DETAILED ACTION
Responsive to the Applicant reply filed on 10/04/2021, Applicant’s amendments to the claims have been entered, and the respective arguments have been carefully considered and are responded to in the following.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/04/2021 has been entered.
Response to Amendment
The amendment filed 10/04/2021 has been entered. Claims 1, 6, 9, 14, 17, 22, 25 and 27 have been amended. Claims 1-3, 6-11, 14-19 and 22-29 remain pending in the application.
Response to Arguments
Applicant’s arguments, see Remarks, filed 10/04/2021, with respect to the rejection(s) of independent claim(s) 1, 9, 17 and 25 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Jayawardena et al. (US 20050180416 A1 hereinafter “Jayawardena”) in view of Salsamendi et al. (US 9542554 B1 hereinafter “Salsamendi”) in view of Chesla et al. (US 20130333029 A1 hereinafter “Chesla”). Please refer to the 35 U.S.C. § 103 section below for the detailed rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 9, 14, 17, 22, 25 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Jayawardena et al. (US 20050180416 A1 hereinafter “Jayawardena”) in view of Salsamendi et al. (US 9542554 B1 hereinafter “Salsamendi”) in view of Chesla et al. (US 20130333029 A1 hereinafter “Chesla”).
Regarding claim 1, (Currently Amended) Jayawardena discloses a method of mitigating botnets in a network, comprising (Abs. a system and method for aiding the handling of DDoS attacks [“mitigating botnets”]): 
diverting Internet traffic associated with the threat location by sending a Border Gateway Protocol (BGP) update to one or more routers of the network in response to receiving the indication that outbound Internet traffic of the network is associated with the threat location, wherein the BGP update identifies a diverted path for specified Internet traffic between the transmitting computing device and the network addressed to the IP address of the threat location and the specific Internet traffic is associated with the threat location, wherein the BGP update does not apply to other Internet traffic from the transmitting computing device not associated with the threat location (clm. 15, injecting a BGP routing instruction [“BGP update”] into said ISP when said DDoS attack is occurring [“indication that outbound Internet traffic is associated with the threat location”]; redirecting, at selected edge routers, VPN traffic addressed for said first IP address to a black-hole router [“diverted path” and “transmitting computing device” only associated with the threat location]; directing, at other edge routers, VPN traffic addressed for said first IP address to said application that is experiencing said DDoS attack [“diverted path”, “specific Internet traffic” and “BGP update” only for a transmitting computing device associated with the threat location, See ISP network clm. 12 and 14 below]; clm. 12, The ISP network of claim 8, wherein said injected instruction is a Border Gateway Protocol (BGP) routing instruction; clm. 14, The ISP network of claim 8, wherein said router injects said instruction when said application is experiencing a DDoS attack).
However, it does not teach, “wherein the specified Internet traffic between the transmitting computing device and the network addressed to the IP address of the threat location comprises outbound Internet traffic of the network; receiving an indication that outbound Internet traffic of the network is associated with a threat location, wherein the indication that the outbound Internet traffic of the network is associated with the threat location includes an Internet Protocol (IP) address of the threat location and wherein the threat location is associated with a command and control (C2) server of a botnet and the C2 server is not a device of the network”.
In a same field of endeavor, Salsamendi discloses the method, wherein the specified Internet traffic between the transmitting computing device and the network addressed to the IP address of the threat location comprises outbound Internet traffic of the network (Col. 13, ln. 19-21, Suppose the author of malware 130 repacks the malware three times, sending different copies of malware 130 to each of clients 104, 106, and 108, respectively [“specified Internet traffic”]; Col. 13, ln. 33-37, Appliance 102 might accordingly transmit each of the three attachments to cloud security service 122 for processing, before allowing the messages from system 120 to reach any of clients 104-108 [“outbound Internet traffic”, since transitions via external network 118, See Fig. 1]; Col. 14, ln. 54-58, The external contact attempts made by the malware are stored, e.g. in database 316, in a manner that associates the generated domains (or IP addresses [“IP address of the threat location”], as applicable) with the malware being evaluated (e.g., using one or more database entries));
