Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1-4, 6-23 were considered under 35 USC 112, 101 (double patenting) and 103 for patentability over the closest and analogous prior art, Leon, John (US Pub. #: 20170111328), hereafter Leon, and Konda et al (US 20200067974), hereafter Konda; they have been fully considered and are persuasive. Claim(s) 5 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1-4, 6-23 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Paul Otterstedt (attorney) for filed amended claims:
1.	(Currently Amended) A method for detecting and mitigating a malicious bot, comprising the operations of: 
obtaining address information from a third-party threat intelligence provider; 

detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the one or more networked devices to identify the specific networked device that is sending the malicious network traffic and is thus suspected to be infected by the malicious bot; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic by performing a mitigation action.
2. 	(Previously Presented) The method of claim 1, wherein configuring the managed router service to mitigate the malicious network traffic comprises configuring the managed router service to block or reroute the given one of the searched packets corresponding to the address associated with the address information.  
3. 	(Original) The method of claim 1, further comprising generating statistical data and metrics related to the malicious network traffic.   
4. 	(Original) The method of claim 3, wherein the generating the statistical data and metrics comprises logging a time of an inspection of the given one of the searched packets, a packet type, a destination address, and a source address. 
5. 	(Canceled). 
1, further comprising notifying a user associated with the specific networked device of the malicious network traffic and a potential existence of the malicious bot.  
7. 	(Original) The method of claim 1, wherein a list of malicious addresses is maintained by the managed router service.
8. 	(Original) The method of claim 1, wherein the third-party threat intelligence provider is periodically queried to obtain the address information. 
9. 	(Original) The method of claim 1, wherein the address information comprises one or more of a source internet protocol (IP) address and a destination internet protocol (IP) address.
10. 	(Previously Presented) The method of claim 1, wherein the managed router service is connected to a cable modem at a customer premises and wherein the accessing is carried out at the customer premises. 
11. 	(Original) The method of claim 1, wherein additional address information is obtained from an owner or user of the networked device or a customer of an internet service provider.
12. 	(Previously Presented) The method of claim 1, further comprising soliciting a user associated with the networked device to review and approve the mitigation action before the mitigation action is initiated.
13. 	(Original) The method of claim 1, further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious.  
14. 	(Original) The method of claim 13, wherein the deep packet inspection device blocks the given one of the searched packets in response to determining that the packet is malicious.
15. 	(Currently Amended) A managed router service system comprising:
	a memory; and

wherein said managed router service system is configured to perform operations comprising:
obtaining address information from a third-party threat intelligence provider; 
accessing network traffic originating on a networked device of one or more networked devices prior to performance of network address translation in search of packets that correspond to the obtained address information;
detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the one or more networked devices to identify the specific networked device that is sending the malicious network traffic and is thus suspected to be infected by the malicious bot; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring the managed router service to mitigate the malicious network traffic by performing a mitigation action.
16. 	(Previously Presented) The managed router service system of claim 15, wherein configuring the managed router service system to mitigate the malicious network traffic comprises configuring the managed router service to block or reroute the given one of the searched packets corresponding to the address associated with the address information.  
17. 	(Currently Amended) The managed router service system of claim 15, the operations further comprising

	soliciting a user associated with the specific networked device to review and approve the mitigation action before the mitigation action is initiated.  
18. 	(Currently Amended) The managed router service system of claim 15, the operations further comprising notifying a user associated with the specific networked device of the malicious network traffic and a potential existence of [[a]]the malicious bot.  
19. 	(Original) The managed router service system of claim 15, the operations further comprising rerouting the given one of the searched packets to a deep packet inspection device to determine if the packet is malicious.  
20. 	(Currently Amended) A non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform operations comprising:
obtaining address information from a third-party threat intelligence provider; 
accessing network traffic originating on a networked device of one or more networked devices prior to performance of network address translation in search of packets that correspond to the obtained address information;
detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the  to identify the specific networked device that is sending the malicious network traffic and is thus suspected to be infected by the malicious bot; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic by performing a mitigation action.
21.	(New) A method for detecting and mitigating a malicious bot, comprising the operations of: 
obtaining address information from a third-party threat intelligence provider; 
accessing network traffic originating on a networked device of one or more networked devices prior to performance of network address translation in search of packets that correspond to the obtained address information;
detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the one or more networked devices; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic by performing a mitigation action, wherein configuring the managed router service to mitigate the malicious network traffic comprises configuring the managed router service to block the given one of the searched packets corresponding to the address 
22. 	(New) A managed router service system comprising:
	a memory; and
	at least one processor coupled to said memory; 
wherein said managed router service system is configured to perform operations comprising:
obtaining address information from a third-party threat intelligence provider; 
accessing network traffic originating on a networked device of one or more networked devices prior to performance of network address translation in search of packets that correspond to the obtained address information;
detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the one or more networked devices; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring the managed router service to mitigate the malicious network traffic by performing a mitigation action, wherein configuring the managed router service to mitigate the malicious network traffic comprises configuring the managed router service to block the given one of the searched packets corresponding to the address 
23. 	(New) A non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform operations comprising:
obtaining address information from a third-party threat intelligence provider; 
accessing network traffic originating on a networked device of one or more networked devices prior to performance of network address translation in search of packets that correspond to the obtained address information;
detecting that the network traffic includes malicious network traffic by performing a check determining that a given one of the packets accessed prior to performance of the network address translation corresponds to an address associated with the address information obtained from the third-party threat intelligence provider, the performance of the check comprising correlating a source media access control address of the network traffic to a specific networked device of the one or more networked devices; and
responsive to the check determining that the given one of the searched packets corresponds to the address associated with the address information, configuring a managed router service to mitigate the malicious network traffic by performing a mitigation action, wherein configuring the managed router service to mitigate the malicious network traffic comprises configuring the managed router service to block the given one of the searched packets corresponding to the address associated with the address information or reroute, to a deep packet inspection device, the given one of the searched packets corresponding to the address associated with the address information.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Leon teaches [0038] the active threat detector receives third party threat data from external sources comprising updated lists or ranges of Internet Protocol (IP) addresses that have been identified as suspicious or from which malicious activity has originated; [0091-93] the security information and event management (SIEM) inspects outbound data packets, data packets originating from the node, to see if the packets contain a malicious IP address; [0089] the third party threat data includes lists or ranges of suspicious or malicious IP addresses and the SIEM compares the inbound data packets with these IP addresses to identify suspicious data packets (the SIEM analyzes the header of an inbound data packet to see if the header includes a malicious IP address as a source address or destination address) and/or checks the threat signatures of data packets; [0038] third party lists are in the form of a routing table that the active threat detector uses to compare with the source and/or destination address of incoming packets; [0062, 89] if a match is found between the inspected IP address and the information received from the third party, the corresponding data packet or packets are dropped and blocked from further entry into the node; [0040-41] then notify the other nodes (via the router) of this newly identified IP address so that the routers, the active threat detectors, and/or the firewalls of the nodes are configured by updating routing tables and are prepared to block and/or analyze packets that originate from or are destined for the newly identified IP address.

Further, a second prior art of record Evron teaches [0114] the first information identifies a first public network address from which the network traffic associated with the first distributed denial 

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: a managed router service (MRS) device identifies which device(s) at a customer premises are sending malicious traffic and are potentially infected by a bot. The MRS is the first hop device; the MRS is able to inspect the network traffic before network address translation (NAT) is performed, and the source media access control (MAC) address of the malicious network traffic, along with other metadata in the packet, can be correlated, not merely to the customer, but to a particular device at the customer premises, to an address associated with the address information obtained from the third-party 

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same amendments and reasoning are applicable to independent claim(s) 15, 20 and 21 – 23 mutatis mutandis. Claim(s) 5 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
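
The pre-NAT check recited in the claims and in the reasons for allowance can be illustrated as follows. This is an added example, not part of the office action or of the application's disclosure; the feed entries, MAC addresses, device names and function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: documentation IP ranges, made-up MACs and device names.
THREAT_FEED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
DEVICES = {"02:00:00:aa:bb:01": "living-room-camera", "02:00:00:aa:bb:02": "laptop"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_mac, src_ip, dst_ip, proto=6):
    """Build a minimal Ethernet II + IPv4 header for the demo (no payload)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip


def inspect_frame(frame, mitigation="block", feed=THREAT_FEED, devices=DEVICES):
    """Check one LAN-side (pre-NAT) frame; return a log record, or None if no match."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None  # truncated, or not IPv4 over Ethernet II
    src_mac = frame[6:12].hex(":")
    src_ip = ipaddress.ip_address(frame[26:30])
    dst_ip = ipaddress.ip_address(frame[30:34])
    if not any(src_ip in net or dst_ip in net for net in feed):
        return None
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "packet_type": PROTOCOLS.get(frame[23], str(frame[23])),
        "src": str(src_ip),
        "dst": str(dst_ip),
        "src_mac": src_mac,
        # Before NAT the source MAC still belongs to the individual LAN device.
        "device": devices.get(src_mac, "unknown-device"),
        "action": mitigation,  # "block" or "reroute_to_dpi"
    }


def hits_per_device(frames):
    """Inspect a batch of frames and count feed matches per attributed device."""
    records = [r for r in map(inspect_frame, frames) if r]
    return records, Counter(r["device"] for r in records)
```

The same packet observed after NAT carries the router's own MAC and public address, so the lookup in `DEVICES` falls through to `unknown-device`; attribution to a specific device only works on the LAN side of the translation.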

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.