DETAILED ACTION
The following claims are pending in this office action: 1-14
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings filed on 06/26/2020 is accepted.  
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/27/2021 has been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed 07/27/2021 is attached to the instant Office action. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 9-14 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 9 recites the limitation “the message” (claim 9, ln. 6). It is unclear if “the message” is referring to the prior instance of “a notification message” (claim 9, ln. 4) or if it is a new instance of message.   Examiner suggests changing the limitation to “the notification message”.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves et al. "DoS attack detection and path collision localization in NoC-based MpsoC architectures;" Journal of Low Power Electronics and Applications 9.1; February, 2019 (hereinafter “Chaves”) in view of Tews et al. (US Patent No. 11,165,802) (hereinafter “Tews”), and in view Talmor et al. (US Patent No. 10,721,269) (hereinafter “Talmor”).

As per claim 1, Chaves teaches a method for detection and localization of denial-of-service (DoS) attacks, comprising: detecting, by a router of an intellectual property (IP) core in a network-on- chip (NoC) based system-on-chip (SoC) architecture, [a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router]; ([Chaves, Fig. 2; pg. 2, para. 4-8; pg. 3, para. 2] multi-Processors System-on-Chips implemented as Networks-on-Chip is disclosed which includes the processor intellectual property core and associated routers as a system to detect denial of service attacks, identify the collision point of malicious and sensitive data, and find the direction from which the malicious packets enter the sensitive path.  [Fig. 10; pg. 12, para. 2] Figure 10 depicts the addition of a communication degradation monitor in the NoC router to locate the router where the attacker’s traffic enters the sensitive communication path.  Detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router is taught by Tews below)
([Chaves, pg. 2, para. 4] the processing elements are processors used by the NoC to process and store information; [pg. 1, abstract] the information evaluated includes information to narrow down a location of an DoS attacker) a candidate IP core in the NoC as a potential attacker based at least in part upon a destination packet latency curve (DLC) associated with the IP core; and ([pg. 3, para. 12] a candidate attacker processing element/IP core is determined based on a packets’ end-to-end latency upon their arrival using the packets’ generation time-stamp.  If the latency is out of the acceptable latency range, the candidate attacker’s location is determined from the Max Latency Router Address and the Max Router Latency value [a destination latency]; [Pg. 7, para. 2] the candidate attacker’s location is determined by the use of Routing Graphs [a destination latency curve associated with the IP core])
Chaves does not clearly teach detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router; and transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker.  
However, Tews teaches detecting a compromised packet stream ([Tews, col. 7, ln. 20-23; col. 11, ln. 46-49] the controller [router] communicates with devices [IP cores] to establish data flows and measure a traffic network parameter associated with the data flow [packets of the data stream – see col. 12, ln. 31-34] to detect if the network is outside the anomalous bounds and functioning abnormally [compromised]) at least in part upon a packet arrival curve (PAC) ([col. 8, ln. 42-51] to characterize the communications, multiple conversations [packets arrivals] including empirical distributions and jitter are measured to determine a fingerprint; [Fig. 8; col. 10] the fingerprint is a graphed curve [Fig. 8; col. 10] the fingerprint is a graphed curve of data collected by the communications controller including packet loss statistics [see col. 6, ln. 52-64]) associated with the router; ([Fig. 11; col. 9, ln. 59-67] the controller is implemented in a router)
 with the teachings of Tews to include detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router.  One of ordinary skill in the art would have been motivated to make this modification because a deviation from the expected timing distribution of the measured fingerprint (the PAC) may indicate interesting events (such as a DoS attack) that may be used in an attempt to compromise system operation.  (Tews, col. 3, ln. 52-58)
Chaves in view of Tews does not clearly teach transmitting, by the router, a notification message indicating that the candidate IP core is the potential attacker to a router of the candidate IP core. 	However, Talmor teaches transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker ([Talmor, col. 5, ln. 20-33; col. 7, ln. 27-35] a network traffic management device [router] includes a security module that sends to a client device [a device capable of connection to other computing devices or candidate IP core – see col. 3, ln. 25-29] a modified response challenge [notification message]; the challenge indicates that the client device is a potential attacker) to a router of the candidate IP core.  ([Col. 4, ln. 55-64;] in an embodiment, between the network traffic management device and the client device is a router configured to connect the client device to the network, and so the challenge is sent to the router of the client device)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews with the teachings of Talmor to include transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification because denial of service attacks mimic legitimate requests and the technique allows a security module to confirm whether a potential attacker is a legitimate requester or attacker.  (Talmor, col. 8, ln. 5-8)
	
