DETAILED ACTION
Claims 1-17 are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d).

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/10/2019 and 01/03/2020 have been considered and acknowledged by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, such claim limitation(s) is/are: “a detection unit that is configured to…detect (Claim 9)…collect (Claims 10, 11 and 17)…transmit (Claims 12 and 14)…receive (Claim 13)…replace (Claims 14 and 15)” and “a protection unit that is configured to…use (Claim 9)…determine (Claims 10-12)…stop (Claim 16) because the claim limitation(s) uses a generic placeholders “detection unit” and “protection unit” that is coupled with functional language “detect”, “collect”, “transmit”, “receive”, “replace”, “determine” and “stop” without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.   
Per Federal Register [Vol. 76, No 27, Weds. Feb 9, 2011] guidance, pg. 7167:

unit for," "component for," "element for," "member for," "apparatus for," "machine for," or "system for." This list is not exhaustive and other non-structural terms may invoke § 112(f).

Since the claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation:  
The applicant's specification states the apparatus may be configured in a protection device, or the apparatus itself is a protection device. The apparatus may include a detection unit 401 and a protection unit 402 (see applicant’s specification as filed; paragraph 0083).  Further, the protection device 500 may include one or more central processing units 522 (e.g., one or more processors) and memories 532 (see applicant’s specification as filed; paragraph 0096).  As such, the applicant’s specification discloses the linking structure (apparatus/protection device).
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112 , sixth paragraph, applicant may amend the claim(s) so that they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claims recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth SEE ALSO MPEP 2181: Therefore, the broadest reasonable interpretation of a claim limitation that invokes 35 U.S.C. 112(f)  or pre-AIA  35 U.S.C. 112, sixth paragraph, is the structure, material or act described in the specification as performing the entire claimed function and equivalents to the disclosed structure, material or act. As a result, section 112(f) or pre-AIA  section 112, sixth paragraph, limitations will, in some cases, be afforded a more narrow interpretation than a limitation that is not crafted in "means plus function" format.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 9 and 17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chelsa (U.S. 2008/0086435 A1) (Applicant submitted prior art, see IDS filed 01/03/2020).
Regarding claims 1, 9 and 17, Chelsa discloses a method for defending an HTTP flood attack, the method being applied to a protection device (see Chelsa; paragraph 0007; Chelsa discloses a method and system to detect and mitigate HTTP flood attacks), and the method comprising:

when the protection performance of the first protection strategy does not meet requirements (negative feedback), using a second protection strategy (mitigation action, e.g. rough blocking) for the protection, wherein a protection level of the second protection strategy is higher than (more drastic) a protection level of the first protection strategy (mitigation action, e.g. gentle blocking) (see Chelsa; paragraphs 0105 and 0333; Chelsa discloses the decision about switching between the different mitigation mechanisms is done according to the type of detected anomaly and the closed-feedback mechanism.  In case of negative feedback the rate limit factor is adjusted, i.e. more drastic blocking measures are created.  In other words, based on the negative feedback, the mitigation action is adjusted, i.e. “using a second protection strategy”, to give more drastic blocking measures, i.e. “higher than a protection level of the first protection strategy”).
Further, Chelsa discloses the additional limitations of claim 9, a detection unit (see Chelsa; paragraphs 0300 and 0301; Chelsa discloses system controller is responsible for decision engine outputs); and a protection unit (see Chelsa; paragraphs 0300 and 0301; Chelsa discloses system controller is responsible for the mitigation methods).
Further, Chelsa discloses the additional limitations of claim 17, processor and memory (see Chelsa; paragraph 0512).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2-5, 8, 10-13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chelsa (U.S. 2008/0086435 A1) (Applicant submitted prior art, see IDS filed 01/03/2020) in view of Andrews et al. (U.S. 2017/0180414 A1).
Regarding claims 2 and 10, Chelsa discloses all the limitations of claims 1 and 9 as discussed above.  While Chelsa discloses “detecting a protection performance of the first protection strategy”, as discussed above, Chelsa does not explicitly disclose wherein detecting the protection performance of the first protection strategy further includes: collecting the number of HTTP requests transmitted to a server within a predetermined time interval, and when the number of HTTP requests transmitted to the server is greater than a first threshold, determining that the protection performance of the first protection strategy does not meet the requirements.
In analogous art, Andrews discloses wherein detecting the protection performance of the first protection strategy further includes: 
collecting the number of HTTP requests transmitted to a server within a predetermined time interval, and when the number of HTTP requests transmitted to the server is greater than a first threshold, determining that the protection performance of the first protection strategy does not meet the requirements (see Andrews; paragraphs 0027 and 0038; Andrews discloses request rates can be calculated from, i.e. “collecting”, the number of requests a server receives during some defined interval, such as the number of requests directed to a URL, i.e. “HTTP requests”.  If global request rates continue to exceed a first global threshold the attack protection is escalated.  For example, if after ten seconds of performing the first attack protection, the global request rate does not fall back below the global level threshold, the process escalates the attack protections, i.e. “first protection strategy does not meet the requirements”).
One of ordinary skill in the art would have been motivated to combine Chelsa and Andrews because they both disclose the feature of HTTP flood protection, and as such, are within the same environment.  

