DETAILED ACTION
This Office Action is in response to application 17/403415 filed on 08/16/2021.  Claims 1-24 are pending.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 9, 17, are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 11, 17, of U.S. Patent No. 11,120,406 (Patent ‘406) in view of Dagon et al. (US 2008/0028463).
Regarding claims 1, 9, 17, Patent ‘406 discloses:
(Patent ‘406, claim 1); and 
preventing sending of the first message to the destination device (Patent ‘406, claim 3); and 
sending, to the second computing device, a second message comprising an invalid network address and configured to prevent the second computing device from sending one or more additional messages (Patent ‘406, claim 1).
While Patent ‘406 disclosed preventing sending (see above), Patent ‘406 did not explicitly disclose based on determining that the first message is malicious.
However, in an analogous art, Dagon disclosed based on determining that the first message is malicious, preventing sending of the first message to the destination device (Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer (i.e., destination device). The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer (i.e., preventing sending of the first message to the destination device). Paragraph 14, determining if a bot computer DNS request rate is normal or suspicious (i.e., malicious)).
	One of ordinary skill in the art would have been motivated to combine the teachings of Patent ‘406 with Dagon because the references involve detecting malicious attacks on a network, and as such, both are within the same environment.  
(Dagon, Paragraph 52).

Claim Objections
Claims 2, 10, 18, are objected to because of the following informalities:  The claims recite “determining that a quantity messages received…” The examiner believes this should recite “determining that a quantity of messages received…”.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7, 15, 23, are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 7, 15, 23, recite the limitation “sending additional messages, received via the port of the second computing device, to a sink-hole device.” However, claims 1, 9, 17 (from which claims 7, 15, 23, depend upon) recite “prevent the second computing 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7, 9-13, 15, 17-21, 23, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Dagon et al. (US 2008/0028463) in view of Gels et al. (US 2004/0187032).
Regarding claim 1, Dagon disclosed:
A method comprising: receiving, by one or more first computing devices (Paragraph 12, sinkhole computer 20) and from a second computing device (Paragraph 12, bot computer 10), a first message (Paragraph 14, DNS request) addressed to a destination device (Paragraph 12, C&C computer 25) (Paragraph 9, victim bot computers use a command and control (C&C) computer to communicate with compromised networks. Paragraphs 12-13, a malware author controls victim bot computers 10. The command and control computer (C&C) of the network of attacking compromised computers is identified. The sinkhole computer is used to hold traffic redirected from the C&C computer. Paragraph 14, bot computer’s sending DNS requests); and 
based on determining that the first message is malicious: preventing sending of the first message to the destination device (Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer. The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer (i.e., preventing sending of the first message to the destination device). Paragraph 48, once traffic is deemed abusive (i.e., malicious) and measured in the sinkhole, it is possible to revoke the DDNS account); and 
sending, to the second computing device, a second message comprising an invalid network address (Paragraph 13, the IP address of the C&C computer is replaced with the IP address of the sinkhole computer (i.e., invalid). Bot computers looking to contact the C&C computer will be told to contact the sinkhole computer instead (i.e., sending a second message to the second computing device)).
While Dagon disclosed determining a message is malicious and sending the malicious messages to an invalid IP address (see above), Dagon did not explicitly disclose configured to prevent the second computing device from sending one or more additional messages.  
However, in an analogous art, Gels disclosed configured to prevent the second computing device from sending one or more additional messages (Paragraph 7, blocking of faked IP addresses (i.e., preventing from sending additional messages as they are blocked) as many DoS and DDoS attacks used faked IP addresses (IP spoofing) to prevent detection of the hacker. Anonymous hosts should be restricted or prohibited as far as possible).
	One of ordinary skill in the art would have been motivated to combine the teachings of Dagon with Gels because the references involve mitigating DoS/DDoS attacks on a network, and as such, both are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the preventing of sending additional (Gels, Paragraphs 15-17).
	Regarding claims 9, 17, the claims are substantially similar to claim 1. Claim 9 recites one or more processors and memory (Dagon, Paragraph 8, computers, therefore having a processor and memory). Claim 17 recites a non-transitory computer readable medium (Dagon, Paragraph 9, medium for communication). Therefore, the claims are rejected under the same rationale.
	