Col. 13, ln. 19-21, Suppose the author of malware 130 repacks the malware three times, sending different copies of malware 130 to each of clients 104, 106, and 108, respectively [“specified Internet traffic”]; Col. 13, ln. 33-37, Appliance 102 might accordingly transmit each of the three attachments to cloud security service 122 for processing, before allowing the messages from system 120 to reach any of clients 104-108 [“outbound Internet traffic”, since transitions via external network 118, See Fig. 1]; Col. 14, ln. 54-58, The external contact attempts made by the malware are stored [“indication”], e.g. in database 316, in a manner that associates the generated domains (or IP addresses [“IP address of the threat location”], as applicable) with the malware being evaluated (e.g., using one or more database entries)) and wherein the threat location is associated with a command and control (C2) server of a botnet and the C2 server is not a device of the network (Col. 2, ln. 14-24, FIG. 1, a malicious individual (using system 120 [“threat location”]) has created malware 130. The malicious individual hopes that a client device, such as client device 104 [“transmitting computing device”], will execute a copy of malware 130, compromising the client device, and causing the client device to become a bot in a botnet. The compromised client device can then be instructed to perform tasks (e.g., cryptocurrency mining, or participating in denial of service attacks) and to report information to an external entity, such as command and control (C&C) server 150 [“C2 server is not a device of the network”], as well as to receive instructions from C&C server 150, as applicable).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Jayawardena with the teachings of Salsamendi to receiv(ing) an indication that outbound Internet traffic of the network is associated with a threat location, wherein the indication that the outbound Internet traffic of the network is associated with the threat location while malware 130 could explicitly include the domain “kjh2398sdfj.com” in its code, techniques [or the method] such as static/dynamic analysis of malware 130 could make it possible for a security company (or other applicable entity, such as a security researcher) to identify the domain “kjh2398sdfj.com” as a C&C server, and take remedial actions (e.g., publish the domain “kjh2398sdfj.com” on a blacklist [or IP addresses, as applicable], and/or act to get the C&C server shut down/made unreachable) [Col. 2, 28-37].
However, the combination does not teach, “inspecting the diverted Internet traffic associated with the threat location to identify one or more attributes of the diverted Internet traffic; determining whether the diverted Internet traffic is malicious based at least in part on the identified one or more attributes; and handling the diverted Internet traffic according to one or more security settings in response to determining that the diverted Internet traffic is malicious.”
In a same field of endeavor, Chesla discloses the method, wherein inspecting the diverted Internet traffic associated with the threat location to identify one or more attributes of the diverted Internet traffic (¶0043-0045, at S240, each network element 102 receiving a packet that should be diverted, forwards the packet to the security server 120 instead of to the destination sever 130. The security server 120 processes the diverted traffic to detect and mitigate malicious attacks. At S250, the diversion field can be clear by the security server 120 to indicate that the diversion is no longer required);
determining whether the diverted Internet traffic is malicious based at least in part on the identified one or more attributes (¶0046, At S260, a check is made to determine if the detected attack is terminated); and
¶0047, At S260, a check [“security settings”] is made to determine if the detected attack is terminated; and if so, at S270, the central controller 101 is configured to instruct [“handling the diverted Internet traffic”] the peer network element of the network 100 not to set the diversion field to its diversion value).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Jayawardena and Salsamendi with the teachings of Chesla to inspect(ing) the diverted Internet traffic associated with the threat location to identify one or more attributes of the diverted Internet traffic. One of ordinary skill in the art would have been motivated to make this modification because suspicious incoming traffic from network 100 peer points [or outbound Internet traffic of the network] is diverted to the security server 120 and only “clean traffic” is injected back to its destination [0032].