As per claim 5, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Talmor does not clearly teach wherein the PAC comprises an upper bound for packet arrivals during a corresponding fixed time interval.
However, Tews teaches wherein the PAC comprises an upper bound ([Tewst, Fig. 8; col. 9, ln. 37-67] the PAC comprises an upper bound 372 of the fingerprint) for packet arrivals ([col. 12, ln. 31-34] the method uses data packets received from data flows to form the fingerprint) during a corresponding fixed time interval.  ([Col. 8, ln. 10-14] to facilitate network assessment timing characteristics of the network traffic of the communications systems is monitored. [Col. 9, ln. 4-28] the upper bound of the fingerprint corresponds to a limited time interval, i.e. 1 hour) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor with the teachings of Tews to include wherein the PAC comprises an upper bound for packet arrivals during a corresponding fixed time interval.  One of ordinary skill in the art would have been motivated to make this modification as creating a representative histogram with upper and lower bounds/baselines allows for more information about how baseline jitter measurements vary over time, and allow such jitter to be accounted for in the baseline.  (Tews, col. 10, ln. 52-56)

As per claim 6, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Talmor does not clearly teach wherein the compromised packet stream is detected based upon comparison of a current packet arrival count over the corresponding fixed time interval with the upper bound for the corresponding fixed time interval.  
However, Tews teaches wherein the compromised packet stream is detected based upon comparison of a current packet arrival count over the corresponding fixed time interval with the upper ([Tewst, Fig. 8, col. 9, ln. 59-62] a network anomaly [compromised packet stream – see col. 12, ln. 31-34] is detected based upon a comparison of portion 382 [current packet arrival count] falling outside the bounds of portion 372 [the upper bound for the corresponding fixed time interval])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews and Talmor for the same reasons as disclosed above.  

Claims 2-4 and 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Tews and Talmor as applied to claim 1 above, and further in view of Kommareddy et al. (US Pub. 2008/0028467) (hereinafter “Kommareddy”).

As per claim 2, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves also teaches [in response to the notification message] indicating that the candidate IP core is the potential attacker, updating a flag corresponding to a port in the router of the candidate IP core, the flag indicating that the candidate IP core is the potential attacker; and ([Chaves, pg. 7, para. 4; pg. 8, Algorithm 2] Algorithm 2 provides steps required to find all possible attacker suspect nodes [indicating the candidate IPs] by considering the collision router location by finding all the output ports on every minimal route path [corresponding to a port in the router] from the source [the source being candidate IPs] that can send packets to that port via the minimal path] to destination; the all_attackers flag is set in response to finding a suspect node. In response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker is taught by Kommareddy below)
[after a predefined period of time, transmitting a verification message] confirming that the candidate IP core is an attacker in response to the flag indicating that the candidate IP core is the potential attacker.  ([Chaves, pg. 13, para. 2] the firmware of the NoC extracts the direction information to narrow the suspects list [flag the candidate IP core – see pg. 8, Algorithm 2 where a candidate attacker is flagged] and localize [confirm] the compromised PE [that the candidate IP core is the potential attacker]. After a predefined period of time, transmitting a verification message confirming the candidate is an attacker is taught by Kommareddy below)
Chaves in view of Tews and Talmor does not clearly teach in response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker; and after a predefined period of time, transmitting a verification message confirming the candidate is an attacker.  
However, Kommareddy teaches in response to the notification message indicating that the candidate is the potential attacker, ([Kommareddy, para. 0026] the flow identifier of suspect flows [notification message] is transmitted from each of the routing nodes to a rendezvous node where a flow identifier of an attack flow is identified) updating a flag ([para. 0078; para. 0148; Fig. 22] the monitor on the rendezvous node updates a flag Y to identify an attacker) corresponding to a port, ([para. 0062] the routing nodes obtain the candidate attackers from packets received by line taps at ports of the router, and so the flag identifying an attacker corresponds to a port) the flag indicating that the candidate is the potential attacker; and ([para. 0080] the rendezvous node receives suspect flow lists from each of the routing nodes, setting flags indicating a candidate is a potential attacker, until all required suspect flow lists are obtained, producing a final and correct list, which is reported as an attacker)
after a predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists from the routing nodes are obtained by the rendezvous node, and the attacks can be detected) transmitting a verification ([Para. 0078] the rendezvous node analyzes the flow list to confirm the potential attacker, and then reports [transmitting a verification message] the confirmed attacker to the detection system) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews and Talmor with the teachings of Kommareddy to include in response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker; and after a predefined period of time, transmitting a verification message confirming the candidate is an attacker.  One of ordinary skill in the art would have been motivated to make this modification in order to distribute traffic monitors to allow adaptation to any topology in order to detect many types of DoS attacks efficiently and with minimal false positives.  (Kommareddy, para. 0051)

