DETAILED ACTION
Claims 1-44 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner Comment
The examiner recommends filing a written authorization for Internet communication in response to the present action.  Doing so permits the USPTO to communicate with Applicant using Internet email to schedule interviews or discuss other aspects of the application.  Without a written authorization in place, the USPTO cannot respond to Internet correspondence received from Applicant.  The preferred method of providing authorization is by filing form PTO/SB/439, available at: https://www.uspto.gov/patent/forms/forms.  See MPEP § 502.03 for other methods of providing written authorization.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 08/11/2020, 10/27/2020 and 11/03/2020 have been acknowledged and considered by the examiner.


Claim Objections
The numbering of claims is improper.  In particular, claim 30 is repeated.  It appears the second claim 30 is supposed to be claim 31.


Claim Interpretation
Regarding claims 3, 4, 6, 10, 15-17, 22, 23, 25, 29, 33-35, 38, and 39, the claims recite alternative language, i.e. using the terms “any one of” and “at least one of”, and as such, the Examiner interprets certain features to not be required due to the claim language listing the features in the alternative.  The rejection below specifies the particular limitations.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 2 and 21 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
  In particular, claim 2 (and similarly claim 21) recites “extracting traffic features from traffic directed at the protected entity”.  However, claim 1 (and similarly claim 20) from which claim 2 (and similarly claim 21) depend already recites “extracting traffic features from at least traffic directed to a protected entity”.  Therefore, claim 2 (and similarly claim 21) fails to further limit the subject matter of claim 1 (and similarly claim 20).
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-44 are rejected under 35 U.S.C. 103 as being unpatentable over Chelsa et al. (U.S. 2004/0250124 A1) in view of Coskun (U.S. 2018/0097828 A1) (both references are Applicant submitted prior art; see IDS filed 11/03/2020).
Regarding claims 1, 20 and 37, Chelsa discloses a method and system for protecting against quick UDP Internet connection (QUIC) based denial-of-service (DDoS) attacks, comprising:
extracting traffic features from at least traffic directed to a protected entity, wherein the traffic features demonstrate behavior of user datagram protocol (UDP) traffic directed to the protected entity, wherein the extract traffic features include at least one rate-base feature and at least one rate-invariant feature, and wherein the at least traffic includes packets (see Chelsa; paragraphs 0016, 0017, 0023, 0029, 0030 and 0050; Chelsa discloses a security system uses adaptive fuzzy logic algorithms to analyze traffic patterns, in which the system adapts to particular baseline traffic characteristics of a protected network.  The security system is used in protecting from UDP DDos flood attacks. A signature detection module typically characterizes the attack by using statistical analysis to develop one or more signatures of packets participating in the attack, such as values of one or more packet header fields, i.e. “extracting traffic features”, or, in some cases, information from the packet payload.  One or more functions are used, such as, rate-invariant feature”, as well as, a rate of packets of the traffic, i.e. “rate-base feature”. The applicant’s specification supports this interpretation of the rate-based and rate-invariant features, see applicant’s specification as filed; paragraph 0088);
computing at least one baseline for each of the at least one rate-base feature and the at least one rate-invariant feature (see Chelsa; paragraphs 0016, 0048-0050 and 0131; Chelsa discloses the system periodically adapts the fuzzy logic algorithms to the particular baseline traffic characteristics of the protected network.  For example, determining separate baselines characteristics using the functions, including relation between the rates, of the fuzzy logic algorithm); and 
analyzing real-time samples of traffic directed to the protected entity to detect a deviation from each of the at least one computed baseline, wherein the deviation is indicative of a detected DDoS attack (see Chelsa; paragraphs 0033, 0050, 0132 and 0265; Chelsa discloses determining the at least one parameter includes counting occurrences of packets characterized by each of the plurality of parameters in the traffic, and designating one of the plurality of parameters as the at least one parameter when a number of occurrences, within a certain period of time, i.e. “analyzing real-time samples”, of the packets characterized by the one of the plurality of parameters exceeds, i.e. “deviation from”, a threshold value.  The parameter is the relation between the baseline characteristic rate, i.e. “computed baseline”, and maximum bandwidth.  Once the parameters are set traffic is monitored to detect an attack, i.e. the “DDos attack”); and
causing execution of at least one mitigation action when an indication of the detected DDoS attack is determined (see Chelsa; paragraphs 0017 and 0133; Chelsa discloses the security mitigation action”, a hierarchy counter, which is used to control the level of filtering). 
While Chelsa discloses user datagram protocol (UDP) and UDP DDoS attacks, as discussed above, Chelsa does not explicitly disclose QUIC UDP.
In analogous art, Coskun discloses QUIC UDP (see Coskun; Abstract and paragraph 0047; Coskun discloses analyzing network activity, including on-the-spot analysis that determines whether the activity is permitted.  The network employs QUIC UDP protocol).
One of ordinary skill in the art would have been motivated to combine Chelsa and Coskun because they both disclose features of analyzing network activity, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Coskun’s feature of analyzing network activity using QUIC UDP into the system of Chelsa in order to provide the benefit of scalability by Chelsa not only protecting from UDP DDoS flood attacks (see Chelsa; paragraph 0017) but also QUIC DDoS, thus providing more well-rounded protection.
Further, Chelsa discloses the additional limitations of claim 20, a processing circuitry (see Chelsa; paragraph 0079; Chelsa discloses network security processor); and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system (see Chelsa; paragraphs 0081 and 0082; Chelsa discloses a computer readable medium in which program instructions are stored).
Regarding claims 2 and 21, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses 
Regarding claims 3 and 22, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses monitoring at least a UDP port at the protected entity to analyze the QUIC packets received through the UDP port to determine at least a type of each packet, wherein a packet type includes any one of: a QUIC short header packet, a QUIC long header packet, and a QUIC long header packet designated as an Initial Packet type (see Chelsa; paragraphs 0029, 0045, 0286 and 0289; Chelsa discloses analyzing property including packets of a certain protocol type.  The traffic includes packets having packet header fields.  During a UDP flood attack, the trapping module attempts to identify a transport layer checksum signature only if all of the following hierarchy group signatures have been identified, such as, destination port which indicates a UDP port and a destination address, i.e. destination connection ID, and as such a “short header”; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047) (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “QUIC short header packet” alternative).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 20.
Regarding claims 4, 23 and 38, Chelsa and Coskun disclose all the limitations of claims 1, 20 and 37, as discussed above, further the combination of Chelsa and Coskun clearly discloses any one of: counting a number of bytes and QUIC packets designated as short header packets counting number of packets”, of the certain protocol type entering the network to a total number of the packets of the traffic entering the network.  Further, determining the number of occurrences within a certain period of time, i.e. “predefined time frame”.  A frequency parameter includes average normal rate of the packets, expressed in bytes per second, i.e. “number of bytes”. During a UDP flood attack, signatures have been identified, such as, destination port which indicates a UDP port and a destination address, i.e. destination connection ID, and as such a “short header”; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047) (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “counting a number of…designated as short header…” alternative); and 
counting a number of bytes and QUIC packets designated as long header packets received during a predefined time frame; and 
counting a number of bytes and QUIC packets designated as long header packets of type Initial Packet received during a predefined time frame. 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1, 20 and 37.
Regarding claims 5 and 24, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein extracting the traffic features further comprises:
counting number of packets”, of the certain protocol type entering the network to a total number of the packets of the traffic entering the network.  Further, determining the number of occurrences within a certain period of time, i.e. “predefined time frame”.  A frequency parameter includes average normal rate of the packets, expressed in bytes per second, i.e. “number of bytes”. During a UDP flood attack, signatures have been identified, such as, destination port which indicates a UDP port and a destination address, i.e. destination connection ID, and as such a “short header”; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047); and
dividing the number of the bytes and QUIC packets by a number of active ConnectionIDs (see Chelsa; paragraphs 0059, 0067, 0071 and 0214; Chelsa discloses a ratio of a number of the packets of a certain protocol type entering, i.e. the rate equals bytes per second as such “number of bytes”, the network to the total number of packets of the traffic entering the network.  Dividing the matrix into regions characterized by packet arrival intensity, which is expressed in terms of number of connections, i.e. “number of active ConnectionIDs”; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 20.
Regarding claims 6, 25 and 39, Chelsa and Coskun disclose all the limitations of claims 1, 20 and 37, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the at least one extracted rate-base feature and the at least one rate-invariant feature are “extracted…feature”, and protecting against UDP DDos network flood attacks; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047), QUIC HTTP floods, and QUIC connection floods, and wherein the required protection includes any one of: QUIC floods (see Chelsa; paragraphs 0017, 0029, 0046, and 0232-0234; Chelsa discloses protection for the UDP floods; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047), QUIC Connection Initiation; and QUIC Connection Limit.
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1, 20 and 37.
Regarding claims 7, 26 and 40, Chelsa and Coskun disclose all the limitations of claims 6, 25 and 39, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the at least rate-base feature to provide the is QUIC floods protection includes a number of long header packets per second; a number of QUIC packets per second (see Chelsa; paragraphs 0022, 0029, 0059, 0065, 0071, 0226, 0364, 0375; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047); and a number of QUIC bytes per second, and wherein at least one rate-invariant traffic feature to provide the is QUIC floods protection includes an average QUIC packet size for both long and short header (see Chelsa; paragraphs 0059, 0065, 0071, 0226, 0364, 0375; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047); a long header ratio; and a number of bytes and QUIC packets per active Connectionid for both long and short headers (see 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1, 20 and 37. 
Regarding claims 8, 27 and 41, Chelsa and Coskun disclose all the limitations of claims 6, 25 and 39 as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the at least rate-base traffic feature to provide the QUIC Connection Initiation protection includes a number of long header packets per second (see Chelsa; paragraphs 0059, 0226 and 0262; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047); and a number of long header packets set as “Initial Packet” per second, and wherein the at least one rate-invariant feature to provide the QUIC Connection Initiation protection includes a long header ratio (see Chelsa; paragraphs 0059, 0226 and 0262; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1, 20 and 37.
Regarding claims 9, 28 and 42, Chelsa and Coskun disclose all the limitations of claims 6, 25 and 39, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the at least rate-base traffic feature to provide the is QUIC Connection Limit protection includes a number of active ConnectionIDs per second (see Chelsa; paragraphs 0216, 0341, 0357-0361; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047); and a number of new active ConnectionIDs per second, and wherein the at least rate-invariant feature to provide the is QUIC Connection Limit protection includes an increase in an average number of bytes per active ConnectionID (see Chelsa; paragraphs 0216, 0341, 0357-
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1, 20 and 37. 
Regarding claims 10 and 29, Chelsa and Coskun disclose all the limitations of claims 1 and 25, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein analyzing real-time samples of traffic directed to the protected entity to detect a deviation further comprises:
comparing real-time samples of the at least one rate-base feature and at least one rate-invariant feature to the at least one baseline (see Chelsa; paragraphs 0033, 0048-0050, 0131 and 0132; Chelsa discloses determining the at least one parameter includes counting occurrences of packets characterized by each of the plurality of parameters in the traffic, and designating one of the plurality of parameters as the at least one parameter when a number of occurrences, within a certain period of time, i.e. “comparing real-time samples”, of the packets characterized by the one of the plurality of parameters exceeds a threshold value.  The parameter is the relation between the baseline characteristic rate, i.e. “at least one baseline”, and maximum bandwidth); and 
detecting an anomaly when at least one of: the at least one rate-base feature and at least one rate-invariant feature deviates from the at least one baseline, wherein the deviation from the at least one baseline is by a threshold (see Chelsa; paragraphs 0033, 0050, 0131, 0132, 0265; Chelsa discloses determining the at least one parameter includes counting occurrences of packets deviation from”, a threshold value.  The parameter is the relation between the baseline characteristic rate, i.e. “at least one baseline”, and maximum bandwidth. Once the parameters are set traffic is monitored to detect an attack) (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen both alternatives).
Regarding claims 11 and 30(1), Chelsa and Coskun disclose all the limitations of claims 10 and 25, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein computing at least one baseline further comprises: computing a short-term baseline and a long-term baseline based on the real-time samples, wherein the short-term baseline is adapted to relatively rapid changes in the QUIC UDP traffic, and the long-term baseline is adapted to relatively slow changes in the QUIC UDP traffic (see Chelsa; paragraphs 0245-0251 and 0262; Chelsa discloses short-term and long-term learning modules for determining the baseline by collecting statistics for the baseline values; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 20.
Regarding claims 12 and 30(2), Chelsa and Coskun disclose all the limitations of claims 11 and 25, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein computing at least one baseline further comprises: factoring periods with no traffic followed by high bursts of traffic, wherein the traffic includes QUIC UDP packets (see Chelsa; no traffic”, and values between 8 and 10 represent an attack, i.e. “high bursts of traffic”.  Further, determining low frequency to high intensity traffic of packets; and further, Coskun is relied upon to disclose QUIC packets being used; see Coskun; paragraph 0047).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 20.
Regarding claims 13 and 31, Chelsa and Coskun disclose all the limitations of claims 1 and 24, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the threshold is dynamically updated as follows: U(t) = Y(t) + maxDev, wherein U(t) is an anomaly threshold, Y(t) is a baseline, and maxDev is a maximum deviation of an observed traffic feature during peace time corresponding to a required value of a false positive detections rate of the observed traffic feature (see Chelsa; paragraphs 0266, 0302-0311 and 0418; Chelsa discloses identification of false positives, and an equation for updating a threshold, e.g. Cblock, using a max function.  The max function can include adjustments to parameters).
Regarding claims 14 and 32, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein causing the execution of at least one mitigation action occurs when anomalies are detected on at least one rate-base feature and the at least one rate-invariant feature (see Chelsa; paragraphs 0017, 0132, 0133 and 0135; Chelsa discloses determining characteristic parameters of anomalous traffic and protecting against UDP DDoS network flood attacks.  In particular, detection of a traffic anomaly is in response to the baseline patterns, i.e. “rate-base feature and rate-invariant feature”).
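The detection scheme recited in claims 1, 10, 13 and 14 (a rate-based and a rate-invariant feature, a baseline Y(t), the threshold U(t) = Y(t) + maxDev, and mitigation only when both kinds of feature deviate) is sketched below as an added illustration; it is not part of the Office action, the application or the cited references. It assumes the QUIC v1 first-byte layout for header classification, an exponentially weighted moving average as the baseline, constructed maxDev values and constructed sample traffic.

```python
from dataclasses import dataclass
from typing import Optional


def quic_packet_type(datagram: bytes) -> str:
    """Classify a UDP payload by its first byte (QUIC v1 layout assumed)."""
    if not datagram:
        return "invalid"
    first = datagram[0]
    if (first & 0x80) == 0:          # header form bit clear: short header
        return "short"
    # Long header: bits 0x30 hold the packet type; 0b00 is Initial in QUIC v1.
    return "initial" if (first & 0x30) == 0 else "long"


def extract_features(datagrams, window_s: float) -> dict:
    """One rate-based and one rate-invariant feature for a time window."""
    types = [quic_packet_type(d) for d in datagrams]
    total = sum(t != "invalid" for t in types)
    long_hdr = sum(t in ("long", "initial") for t in types)
    return {
        "pps": total / window_s,                           # rate-based
        "long_ratio": long_hdr / total if total else 0.0,  # rate-invariant
    }


@dataclass
class Baseline:
    alpha: float                # EWMA weight (assumption: Y(t) is an EWMA)
    max_dev: float              # maxDev, tuned for a target false-positive rate
    y: Optional[float] = None   # Y(t), the learned baseline

    def is_anomalous(self, x: float) -> bool:
        # U(t) = Y(t) + maxDev; nothing is flagged before a baseline exists.
        return self.y is not None and x > self.y + self.max_dev

    def learn(self, x: float) -> None:
        self.y = x if self.y is None else (1 - self.alpha) * self.y + self.alpha * x


RATE_BASED = ("pps",)
RATE_INVARIANT = ("long_ratio",)


class Detector:
    def __init__(self, window_s: float = 1.0):
        self.window_s = window_s
        # maxDev values are constructed for this example.
        self.baselines = {"pps": Baseline(0.1, 50.0),
                          "long_ratio": Baseline(0.1, 0.2)}

    def observe(self, datagrams):
        feats = extract_features(datagrams, self.window_s)
        anomalous = {k for k, b in self.baselines.items()
                     if b.is_anomalous(feats[k])}
        # Attack only when a rate-based AND a rate-invariant feature deviate,
        # so a legitimate surge with a normal traffic mix is not mitigated.
        attack = (any(k in anomalous for k in RATE_BASED)
                  and any(k in anomalous for k in RATE_INVARIANT))
        if not attack:
            # Design choice of this example: freeze learning during an attack
            # so the flood does not pull the baseline upward.
            for k, b in self.baselines.items():
                b.learn(feats[k])
        return attack, sorted(anomalous)


def make_window(short: int, initial: int):
    """Constructed sample traffic: first byte 0x40 = short, 0xC0 = Initial."""
    return [b"\x40" + bytes(49)] * short + [b"\xc0" + bytes(1199)] * initial


def run_demo():
    det = Detector()
    # Five peace-time windows, one legitimate surge, one Initial-packet flood.
    windows = [(100, 5)] * 5 + [(300, 14), (100, 400)]
    return [det.observe(make_window(s, i)) for s, i in windows]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The surge window exceeds the packet-rate threshold but keeps its long header ratio, so it is not declared an attack; the flood window exceeds both thresholds.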
Regarding claims 15 and 33, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the mitigation action includes at least one of: a web challenge, a QUIC challenge, blocking traffic (see Chelsa; paragraphs 0023, 0121 and 0136; Chelsa discloses detection of an attack and in response incoming traffic is filtered.  The filtering includes traffic blocking), rate limiting, attack signature generation, and generating alerts, wherein one or more mitigation actions can be executed in an escalated order (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “blocking traffic” alternative).
Regarding claims 16 and 34, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the method is performed by a defense system, wherein the defense system is deployed in-line with traffic between client devices accessing the protected entity, wherein the protected entity is deployed as at least one of: a QUIC enabled server and a non-QUIC enabled server and a network (see Chelsa; paragraphs 0117; Chelsa discloses the security system including a server deployed in front, i.e. “in-line”, of a group of one or more network elements, such as in front of a critical server, in order to provide protection to the group of elements) (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “non-QUIC” alternative).
Regarding claims 17 and 35, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the method is performed by a defense system, wherein the defense system is deployed out-of-path”, of a protected network and between the router and WAN) (The claim list features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “non-QUIC” alternative).
Regarding claims 18 and 36, Chelsa and Coskun disclose all the limitations of claims 1 and 20, as discussed above, further the combination of Chelsa and Coskun clearly discloses wherein the method is performed by a defense system, wherein the defense system is installed in a cloud defense platform as an always-on deployment, wherein the cloud defense platform is deployed on a path between client devices and the protected entity (see Chelsa; paragraphs 0117 and 0118; Chelsa discloses the security system can be deployed between the customer network and the protected network; and further Coskun discloses cloud computing services being used; see Coskun; paragraph 0035).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 19 and 43, Chelsa and Coskun disclose all the limitations of claims 1 and 37, as discussed above, further the combination of Chelsa and Coskun clearly discloses a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute the method of claim 1 (see Chelsa; paragraphs 0081 and 0082; Chelsa discloses a computer-readable medium in which program instructions are stored).
Regarding claim 44, Chelsa and Coskun disclose all the limitations of claims 1 and 37, as discussed above, further the combination of Chelsa and Coskun clearly discloses a system for protecting against quick UDP Internet connection (QUIC) based denial-of-service (DDoS) attacks, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to execute the method of claim 37 (see Chelsa; paragraphs 0079, 0081 and 0082; Chelsa discloses network security processor and a computer readable medium in which program instructions are stored).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Ahmed (U.S. 9,483,742 B1) discloses traffic analysis including UDP flood attacks.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/A.A.C/Examiner, Art Unit 2443
02/11/2022


/PHUOC H NGUYEN/Primary Examiner, Art Unit 2443