Regarding claim 6, (Currently Amended) the combination of Jayawardena, Salsamendi and Chesla discloses the method of claim 1, wherein the indication that the outbound Internet traffic of the network is associated with the threat location is an indication that a domain name service lookup from another computing device of the network was associated with the threat location (Salsamendi: Col. 5 ln. 8-13, DNS module 134 can be configured to monitor DNS requests (e.g., as received from client devices such as client device 104 [“outbound Internet traffic”, since transitions via external network 118, See Fig. 1]) for evidence that the client device has been infected with malware that makes use of algorithmically generated domains (e.g., where those domains are not already on a blacklist)).

Regarding claim 9, (Currently Amended) it is a computing device claim that corresponds to claim 1. Chesla further discloses a processor configured with processor-executable instructions to perform operations (¶0052, processor 410 uses instructions stored in the memory 415). Therefore, the claim is rejected for at least the same reasons as the method of claim 1.

Regarding claim 14, (Currently Amended) it is a computing device claim that corresponds to claim 6. Therefore, the claim is rejected for at least the same reasons as the method of claim 6.

Regarding claim 17, (Currently Amended) it is a non-transitory processor readable medium claim that corresponds to claim 1. Chesla further discloses a processor of a computing device to perform operations (¶0052, processor 410 uses instructions stored in the memory 415). Therefore, the claim is rejected for at least the same reasons as the method of claim 1.

Regarding claim 22, (Currently Amended) it is a non-transitory processor readable medium claim that corresponds to claim 6. Therefore, the claim is rejected for at least the same reasons as the method of claim 6.

Regarding claim 25, (Currently Amended) it is a system claim that corresponds to claim 1. Chesla further discloses a processor configured with processor-executable instructions to perform operations (¶0052, processor 410 uses instructions stored in the memory 415). Therefore, the claim is rejected for at least the same reasons as the method of claim 1.

Regarding claim 27, (Currently Amended) it is a system claim that corresponds to claim 6. Therefore, the claim is rejected for at least the same reasons as the method of claim 6.


Claims 2, 7, 10, 15, 18, 23 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Jayawardena et al. (US 20050180416 A1 hereinafter “Jayawardena”) in view of Salsamendi et al. (US 9542554 B1 hereinafter “Salsamendi”) in view of Chesla et al. (US 20130333029 A1 hereinafter “Chesla”) as applied to claim 1 above, and further in view of DORON et al. (US 20180255095 A1 hereinafter “Doron”).
Regarding claim 2, (Previously Presented) the combination of Jayawardena, Salsamendi and Chesla discloses the method of claim 1 except “routing the diverted Internet traffic toward the diverted Internet traffic's original destination in response to determining that the diverted Internet traffic is not malicious”. 
In a same field of endeavor, Doron further discloses the method of claim 1, wherein routing the diverted Internet traffic toward the diverted Internet traffic's original destination in response to determining that the diverted Internet traffic is not malicious (Doron: ¶0047, At S260, a check is made to determine if the detected attack is terminated; and if so, at S270, the central controller 101 is configured to instruct the peer network element of the network 100 not to set the diversion field to its diversion value).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Jayawardena, Salsamendi, and Chesla with the teachings of Doron to rout(ing) the diverted Internet traffic toward the diverted Internet traffic's original destination in response to determining that the diverted Internet traffic is not malicious. One of ordinary skill in the art would have been motivated to make this modification because the mitigation resource [or “determining the diverted traffic is not malicious”] may be configured to determine when a previously detected DDoS attack is terminated. Upon such determination, the controller 280 returns to a peace mode of operation (¶0064).

Regarding claim 7, (Original) the combination of Jayawardena, Salsamendi and Chesla discloses the method of claim 1 except “handling the diverted Internet traffic according to one or more security settings comprises dropping one or more packets of the diverted Internet traffic.”
Doron discloses the method of claim 1, wherein handling the diverted Internet traffic according to one or more security settings comprises dropping one or more packets of the diverted Internet traffic (Doron: ¶0074, S330 may include causing redirection of traffic from sources of the traffic to a mitigation resource, cleaning the traffic (e.g., by filtering malicious [“dropping one or more packets”] or otherwise illegitimate traffic)).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Jayawardena, Salsamendi and Chesla with the teachings of Doron to handl(ing) the diverted Internet traffic according to one or more security settings comprises dropping one or more packets of the diverted Internet traffic. One of ordinary skill in the art would have been motivated to make this modification because the mitigation action may include generating an ACL filtering IP addresses [or “dropping one or more packets”] not associated with entities in the defense platform, and configuring the cloud computing platform with the generated access control list. Thus, the mitigation action results in only allowing traffic from the defense platform (¶0075).

Regarding claim 10, (Original) it is a computing device claim that corresponds to claim 2. Therefore, the claim is rejected for at least the same reasons as the method of claim 2.

Regarding claim 15, (Original) it is a computing device claim that corresponds to claim 7. Therefore, the claim is rejected for at least the same reasons as the method of claim 7.

Regarding claim 18, (Previously Presented) it is a non-transitory processor readable medium claim that corresponds to claim 2. Therefore, the claim is rejected for at least the same reasons as the method of claim 2.

Regarding claim 23, (Previously Presented) it is a non-transitory processor readable medium claim that corresponds to claim 7. Therefore, the claim is rejected for at least the same reasons as the method of claim 7.

Regarding claim 28, (Previously Presented) it is a system claim that corresponds to claim 7. Therefore, the claim is rejected for at least the same reasons as the method of claim 7.


