Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/21/2019, 11/21/2019, 02/19/2020, 03/26/2020, 04/17/2020, 11/04/2020, 12/15/2020, and 05/21/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Election/Restrictions
Applicant's election with traverse of Group I - claims 1-17, in the reply filed on 10/11/2021 is acknowledged. 
The traversal is found persuasive and the restriction requirement as set forth in the Office action mailed on 08/09/2021 is hereby withdrawn. Claims 18-20 are no longer withdrawn from consideration.
In view of the above noted withdrawal of the restriction requirement, applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application.
In re Ziegler, 443 F.2d 1211, 1215, 170 USPQ 129, 131-32 (CCPA 1971). See also MPEP § 804.01.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 and 18-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 1 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps. See MPEP § 2172.01.
Claim 1 comprises two uncorrelated parts: The first part identifies a number of gateways and their respective networks and sub-networks. The second part is concerned with identifying network hosts and analyzing data traffic generated therefrom. There is no definition of the role played by the gateway(s) in analyzing the network traffic and identifying a host having a particular traffic pattern.

“determining … a standard deviation of the collected network traffic.” but fails to further define a function of the “standard deviation” with relation to the subsequent elements of the claim, e.g., how the “standard deviation” is used to identify a host with an aggregate value which deviates furthest from the mean.
Claim 18 recites the limitation “by at least the standard deviation ("the selected host")” in line 32. Such claim language is indefinite in that it fails to point out whether the ("the selected host") is included or excluded by the claim language. This renders the scope of the claim ambiguous and indefinite.  
Claim 18 recites the limitation “transmitting a datagram having a time to live ("TTL") value set to zero to generate an error message with an IP address of one of the gateways sending the error message.” The claim omits correlating elements essential to link between the transmitting of the datagram and the generating of an error message. It is unclear whether the gateway(s) receive(s) the datagram and as a result the gateway(s) would generate error message(s) with their IP addresses.
Claim 18 recites the limitation “transmitting additional datagrams having the TTL value increased by one from the previously transmitted datagram until an error message is received having an IP address identifying the real destination host.” It is unclear whether the real destination host receives the datagram with the increased TTL value, and as a result would generate an error message with its IP address.
Claim 18 recites the limitation “modifying a source address of an IP datagram with a network address for the selected host,” but fails to define how a “selected host” is actually selected.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Korsunsky et al. (US 20110231564) in view of Stroud et al. (US 20130343377), both cited in the IDS filed 02/19/2020.

