DETAILED ACTION
The instant application having Application No. 16/606847 filed on October 21, 2019 is presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Oath/Declaration
The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.

Information Disclosure Statement
As required by M.P.E.P. 609(C), the applicant’s submission of the Information Disclosure Statement is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609(C), a copy of the PTOL-1449 initialed and dated by the examiner is attached to the instant office action.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Priority
As required by M.P.E.P. 201.14(c), acknowledgement is made of applicant’s claim for priority based on applications filed on January 26, 2018 (PCT/US2018/015532).


Claim Objections
Claims 2-9, 11-13, and 15 are objected to because of the following informalities:
Claims 2-9 recite “A method” in the preamble, which should be “The method”.
Claims 11-13 recite “A non-transitory machine-readable storage medium” in the preamble, which should be “The non-transitory machine-readable storage medium”.
Claim 15 recites “A network device” in the preamble, which should be “The network device”.
Claims 2 and 13 recite “the set of indentifier”, which should be “the set of identifiers”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 14-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Applicant’s device of claim 14 consists of a series of steps none of which positively recite the use of any hardware. The claimed processor of the claim can be broadly, yet reasonably construed as software (see "The Authoritative Dictionary of IEEE Standards Terms," Seventh Edition, IEEE Press, 2000, page 872). Therefore, Applicant’s invention constitutes software per se, void of any hardware components, and as such fails to fall within any of the statutory classes of invention set forth by 35 USC 101.  Dependent claim 15 is rejected for the same reasons as presented above with respect to independent claim 14 and in view of its dependence on rejected independent claim 14.     

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-3, 5-7, and 9-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Elrod (US 2007/0157306).

(Elrod, abstract, paragraphs 18-19 and claims 1-2, teaches address resolution requests for a network device.), the method comprising: 
comparing address resolution requests submitted to network nodes from the network device against a predetermined threshold profile for the network device (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing incoming traffic, such as address resolution requests, to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists.); and 
regulating a flow of address resolution requests from the network device in response to the comparison (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.)  

As per claim 2, Elrod discloses A method as claimed in claim 1, further comprising: providing a set of identifiers representing network nodes, the set of indentifiers generated from one or more of: a local list of network nodes generated using successful address requests by the network device; a list of network nodes that the network device may issue an address request to; a remote list of network nodes generated using successful address requests by the network device; and a last known set of identifiers representing network nodes (Elrod, paragraph 21, teaches identifying devices based on their IP addresses. Elrod, paragraphs 22-23, 29, 34, 37, and 45, also teaches redirecting/blocking the address resolution requests based on various identifiers such as VLAN ID. These identifiers would be for devices that have sent/received address resolution requests. Elrod, paragraph 18, also teaches using access control lists to allow/block traffic which would include device identifiers.)

As per claim 3, Elrod discloses A method as claimed in claim 1, wherein regulating a flow of address resolution requests further comprises: defining an observation window; and determining a status of an address resolution request throttle within the observation window from one of: non-throttled, in which the flow of address resolution requests from the network device is not regulated; and throttled, in which the flow of address resolution requests from the network device is regulated (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period (observation window) to setup and update the policy. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”.)
 
As per claim 5, Elrod discloses A method as claimed in claim 3, further comprising: in a throttled status, checking connections requested by the network device against the set of identifiers representing network nodes; and blocking a connection to a network node (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy, such as an access control list, at a switch that is performed in real time on incoming traffic. Incoming traffic is compared to a policy in real-time. If the traffic is considered to be a threat then it can be blocked based on the access control list. Elrod, paragraphs 36-37, also teaches blocking all incoming traffic from a specific IP address.)

As per claim 6, Elrod discloses A method as claimed in claim 3, further comprising: evaluating a throttle status at the end of the observation window (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. As this is being performed in real-time it is constantly being re-evaluated. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time.)  

As per claim 7, Elrod discloses A method as claimed in claim 6, further comprising: extending the observation window in the event that the threshold profile for the network device is exceeded (Elrod, paragraphs 15, 18-24, 26-27, 38, 40-43, and 46, teaches storing a policy/ACL at a switch that represents incoming traffic from devices that are considered to be a threat. As this is being performed in real-time it is constantly being re-evaluated for each new time period (observation window). Incoming traffic is compared to the policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time as well as continuing to monitor the suspicious traffic (extending the observation window) after the threat has been determined. Therefore, the policy/ACL is updated over time through multiple time periods.) 

(Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. As this is being performed in real-time it is constantly being re-evaluated. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Therefore, certain packets are throttled and other packets are not throttled which would be in a non-throttle status.)