Regarding claims 3 and 11, Chelsa discloses all the limitations of claims 1 and 9 as discussed above.  While Chelsa discloses “detecting a protection performance of the first protection strategy”, as discussed above, Chelsa does not explicitly wherein detecting the protection performance of the first protection strategy further includes: collecting a traffic volume of HTTP requests transmitted to a server within a predetermined time interval, and when the traffic volume of HTTP requests transmitted to the server is greater than a preset traffic volume, determining that the protection performance of the first protection strategy does not meet the requirements.
In analogous art, Andrews discloses wherein detecting the protection performance of the first protection strategy further includes: 
collecting a traffic volume of HTTP requests transmitted to a server within a predetermined time interval, and when the traffic volume of HTTP requests transmitted to the server is greater than a preset traffic volume (threshold), determining that the protection performance of the first protection strategy does not meet the requirements (see Andrews; paragraphs 0027, 0038 and 0042; Andrews discloses request rates can be calculated from, i.e. “collecting”, the number of requests a server receives during some defined interval, such as the number of requests directed to a URL, i.e. “HTTP requests”.  If global request rates continue to exceed a first global threshold the attack protection is escalated.  In particular, at or before traffic volume” from other distribution points. Should the request rates continue to exceed the global threshold, i.e. “preset traffic volume”, the distributed platform server is directed to perform a different attack protection that is more effective at limiting request rates, i.e. “first protection strategy does not meet the requirements”).
One of ordinary skill in the art would have been motivated to combine Chelsa and Andrews because they both disclose the feature of HTTP flood protection, and as such, are within the same environment.  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate determining the level of attack protection as taught by Andrews into the system of Chelsa in order to provide the benefit of the decision to switch between different mitigation mechanisms (see Chelsa; paragraph 0105) being based on the number of requests compared to different level thresholds.
Regarding claims 4 and 12, Chelsa discloses all the limitations of claims 1 and 9 as discussed above.  While Chelsa discloses “detecting the protection performance of the first protection strategy”, as discussed above, Chelsa does not explicitly disclose transmitting detection information to a server according to a preset cycle, and when no response information, transmitted by the server based on the detection information, is received within a preset time period, determining that the protection performance of the first protection strategy does not meet the requirements.
In analogous art, Andrews transmitting detection information to a server according to a preset cycle, and when no response information, transmitted by the server based on the detection information, is received within a preset time period, determining that the protection performance preset cycle”, or until the request rate across the distributed platform exceeds the global level threshold. The specified duration can be a timed interval or can expire when the request rate at the distribution point where the distribution point level threshold was exceeded falls back below that threshold. Should the specified duration expire, the process reverts back to step 240.  When the aggregate request rate exceeds the global threshold, i.e. “no response information” due to attack on server, the attack protection is escalated).
One of ordinary skill in the art would have been motivated to combine Chelsa and Andrews because they both disclose the feature of HTTP flood protection, and as such, are within the same environment.  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate determining the level of attack protection as taught by Andrews into the system of Chelsa in order to provide the benefit of the decision to switch between different mitigation mechanisms (see Chelsa; paragraph 0105) being based on the number of requests compared to different level thresholds.
