allocations of the query rates to the online system for the set of regions based on the historical volumes of member traffic from the set of regions further comprises: adjusting the allocations of the DDoS protection is applied to different zones/regions/IP addresses.  Adjustments to the designated thresholds before a DDoS alert and mitigation are triggered can be adjusted depending on various factors.  Once triggered, further queries to a resource, i.e. allocations of query rates, can be blocked.  Blocking/mitigation can automatically be disabled once latency of various metrics are detected as being below specific thresholds again). 

Claim 17:
	The rejections of claims 7 and 8 combined apply, mutatis mutandis, to claim 17.

Claims 9 and 18:
	As per claim 9, Kwan further discloses enforcing the allocations of the query rates by blocking the different portions of the requests from the different regions at points of presence (PoPs) for the online system (paragraphs 55-56, 85-87, and 93; DDoS protection is applied to different zones/regions/IP addresses.  Adjustments to the designated thresholds before a DDoS alert and mitigation are triggered can be adjusted depending on various factors.  Once triggered, further queries to a resource, i.e. allocations of query rates, can be blocked.  Blocking/mitigation can automatically be disabled once latency of various metrics are detected as being below specific thresholds again).
mutatis mutandis, to claim 18.

Claims 10 and 19:
	As per claim 10, Kwan further discloses wherein enforcing the allocations of the query rates comprises determining a sampling rate for a set of requests from a region based on an allocation of a query rate for the region and an estimated query rate from the region; and selecting a subset of the requests from the region to block based on the sampling rate (paragraphs 55-56, 85-87, and 91-93;  DoS protections are applied on zones/regions/IP addresses where DoS protection is applied granularly, as discussed in paragraph 91, which means selecting and sampling the different key metrics discussed in the cited portions in order to determine whether to block or not based on if a threshold is breached for a metric).
The rejection of claim 10 applies, mutatis mutandis, to claim 19.

Claim 11:
	Kwan further discloses wherein the set of regions comprises at least one of: Internet service providers (ISPs); countries; and autonomous systems (paragraph 125; Bots in a botnet are autonomous systems).

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.