Regarding claim 1, Korsunsky discloses a method for scattering network traffic across a number of disparate hosts, said method comprising the steps of:
identifying each of a number of gateways located along a real transmission pathway between a real point of origin and a real point of destination, wherein each of said gateways has a network address (data flow processor may have access to network routing map data that may help in distinguishing between an in-network route point (e.g. a router along the path from a source to a destination) and end-user route points (ports) that generally should not participate in spanning tree protocol routing. Data flow processor may be configured to provide an access control capability for controlling access to network resources, such as web server content in a network including the Internet. Access control to web server gateways and the like may be provided by a data flow processor; [0617], [0643]);
identifying a network and a sub-network for each of said gateways from the network addresses for the gateways (data flow processor may compare the data stream source with the valid subnet ranges and only allow forwarding of a flow of data that belongs to a valid subnet range. Data streams that may have a spoofed source address may have valid data packet payloads but may not belong to the valid subnet ranges and therefore, may be dropped; [0620]);
generating a list of network addresses for the hosts, including at least one host used for observation purposes which is actually located along the real transmission pathway, and at least one illusionary host having a network address which renders said illusionary host as appearing to be plausibly located along the real transmission pathway (elements of the flow processing facility 102 are implemented as processor modules 208,210, 212 or "blades" which plug into a chassis 218 that is implemented according to the network architecture. Management server 228 is implemented in a host machine; [0154].
Data flow may be directed at an external network device that is identified by a network address such as an IP address, MAC address, URI, or any other network identifier. In this case, the data flow may be transmitted via the physical network interface 302 to the external device. Alternatively, the data flow may be transmitted via the switching fabric 304 to another network processor module 210 that transmits the data flow via its physical network interface to the external device; [0161].
data flows may be simulated or actual, and may be recently, currently, or previously generated; [0163].
flow processing facility 102 may implement an abstraction that is a simulated or logical network. This abstraction may include any and all servers and networking components that may occur in a real network, including without limitation hardware devices, physical interfaces, logical interfaces, network connections, and the like. Configuration tools may enable a user to create any and all emulated or logical networks by creating and destroying virtual network devices, and by connecting or disconnecting those devices; [0212]);
collecting frequency and volume data for network traffic to and from the hosts identified on the list (inspecting the packets to determine a validity for each packet; combining the inspection result with packet routing information into a network behavior; establishing a baseline for network behavior; and comparing ongoing network behavior to the baseline to detect abnormal network behavior in the flow processing facility. The packet routing information may include one or more of a port identifier, a source, a destination, and a route; [0063]. 
extrusion detection and prevention may examine whether and/or what traffic flows to and/or from a particular network area; the content of the traffic; and so on; [0126]);
determining an aggregate value for the collected network traffic data for each of the hosts identified on the list (management server 228 receives or produces aggregate health and status information associated with the flow processing facility; [0153]);
(a normalization of a data flow 444 may be expressed in terms of standard deviations of measurements of features of the flow; [0166].
header analyzer 2208 may also derive other features from statistics taken over multiple "chunks. Examples of such other features may include, without limitation, connection time, and/or requests per unit time, and/or average request and response sizes; [0422]);
identifying a particular one of the hosts from the list having an aggregate value which deviates furthest from the mean (blocks normalize 2218 and normalize 2220 may express the magnitudes of any and/or all of the components extracted from "traffic in" 2004 and which may be delivered by means of header analyzer 2208 and/or content analyzer 2210. These quantities may be expressed in terms of numbers of standard deviations, but many other representations may be employed. The result of these processes may be a sequence of feature vectors; [0426].
an anomaly may be signaled if all distances exceed respective thresholds. Note that in the example implementation, these distances and/or the related thresholds may be some number of standard deviations of the distances that may have been observed during training; [0436]).
Korsunsky does not expressly disclose replacing a source address of an outbound datagram with the network address for the particular one of the hosts.
(source MAC address is set to the MAC address of control CPU 106 and the destination MAC address is set to the MAC address of traffic generating CLD 102C. In some embodiments, the CLD server replaces the sequence number with its own current sequence number. In some embodiments. the CLD server may keep a copy of the entire modified directive packet to allow later retransmission; [0359]; 
To forward the CLD response packet, the CLD server replaces the destination MAC address with the MAC address of the originating network processor. If the sequence number was replaced by the CLD server in step 474, the original sequence number may be restored. Finally the modified response packet is transmitted; [0363]). 
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to add the features taught by Stroud into the system of Korsunsky in order to allow a deeper analysis of traffic patterns, and subsequently apply certain traffic engineering techniques such as filtering packets of a particular interest (Stroud; [0289]).

Regarding claim 2, the combination of Korsunsky and Stroud, particularly Korsunsky discloses determining that none of the hosts have an aggregate value deviating from the mean by more than the standard deviation; and adding additional illusionary hosts to the list (blocks normalize 2218 and normalize 2220 may express the magnitudes of any and/or all of the components extracted from "traffic in" 2004 and which may be delivered by means of header analyzer 2208 and/or content analyzer 2210. These quantities may be expressed in terms of numbers of standard deviations, but many other representations may be employed. The result of these processes may be a sequence of feature vectors applied to neural networks 2224; [0426]).

Regarding claim 3, the combination of Korsunsky and Stroud, particularly Korsunsky discloses each of the hosts are located on one or more IP networks (The data flow may be directed at an external network device that is identified by a network address such as an IP address, MAC address, URI, or any other network identifier. In this case, the data flow may be transmitted via the physical network interface 302 to the external device. Alternatively, the data flow may be transmitted via the switching fabric 304 to another network processor module 210 that transmits the data flow via its physical network interface to the external device; [0161]).