Regarding claims 5 and 13, Chelsa and Andrews disclose all the limitations of claims 4 and 12 as discussed above, and further the combination of Chelsa and Andrews clearly discloses wherein the detection information is preset detection information, and after transmitting the detection information to the server according to the preset cycle, the method further includes: when the server is in a service state, acquiring, by the server, pre-stored response (content stored on server)  information after receiving the preset detection information (see Andrews; paragraphs 0020 and 0037; Andrews discloses retrieving a copy of content from the origin server.  The in a service state”, of the origin server.  In particular, when an attack is detected, based on monitoring for a specified duration, the attack protection is performed, so that the content is able to be retrieved); and 
transmitting, by the server, the response information to the protection device (see Andrews; paragraphs 0020 and 0037; Andrews discloses the distribution point server, i.e. “protection device”, retrieves a copy of the requested content or service from the origin sever. The distribution point server then passes the retrieved content or service to the requesting.  The content is able to be retrieved and passed due to the attack protection being escalated to prevent performance degradation).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 4 and 12.
Regarding claims 8 and 16, Chelsa discloses all the limitations of claims 1 and 9 as discussed above.  While Chelsa discloses “detecting a protection performance of the first protection strategy”, as discussed above, Chelsa does not explicitly disclose collecting the number of HTTP requests received within each predetermined time interval; when the number of HTTP requests received within the predetermined time interval is greater than a second threshold, using the first protection strategy for protection; and when each number of HTTP requests received within a preset number of successive predetermined time intervals is not greater than the second threshold, stopping the protection.
In analogous art, Andrews discloses collecting the number of HTTP requests received within each predetermined time interval (see Andrews; paragraph 0027; Andrews discloses request rates can be calculated from, i.e. “collecting”, the number of requests a server receives HTTP requests”); 
when the number of HTTP requests received within the predetermined time interval is greater than a second threshold, using the first protection strategy for protection (see Andrews; paragraphs 0027 and 0042; Andrews discloses request rates can be calculated from the number of requests a server receives during some defined interval, such as the number of requests directed to a URL, i.e. “HTTP requests”.  And should the request rates continue to exceed the global threshold or exceed a second global threshold, maintain performing the attack protection.  In other words, the current attack protection, i.e. “first protection strategy for protection”, is continued to be used); and 
when each number of HTTP requests received within a preset number of successive predetermined time intervals is not greater than the second threshold, stopping the protection (see Andrews; paragraphs 0025, 0027 and 0042; Andrews discloses multiple thresholds can be set at each level to provide for multiple escalations at each level.  For example, a first global threshold can trigger the distributed platform servers to perform a first attack protection and a second global threshold can trigger the distributed platform servers to perform a different second attack protection.  Request rates can be calculated from the number of requests a server receives during some defined interval, such as the number of requests directed to a URL, i.e. “HTTP requests”.  The attack protection is performed for a period of time.  In other words, the attack protection is only performed when a threshold, e.g. first and/or second, is triggered, i.e. has been exceeded and continues to be exceeded, and as such, when the request rate is below the threshold the attack protection would not be performed, i.e. “stopping the protection”).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate determining the level of attack protection as taught by Andrews into the system of Chelsa in order to provide the benefit of the decision to switch between different mitigation mechanisms (see Chelsa; paragraph 0105) being based on the number of requests compared to different level thresholds.