As per claim 3, Chaves in view of Tews and Talmor and further in view of Kommareddy teaches claim 2.  
Chaves does not clearly teach updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker. 
However, Kommareddy teaches updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker. ([Kommareddy, para. 0111; Fig. 22] the rendezvous node updates the counter and as a result, the flag, in accordance to the packets received, and a net increment to a counter’s value over time indicates the presence of an attack flow along the set of flows mapped to that counter.  [Fig. 13; para. 0113] flow ID 1 is initially sent as a candidate attacker to the rendezvous node at sequence 1, and flow ID 2 [another IP core] is updated at sequence 16 [a second notification message] to be the potential attacker. [Fig. 15; para. 0123] the determination of an attack flow occurs during the arrival of a fixed number of sequences of packets from time 0 to time 50 [during the predefined period of time])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews and Talmor with the teachings of Kommareddy to include updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification as determining different attack flows [candidate attackers] during a rehash interval [predefined period of time] ensures that the new mapping state is not affected by the old mapping state, increases the probability of attack detection, and reduces the number of suspect flows.  (Kommareddy, para. 0081)

As per claim 4, Chaves in view of Tews and Talmor and further in view of Kommareddy teaches claim 2.  
Chaves also teaches [wherein the predefined period of time is based upon] communication latency between the router of the IP core and routers along a path of the compromised packet stream.  ([Chaves, pg. 12, para. 1] a time stamp is introduced to calculate end-to-end [between the router of the IP core and routers] latency of each packet [communication latency] to detect the existence of the DoS attack; [pg. 7, para. 4] for each output port, all the possible input ports that can forward packets to the IP core are checked, and so the latency of all routers along a path of the compromised packet stream are checked.  Wherein the predefined period of time is based upon communication latency is taught by Kommareddy below)
  
However, Kommareddy teaches wherein the predefined period of time is based upon communication latency. ([Kommareddy, para. 0058; 0072] the counters are tested to map an incoming-to-outgoing traffic ratio representative of packet roundtrip time [communication latency]; [para. 0083] rehashing resets the counters to decouple flows from their flow aggregates, for example, to prevent the new traffic ratio mapping from being affected by the old traffic ratio mapping, and so the rehashing resets are based upon the communication latency; [para. 0127] the interval between periodic processing is larger than the roundtrip time)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews, Talmor and Kommareddy for the same reasons as disclosed above.  