Regarding claim 4, the combination of Korsunsky and Stroud, particularly Korsunsky discloses each of the hosts are configured to operate under TCP/IP protocols (the data flow 444 is composed of an IP-packet sequence, such as may be associated with a connection-oriented protocol (e.g., TCP/IP) or a connectionless protocol (e.g., UDP/IP). Each packet and, by extension, the data flow 444, may be composed of packet headers and packet payloads; [0192]).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Korsunsky in view of Stroud and in view of Robitaille et al. (US 20140025806).

Regarding claim 5, the combination of Korsunsky and Stroud does not expressly disclose identifying each of the gateways comprises: transmitting a datagram with a time to live ("TTL") value set to zero; and increasing the TTL value by one and transmitting an additional datagram.
In an analogous art, Robitaille discloses identifying each of the gateways comprises: transmitting a datagram with a time to live ("TTL") value set to zero; and increasing the TTL value by one and transmitting an additional datagram (the TTL value is 0 (zero) and the processing of the discovery packet and the remainder of the 3-way handshake by the device (advertisement packet from the device and a management reply from the discoverer) takes place as previously described. Whenever a discoverer detects a new device, it will begin the next discovery sequence with a TTL value incremented by 1 (one) from the previously used TTL value; [0045]).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to add the features taught by Robitaille into the system of Korsunsky and Stroud in order to enable avoiding a need for allocating unique layer-3 addresses to a device to be discovered to save time, cost and avoid temporary addressing changes (Robitaille; [0018]).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 7-11 and 16-17 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Korsunsky et al. (US 20110231564).

Regarding claim 7, Korsunsky discloses a system for scattering network traffic across a number of disparate hosts, said system comprising:
a real transmission pathway comprising: a real origin host; a real destination host; and one or more gateways between said real origin host and said real destination host (data flow processor may have access to network routing map data that may help in distinguishing between an in-network route point (e.g. a router along the path from a source to a destination) and end-user route points (ports) that generally should not participate in spanning tree protocol routing; [0617].
the data flow processor may be configured to provide an access control capability for controlling access to network resources, such as web server content in a network including the Internet. In an example, the data flow processor may provide access control based on the subscriber profile; [0643]);

one or more illusionary hosts, each having a network address which is configured to appear as being plausibly located along said real transmission pathway (information may originate from the control processor module 208 or from the management server 228 and may be directed at controlling or monitoring the flow processing facility; [0153].
The flow processing facility 102 may implement an abstraction that is a simulated or logical network. This abstraction may include any and all servers and networking components that may occur in a real network, including without limitation hardware devices, physical interfaces, logical interfaces, network connections, and the like. Configuration tools may enable a user to create any and all emulated or logical networks by creating and destroying virtual network devices; [0212]).

Regarding claim 8, Korsunsky discloses each of said observation hosts are in electronic communication with one of said gateways; and each of said observation hosts are configured to collect data on network traffic passing through a respective one of the gateways (a network may comprise any number of computing facilities, such as network servers, switches, routers, hubs, clients, and the like. In any case, the information may comprise a file system, a database, a file, a record, a field, a value, a sequence of bytes, a byte, a bite, or any and all information. Thus, extrusion detection and prevention may examine whether and/or what traffic flows to and/or from a particular network area; the content of the traffic; [0126].
control processor module 208 coordinates the elements of the flow processing facility 102. These elements include the network processor modules 210, the application processor modules 212, and so on. The control processor module 208 enables management access to the flow processing facility 102 and its elements. This management access can include access to local facilities (memory, hard drives, network ports, network services and software applications, and so on) that reside within the elements. The management server 228 receives or produces aggregate health and status information associated with the flow processing facility 102; [0153]).

Regarding claim 9, Korsunsky discloses each of said illusionary hosts are in electronic communication with one of said gateways (data flows may be simulated or actual, and may be recently, currently, or previously generated; [0163].
flow processing facility 102 may implement an abstraction that is a simulated or logical network. This abstraction may include any and all servers and networking components that may occur in a real network, including without limitation hardware devices, physical interfaces, logical interfaces, network connections, and the like. Configuration tools may enable a user to create any and all emulated or logical networks by creating and destroying virtual network devices, and by connecting or disconnecting those devices; [0212]).