Claims 6, 7, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chelsa (U.S. 2008/0086435 A1) (Applicant submitted prior art, see IDS filed 01/03/2020) in view of Andrews et al. (U.S. 2017/0180414 A1), as applied to claims 4 and 12 above, and further in view of Adams et al. (U.S. 2015/0096020 A1).
Regarding claims 6 and 14, Chelsa and Andrews disclose all the limitations of claims 4 and 12 as discussed above.  While discloses Andrews discloses “wherein transmitting the detection information to the server according to the preset cycle”, as discussed above, the combination of Chelsa and Andrews does not explicitly disclose replacing a source address in a target HTTP request with an IP address of the protection device according to the preset cycle to obtain detection information including the IP address of the protection device, wherein the target HTTP request is one of verified requests among HTTP requests transmitted by client terminals; and transmitting the detection information including the IP address of the protection device to the server.
HTTP request”, for a resource, e.g. subpage of a website, from the client device.  The request includes a verification cookie, i.e. “detection information”.  As known to one or ordinary skill in the art, a reverse proxy sits in front of the network device and intercepts requests from clients and then will send the requests to and receive responses from the network device.  As such, the reverse proxy replaces the client address, i.e. “source address”, in the request with its “IP address” in order for the response from the network device to be received at the reverse proxy), wherein the target HTTP request is one of verified requests among HTTP requests transmitted by client terminals (see Adams; paragraphs 0050 and 0061; Adams discloses the security device has verified the client device.  Further, the client can send additional requests, therefore, “one of verified requests”); and
transmitting the detection information (verification cookie) including the IP address of the protection device to the server (see Adams; paragraphs 0017, 0050 and 0061; Adams discloses that the security device/reverse proxy receives the client request, including the verification cookie, for a subpage of a website and provides a response from the network device.  As such, the reverse proxy sends the request, including the verification cookie, to the network device in order to receive the response from the network device.  Further, the request includes the IP address of the reverse proxy because, as known to one of ordinary skill in the art, the 
One of ordinary skill in the art would have been motivated to combine Chelsa, Andrews and Adams because they all disclose the feature of denial of service attack protection, and as such, are within the same environment.  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the reverse proxy feature as taught by Adams into the combined system of Chelsa and Andrews in order to provide the benefit of added protection by allowing the IP address of the origin servers to not be revealed, and thus making it harder for attackers to leverage a targeted attack.
Regarding claims 7 and 15, Chelsa, Andrews and Adams discloses all the limitations of claims 6 and 14 as discussed above, and further the combination of Chelsa, Andrews and Adams clearly discloses after transmitting the detection information to the server, the method further includes: 
when response information (subpage of website), transmitted by the server (network device) based on the detection information (verification cookie), is received, replacing a target address (IP address of security device/reverse proxy) in the response information with the source address (client address) in the target HTTP request (see Adams; paragraphs 0017, 0050 and 0061 and Figure 5C; Adams discloses a security device, e.g. reverse proxy, is capable of processing and/or transferring traffic between a client device and a network device.  The security device/reverse proxy provides a response, from the network device, to client device based on verifying the solution. The response includes a response to the request, i.e. “HTTP request”, received from client device, i.e. the subpage of the website requested.  As known to one or target address”, in the response from the network device with the client’s address, i.e. “source address”, in order for the response from the network device to be sent to the client device); and 
transmitting the response information (subpage of website) with the target address having been replaced (see Adams; paragraphs 0017, 0050 and 0061; Adams discloses that the security device/reverse proxy provides the response, e.g. subpage of a website, from the network device to the client device.  As such, the response includes the source address, i.e. “the target address having been replaced”, of the client device so that the reverse proxy can send it to the client device because, as known to one of ordinary skill in the art, the response would initially have the reverse proxy IP address in order for it to be sent by the network device to the reverse proxy).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 6 and 14.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Han et al. (U.S. 2018/0026994 A1) discloses defense system and method against HTTP flood attacks, wherein defense strategies are adjusted. 
Bailey, JR (U.S. 2011/0178933 A1) discloses determining attacks such as DoS attacks and changing the protection mechanism to another protection mechanism to maintain acceptable level of security.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.A.C/Examiner, Art Unit 2443                                                                                                                                                                                                        01/27/2022

/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2443