Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02-15-2022 has been entered.

Response to Amendments
The amended claims 1, 3-12, 14-19 and 25-26 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Coleman et al (US 7295831), hereafter Cole, and Yong et al (US 20070245420), hereafter Yon, and have been fully considered and are persuasive. Claim(s) 2, 13, 20-24 and 27 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3-12, 14-19 and 25-26 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Patrick Moon (attorney) for filed amended claims:
1. (Currently Amended) A method performed by an attack detection system, for detection of a distributed attack in a wireless network to which multiple wireless devices are connected, the method comprising: 
detecting that characteristics of a traffic flow from each of a plurality of wireless devices fulfil a first predefined threshold condition related to abnormal traffic originating from the wireless devices, wherein the first predefined threshold condition related to abnormal traffic is that an amount of traffic from each one or more wireless devices exceeds a predefined traffic threshold and further wherein the predefined traffic threshold is calculated based on a detected normal traffic and a variation detected in the normal traffic; 
	in response to the detecting, identifying changes of the traffic flows from the wireless devices;
determining whether the wireless devices are used in the distributed attack based on whether the identified changes of the traffic flows exceed second thresholds; and
in response to determining that the wireless devices are used in the distributed attack, performing one or more mitigating actions.
2. (Cancelled).
3. (Previously Presented) The method according to claim 1, wherein said changes of the traffic flows include any of increased traffic rate, changed burst interval, and changed destination of the traffic flows.
4. (Previously Presented) The method according to claim 1, wherein 
said identifying is performed based on statistics on traffic originating from the wireless devices, and
the statistics are obtained from a statistics collecting node which is connected to one or more base stations serving the wireless devices. 
5. (Previously Presented) The method according to claim 1, wherein 
said detecting comprises receiving an analysis request from a control node, and
the control node sent the analysis request after receiving from one or more network nodes through which the traffic flows pass notifications indicating that the first predefined threshold condition is fulfilled by the traffic flows.
6. (Previously Presented) The method according to claim 5, wherein when it is determined that the wireless devices are used for the distributed attack, the control node is notified to interrupt or reroute said traffic flows. 
7. (Previously Presented) The method according to claim 5, wherein one or more of said one or more network nodes is a switch in a transport network connected to the wireless network serving the wireless devices.
8. (Previously Presented) The method according to claim 1, wherein it is determined that the multiple wireless devices have been manipulated to perform a Distributed Denial of Service (DDoS) attack on the wireless network based on the identified changes of said traffic flows.
9. (Previously Presented) The method according to claim 1, wherein different predefined threshold conditions are applied for different wireless devices.
10. (Previously Presented) The method according to claim 9, wherein threshold values in the different predefined threshold conditions are determined based on any one or more of: predefined default threshold values, type or identity of the wireless devices, and previous measurements on normal traffic from the wireless devices.
11. (Previously Presented) The method according to claim 1, wherein the wireless devices include Internet of Things (IoT) sensors and/or IoT gateways.
12. (Currently Amended) An attack detection system arranged to enable or support detection of a distributed attack in a wireless network to which multiple wireless devices are connected, the attack detection system comprising a memory and processor, wherein the attack detection system is configured to:
	detect that characteristics of a traffic flow from each of a plurality of wireless devices fulfil a first predefined threshold condition related to abnormal traffic originating from the wireless devices, wherein the first predefined threshold condition related to abnormal traffic is that an amount of traffic from each one or more wireless devices exceeds a predefined traffic threshold and further wherein the predefined traffic threshold is calculated based on a detected normal traffic and a variation detected in the normal traffic;
	in response to the detecting, identify changes of the traffic flows from the wireless devices;
	determine whether the wireless devices are used in the distributed attack based on whether the identified changes of the traffic flows exceed second thresholds; and
in response to determining that the wireless devices are used in the distributed attack, performing one or more mitigating actions.
13. (Cancelled).
14. (Previously Presented) The attack detection system according to claim 12, wherein said changes of the traffic flows include any of: increased traffic rate, changed burst interval, and changed destination of the traffic flows.
15. (Previously Presented) The attack detection system according to claim 12, wherein 
the attack detection system is configured to perform said identifying based on statistics on traffic originating from the wireless devices, and
the statistics are obtained from a statistics collecting node which is connected to one or more base stations serving the wireless devices. 
16. (Previously Presented) The attack detection system according to claim 12, wherein 
the attack detection system is configured to perform said detecting by receiving an analysis request from a control node, and
the control node is configured to send the analysis request after receiving from one or more network nodes through which the traffic flows pass notifications indicating that the predefined threshold condition is fulfilled by the traffic flows.
17. (Previously Presented) The attack detection system according to claim 16, wherein when it is determined that the wireless devices are used for the distributed attack, the attack detection system is configured to notify the control node to interrupt or reroute said traffic flows. 
18. (Previously Presented) The attack detection system according to claim 16, wherein one or more of said one or more network nodes is a switch in a transport network connected to the wireless network serving the wireless devices.
19. (Previously Presented) The attack detection system according to claim 12, wherein the attack detection system is configured to determine that the multiple wireless devices have been manipulated to perform a Distributed Denial of Service (DDoS) attack on the wireless network based on the identified changes of said traffic flows.
20-24. (Cancelled).
25. (Previously Presented)  The method according to claim 1, further comprising: 
receiving an analysis request for analyzing the traffic flow transmitted by each of the plurality of wireless devices; 
as a result of receiving the analysis request, transmitting towards a statistics collecting node a request for traffic information about traffic flows transmitted by the plurality of wireless devices; and
as a result of transmitting the request for the traffic information, receiving the traffic information transmitted by the statistics collecting node, wherein
the changes of the traffic flows are identified using the received traffic information. 
26. (Previously Presented)  The method according to claim 1, further comprising:
one or more network nodes receiving the traffic flow transmitted by each of the plurality of wireless devices;
said one or more network nodes determining whether the characteristics of the received traffic flow fulfil the first predefined threshold condition;
as a result of determining that the characteristics of the received traffic flow fulfil the first predefined threshold condition, said one or more network nodes transmitting towards a control node a notification indicating that the characteristics of the received traffic flow fulfil the first predefined threshold condition;
as a result of receiving the notification, the control node transmitting towards an attack detection entity an analysis request; and
after receiving the analysis request, the attack detection entity obtaining traffic statistics information from a statistics collecting node, wherein 
the changes of the traffic flows are identified by the attack detection entity based on the received traffic statistics information.
 27. (Cancelled).
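
Illustration of the two-stage detection recited in claims 1 and 3, as an added example that is not part of this Office action or of the application. The multiplier `K`, the second-threshold values, the minimum device count and the sample device records are assumptions made for the illustration.

```python
from statistics import mean, pstdev

K = 3.0            # assumed: threshold = normal mean + K * std-dev of normal traffic
RATE_RATIO = 2.0   # assumed second threshold: current rate / normal rate
BURST_RATIO = 0.5  # assumed second threshold: burst interval falls below half of normal
MIN_DEVICES = 2    # assumed: "distributed" means at least this many devices

def traffic_threshold(normal_bytes, k=K):
    """First threshold, from detected normal traffic and its variation."""
    return mean(normal_bytes) + k * pstdev(normal_bytes)

def first_condition(dev):
    return dev["bytes"] > traffic_threshold(dev["normal_bytes"])

def flow_changes(dev):
    """Second stage: the claim-3 changes that exceed the second thresholds."""
    changes = set()
    if dev["bytes"] / mean(dev["normal_bytes"]) > RATE_RATIO:
        changes.add("rate")
    if dev["burst_s"] / dev["normal_burst_s"] < BURST_RATIO:
        changes.add("burst_interval")
    if not set(dev["dests"]) <= set(dev["normal_dests"]):
        changes.add("destination")
    return changes

def detect_distributed_attack(devices):
    """Return {device id: changes} when enough devices pass both stages."""
    flagged = {d["id"]: flow_changes(d) for d in devices if first_condition(d)}
    flagged = {dev_id: ch for dev_id, ch in flagged.items() if ch}
    return flagged if len(flagged) >= MIN_DEVICES else {}

def device(dev_id, normal_bytes, now_bytes, burst_s, dests):
    """Constructed sample record; normal burst interval 60 s, normal peer 10.0.0.5."""
    return {"id": dev_id, "normal_bytes": normal_bytes, "bytes": now_bytes,
            "normal_burst_s": 60, "burst_s": burst_s,
            "normal_dests": ["10.0.0.5"], "dests": dests}

STEADY = [1000, 1100, 900, 1050, 950]   # low variation  -> threshold ~1212
NOISY = [1000, 3000, 500, 2500, 1500]   # high variation -> threshold ~4482
DEVICES = [  # constructed sample data
    device("sensor-a", STEADY, 5000, 5, ["203.0.113.9"]),   # all three changes
    device("sensor-b", STEADY, 4000, 60, ["10.0.0.5"]),     # rate change only
    device("sensor-c", NOISY, 3500, 60, ["10.0.0.5"]),      # within its own variation
    device("gateway-d", STEADY, 1300, 55, ["10.0.0.5"]),    # stage 1 only, no change
]

if __name__ == "__main__":
    print(detect_distributed_attack(DEVICES))
```

The `sensor-c` record stays below its own threshold because its normal traffic varies widely, and `gateway-d` passes the first condition but shows no change that exceeds a second threshold.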

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to independent claim 1, the prior art reference Cole teaches (see Fig. 1, C2L57-67): a plurality of wireless devices are communicatively connected to the wireless access points (WiAP) via wireless communication network. (C18L7-12) various measurements of characteristics are made on network traffic and that if an "anomalous" or "suspicious" event occurs, this would be detectable in the observed measurements (C19L18-21) and if the error exceeds a certain empirically determined threshold, then an anomalous condition is likely to be present; C11L36-40: Cooperative Decision Engine (CDE) collects wireless event data and looks for normal wireless events and abnormal wireless events... (C11L54-56) response initiator/adaptive feedback engine (RIAFE) maintains a running mistrust level for each wireless network device and each WiAP in the WiNet based on WiNet traffic/event data received, based on the confidence metric and the type of anomaly, different attacks (C17L35-40 DOS, DDOS etc.) are detected by CDE and (C14L33-35) is essentially defined as any event which is "anomalous" or different from normal network traffic behavior (C12L26-65) and determined that the given wireless device is anomalous or malicious based on its mistrust level; C16L49-59: If a rogue wireless network device exists in the area, the RF signal strengths will be affected and the measurements will be skewed by the emissions of the rogue RF emitter, an analytic and adaptive system is required to look at large amounts of data over time to determine statistically that there is an anomaly present in the readings and (C11L62-63) based on incremental thresholds in the mistrust levels, the RIAFE sends response actions and (C13L29-31) when any mistrust level reaches or exceeds the value of three, an alarm is issued (also refer C20L28-35, Fig. 9, table 1).

Further, a second prior art of record Yon teaches [026] a threshold level is defined for each level of acceptable risk [029-30] Bytes Consumed behaviour anomaly model is used to detect burst of activity that exceeds or defies acceptable risk level. Packets Consumed is calculated... Ratio of packet types are also calculated to measure abnormality in packet consumption... [035] a user's bytes consumed profile exceeded the deviation threshold and the service used was TCP, then a behavioral anomaly is detected.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed.  The prior art of record fails to teach: detect that characteristics of a traffic flow from each of a plurality of wireless devices fulfil a first predefined threshold condition related to abnormal traffic originating from the wireless devices, wherein the first predefined threshold condition related to abnormal traffic is that an amount of traffic from each one or more wireless devices exceeds a predefined traffic threshold and further wherein the predefined traffic threshold is calculated based on a detected normal traffic and a variation detected in the normal traffic.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same amendments and reasoning are applicable to independent claim(s) 12 mutatis mutandis.  Claim(s) 2, 13, 20-24 and 27 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/BADRINARAYANAN /Examiner, Art Unit 2496.