Regarding claim 10, Korsunsky discloses each of said observation hosts are configured to calculate an aggregate value of network traffic for each of the number of (The management server 228 receives or produces aggregate health and status information associated with the flow processing facility 102. Any function or feature of the flow processing facility 102 that is subject to control by an administrator or about which information is provided to an administrator can be provided through a physical data port of the control processor module 208. This data port can be operatively coupled to the management server 228. Through this coupling, information may be both received from the management server 228 and provided to the management server 228. This information may originate from the control processor module 208 or from the management server 228 and may be directed at controlling or monitoring the flow processing facility 102; [0153-0154]).

Regarding claim 11, Korsunsky discloses said real origin host is configured to determine a mean value and a standard deviation value of the network traffic for all of the number of disparate hosts on the real transmission pathway (methods and systems a normalization of the data flow may include normalizing one or more of data packet headers, data packet payloads, protocols, data flow behaviors, data flow packet arrival time, and data flow packet size. Normalization may be expressed in terms of standard deviations of measurement of features of the data flow, or as a statistical measure or a result of a mathematic calculation. Normalization may also be associated with neural networks that are applied to the data flow within the antivirus facility; [0037, 0166, 0209, 0401-0410, 0426, 0435-0436]).

Regarding claim 16, Korsunsky discloses the real transmission pathway is located along one or more IP networks (The data flow may be directed at an external network device that is identified by a network address such as an IP address, MAC address, URI, or any other network identifier. In this case, the data flow may be transmitted via the physical network interface 302 to the external device. Alternatively, the data flow may be transmitted via the switching fabric 304 to another network processor module 210 that transmits the data flow via its physical network interface to the external device; [0161]).

Regarding claim 17, Korsunsky discloses each of said hosts and gateways are configured to operate using TCP/IP protocols (the data flow 444 is composed of an IP-packet sequence, such as may be associated with a connection-oriented protocol (e.g., TCP/IP) or a connectionless protocol (e.g., UDP/IP). Each packet and, by extension, the data flow 444, may be composed of packet headers and packet payloads; [0192]).

Allowable Subject Matter
Claims 6, 12-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
mutatis mutandis.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Kapoor et al. (US 20160366160), “Systems And Methods For Processing Data Flows.”

Prior art is not used against claims 18-20. However, this is not an indication that the claims are allowable. The 112(b) issues cause a great deal of confusion and uncertainty as to the proper interpretation of the limitation of the claims. It is difficult for the Examiner to ascertain what the Applicant intends to claim.
The scope of the claims is unclear as discussed above. As a result, a meaningful formulation of art rejections cannot be done at this time. See MPEP 2173.06 II, 2nd paragraph:
... where there is a great deal of confusion and uncertainty as to the proper interpretation of the limitations of a claim, it would not be proper to reject such a claim on the basis of prior art.... a rejection under 35 U.S.C. 103 should not be based on considerable speculation about the meaning of terms employed in a claim or assumptions that must be made as to the scope of the claims.
Ex Parte Timothy J.O. Catlin and Kevin T. Rowney, the appeal of 09/167,315, Appeal No. 2007-3072, decided Feb. 3, 2009, page 12:
... A rejection of a claim, which is so indefinite that "considerable speculation as to meaning of the terms employed and assumptions as to the scope of such claims" is needed, is likely imprudent. See In re Steele, 305 F.2d 859, 862 (CCPA 1962) (holding that the examiner and the board were wrong in relying on what at best were speculative assumptions as to the meaning of the claims and basing a rejection under 35 U.S.C. §103 thereon.).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OUSSAMA ROUDANI whose telephone number is (571)272-4727. The examiner can normally be reached 8:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, UN C CHO can be reached on (571) 272 7919. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/OUSSAMA ROUDANI/           Primary Examiner, Art Unit 2413