DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-8 have been examined and are pending.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/17/2020 and 10/15/2020 were filed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 8 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter because claim 8 recites "a monitoring program." The specification does not explicitly define the type of hardware, such as a non-transitory computer readable (storage) medium, on which the program is stored and/or executed. At most, paragraph 0016 states: “The storing unit 12 is a storage device such as a HDD (Hard Disk Drive), an SSD (Solid State Drive), or an optical disk....storing unit 12 stores an OS (Operating System) and various programs executed by the monitoring device 10. Further, the storing unit 12 stores various kinds of information used in the execution of the programs...” Broadly interpreted, a “(monitoring) program” needs to be stored on and executed from a non-transitory computer readable medium. Therefore, the claims are directed to non-statutory subject matter.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 1-2 and 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of Capalik et al, hereinafter (“Capalik”), US PG Publication (2011/0321165 A1).
Regarding currently amended claims 1 and 7-8, Ramachandran teaches a monitoring system comprising; a monitoring method executed by a monitoring system, the monitoring method comprising and a monitoring program for causing a computer to execute: [Ramachandran et al 7360245 B1, col 2, lines 48-52: an anti-spoofing filter implemented in each interface of every router, where information about the IP addresses and physical addresses of hosts/routers in a computer network segment]
[[a]] monitoring circuitry Ramachandran, Col 5, lines 25-33: computers in the network 10 use TCP/IP protocol suite for communication with each of the four-layer structure where the data link layer 24 coupled to the network layer 26 (monitoring circuitry), handling the forwarding or routing of packets around the network] and 
[[a]] determination circuitry circuitry circuitry Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry ) for Source IP address to physical address mapping of the received packets. Fig. 5 and Col 11, lines 24-31, 50-56, 60-65: The filter 72 also need to receive and process responses to the router's test messages. Through comparison of source IP addresses and updating neighboring router physical address list; invention for detecting source IP address spoofed packets originating from hosts and preventing such packets (i.e. IP address based: Smurf, SYN, LAND, TFN, and Stacheldraht) from leaving a private network.
While Ramachandran teaches the determination circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, Ramachandran fails to explicitly teach but Capalik teaches [[a]] collection circuitry  ¶¶0052 and 0059: The decoy network device 106 may be implemented on two distinct computing devices: a monitor device and an analyzer device. The monitor device includes the virtual machine monitor 214, the virtual machines 216, and processes and modules therein. In such configuration, the monitor device collects unauthorized activity data and the analyzer device analyzes the unauthorized activity data (a first packet transmitted to an address not used in an Internet) to generate fingerprints. In some embodiments, the monitor device includes the introspection module comprising the code region selector 222, the trace instrumentor 224, and the trace analyzer 226; acquired low-level data about the interaction between decoy operation systems and any activity. ¶0063: When the attacker activity proceeds to interact with the decoy operating system 112 (a specific destination set as a decoy), the attacker provides the decoy operating system 112 with the data (a second packet transmitted to a specific destination set as a decoy) used to obtain control of the decoy operating system 112. ¶0125: A set of computers with respective programs sends fingerprints to a protected network device 136 (a first packet transmitted to an address not used in an Internet). Examiner interprets a protected network device 136 to be analogous to a paras 0029 {spec 0030-0031}].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method for filtering spoofed packets in a network of Ramachandran before him or her by including the teachings of system/method for Sampling Forensic Data of Unauthorized Activities Using Executability States of Capalik. The motivation/suggestion would have been obvious to try to modify the system of an anti-spoofing filter taught by Ramachandran by adding functions of decoy network device 106 to collect first and second information, which are used for different purposes as taught by Capalik [Capalik, ¶0063 and 0125].  

Regarding claim 2, the combination of Ramachandran and Capalik teach claim 1 as described above.
circuitry Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: ARP module 86 (collection circuitry); Col 9, lines 45-50: spoof-proof security of network, “per-interface” physical address list of neighboring routers as a host may send false or “faked” RIP response messages (a response packet to an attack packet falsifying a source IP address) in order to mislead neighboring routers.]

Regarding claim 6, the combination of Ramachandran and Capalik teach claim 1 as described above.
While Ramachandran teaches the determination circuitry and the collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, Ramachandran fails to explicitly teach but Capalik teaches wherein the collection circuitry circuitry circuitry circuitry  ¶¶0052 and 0059: The decoy network device 106 may be implemented on two distinct computing devices: a monitor device and an analyzer device. The monitor device includes the virtual machine monitor 214, the virtual machines 216, and processes and modules therein. In such configuration, the monitor device collects unauthorized activity data and the analyzer device analyzes the unauthorized activity data (a first packet transmitted to an address not used in an Internet) to generate fingerprints. In some embodiments, the monitor device includes the introspection module comprising the code region selector 222, the trace instrumentor 224, and the trace analyzer 22]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method for filtering spoofed packets in a network of Ramachandran before him or her by including the teachings of system/method for Sampling Forensic Data of Unauthorized Activities Using Executability States of Capalik. The motivation/suggestion would have been obvious to try to modify the system of an anti-spoofing filter taught by Ramachandran by adding functions of decoy network device 106 to collect first and second information, which are used for different purposes as taught by Capalik [Capalik, ¶0063 and 0125].  
	

Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of Capalik et al, hereinafter (“Capalik”), US PG Publication (2011/0321165 A1), in view of Hoshino et al, hereinafter (“Hoshino”), Japanese Patent Application (JP3889701 B2).

While Ramachandran teaches the collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: ARP module 86 (collection circuitry); however, the combination of Ramachandran and Capalik fail to explicitly teach but Hoshino teaches wherein the collection circuitry ¶¶0058 and 0073: configuration of a reflection attack packet as illustrated in Fig. 6; an example of reply packet is the PC91 in Fig. 6 using Internet Control Message Protocol (ICMP) echo command]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Capalik before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to modify an anti-spoofing filter taught by Ramachandran by adding an attacking terminal of Hoshino [Hoshino, ¶¶0056-0059].

Regarding claim 4, the combination of Ramachandran and Capalik teach claim 1 as described above.
While Ramachandran teaches the determination circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, the circuitry circuitry circuitry ¶0014: Then, the illegal packet received by the server 2 subjected to the DoS attack or the like is compared with the packets recorded in the packet log recording devices 9, 10, and 11, respectively, and the path through which the illegal packet propagated is specified. ¶0088] and a source IP address of the first information is same as a destination IP address of the traffic information, determines that an attack falsifying the source IP address is detected. [Hoshino, ¶0034: The attacking terminal 14 replaces its source address (source IP address) with the IP address of the target terminal 16 (forged) as shown in “PC 41” in FIG]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Capalik before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to modify an anti-spoofing filter taught by Ramachandran by adding falsifying techniques of Hoshino [Hoshino, ¶0034].

Regarding claim 5, the combination of Ramachandran and Capalik teach claim 1 as described above.
circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, the combination of Ramachandran and Capalik fail to explicitly teach but Hoshino teaches wherein the determination circuitry circuitry circuitry ¶0092-0093: ICMP has dependent information part (i.e. Time Exceeded Message) is assumed to be the same as the original packet, by masking. By using the new packet, the original packet dependent portion is extracted from the replay attack packet]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Capalik before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to modify an anti-spoofing filter taught by Ramachandran by adding estimating of dependent information to determine reflection attack [Hoshino, ¶0092-0093].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mori et al (20100218250A1) discloses network monitoring apparatus, network monitoring method, and network monitoring program.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

SAKINAH WHITE-TAYLOR
Examiner
Art Unit 2497



/Sakinah White Taylor/           Examiner, Art Unit 2497