DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings are objected to because some of the text in Fig. 5 is not legible. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claims 4 and 18-19 are objected to because of the following informalities:
Claim 4 recites “as a result of the third packet different with the traffic dimensions” in line 8. There is a grammar issue.
Claims 18-19 need a comma after “claim 17” in the first line of each claim for grammar and consistency reasons.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 17-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 17 is a system claim comprising “a plurality of agents collocated with different nodes … wherein at least one agent of the plurality of agents comprises one or more processors … a controller …,” however, there is no mention of any hardware. Pages 30 and 31 of the specification do not clearly define these elements as hardware. The limitations “agents,” “nodes,” “processors,” and “controller” can be reasonably interpreted as software elements, rendering the system claim as “software per se” (see MPEP 2106.03). Therefore, the claim does not fall within at least one of the four categories of patent eligible subject matter. Claims 18-19 do not cure the deficiency in claim 17 and are rejected for the same rationale.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 14 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 14 recites the limitation "said shifting" in line 1.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-11, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Agarwal et al. (US 20090254970 A1; hereinafter “Agarwal”) in view of Curcio et al. (US 20180115471 A1; hereinafter “Curcio”).
As per claims 1, 17, and 20, Agarwal discloses: a method, system, and non-transitory computer-readable medium, the system comprising: 
a plurality of agents collocated with different nodes of a distributed platform at which different services, content, or data of the distributed platform may be accessed (Agarwal, [0034], SPC agents are resident in a local protection component, [0051], local protection components can be an application, network firewall engine, security gateway, or a router, [0095], “components of the system can be combined in to one or more devices, such as a local protection component, or collocated on a particular node of a distributed network”), wherein at least one agent of the plurality of agents comprises one or more processors (Agarwal, [0100], processor) that are configured to: 
receive a packet from a client device (Agarwal, [0051], SPC agent receives events including protocol violations, e.g., malformed packets, from one or more local protection components (i.e., client device));
inspect the packet using a plurality of rules, wherein each rule of the plurality of rules comprises at least one different (i) rule definition with traffic dimensions identifying a different attack, (ii) signal with which to differentiate attack traffic with the traffic dimensions of a specific attack from other traffic, (iii) threshold specifying a condition, and (iv) action to implement based on the condition of the threshold being satisfied (Agarwal, [0045] and [0039], policies/rules include description of an event type (i.e., rule definition) and “defines an attack signature associated with a specific attack type,” thresholds, responses (i.e., action) when the event instances are applied to the threshold, and tags (i.e., signals) that indicate the type of attack associated with the corresponding attack signature); 

update a value that is linked to the particular signal and a client identifier of the client device based on the particular signal provided by the at least one agent (Agarwal, [0063], “In one example, an alert is triggered if more than 2 event summary reports indicate an instance of a possible SIP INVITE flood attack by a single IP source address,” in other words, a count (i.e., value) is kept/updated for event summary reports indicating a possible SIP INVITE flood attack by a single IP source (i.e., client identifier) and when the count reaches 2 or more (i.e., threshold), an alert/action is triggered/implemented, [0060], SPC agent provides event summaries to SPC server, [0045], wherein the event summaries include tags as part of the policy or rule); and 
implement the action of the particular rule across the plurality of agents in response to the value satisfying the condition for the threshold of the particular rule (Agarwal, [0063], “In one example, an alert is triggered if more than 2 event summary reports indicate an instance of a possible SIP INVITE flood attack by a single IP source address,” in other words, a count (i.e., value) is kept/updated for event summary reports indicating a possible SIP INVITE flood attack by a single IP source (i.e., client identifier) and when the count reaches 2 (i.e., threshold) or more, an alert/action is triggered/implemented).
While Agarwal discloses the use of tags in event summaries that comprise event information such as malformed packets (Agarwal, [0045] and [0051]), Agarwal does not explicitly disclose, however, Curcio teaches or suggests: provide a particular signal to tag (i.e., provide a signal) the packets in the flow with information determined from implementation of the rules … The tag can be placed in a header of the packets”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Agarwal to include providing a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be performed on each packet which tends to be slow relative to current network speeds (Curcio, [0009]-[0010]).

As per claim 2, claim 1 is incorporated and while the modified Agarwal discloses the use of SPC agents collocated with a node for detecting malformed packets according to a policy or rules (Agarwal, [0045], [0051], and [0095]), Agarwal does not explicitly disclose, however, Curcio teaches or suggests: wherein inspecting the packet comprises comparing one or more of a header, Uniform Resource Locator ("URL"), metadata, and message body of the packet against the traffic dimensions from the rule definition of the plurality of rules at an agent that is collocated with a node that is an intended recipient of the packet, and wherein the traffic dimensions comprise at least 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include comparing the header against traffic dimensions from the rule definition as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be performed on each packet which tends to be slow relative to current network speeds (Curcio, [0009]-[0010]).