Regarding claims 2, 10, 18, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein determining that the first message is malicious comprises one or more of: monitoring messages received from the second computing device (Dagon, Paragraph 14, determining whether a bot computer’s DNS request rate is normal or suspicious (i.e., monitoring)); analyzing content of the first message; determining that a quantity messages received from the second computing device satisfies a maximum threshold quantity of messages (Dagon, Paragraphs 19-32, determining if the request rate significantly deviates from a mean request rate and exceeds a threshold); or determining that the first message has been sent via a port of the second computing device, wherein messages, previously sent by the second computing device via the port of the second computing device, indicate malicious messaging by the second computing device.

Regarding claims 3, 11, 19, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein the second computing device is associated with a first network, and wherein preventing sending of the first message to the destination device comprises preventing sending of the first message to a destination device associated with a second network different than the first network (Dagon, Paragraph 13, the IP address of the C&C computer is replaced with the IP address of the sinkhole computer. Bot computers looking to contact the C&C computer will be told to contact the sinkhole computer instead. Figure 2A showing the victim cloud as one network and the sinkhole/C&C computer as a different network).
	Regarding claims 4, 12, 20, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein determining that the first message is malicious comprises: determining that messages, of at least one message type and sent by the second computing device, indicate malicious messaging by the second computing device (Dagon, Paragraph 14, determining whether a bot computer’s DNS (i.e., message type) request rate is normal or suspicious (i.e., malicious)); and
determining, based on the first message being of that at least one message type, that the first message is malicious (Dagon, Paragraph 14, if the bot’s DNS request rate is determined to be suspicious, an exponential request rate is determined).
Regarding claims 5, 13, 21, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
(Dagon, Paragraph 14, bot computer’s DNS request rate (i.e., message type)), and wherein the second message is configured to prevent the second computing device from sending additional messages of the at least one message type (Gels, Paragraph 7, blocking of faked IP addresses (i.e., preventing from sending additional messages of one message type) as many DoS and DDoS attacks used faked IP addresses (IP spoofing) to prevent detection of the hacker. Anonymous hosts should be restricted or prohibited as far as possible).
For motivation, please refer to claims 1, 9, 17.
Regarding claims 7, 15, 21, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
further comprising: determining that the second computing device sent the first message via a port of the second computing device (Dagon, Paragraph 148, sending DNS queries that have the same source IP and port); and 
sending additional messages, received via the port of the second computing device, to a sink-hole device (Dagon, Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer (i.e., destination device). The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer. Paragraph 148, DNS queries having a source IP and port).

Claims 6, 8, 14, 16, 22, 24, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Dagon et al. (US 2008/0028463) in view of Gels et al. (US 2004/0187032) and McCowan et al. (US 7,596,097).
Regarding claims 6, 14, 22, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels did not explicitly disclose:
wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device.  
However, in an analogous art, McCowan disclosed wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device (Column 12, Lines 41-63, trace detector 150 drops subsequent trace route packets to block trace route packets originating from the source address of the initial trace route packet. In a host 130, the trace detector can block outgoing packets 192. Trace detector formulates at least one trace route response packet (i.e., acknowledgement) for initial or subsequent trace route packets 192. The trace route response packet 194 includes misinformation concerning identities of device for which a response would have been provided had the trace route packet 192 not been dropped (i.e., false indication of a successful receipt). The trace detector can create a fraudulent or fake response that misidentifies the actual source of the response so as to confuse the trace route program).
One of ordinary skill in the art would have been motivated to combine the teachings of Dagon and Gels with McCowan because the references involve mitigating attacks on a network, and as such, both are within the same environment.  
(McCowan, Column 9, Lines 1-4).

Regarding claims 8, 16, 24, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels did not explicitly disclose:
wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device.
However, in an analogous art, McCowan disclosed wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device (Column 9, Lines 46-60, once detection of a trace route occurs, the network device or end host adds the source IP address to a quarantine area where additional security measures apply. The trace detector can mark the host as untrusted which causes highly restrictive security policies to apply to all traffic (i.e., limit) to and from that host).
One of ordinary skill in the art would have been motivated to combine the teachings of Dagon and Gels with McCowan because the references involve mitigating attacks on a network, and as such, both are within the same environment.  
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the limiting of subsequent messages of McCowan with the teachings of Dagon and Gels in order to reduce the likelihood of dropping legitimate packets (McCowan, Column 9, Lines 1-4).

Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663. The examiner can normally be reached M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/S.C.N/Examiner, Art Unit 2451

/Chris Parry/Supervisory Patent Examiner, Art Unit 2451