As per claim 7, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Tews and Talmor does not clearly teach wherein the DLC comprises mean and variance of latency distributions for different hop counts from the router.
However, Kommareddy teaches the DLC comprises mean and variance of latency distributions ([Kommareddy, Fig. 22; para. 0148] at step 2202 to step 2208, the mean and standard deviation of the anomalies are calculated and a score is updated to take into account the mean and standard deviation; [para. 0089] the scoring procedure estimates packet flow’s rate using the counts; [para. 0058-0059; para. 0075] score refers to an outgoing-to-incoming packet ratio that is representative of packet roundtrip time [destination latency curve]) for different hop counts from the router.  ([para. 0078] the monitor for each router node forwards the records it has received from its previous hop monitors, and so a different score is calculated for different hop counts from the router)
 with the teachings of Kommareddy to include wherein the DLC comprises mean and variance of latency distributions for different hop counts from the router.  One of ordinary skill in the art would have been motivated to make this modification in order to determine attack flows which may be otherwise detected as statistical outliers.  (Kommareddy, para. 0130)

As per claim 8, Chaves in view of Tews and Talmor teaches claim 7.  
Chaves in view of Tews and Talmor does not clearly teach wherein the candidate IP core is identified as the potential attacker based upon a comparison of a current latency distribution with the mean and variance of the DLC.
However, Kommareddy teaches wherein the candidate IP core is identified as the potential attacker based upon a comparison of a current latency distribution with the mean and variance of the DLC.  ([Para. 0148-0149] at step 2208, the score [current latency distribution – see para. 0058-0059] is compared with the mean and variance of the flow that are used as a baseline for calculating scores.  If the resulting core is greater than the detection threshold, the candidate is identified as the potential attacker)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews, Talmor and Kommareddy for the same reasons as disclosed above.  

Claims 9-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Talmor and in view of Kommareddy.  

[indicating that the IP core is a potential attacker of a compromised packet stream]; ([Chaves, Fig. 2; pg. 2, para. 4-8; pg. 3, para. 2] multi-Processors System-on-Chips implemented as Networks-on-Chip is disclosed which includes the processor intellectual property core and associated routers as a system to detect denial of service attacks, identify the collision point of malicious and sensitive data, and find the direction from which the malicious packets enter the sensitive path.  [Fig. 10; pg. 12, para. 2] Figure 10 depicts the addition of a communication degradation monitor in the NoC router to locate the router where the attacker’s traffic enters the sensitive communication path.  [Pg. 11, para. 2] in addition to packets, the monitors also receive information regarding all the output requests and grants [notification messages].  Receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream is taught by Talmor below)
 [in response to the notification message], updating a flag corresponding to a port in the router, the flag indicating that the candidate IP core is the potential attacker; ([Chaves, pg. 7, para. 4; pg. 8, Algorithm 2] Algorithm 2 provides steps required to find all possible attacker suspect nodes [indicating the candidate IPs] by considering the collision router location by finding all the output ports on every minimal route path [corresponding to a port in the router] from the source [the source being candidate IPs] that can send packets to that port via the minimal path] to destination; the all_attackers flag is set in response to finding a suspect node. In response to the message, updating a flag corresponding to a port in the router, the flag indicating that the candidate IP core is the potential attacker is taught by Kommareddy below)
Chaves does not clearly teach receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream; in response to the message, updating a flag 
However, Talmor teaches receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream.  ([Talmor, col. 5, ln. 20-33; col. 7, ln. 27-35] a network traffic management device includes a security module that sends a modified response [notification message] and a router [see col. 4, ln. 55-64] of a client device [a device capable of connection to other computing devices or candidate IP core – see col. 3, ln. 25-29] receives the modified response; the modified response indicates that the client device is a potential attacker of a compromised stream of data packets [see col. 4, ln. 33-38]) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves with the teachings of Talmor to include receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream.  One of ordinary skill in the art would have been motivated to make this modification because denial of service attacks mimic legitimate requests and the technique allows a security module to confirm whether a potential attacker is a legitimate requester or attacker.  (Talmor, col. 8, ln. 5-8)
Chaves in view of Talmor does not clearly teach in response to the message, updating a flag corresponding to a port in the router, the flag indicating that the IP core is the potential attacker; monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time; 
However, Kommareddy teaches in response to the message, ([Kommareddy, para. 0026] the flow identifier of suspect flows [message] is transmitted from each of the routing nodes to a rendezvous node where a flow identifier of an attack flow is identified) updating a flag ([para. 0078; Fig. 22] the monitor on the rendezvous node updates a flag Y to identify an attacker) corresponding to a port in the router, ([para. 0062] the routing nodes obtain the candidate attackers from packets received by line taps at ports of the router, and so the flag identifying an attacker corresponds to the port) the flag indicating that the IP core is the potential attacker; ([para. 0080] the rendezvous node receives suspect flow lists from each of the routing nodes, setting flags indicating a client [IP core] is a potential attacker, until all required suspect flow lists are obtained, producing a final and correct list, which is reported as an attacker)
monitoring for additional notification messages for a predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15; Fig. 22] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists [notification messages] from the routing nodes are obtained by the monitor of the rendezvous node, and the attacks can be detected) where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and ([para. 0111; Fig. 22] the rendezvous node updates the counter and as a result, the flag, in accordance to the sequences/packets [notification messages received].  [Fig. 15; para. 0123] the arrival of a fixed number of sequences of packets are from time 0 to time 50 [during the predefined period of time])
after the predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists from the routing nodes are obtained by the rendezvous node, and flags indicating attackers are set) transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the [Para. 0078] the rendezvous node analyzes the flow list to set flags to confirm the potential attacker [see Fig. 22], and then reports [transmitting a verification message] the confirmed attacker to the detection system)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor with the teachings of Kommareddy to include in response to the message, updating a flag corresponding to a port in the router, the flag indicating that the IP core is the potential attacker; monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and after the predefined period of time, transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification as 1) distribute traffic monitors allows adaptation to any topology in order to detect many types of DoS attacks efficiently and with minimal false positives and 2) determining different attack flows [candidate attackers] during a rehash interval [predefined period of time] ensure that the new mapping state is not affected by the old mapping state, increases the probability of attack detection, and reduces the number of suspect flows.  (Kommareddy, para. 0051; para. 0081)