Claims 3, 11, 19 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Jayawardena et al. (US 20050180416 A1 hereinafter “Jayawardena”) in view of Salsamendi et al. (US 9542554 B1 hereinafter “Salsamendi”) in view of Chesla et al. (US 20130333029 A1 hereinafter “Chesla”) as applied to claim 1 above, and further in view of Reddy et al. (US 20180007084 A1 hereinafter “Reddy_1”).
Regarding claim 3, (Previously Presented) the combination of Jayawardena, Salsamendi and Chesla teaches all features of the method of claim 1. Although Chesla teaches, “examine packet headers” in paragraphs 0036-0040, it does not teach “inspecting the diverted Internet traffic to identify 
In a same field of endeavor, Reddy_1 discloses the method of claim 1, wherein inspecting the diverted Internet traffic to identify the one or more attributes of the diverted Internet traffic comprises performing deep packet inspection on the diverted Internet traffic (¶0054, DOTS mitigator(s) 308 may assess the attack traffic 310 (e.g., using its own attack detection functions), and potentially using deeper analysis techniques than that of DOTS client 304 (e.g., a more robust attack detector, using techniques such as deep packet inspection, etc.)).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by combination of Jayawardena, Salsamendi and Chesla with the teachings of Reddy_1 to include inspecting the diverted Internet traffic to identify the one or more attributes of the diverted Internet traffic comprises performing deep packet inspection on the diverted Internet traffic. One of ordinary skill in the art would have been motivated to make this modification because the device may perform DPI on the packets to inspect their payloads [or “diverted Internet traffic”] since performing DPI may inspect traffic payloads [or “diverted Internet traffic”] and take corrective measures if an attack is detected (¶0076).

Regarding claim 11, (Original) it is a computing device claim that corresponds to claim 3. Therefore, the claim is rejected for at least the same reasons as the method of claim 3.

Regarding claim 19, (Previously Presented) it is a non-transitory processor readable medium claim that corresponds to claim 3. Therefore, the claim is rejected for at least the same reasons as the method of claim 3.

Regarding claim 26, (Previously Presented) it is a system claim that corresponds to claim 3. Therefore, the claim is rejected for at least the same reasons as the method of claim 3.


Claims 8, 16, 24 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Jayawardena et al. (US 20050180416 A1 hereinafter “Jayawardena”) in view of Salsamendi et al. (US 9542554 B1 hereinafter “Salsamendi”) in view of Chesla et al. (US 20130333029 A1 hereinafter “Chesla”) as applied to claim 1 above, and further in view of Reddy et al. (US 20160330236 A1 hereinafter “Reddy_2”).
Regarding claim 8, (Original) the combination of Jayawardena, Salsamendi and Chesla teaches all features of the method of claim 1 except “handling the diverted Internet traffic according to one or more security settings comprises sending one or more packets of the diverted Internet traffic to a firewall for further inspection.”
In a same field of endeavor, Reddy_2 discloses the method of claim 1, wherein handling the diverted Internet traffic according to one or more security settings comprises sending one or more packets of the diverted Internet traffic to a firewall for further inspection (¶0151, the application firewall 290, included in the appliance 200 below, provides HTML form field protection in the form of inspecting or analyzing the network communication; ¶0164, the client agent 120, specifically interceptor 350, then communicates the redirected transport layer communication to the appliance 200).
At the time of filing, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by combination of Jayawardena, Salsamendi and Chesla with the teachings of Reddy_2 to include handling the diverted Internet traffic according to one or more security settings comprises sending one or more packets of the diverted Internet traffic to a firewall for further the rules/policy engine 236 comprises one or more application firewall or security control policies [or “security settings comprising a firewall for further inspection”] for providing protections against various classes and types of web or Internet based vulnerabilities (¶0166).

Regarding claim 16, (Original) it is a computing device claim that corresponds to claim 8. Therefore, the claim is rejected for at least the same reasons as the method of claim 8.

Regarding claim 24, (Previously Presented) it is a non-transitory processor readable medium claim that corresponds to claim 8. Therefore, the claim is rejected for at least the same reasons as the method of claim 8.

Regarding claim 29, (Previously Presented) it is a system claim that corresponds to claim 8. Therefore, the claim is rejected for at least the same reasons as the method of claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
• Detection of infected network devices via analysis of responseless outgoing network traffic - Davis et al. (US 20140075536 A1): [0031] For the malware program to function as intended, it generally needs to reach out to the attacker-controlled server or group of servers (commonly referred to as the Command & Control servers or C&C servers) on a regular interval so that control can be established and/or updates to the malware can be retrieved.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached campus 9:00 AM- 5:00 PM, alternate Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.S./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493