As per claim 3, claim 2 is incorporated and the modified Agarwal discloses: wherein providing the particular signal comprises passing the particular signal and the client identifier from the agent to a controller that is remote from the agent and the node (Agarwal, [0063], event summary is provided to the SPC server (i.e., remote controller), [0059], wherein the event summary includes at least source or destination IP addresses related to an attack, [0045], wherein the event summary also includes corresponding tags); and 
wherein implementing the action comprises the controller providing the agent with the action in response to the controller determining that the value that is linked to the particular signal and the client identifier satisfies the condition for the threshold of the particular rule (Agarwal, [0063], “the response to the flood is to provide a notification source IP address” in response to more than 2 event summary reports indicating an instance of a possible SIP INVITE flood attack by a single IP source address within a moving 1 minute window).

As per claim 4, claim 1 is incorporated and the modified Agarwal does not disclose, however, Curcio teaches or suggests: receiving a second packet and a third packet from the client device (Curcio, [0054]-[0057], packet flow is received in different examples); 
blocking the second packet from a node that is an intended recipient of the second packet in response to implementing the action against the second packet and the second packet being provided with the particular signal as a result of the second packet matching the traffic dimensions from the rule definition of the particular rule (Curcio, [0054]-[0057], packet flow is tagged based on rule matching and prevented/blocked from reaching computing device 532 based on the implementation of the rule/action and the tag); and 
issuing the third packet to the node in response to the third packet not being subject to the action as a result of the third packet different with the traffic dimensions from the rule definition of the particular rule (Curcio, [0054]-[0057], if no rules match the packets, the packet flow can be short circuited to move towards the destination computing device 532).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the 

As per claim 5, claim 1 is incorporated and while the modified Agarwal discloses: wherein receiving the packet comprises receiving the packet at a first agent of a plurality of agents (Agarwal, [0051], SPC agent receives events including protocol violations, e.g., malformed packets, from one or more local protection components), wherein each agent of the plurality of agents provides attack protections for a different node of a plurality of nodes forming a distributed platform (Agarwal, [0031], SPC agents enforce security policies for their corresponding local protection component); 
wherein implementing the action comprises configuring each agent of the plurality of agents with a blocking action that prevents any packet with the client identifier from reaching an intended node of the plurality of nodes (Agarwal, [0063], “provide a notification to SPC agents of the appropriate class throughout the SPC server's domain to block the source IP address”); and 
blocking a second packet that is issued by the client device and that arrives at a second agent of the plurality of agents before reaching a node of the plurality of nodes in response to configuring the plurality of agents (Agarwal, [0063], “the response to the flood is to provide a notification to SPC agents of the appropriate class throughout the SPC server's domain to block the source IP address,” in other words, when a second 

As per claim 6, claim 5 is incorporated and the modified Agarwal does not disclose, however, Curcio teaches or suggests: wherein the second packet omits the particular signal as a result of the second packet differing with the traffic dimensions from the rule definition of the particular rule (Curcio, [0022], if an inspected packet does not match a pre-filter rule, a particular tag (i.e., signal) is omitted, however, information regarding rules were implemented for, but did not match, is included).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include providing a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be performed on each packet which tends to be slow relative to current network speeds (Curcio, [0009]-[0010]).

As per claim 7, claim 1 is incorporated and the modified Agarwal discloses: wherein the value corresponds to a request rate at which the client device issues a plurality of packets that match the traffic dimensions from the rule definition of a particular rule, and wherein the plurality of packets are distributed across a plurality of agents that protect a plurality of nodes of a distributed platform from attack (Agarwal, [0054], [0060], and [0063], the value/count of 2 event summary reports indicating an 

As per claim 9, claim 1 is incorporated and the modified Agarwal discloses: receiving a second packet from a different second client device (Agarwal, [0051], SPC agent receives events including protocol violations, e.g., malformed packets, from one or more local protection components (i.e., second client device)); 
updating a second value that is linked to the second signal, the third signal, and a second client identifier of the second client device (Agarwal, [0091], a hacking tool (i.e., second client device) overwhelms a contact center with bogus SIP-related traffic and SPC agents detect and forward attack summaries to the SPC server and based on the attack summaries (i.e., updating a second value), the SPC server identifies the affected infrastructure, [0045], wherein the event summaries include tags corresponding to different policies or rules); and 
implementing a second action of the second rule in response to the second value satisfying the condition for the threshold of the second rule, wherein the second action is different than the action of the particular rule (Agarwal, [0091], in response to identifying the affected infrastructure, the SPC server sends alternate routing directives as an action which is a different action to blocking a source IP address).

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include providing a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be performed on each packet which tends to be slow relative to current network speeds (Curcio, [0009]-[0010]).

As per claim 10, claim 1 is incorporated and the modified Agarwal discloses: issuing the packet to a node identified as an intended recipient of the packet while the action is inactive in response to the value not satisfying the condition for the threshold of the particular rule (Agarwal, [0063], “an alert is triggered if more than 2 event summary reports indicate an instance of a possible SIP INVITE flood attack by a single IP source 

As per claim 11, claim 1 is incorporated and the modified Agarwal discloses: wherein implementing the action comprises restricting the action to one of: packets identified with the particular signal and having the client identifier; all packets that are sent and have the client identifier; all packets identified with the particular signal and any client identifier; and packets identified with at least a second signal that is different than the particular signal (Agarwal, [0063], blocking all traffic with the same source IP address).

