DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 12/19/2019 and 08/02/2021 were filed before the mailing date of this office action.  The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner. 
Claim Objections
Claim 4 is objected to because of the following discrepancy:
Claim 4, line 1 the phrase “second first IIR” should read “second IIR”
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 11-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2008/0086434 A1 to Chesla et al. (hereinafter Chesla) and further in view of US-PGPUB No. 2019/0020663 A1 to Bartos et al. (hereinafter Bartos).
Regarding claim 1
Chesla discloses:
(see Chesla ¶03: “… the present invention is related to a system and method providing adaptive behavioral HTTP protection against HTTP floods attacks”):  
receiving samples of at least rate-base features, wherein the rate-base features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity (see Chesla ¶69: “Real-Time Traffic characteristics 102 includes the classification of both inbound 104 and outbound 106 HTTP traffic coming to and from the protected web server 108. Statistical parameters include both rate-based and rate-invariant parameters (all per protected server).”); 
computing a short-term baseline and a long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic (see Chesla ¶144-147: “FIG. 2 illustrates a flow chart depicting how the short term size distribution table is updated. It should be noted that: [0145] 1 sec interval--The interval in which a decision is made. Can be at the range of 1 to 10 seconds. [0146] Two types of size distribution tables are supported: short term (for real-time anomaly detection as specified above) and long term table for learning, i.e., calculating the URL size probability. [0147] According to the long-term size distribution table (which is defined later on), a measure of deviation from the expected request URL size occurrences is set every one second and is sent to a decision engine”); 
computing at least one short-term threshold respective of the short-term baseline and at least one long-term threshold respective of the long-term baseline (see Chesla ¶275: “Each of the decision engines generates DoA in an independent way (every one second). These engines are updated every one hour (MF's update and thresholds update) according to the adapted normal base lines (24×7 or continuous base lines)”); 
evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous (see Chesla ¶17: “Each list is divided into two sub-lists (high suspicious list and low suspicious list). Inclusion at each list is determined according to suspicious and attack thresholds (i.e., LOW=lower than attack thresholds and higher than suspicious threshold. High=higher than attack threshold).”
¶20: “the list further comprises: a first sub-list storing highly suspicious HTTP request sizes determined based on a suspicious HTTP request size greater than a threshold; and a second sub-list storing lower suspicious HTTP request sizes determined based on a suspicious HTTP request size lower than a threshold”).

However, Chesla does not disclose the following limitation taught by Bartos: 
generating alarm when anomaly is detected (Bartos discloses generating an alert in ¶95: “… the mitigation action may entail generating an alert (e.g., an email, automated phone call, text message, etc.) for a network administrator, the user of the client, or other interested party”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system and method of Chesla to incorporate the alert-generating functionality of the mitigation action disclosed by Bartos; such a modification would provide increased system security by alerting on the detection of anomalous traffic.

Regarding claim 2

The method of claim 1,  
wherein anomalous behavior is determined when a real- time sample exceeds any one of: the short-term threshold and the long-term threshold (see Chesla ¶19: “In an extended embodiment, the first list further comprises: a first sub-list storing highly suspicious sources determined based on a frequency of suspicious occurrences greater than a threshold; and a second sub-list of storing low suspicious sources determined based on a frequency of suspicious occurrences lower than said threshold.”).  

Regarding claim 3
The combination of Chesla and Bartos discloses:
The method of claim 1, 
further comprising: 
setting a first Infinite impulse response (IIR) low pass filter (LPF) to compute the short-term baseline (see Chesla, ¶152-165 teaches how to compute and set IIR low pass filters. ¶152: “Continuous learning averaging is based on first order IIR filter. It means that every pre-defined period (typically 1 second) for learned value (lv) the recurrent equation …”); and 
setting a second IIR LPF to compute the long-term baseline (Chesla, ¶165: “In addition to the continuous average also a max (peak) parameter is calculated. The max value is evaluated according to the last hour and every one hour it goes through a max continuous averaging formula …”).  

Regarding claim 4
The combination of Chesla and Bartos discloses:
The method of claim 3, 
wherein each of the first IIR LPF and the second first IIR LPF includes: 
an input circular buffer to buffer the received samples (see Chesla, ¶21: “The source trap buffers (the system preferable option) analyze all HTTP traffic that the suspicious sources (from the suspicious source list) generate toward the protected server”); and 
an output circular buffer to buffer outputs of the IIR LPF (see Chesla, ¶21: “… and the size trap buffer analyze all HTTP requests that match the sizes that exist in the suspicious size list”).  

Regarding claim 11
The combination of Chesla and Bartos discloses:
The method of claim 1, 
further comprising: 
determining whether the HTTPS traffic returned to demonstrated normal behavior comparing end-of attack threshold to a current sample (see Chesla, ¶433: “End of attack is identified in state 2 according to the process described in FIG. 24. When the Full DoA stays, persistently, below 8, blocking will be temporarily deactivated. If during this the Full DoA stays below 8 for a pre-defined period (default 30 seconds) then the system will transit to state 0, i.e., attack termination...”).  

Regarding claim 12

The method of claim 11, 
further comprising:  
computing an end-of attack threshold matrix, wherein each element in the threshold matrix is an estimate of an expected short-term threshold at a certain hour and day of a week (see Chesla, ¶58-59: “Detection of attack/anomaly is made according to multiple traffic parameters including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to more in-depth HTTP traffic parameters that are analyzed once traffic anomaly is detected. This protection includes a differential (different learning means that the statistics are collected and learned per hour and day in a week) and continuous adaptive mechanisms that tune the sensitivity of the anomaly detection engine”); 
comparing the threshold matrix to a current sample (Chesla teaches in ¶17-20 how to compare thresholds to a current sample. ¶20: “… the list further comprises: a first sub-list storing highly suspicious HTTP request sizes determined based on a suspicious HTTP request size greater than a threshold; and a second sub-list storing lower suspicious HTTP request sizes determined based on a suspicious HTTP request size lower than a threshold”); and 
determining a normal behavior when a current sample is lower than the corresponding element in the threshold matrix (see Chesla, ¶07: “This protection system includes an adaptive mechanism that tunes the sensitivity of the anomaly detection (or decision) engine according to the adapted normal traffic behavior. The decision engine is based on a combination between fuzzy logic inference systems and statistical thresholds.”
¶16: “… the second list includes all suspicious HTTP request URL sizes that are determined according to the normal URL size distribution as specified below”
¶20: “… a second sub-list storing lower suspicious HTTP request sizes determined based on a suspicious HTTP request size lower than a threshold”).    

Regarding claim 13
The combination of Chesla and Bartos discloses:
The method of claim 11, 
further comprising: 
computing an end-of attack threshold as a weighted average between a last baseline value before detecting abnormal behavior attack and an average rate during period of time when abnormal behavior was detected (see Chesla, ¶433: “FIG. 24 illustrates the attack termination condition (source mitigation case). End of attack is identified in state 2 according to the process described in FIG. 24. When the Full DoA stays, persistently, below 8, blocking will be temporarily deactivated. If during this the Full DoA stays below 8 for a pre-defined period (default 30 seconds) then the system will transit to state 0, i.e., attack termination”).   

Regarding claim 14
The combination of Chesla and Bartos discloses:
The method of claim 1, 
wherein a rate-base feature includes any one of: a number of HTTPS requests per second (RPS), a volume of HTTPS responses measured in number of bytes per second, and a volume of HTTPS requests measured in bytes per second (see Chesla ¶374: “R_rps ≡ The HTTP request rate (request per second) origin at the source address”; ¶260-261: “Out/R_P--ratio between HTTP request (R_C) to outbound bandwidth (OutB_C). As specified before the RT formula of the ratio parameter is: Out/R_P = OutB_C / R_C, where OutB_C = Outbound bandwidth in this case is measured in KBytes per second”).  

Regarding claim 15
The combination of Chesla and Bartos discloses:
The method of claim 1, 
wherein the anomalous behavior of the at least HTTPS traffic indicates a potential HTTPS flood DDoS attack (see Chesla ¶08: “… the generated degree of anomaly indicates a HTTP flood attack, and the decision engine communicates with said source IP trap buffer and the HTTP request size trap buffer to characterize the anomaly”).  

Regarding claim 16
The combination of Chesla and Bartos discloses:
The method of claim 15, 
wherein the method is performed by a defense system including at least a detector for detecting anomalous behavior and a mitigation resource for performing a mitigating action when anomalous behavior is detected (see Chesla, ¶57: “The present invention provides for a system and method to detect and mitigate denial of service and distributed DoS HTTP page flood attacks that can be generated”).  

Regarding claim 17

The method of claim 16, 
wherein the defense system is deployed in-line with traffic between client devices accessing the protected entity (see Chesla ¶67: “FIG. 1 illustrates the present invention's protection system architecture 100 for HTTP flood protection. The protection device in line with the protected server and the external data sources”), 
Chesla fails to explicitly disclose the following limitation:
wherein the protected entity is deployed in any one of a cloud computing platform and an on-premises datacenter (however, Bartos in ¶26-27 discloses: “network 100 may comprise local networks 160, 162 that include devices/nodes 10-16 and devices/nodes 18-20, respectively, as well as a data center/cloud environment 150 that includes servers 152-154. Notably, local networks 160-162 and data center/cloud environment 150 may be located in different geographic locations”).  

Regarding claim 19
Chesla discloses: 
A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic (see Chesla, ¶22: “a computer usable medium having computer readable program code embodied therein which implements a method to detect an anomaly”),  

Regarding claim 20
A system for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic comprising: 
a processing circuitry (see Chesla, ¶505: “… a computer to perform any of the methods associated with the present invention”); and 
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to (see Chesla, ¶505: “… a storage medium having program code stored therein which can be used to instruct a computer to perform any of the methods associated with the present invention”): 

In addition to the above limitations, claim 20 recites substantially the same limitations as claim 1, in the form of a system for implementing the corresponding method. Therefore, claim 20 is rejected under the same rationale as claim 1.

Claims 5-10 are rejected under 35 U.S.C. 103 as being unpatentable over Chesla, Bartos and further in view of L. Litwin, "FIR and IIR digital filters," in IEEE Potentials, vol. 19, no. 4, pp. 28-31, Oct.-Nov. 2000, doi: 10.1109/45.877863 (hereinafter Litwin).  
Regarding claim 5
The combination of Chesla and Bartos discloses:
The method of claim 3, 

wherein each of the first and second IIR LPF filter is set as follows: 
    [Image: equation defining the first and second IIR LPF; not reproduced here]

where b_i and a_i are the coefficients (Litwin on page 28 discloses the general difference equation for an IIR filter as $y(n) = -\sum_{k=1}^{N-1} a_k\, y(n-k) + \sum_{k=0}^{M-1} b_k\, x(n-k)$, where $a_k$ is the k-th feedback tap. The left sum runs from k = 1 to k = N-1, where N is the number of feedback taps in the IIR filter. The right sum runs from k = 0 to k = M-1, where M is the number of feedforward taps).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to further modify the combination of Chesla in view of Bartos by setting Chesla's IIR LPF filters using Litwin's difference equation for IIR digital filters. A person having ordinary skill in the art would have recognized that an IIR filter benefits from the previous inputs and outputs to provide an infinite-duration impulse response.

Regarding claim 6
The combination of Chesla, Bartos and Litwin discloses:
The method of claim 5,
wherein the coefficients of the first IIR LPF and the second IIR LPF are different (Litwin, in the equation $y(n) = -\sum_{k=1}^{N-1} a_k\, y(n-k) + \sum_{k=0}^{M-1} b_k\, x(n-k)$, teaches that the coefficients $a_k$ and $b_k$ can have different values).  
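The listing below is an added illustration by the editor of this page; it is not code from Chesla, Litwin, Bartos, or the application under examination. It implements Litwin's general difference equation quoted above for claims 5 and 6, runs it as the two first-order low-pass filters of claim 3 (same equation, different coefficients), and keeps the filter history in the input and output circular buffers of claim 4. The coefficient values (alpha = 0.5 for the short-term filter, alpha = 0.01 for the long-term filter), the seeding of each filter with the first sample, and the requests-per-second series are assumptions constructed for the example; none of them is taken from the references.

```python
from collections import deque


def iir_filter(b, a, x, y_init=0.0):
    """Litwin's general IIR difference equation,
        y(n) = -sum_{k=1}^{N-1} a_k y(n-k) + sum_{k=0}^{M-1} b_k x(n-k),
    run sample by sample. b holds the M feedforward taps, a the N feedback
    taps with a_0 = 1 (unused). The two deques are the input and output
    circular buffers of claim 4: they hold only the last M inputs and the
    last N-1 outputs, so memory does not grow with the length of x.
    y_init seeds the output history so the filter does not start from 0
    (assumed convenience, not part of Litwin's equation)."""
    M, N = len(b), len(a)
    xbuf = deque([0.0] * M, maxlen=M)               # xbuf[k]     == x(n-k)
    ybuf = deque([y_init] * (N - 1), maxlen=N - 1)  # ybuf[k-1]   == y(n-k)
    out = []
    for xn in x:
        xbuf.appendleft(xn)
        yn = sum(b[k] * xbuf[k] for k in range(M))
        yn -= sum(a[k] * ybuf[k - 1] for k in range(1, N))
        ybuf.appendleft(yn)
        out.append(yn)
    return out


def first_order_lpf(alpha):
    """Coefficients for y(n) = alpha*x(n) + (1-alpha)*y(n-1), i.e.
    b = [alpha], a = [1, -(1-alpha)]. Smaller alpha means a slower filter."""
    return [alpha], [1.0, -(1.0 - alpha)]


def baselines(rps, alpha_short=0.5, alpha_long=0.01):
    """Short-term and long-term baselines of a requests-per-second series,
    computed with two first-order IIR LPFs that differ only in their
    coefficients (claims 3 and 6). Both are seeded with the first sample."""
    bs, as_ = first_order_lpf(alpha_short)
    bl, al = first_order_lpf(alpha_long)
    return iir_filter(bs, as_, rps, rps[0]), iir_filter(bl, al, rps, rps[0])


# Constructed sample (not measured data): one minute of steady 100 RPS to
# a protected host, then 40 s of a flood at 1000 RPS.
SAMPLE_RPS = [100.0] * 60 + [1000.0] * 40

if __name__ == "__main__":
    short, long_ = baselines(SAMPLE_RPS)
    for n in (59, 60, 65, 99):
        print(f"t={n:3d}s rps={SAMPLE_RPS[n]:7.1f} "
              f"short={short[n]:7.1f} long={long_[n]:7.1f}")
```

Running the script prints the two baselines around the step at t = 60 s: the short-term baseline reaches the new rate within a few samples, while the long-term baseline is still below 400 RPS after 40 s, which is the property claim 1 relies on (one filter tracks rapid changes, the other slow ones). The y_init seed is what keeps a slow filter usable at start-up; seeded at zero, the alpha = 0.01 filter would still read about 45 RPS after a full minute of steady 100 RPS traffic.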

Regarding claim 7
The combination of Chesla, Bartos and Litwin discloses:
The method of claim 6, 
(Chesla ¶245-275 teaches how to determine short-term and long-term thresholds. ¶275: “FIG. 11 illustrates the decision-making engine. There are four decision engines 1102, 1104, 1106, and 1108. Each of the decision engines generates DoA in an independent way (every one second). These engines are updated every one hour (MF's update and thresholds update) according to the adapted normal base lines (24×7 or continuous base lines). Engine 3 (FIS1) 1106 Max (deviation) MF is updated upon every size input (i.e., S_C_i, E(i)) and the R_C MF is updated every one hour according to the R_C normal base-line”).  


Regarding claim 8
The combination of Chesla, Bartos and Litwin discloses:
The method of claim 7, 
Bartos further discloses: 
wherein the maxDev value is a maximal difference 'A' between a current sample and the respective computed baseline, wherein the value of the maximal difference 'A' is defined based on a pre-configured permitted false positive rate (however, Bartos in ¶40 discloses: “The performance of a machine learning model can be evaluated in a number of ways based on the number of true positives, false positives, true negatives, and/or false negatives of the model
… the false positives of the model may refer to the number of traffic flows that are incorrectly classified as malware-generated, anomalous, etc”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the method of Chesla by incorporating the method of Bartos to compute maxDev based on a pre-configured false positive rate as defined by Bartos to continuously update the learning of malicious traffic. 


Regarding claim 9
The combination of Chesla, Bartos and Litwin discloses:
The method of claim 8, 

wherein the maxDev value is computed as follows: maxDev = pσ, wherein 'σ' is an estimation of a standard deviation of a difference 'A' and 'p' is a constant number predetermined based on a required sensitivity (see ¶247-306, where Chesla teaches the equations used to determine threshold ranges for anomaly detection. 
¶275: Engine 3 (FIS1) 1106 Max (deviation) MF is updated upon every size input (i.e., S_C_i, E(i)) and the R_C MF is updated every one hour according to the R_C normal base-line.
¶249: … equations follow a measure of variance (√N), a peak "attractor" ( .sub.nm.sup.M) and a detection sensitivity level (l) factor. The logarithmic nature of these formula aims to insure that lower average values would result in lower detection sensitivity (i.e., higher ratio between normal and attack edge)).  

Regarding claim 10
Chesla, Bartos and Litwin together disclose:
The method of claim 8, 
Chesla discloses:
wherein the maxDev value is computed as follows: maxDev = (An: n = [(1 - FP)N]), where FP is a parameter defining a required sensitivity, wherein samples in a dataset of 'An' are sorted in descending order the highest absolute values of deviations from the respective computed baseline, among the last N samples (Chesla ¶247-306 teach how to compute maxDev. See ¶275: “Engine 3 (FIS1) 1106 Max (deviation) MF is updated upon every size input (i.e., S_C_i, E(i)) and the R_C MF is updated every one hour according to the R_C normal base-line”).  
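The following listing is an added illustration by the editor of this page, not code from Chesla, Bartos, Litwin, or the application under examination. It implements the two maxDev definitions of claims 9 and 10, the short-term/long-term threshold test of claims 1 and 2, and the end-of-attack threshold of claims 11 and 13, and runs them over a constructed requests-per-second series. Everything not stated in the claims is an assumption made for the example and is marked as such in the comments: p = 3, the reading of the bracket in n = [(1 - FP)N] as rounding to the (1 - FP) quantile, a weight of 0.5 in the end-of-attack average, a 5-sample persistence rule standing in for Chesla's 30-second one, and the choice to freeze the baselines while an attack is in progress.

```python
import statistics
from collections import deque


def max_dev_sigma(devs, p):
    """Claim 9: maxDev = p * sigma, where sigma estimates the standard
    deviation of the differences A = sample - baseline and p is a constant
    chosen for the required sensitivity (p = 3 is assumed below)."""
    return p * statistics.pstdev(devs)


def max_dev_fp(devs, fp):
    """Claim 10: sort the absolute deviations of the last N samples in
    descending order, A_1 >= A_2 >= ... >= A_N, and take A_n with
    n = [(1 - FP) * N].  Reading assumed here: the bracket rounds to the
    nearest integer, and the element returned is the one that exactly
    FP * N of the N samples exceed, i.e. the (1 - FP) quantile, which sits
    N - n positions below the largest value."""
    a = sorted((abs(d) for d in devs), reverse=True)
    N = len(a)
    n = int(round((1.0 - fp) * N))
    return a[max(0, min(N - 1, N - n))]


def end_of_attack_threshold(last_normal_baseline, attack_mean_rate, w=0.5):
    """Claim 13: weighted average of the last baseline value seen before the
    anomaly and the mean rate observed while it persisted.  The weight w is
    an assumption; the page gives no value for it."""
    return w * last_normal_baseline + (1.0 - w) * attack_mean_rate


def run_detector(rps, alpha_short=0.5, alpha_long=0.01, p=3.0,
                 window=50, warmup=8, hold=5):
    """Per-sample evaluation of claims 1, 2, 11 and 13.

    NORMAL: the sample is compared with short_baseline + maxDev and with
    long_baseline + maxDev; exceeding either one is anomalous (claim 2).
    Baselines are first-order IIR LPFs seeded with the first sample, and
    maxDev is p * sigma over the last `window` non-anomalous deviations.
    ATTACK: the sample is compared with the end-of-attack threshold
    (claim 11); `hold` consecutive samples below it end the attack, an
    assumed analogue of Chesla's 30 s persistence rule.  Baselines and
    the deviation window are frozen during ATTACK so the flood itself is
    never learned as normal behaviour (assumed design choice).
    Returns one state string per sample."""
    short = long_ = float(rps[0])
    devs = deque(maxlen=window)
    state, states = "NORMAL", []
    last_base, attack_rates, below = None, [], 0
    for x in rps:
        if state == "NORMAL":
            md = max_dev_sigma(devs, p) if len(devs) >= warmup else float("inf")
            if x > short + md or x > long_ + md:
                state, last_base, attack_rates, below = "ATTACK", long_, [x], 0
            else:
                short = alpha_short * x + (1.0 - alpha_short) * short
                long_ = alpha_long * x + (1.0 - alpha_long) * long_
                devs.append(x - long_)
        else:
            attack_rates.append(x)
            eoa = end_of_attack_threshold(last_base, statistics.fmean(attack_rates))
            below = below + 1 if x < eoa else 0
            if below >= hold:
                state = "NORMAL"
        states.append(state)
    return states


# Constructed requests-per-second series (not measured data): 60 s of
# normal traffic jittering around 100 RPS, a 30 s flood at 1000 RPS, then
# 30 s back at 100 RPS.
NORMAL_PATTERN = [100.0, 103.0, 100.0, 97.0, 100.0, 102.0, 100.0, 98.0]
SAMPLE_RPS = (NORMAL_PATTERN * 8)[:60] + [1000.0] * 30 + [100.0] * 30

if __name__ == "__main__":
    states = run_detector(SAMPLE_RPS)
    changes = [(t, s) for t, s in enumerate(states) if t == 0 or s != states[t - 1]]
    print(changes)   # state transitions and the second at which each occurs
```

The last assumption is the one a practitioner should insist on: if the filters keep learning during a flood, the long-term baseline and the deviation window absorb the attack rate, the thresholds rise with it, and a sustained flood stops being anomalous. Freezing them also makes the end-of-attack threshold meaningful, since it needs the last pre-attack baseline as one of its two terms.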
 
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Chesla, Bartos and further in view of US-PGPUB No. 2019/0158533 A1 to Holloway et al. (hereinafter Holloway)  
Regarding claim 18
The combination of Chesla and Bartos discloses:
The method of claim 16. 
However, Chesla and Bartos do not explicitly disclose the following limitation taught by Holloway:
wherein the defense system is installed in a cloud defense platform as an always-on deployment, wherein the cloud defense platform is deployed between client devices and the protected entity (Holloway in ¶20-21 disclosed: “A method and apparatus for denial-of-service (DoS) detection and mitigation in a cloud-based proxy service is described. … The cloud-based proxy service illustrated in FIG. 1 includes a set of proxy server(s) 120 that are situated between the client computing devices 110A-I and the origin servers 130A-N”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the HTTP flood DDoS detection and mitigation system of Chesla and Bartos to incorporate the teachings of Holloway, in order to gain the benefits of an always-on cloud defense platform for the detection and mitigation of HTTP flood DDoS attacks.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Anderson et al. (US-PGPUB No. 2019/0245866 A1) discloses leveraging point inferences on Hypertext Transfer Protocol (HTTP) transactions for HTTP Secure (HTTPS) malware detection.
Bhogavilli et al. (US-PGPUB No. 2012/0174196 A1) discloses methods and systems for detecting and responding to Denial of Service and other cyber attacks against servers and web servers.
Del Fante et al. (US-PGPUB No. 2016/0164912 A1) discloses methods and systems for detection and mitigation of denial-of-service (DoS) attacks against network applications/services/devices in near real-time.
Mota et al. (USPAT No. 10931692) discloses a filtering mechanism to reduce false positives of machine learning (ML)-based anomaly detectors and classifiers.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached from 8:00am to 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 4122


/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491