As per claim 10, Chaves in view of Talmor and Kommareddy teaches claim 9.  
Chaves in view of Talmor does not clearly updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker.
However, Kommareddy teaches updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message .  ([Kommareddy, para. 0111] the rendezvous node updates the counter and as a result, the flag, in accordance to the packets received, and a net increment to a counter’s value over time indicates the presence of an attack flow along the set of flows mapped to that counter.  [Fig. 13; para. 0113] flow ID 1 is initially sent as a candidate attacker to the rendezvous node at sequence 1, and flow ID 2 [another IP core] is updated at sequence 16 [a second notification message] to be the potential attacker. [Fig. 15; para. 0123] the determination of an attack flow occurs during the arrival of a fixed number of sequences of packets from time 0 to time 50 [during the predefined period of time])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Talmor and Kommareddy for the same reasons as disclosed above.  

As per claim 11, Chaves in view of Talmor and Kommareddy teaches claim 9.  
Chaves also teaches wherein the notification message is received from a second router of a second IP core in the NoC that identified ([Chaves, pg. 2, para. 4] the processing elements are processors used by the NoC to process and store information; [Fig. 10, pg. 12, para. 2] the information processed is information [notification message] captured by a DoS monitor of a router downstream from the router of the attacker IP core [a second router of a second IP core – see pg. 4, sec. 3: Router Architecture]) the IP core as the potential attacker based at least in part upon a destination packet latency curve (DLC). ([pg. 3, para. 12] a potential attacker IP core is determined based on a packets’ end-to-end latency upon their arrival using the packets’ generation time-stamp.  If the latency is out of the acceptable latency range, the candidate attacker’s location is determined from the Max Latency Router Address and the Max Router Latency value [a destination latency]; [Pg. 7, para. 2] the candidate attacker’s location is determined by the use of Routing Graphs [a destination latency curve associated with the IP core])