As per claim 10, Elrod discloses A non-transitory machine-readable storage medium encoded with instructions executable by a processor of a network device for throttling address resolution requests (Elrod, abstract and paragraphs 7, 15, 18-23, 34, 38, 41-43, and 46, teaches throttling traffic such as address resolution requests.), the machine-readable storage medium comprising instructions to: 
monitor outgoing address resolution requests to a target device from the network device (Elrod, paragraphs 15, 18-23, 26-27, and 41, teaches monitoring incoming traffic, such as address resolution requests.); and 
compare data representing a frequency of requests to the target device from the network device against a threshold profile for the network device (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing the number of incoming address resolution requests to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists. Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to stop the threat.)

As per claim 11, Elrod discloses A non-transitory machine-readable storage medium as claimed in claim 10, further encoded with instructions to: regulate the number of outgoing address resolution requests to the target device from the network device (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.)

As per claim 12, Elrod discloses A non-transitory machine-readable storage medium as claimed in claim 10, further encoded with instructions to: block outgoing address resolution requests from the network device to a previously unvisited target device (Elrod, paragraphs 23, and 36-37, teaches blocking all traffic from an attacking IP address. This would block all requests including requests to previously visited or unvisited target devices.)  

(Elrod, paragraph 21, teaches identifying devices based on their IP addresses. Elrod, paragraphs 22-23, 29, 34, 37, and 45, also teaches redirecting/blocking the address resolution requests based on various identifiers such as VLAN ID. These identifiers would be for devices that have sent/received address resolution requests. Elrod, paragraph 18, also teaches using access control lists to allow/block traffic which would include device identifiers.)

As per claim 14, Elrod discloses A network device, comprising a processor (Elrod, abstract, paragraphs 7 and 15 and claim 16, teaches a device with processor.) to: 
determine a frequency of address resolution requests from the network device to a target device (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing the number of incoming address resolution requests to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists.); and 
regulate a flow of outgoing address resolution requests to the target device in response to a comparison of the frequency against a threshold profile of the network (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.) 

As per claim 15, Elrod discloses A network device as claimed in claim 14, the processor further to: define an observation window within which outgoing address resolution requests are monitored (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period (observation window) to setup and update the policy. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 4 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Elrod in view of Kim (US 2015/0067764).

As per claim 4, Elrod discloses A method as claimed in claim 3, further comprising: … recording connection parameters of the network device to the set of identifiers representing network nodes (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”. Elrod, paragraphs 18, 21-23, 29, 34, 37, and 45, teaches identifying devices based on various identifiers such as IP addresses, MAC addresses, and VLAN IDs. The system can use access control lists to allow/block traffic based on the identifiers.) 
However, Elrod only specifically teaches recording connection parameters for threats (in a throttled status) and does not specifically recite in a non-throttled status.
Kim discloses in a non-throttled status, recording connection parameters of the network device to the set of identifiers representing network nodes (Kim, paragraphs 15-16 and 60, teaches updating a whitelist with known good IP addresses. As these are addresses that are known to be good, these are considered to be in a non-throttled/non-threatening status.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Elrod. Elrod teaches using and updating an ACL with identifiers of known attacker devices. Kim teaches using and updating an ACL with identifiers of known good devices. Therefore, it would have been obvious to have used and updated an ACL with both identifiers of known attacker devices and known good devices using a whitelist and blacklist in order to prevent unauthorized access by known attackers while also allowing access by known good users.

As per claim 8, Elrod discloses A method as claimed in claim 6, further comprising: storing a copy of the set of identifiers representing network nodes in the event that the threshold profile for the network device is … exceeded; and restarting an observation window (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches storing a policy/ACL at a switch that represents incoming traffic from devices that are considered to be a threat. As this is being performed in real-time it is constantly being re-evaluated for each new time period (observation window). Incoming traffic is compared to the policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Therefore, the policy/ACL is updated over time through multiple time periods.)
 However, Elrod teaches storing the identifier when the threshold has been exceeded (during a threat) and does not specifically teach storing the identifiers when the “threshold profile … is not exceeded” (not during a threat).
Kim discloses storing a copy of the set of identifiers representing network nodes in the event that the threshold profile for the network device is not exceeded (Kim, paragraphs 15-16 and 60, teaches updating a whitelist with known good IP addresses. As these are addresses that are known to be good, these are considered to be in a non-throttled/non-threatening status which is when the threshold is not exceeded as shown by Elrod.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Elrod. Elrod teaches using and updating an ACL with identifiers of known attacker devices. Kim teaches using and updating an ACL with identifiers of known good devices. Therefore, it would have been obvious to have used and updated an ACL with both identifiers of known attacker devices and known good devices using a whitelist and blacklist in order 

Related Prior Art
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure includes:
Liljenstolpe (US 2019/0081818) – teaches address resolution request messages and an access control list with a whitelist.
Coggeshall (US 2003/0198219) – teaches timing out after a threshold time period of not receiving a response to the address resolution request.
Wakumoto (US 2007/0101429) – teaches that a device may be malicious if the rate of address resolution requests is above a threshold.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498