As per claim 13, claim 1 is incorporated and the modified Agarwal does not explicitly disclose, however, Curcio teaches or suggests: wherein providing the particular signal comprises adding the particular signal to one of the packet header, URL, or metadata (Curcio, [0012], tag is placed in a header of the packets).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include providing a particular signal to the packet in response to the 

As per claim 14, claim 1 is incorporated and the modified Agarwal does not disclose, however, Curcio teaches or suggests: wherein said shifting comprising: wherein providing the particular signal comprises inserting the particular signal as a new header value of the packet or a new parameter of the packet URL (Curcio, [0027], tags may be in the form of additional (i.e., new) headers).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include providing a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be performed on each packet which tends to be slow relative to current network speeds (Curcio, [0009]-[0010]).

As per claim 15, claim 1 is incorporated and the modified Agarwal discloses: providing a graphical user interface with interactive controls used to configure the rule definition, signal, threshold, and action of a new rule; and adding the new rule to the plurality of rules (Agarwal, [0039], [0045], and [0069], interface where a system 

As per claim 16, claim 1 is incorporated and the modified Agarwal discloses: wherein implementing the action comprises providing one or more client identifiers for client devices subject to the action, and one or more signals identifying specific traffic from the client devices that is subject to the action (Agarwal, [0045], “The response can be any suitable response, such as … preparation of a detailed event log (e.g., save the attack information, such as timestamp, attacker IP address … When a policy or rule triggers a response, the notifications, events, or event summaries generated or transmitted as part of the response may include some or all of the scoping indicators or tags in the policy or rule,” in other words, an attacker IP address (i.e., client identifier) is provided and at least one tag is provided in event summaries during an implementation of a response/action).

As per claim 18, claim 17 is incorporated and the modified Agarwal discloses: wherein receiving the packet comprises receiving the packet at a first agent of the plurality of agents (Agarwal, [0051], SPC agent receives events including protocol violations, e.g., malformed packets, from one or more local protection components); and 
wherein a second agent of the plurality of agents comprises one or more processors that are configured to: block a second packet that is issued by the client device and that arrives at the second agent before reaching a node of the distributed platform in response to implementing the action (Agarwal, [0063], “the response to the 

As per claim 19, claim 17 is incorporated and the modified Agarwal does not disclose, however, Curcio teaches or suggests: wherein the one or more processors of the at least one agent are further configured to: 
block a second packet that arrives at the at least one agent before reaching a node of the distributed platform in response to implementing the action and the second packet being identified with at least one of the client identifier and the particular signal (Curcio, [0054]-[0057], packet flow is tagged based on rule matching and prevented/blocked from reaching computing device 532 based on the implementation of the rule/action and the tag); and 
issue a third packet that arrives at the at least one agent to the node in response to implementing the action and the third packet being identified with a second client identifier and zero or more signals that are different than the client identifier and the particular signal (Curcio, [0054]-[0057], if no rules match the packets, the packet flow can be short circuited to move towards the destination computing device 532).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Agarwal in view of Curcio and further in view of Subbarayan et al. (US 20180115523 A1; hereinafter “Subbarayan”).
As per claim 8, claim 1 is incorporated and the modified Agarwal does not disclose, however, Curcio teaches or suggests: wherein providing the particular signal comprises: providing a first signal in response to the packet matching a first set of traffic dimensions from the rule definition of the particular rule (Curcio, [0056], a packet is tagged according to the rule the packet matches, i.e., different tags for different rules); and 
providing a different second signal in response to the response matching a second set of traffic dimensions from the rule definition of the particular rule (Curcio, [0056], a packet is tagged according to the rule the packet matches, i.e., different tags for different rules).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include providing a particular signal to the packet in response to the packet matching the traffic dimensions from a rule as taught by Curcio for the benefit of pre-filtering traffic according to rules so that deep packet inspection need not be 
The modified Agarwal does not disclose, however, Subbarayan teaches or suggests: inspecting a response that is issued by a server in response to the packet from the client device (Subbarayan, [0061], extracting information from data packets corresponding to the client message or server response and analyzing the extracted information for detecting attacks, anomalies or threats).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Agarwal to include inspecting responses from a server as taught by Subbarayan for the benefit of detecting attacks, anomalies or threats (Subbarayan, [0061]).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Agarwal in view of Curcio and further in view of Mantin et al. (US 20210203641 A1; hereinafter “Mantin”).
As per claim 12, claim 1 is incorporated and the modified Agarwal does not disclose, however, Mantin teaches or suggests: deactivating the action after an expiration value specified by the particular rule is reached (Mantin, [0041], “the attack detection component 140 deactivates a (previously activated) fuzzy security rule after a period of time such that the attack detection component 140 stops applying the fuzzy security rule to future traffic received by the web application layer proxy”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Noeth et al. (US 20180307833 A1) teaches tagging packets for the benefit of detecting attacks by hackers ([0092]).
Hsiung et al. (US 20150381660 A1) teaches adding security tags to packets according to a policy enforcement point for the benefit of accelerating the speed of packet inspection ([0073]). 	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552. The examiner can normally be reached M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437   

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437