As per claim 12, Chaves in view of Talmor and Kommareddy teaches claim 11.  
Chaves also teaches wherein the IP core is identified in response to the second router detecting the compromised packet stream.  ([Chaves, pg. 13, para. 2; Fig. 10] the downstream monitor extracts [detects] the direction information of the compromised stream to narrow the suspects list and localize [identify] the compromised PE [IP core])

As per claim 14, Chaves in view of Talmor and Kommareddy teaches claim 11.  
Chaves also teaches [wherein the predefined period of time is based upon] communication latency between the second router and routers along a path of the compromised packet stream.  ([Chaves, pg. 12, para. 1] a time stamp is introduced to calculate end-to-end [between the second router and routers along the path] latency of each packet [communication latency] to detect the existence of the DoS attack; [pg. 7, para. 4] for each output port, all the possible input ports that can forward packets to the IP core are checked, and so the latency of all routers along a path of the compromised packet stream are checked.  Wherein the predefined period of time is based upon communication latency is taught by Kommareddy below)
Chaves does not teach wherein the predefined period of time is based upon communication latency between the second router and routers along a path of the compromised packet stream. 
However, Kommareddy teaches wherein the predefined period of time is based upon communication latency.  ([Kommareddy, para. 0058; 0072] the counters are tested to map an incoming-to-outgoing traffic ratio representative of packet roundtrip time [communication latency]; [para. 0083] rehashing resets the counters to decouple flows from their flow aggregates, for example, to prevent the new traffic ratio mapping from being affected by the old traffic ratio mapping, and so the rehashing resets are based upon the communication latency; [para. 0127] the interval between periodic processing is larger than the roundtrip time)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Talmor and Kommareddy for the same reasons as disclosed above. 

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Talmor and Kommareddy as applied to claim 12 above, and further in view of Tews.  

As per claim 13, Chaves in view of Talmor and Kommareddy teaches claim 12.
Chaves in view of Talmor and Kommareddy does not clearly teach wherein the compromised packet stream is detected based at least in part upon a packet arrival curve (PAC) associated with the second router.
However, Tews teaches wherein the compromised packet stream is detected ([Tews, col. 7, ln. 20-23; col. 11, ln. 46-49] the controller [router] communicates with devices [IP cores] to establish data flows and measure a traffic network parameter associated with the data flow [packets of the data stream – see col. 12, ln. 31-34] to detect if the network is outside the anomalous bounds and functioning abnormally [compromised]) based at least in part upon a packet arrival curve (PAC) ([col. 8, ln. 42-51] to characterize the communications, multiple conversations [packets arrivals] including empirical distributions and jitter are measured to determine a fingerprint; [Fig. 8; col. 10] the fingerprint is a graphed curve of data collected by the communications controller including packet loss statistics [see col. 6, ln. 52-64]) associated with the second router; ([Fig. 11; col. 9, ln. 59-67; col. 1, ln. 45-50] the controller is implemented in a router that is the victim of an attack and so the router corresponds to the second router)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor and Kommareddy with the teachings of Tews to include wherein the compromised packet stream is detected based at least in part upon a packet arrival curve (PAC) associated with the second router.  One of ordinary skill in the art would have been motivated to make this modification because a deviation from the expected timing distribution of the measured fingerprint (the PAC) may indicate interesting events (such as a DoS attack) that may be used in an attempt to compromise system operation.  (Tews, col. 3, ln. 52-58)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Peng et al. (US Pub. 2005/0249214) discloses a detection module for determining the source of addresses of received network packets which identifies DDoS attacks based on a packet count which is compared with a threshold value.  
Lee et al. (US Pub. 2014/0380459) discloses a first filtering router corresponding to an attacking entity and a second filtering router corresponding to a victim entity, where how close the filtering router to the attacking entity can be calculated using a hop count, and where a filter transmission is propagated from the victim to the attacker.  
Wolfson et al. (US Pub. 2020/0028863) discloses the attackee sending a tracing flag identifier to a cloud provider environment associated with the attacker device that allows identification of the attacker device by the cloud provider. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493 

/Jeremy S Duffield/Primary Examiner, Art Unit 2498